Saturday, June 22, 2024

Apple Privilege Escalation Bug Let Attacker Execute Arbitrary Code

Trellix researchers discovered a new class of privilege escalation bugs based on the ForcedEntry attack, which exploited a feature of macOS and iOS to deploy the NSO Group’s mobile Pegasus malware.

The new class of bugs allows arbitrary code to be executed in the context of several platform applications, resulting in privilege escalation and sandbox escape on both macOS and iOS. 

The vulnerabilities range in severity from medium to high, with CVSS scores ranging from 5.1 to 7.1. Malicious applications and exploits could take advantage of these flaws to gain access to sensitive information such as a user’s messages, location data, call history, and photos.

The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy in Canada, revealed the existence of ForcedEntry – CVE-2021-30860 – in September 2021, after being the first to expose NSO’s malfeasance earlier.

However, Trellix claims that its Advanced Research Centre vulnerability team has noticed a group of bugs in iOS and macOS that circumvent Apple’s strengthened code-signing mitigations designed to prevent the exploitation of ForcedEntry.

According to vulnerability researcher Austin Emmitt, the new bugs involve the NSPredicate tool, which developers use to filter code, and around which, Apple tightened restrictions following the ForcedEntry on the side by introducing a protocol called ‘NSPredicateVisitor’.

NSPredicate, is an innocent-looking class that allows developers to filter lists of arbitrary objects. Reports say classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate.

“These mitigations used large denylist to prevent the use of certain classes and methods that could clearly jeopardize security. However, we discovered that these new mitigations could be bypassed”, says Austin Emmitt.

“By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before”.

Apple assigned CVE-2023-23530 to this bypass. More importantly, it is discovered that almost every implementation of NSPredicateVisitor could be avoided. 

While there is no single implementation because nearly every process has its own version, the majority of implementations use the “expressionType” property to filter out function expressions. 

The problems that stem from the fact that this property can be set during the sending process and is trusted to be accurate by the receiver, rendering the checks ineffective. CVE-2023-23531 was assigned to this bypass.

New Bug ‘Class’ In Apple Devices

“The first vulnerability we found within this new class of bugs is in coreduetd, a process that collects data about behavior on the device”, researchers 

“An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process”.

The user’s calendar, address book, and images are accessible to the attacker due to a process that runs as root on macOS. Contextstored, a process associated with CoreDuet, is likewise impacted by a very similar problem that has the same effect. 

This outcome is comparable to FORCEDENTRY, where the attacker uses a poor XPC service to run code from a process with more device access.

Moreover, the appstored daemons have weak XPC Services. These flaws could be used by an attacker in order to acquire access to a process that can connect with these daemons and enable the installation of any application, possibly even system software.

Also, researchers found XPC service OSLogService, which may be exploited to access potentially sensitive data from the Syslog. Most importantly, an attacker can make use of an iPad’s UIKitCore NSPredicate vulnerability.

“By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device”, researchers

Final Thoughts

Researchers mention that the aforementioned flaws indicate a “significant breach of the security model of macOS and iOS”, which depends on each application having precise access to only the resources they require and contacting more privileged services to obtain any additional resources. Hence, both iOS 16.3 and macOS 13.2 fix these problems.

Network Security Checklist – Download Free E-Book


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles