Friday, February 7, 2025

Apple Privilege Escalation Bug Let Attacker Execute Arbitrary Code

Trellix researchers have discovered a new class of privilege escalation bugs related to the FORCEDENTRY exploit, which abused a legitimate feature of macOS and iOS to deploy NSO Group's Pegasus spyware.

The new bug class allows arbitrary code execution in the context of several platform applications, resulting in privilege escalation and sandbox escape on both macOS and iOS.

The vulnerabilities range in severity from medium to high, with CVSS scores from 5.1 to 7.1. A malicious application or exploit could use them to reach sensitive data such as a user's messages, location, call history, and photos.

Citizen Lab, an interdisciplinary laboratory at the University of Toronto's Munk School of Global Affairs and Public Policy, disclosed FORCEDENTRY (CVE-2021-30860) in September 2021, having earlier been the first to document NSO Group's abuses.

Now Trellix says its Advanced Research Center vulnerability team has found a group of bugs in iOS and macOS that circumvent the hardened code-signing mitigations Apple introduced to prevent FORCEDENTRY-style exploitation.

According to vulnerability researcher Austin Emmitt, the new bugs involve NSPredicate, which developers use to filter collections of objects. After FORCEDENTRY, Apple tightened what a predicate is allowed to do by introducing a protocol called NSPredicateVisitor.

NSPredicate is an innocent-looking class that lets developers filter lists of arbitrary objects. Classes that implement NSPredicateVisitor are meant to inspect every expression in a predicate and confirm it is safe before it is evaluated.

“These mitigations used a large denylist to prevent the use of certain classes and methods that could clearly jeopardize security. However, we discovered that these new mitigations could be bypassed,” says Austin Emmitt.

“By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before.”

Apple assigned CVE-2023-23530 to this bypass. More importantly, the researchers found that almost every implementation of NSPredicateVisitor could be bypassed.

There is no single implementation, since nearly every process has its own, but most rely on the expressionType property to filter out function expressions.

The problem is that this property is set by the sending process and trusted as accurate by the receiver, so a sender that simply lies about the type defeats the check. CVE-2023-23531 was assigned to this bypass.
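To make the expressionType flaw concrete, here is an added illustration in Python. It is not Apple's code and not Trellix's research code: a small expression tree stands in for NSExpression, the expression_type field plays the role of the sender-controlled expressionType property, and every class and function name (Expression, FunctionExpression, tag_visitor_allows, structural_visitor_allows, forge_tags, Target) is invented for this example. It contrasts a visitor that filters on the self-reported tag with one that classifies each node by what it actually is and walks the whole tree, which is the fix this bug class calls for.

```python
"""Model of a sender-trusting NSPredicateVisitor-style check and its bypass.

Added example; names and the expression tree are invented stand-ins, not the
real Foundation API. Constructed inputs only, nothing touches a real process.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List

# Tags a sender may attach to a node, mimicking expressionType values.
CONSTANT, KEYPATH, FUNCTION = "constant", "keypath", "function"


@dataclass
class Expression:
    # The type the *sender* claims for this node. In a predicate received over
    # XPC this is decoded from the message, so the receiver never computed it.
    expression_type: str
    children: List["Expression"] = field(default_factory=list)


@dataclass
class ConstantExpression(Expression):
    value: Any = None


@dataclass
class KeyPathExpression(Expression):
    key_path: str = ""


@dataclass
class FunctionExpression(Expression):
    # When evaluated, calls `selector` on the target: the dangerous node kind.
    selector: str = ""


def constant(value: Any) -> ConstantExpression:
    return ConstantExpression(CONSTANT, value=value)


def keypath(path: str) -> KeyPathExpression:
    return KeyPathExpression(KEYPATH, key_path=path)


def function(selector: str, *args: Expression) -> FunctionExpression:
    return FunctionExpression(FUNCTION, children=list(args), selector=selector)


def walk(expr: Expression) -> Iterator[Expression]:
    """Depth-first walk so functions nested inside arguments are also seen."""
    yield expr
    for child in expr.children:
        yield from walk(child)


def tag_visitor_allows(expr: Expression) -> bool:
    """The bypassable check: reject nodes whose *tag* says 'function'.
    The tag is sender-controlled, so a relabelled FunctionExpression passes."""
    return all(node.expression_type != FUNCTION for node in walk(expr))


def structural_visitor_allows(expr: Expression) -> bool:
    """The sound check: decide by the node's real class, ignoring its tag."""
    return all(not isinstance(node, FunctionExpression) for node in walk(expr))


def forge_tags(expr: Expression, claimed: str = CONSTANT) -> Expression:
    """Attacker side: the sender owns the metadata, so relabel every node."""
    for node in walk(expr):
        node.expression_type = claimed
    return expr


def evaluate(expr: Expression, target: Any) -> Any:
    """Toy evaluator that behaves like the receiver: it dispatches on the real
    node class, which is exactly why a forged tag does not stop the call."""
    if isinstance(expr, FunctionExpression):
        args = [evaluate(c, target) for c in expr.children]
        return getattr(target, expr.selector)(*args)
    if isinstance(expr, KeyPathExpression):
        return getattr(target, expr.key_path)
    return expr.value


class Target:
    """Constructed stand-in for a privileged receiver; `launch` is a method an
    attacker would want to reach through a function expression."""
    def __init__(self) -> None:
        self.name = "alice"
        self.launched: List[str] = []

    def launch(self, what: str) -> str:
        self.launched.append(what)
        return "launched " + what


def demo() -> Dict[str, Any]:
    """Run the benign and forged predicates through both visitors."""
    target = Target()
    malicious = function("launch", constant("payload"))
    honest_result = tag_visitor_allows(malicious)        # rejected: tag is honest
    forged = forge_tags(malicious)                       # sender lies about the type
    return {
        "honest_tag_blocked": not honest_result,
        "forged_passes_tag_visitor": tag_visitor_allows(forged),
        "forged_caught_structurally": not structural_visitor_allows(forged),
        "effect_if_evaluated": evaluate(forged, target),
        "benign_keypath_allowed": structural_visitor_allows(keypath("name")),
    }


if __name__ == "__main__":
    print(demo())
```

The two visitors differ in one line: one reads a field the remote end wrote, the other inspects the object the receiver actually holds. Any real check also has to recurse through the whole tree, since a function expression can hide inside the arguments of an otherwise harmless node.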

New Bug ‘Class’ In Apple Devices

“The first vulnerability we found within this new class of bugs is in coreduetd, a process that collects data about behavior on the device,” the researchers wrote.

“An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process.”

On macOS, coreduetd runs as root, which gives the attacker access to the user's calendar, address book, and photos. contextstored, a process related to CoreDuet, is affected by a very similar bug with the same effect.

This outcome mirrors FORCEDENTRY, where the attacker abused a vulnerable XPC service to run code in a process with broader access to the device.

The appstored daemons also expose vulnerable XPC services. An attacker who gains code execution in a process allowed to talk to these daemons could use them to install any application, potentially even system apps.

The researchers also found that the OSLogService XPC service can be exploited to read potentially sensitive data from the syslog. Most significantly, an attacker can exploit an NSPredicate vulnerability in UIKitCore on iPad.

“By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device,” the researchers wrote.

Final Thoughts

The researchers describe these flaws as a “significant breach of the security model of macOS and iOS”, which depends on each application having access only to the resources it needs and asking more privileged services for anything further. Apple fixed the issues in iOS 16.3 and macOS 13.2.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.