Mac users, stay alert: Researchers have found a new threat

CarderPlanet

Hackers rejoice, Mac users are shocked.

Researchers have discovered a vulnerability in macOS that allows an attacker to hijack the entitlements of Apple applications. The vulnerability was discovered in macOS Monterey, and despite attempts to fix it, it still exists.

Vulnerability description
Graphical applications in macOS usually have a user interface defined by a NIB file. It turned out that replacing NIB files inside an app bundle does not invalidate the app's access once Gatekeeper has verified the application. This can allow attackers to modify the application after it is deployed. Code can then easily be executed through a modified NIB, which matters all the more because Apple grants private entitlements to its own apps.

DirtyNIB
The method, called "DirtyNIB", allows arbitrary code to be executed from a NIB file. To do this, create a new NIB file using Xcode, add an object to the interface, and set its class to NSAppleScript. You can then activate AppleScript execution by adding a button that is bound to the created AppleScript object.

As a demonstration, the researchers used Apple's Pages app. After launching the app, they overwrote the existing NIB file with their DirtyNIB file. This allowed them to control code execution.

Bypassing new restrictions
Subsequent versions of macOS introduced new restrictions that made the previous exploit inapplicable. However, the researchers found a way to circumvent these restrictions by using other Apple apps that hold entitlements, such as CarPlay Simulator.

Conclusion
This vulnerability was first reported to Apple in November 2021. Despite multiple confirmations that the issue would be fixed, it still hasn't been. The researchers expressed frustration with the process of working with Apple's bug bounty program.

Note: Researchers responsibly disclosed information about this vulnerability in an attempt to eliminate it.
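
A defender-side check for the NIB replacement described above, as an added example that is not part of the original post or the researchers' code: it compares each NIB in an app bundle against the SHA-256 recorded in the bundle's `_CodeSignature/CodeResources` seal. The `Demo.app` bundle and its contents are constructed for the demonstration, and the `files2`/`hash2` layout is assumed to match what current macOS code signing writes.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def modified_nibs(app):
    """Return findings for sealed NIB files that are missing or altered on disk."""
    contents = Path(app) / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        # Assumption: resources are sealed under "files2" with a SHA-256 "hash2".
        sealed = plistlib.load(fh).get("files2", {})
    findings = []
    for rel, entry in sorted(sealed.items()):
        # Matches flat NIBs and files inside a .nib directory.
        if ".nib" not in rel or not isinstance(entry, dict) or "hash2" not in entry:
            continue
        path = contents / rel
        if not path.is_file():
            if not entry.get("optional"):
                findings.append("missing: " + rel)
        elif hashlib.sha256(path.read_bytes()).digest() != entry["hash2"]:
            findings.append("modified: " + rel)
    return findings


def build_demo_bundle(root):
    """Constructed sample: Demo.app with one NIB and a seal that matches it."""
    contents = Path(root) / "Demo.app" / "Contents"
    nib = contents / "Resources" / "Base.lproj" / "MainMenu.nib"
    nib.parent.mkdir(parents=True)
    nib.write_bytes(b"constructed NIB bytes")
    digest = hashlib.sha256(nib.read_bytes()).digest()
    seal = {"files2": {"Resources/Base.lproj/MainMenu.nib":
                       {"hash2": digest, "optional": True}}}
    (contents / "_CodeSignature").mkdir()
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return contents.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_bundle(tmp)
        print("as signed:", modified_nibs(app))
        # Simulate the post-verification swap the article describes.
        (app / "Contents/Resources/Base.lproj/MainMenu.nib").write_bytes(b"other")
        print("after swap:", modified_nibs(app))
```

The seal file itself sits inside the bundle, so this only catches a NIB swap that leaves `CodeResources` untouched; on macOS, `codesign --verify --deep --strict` re-checks the whole signature chain.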