macOS Armor Breached: Sandbox No Longer Protects Your Data

A researcher has uncovered a loophole that Apple would prefer to keep silent about.

A security researcher known by the pseudonym "Mickey Jin" has presented a new attack vector for bypassing macOS protections. Speaking at the POC2024 conference, the researcher described a recently discovered vulnerability that lets an attacker escape the macOS sandbox and access files without restriction.

The attack begins with a vulnerability in XPC services, the mechanism macOS uses for interprocess communication. According to the researcher, these services were insufficiently protected, allowing third-party programs to execute commands without restriction. Vulnerabilities such as CVE-2023-27944 and CVE-2023-42977 allow applications to bypass protection by accessing files and even removing them from quarantine.

macOS currently has two kinds of sandbox: one for applications and one for system services. The application sandbox tightly restricts access to data and system resources, leaving only the functions the program needs to run. Some system services, however, run in a less restrictive sandbox, which gives attackers more room to work. The researcher identified weaknesses in XPC services associated with the PID domain that make them open to exploitation.

Particular attention was paid to the XPC services of system frameworks, which an attacker can use to escape the sandbox. For example, the ShoveService service, according to the researcher, can be loaded with a single line of code, after which the attacker is able to execute commands at the system level.

Apple has already released patches for many of the identified vulnerabilities. The research is ongoing, however, and some of the findings are still being fixed. In particular, this concerns attacks through services that do not check the permissions of the connecting client, which lets an attacker emulate system commands and manipulate files without proper verification.

In response to this research, Apple has updated the protections in recent macOS versions, adding a privilege check for XPC clients and restricting access to the vulnerable services. macOS Ventura and macOS Sonoma already include new mechanisms to protect the system from unauthorized commands, but the researcher continues to look for ways to bypass these protections as well.
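The defensive point in the two paragraphs above is that an XPC service must verify who is connecting before it honours any request. The following Objective-C listener delegate is an added illustration of that check, written for this post; it is not code from the researcher's talk or from Apple. On macOS 13 (Ventura) and later it uses the public `-[NSXPCConnection setCodeSigningRequirement:]` API, which makes the kernel-backed signature check happen before any message is delivered; on older systems it falls back to a `SecCode` check keyed on the client PID, which is weaker because PIDs can be reused. The service name `com.example.helper`, the client identifier `com.example.TrustedClient`, the protocol `HelperProtocol` and the Team ID placeholder are all assumptions made for the example.

```objective-c
// Added example: accept an XPC connection only from a client whose code
// signature satisfies a designated requirement. Not from the original article.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical protocol exposed by the service; the real one would list the
// methods the helper actually performs.
@protocol HelperProtocol
- (void)doWorkWithReply:(void (^)(NSString *result))reply;
@end

// Requirement: signed by Apple's developer program, with this bundle identifier.
// A production requirement should also pin the Team ID, e.g.
//   ... and certificate leaf[subject.OU] = "TEAMID_PLACEHOLDER"
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.TrustedClient\"";

// Pre-Ventura fallback: validate the peer's signature via its PID.
// PID lookups are racy (the PID can be recycled between lookup and use), so
// this path is a best effort, not a substitute for the macOS 13 API.
static BOOL ClientSatisfiesRequirementByPID(pid_t pid) {
    CFNumberRef pidNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &pid);
    const void *keys[] = { kSecGuestAttributePid };
    const void *vals[] = { pidNum };
    CFDictionaryRef attrs = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, 1,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;

    if (SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess &&
        SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess) {
        ok = YES;
    }

    if (req) CFRelease(req);
    if (code) CFRelease(code);
    CFRelease(attrs);
    CFRelease(pidNum);
    return ok;
}

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // The connection is torn down by the system if the peer does not
        // satisfy the requirement; no message reaches the exported object.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else if (!ClientSatisfiesRequirementByPID(newConnection.processIdentifier)) {
        // Refuse outright: returning NO invalidates the connection.
        return NO;
    }

    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

// Only reachable by a client that passed the signature check above.
- (void)doWorkWithReply:(void (^)(NSString *))reply {
    reply(@"ok");
}

@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        HelperListenerDelegate *delegate = [HelperListenerDelegate new];
        // Hypothetical Mach service name registered in the helper's launchd plist.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The important design choice is where the check sits: it runs in `listener:shouldAcceptNewConnection:` before `resume`, so an unverified peer never gets a chance to invoke an exported method. Checking entitlements or identity later, inside individual methods, is the pattern the article describes as exploitable, because the service has already done work on behalf of an unknown caller.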
