Trellix researchers discovered a new class of privilege escalation bugs based on the ForcedEntry attack, which exploited a feature of macOS and iOS to deploy the NSO Group’s mobile Pegasus malware.
The new class of bugs allows arbitrary code to be executed in the context of several platform applications, resulting in privilege escalation and sandbox escape on both macOS and iOS.
The vulnerabilities range in severity from medium to high, with CVSS scores ranging from 5.1 to 7.1. Malicious applications and exploits could take advantage of these flaws to gain access to sensitive information such as a user’s messages, location data, call history, and photos.
The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy in Canada, revealed the existence of ForcedEntry – CVE-2021-30860 – in September 2021, after being the first to expose NSO’s malfeasance earlier.
However, Trellix claims that its Advanced Research Centre vulnerability team has noticed a group of bugs in iOS and macOS that circumvent Apple’s strengthened code-signing mitigations designed to prevent the exploitation of ForcedEntry.
According to vulnerability researcher Austin Emmitt, the new bugs involve the NSPredicate tool, which developers use to filter code, and around which, Apple tightened restrictions following the ForcedEntry on the side by introducing a protocol called ‘NSPredicateVisitor’.
NSPredicate, is an innocent-looking class that allows developers to filter lists of arbitrary objects. Reports say classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate.
“These mitigations used large denylist to prevent the use of certain classes and methods that could clearly jeopardize security. However, we discovered that these new mitigations could be bypassed”, says Austin Emmitt.
“By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before”.
Apple assigned CVE-2023-23530 to this bypass. More importantly, it is discovered that almost every implementation of NSPredicateVisitor could be avoided.
While there is no single implementation because nearly every process has its own version, the majority of implementations use the “expressionType” property to filter out function expressions.
The problems that stem from the fact that this property can be set during the sending process and is trusted to be accurate by the receiver, rendering the checks ineffective. CVE-2023-23531 was assigned to this bypass.
“The first vulnerability we found within this new class of bugs is in coreduetd, a process that collects data about behavior on the device”, researchers
“An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process”.
The user’s calendar, address book, and images are accessible to the attacker due to a process that runs as root on macOS. Contextstored, a process associated with CoreDuet, is likewise impacted by a very similar problem that has the same effect.
This outcome is comparable to FORCEDENTRY, where the attacker uses a poor XPC service to run code from a process with more device access.
Moreover, the appstored daemons have weak XPC Services. These flaws could be used by an attacker in order to acquire access to a process that can connect with these daemons and enable the installation of any application, possibly even system software.
Also, researchers found XPC service OSLogService, which may be exploited to access potentially sensitive data from the Syslog. Most importantly, an attacker can make use of an iPad’s UIKitCore NSPredicate vulnerability.
“By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device”, researchers
Researchers mention that the aforementioned flaws indicate a “significant breach of the security model of macOS and iOS”, which depends on each application having precise access to only the resources they require and contacting more privileged services to obtain any additional resources. Hence, both iOS 16.3 and macOS 13.2 fix these problems.
Network Security Checklist – Download Free E-Book
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…