A researcher that goes by the handle “Siguza” released details of a local privilege escalation attack against macOS that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems.
Siguza released details of the attack on Dec. 31 via Twitter, wishing followers a “Happy New Year” and linked to a technical write-up outlining the research.
The local privilege escalation (LPE) attack requires a pre-existing foothold on targeted systems. For that reason, LPEs are generally not considered critical vulnerabilities.
“An attacker needs to already have a presence on the system to take advantage of this vulnerability. This could be through infecting the target system via a remote vulnerability, such as a Safari bug, or could be through physical access, such as on a kiosk-type system,” said Jasiel Spelman, senior vulnerability researcher with Zero Day Initiative.
The most troubling thing about this vulnerability is that it has existed for years, said Jason Haddix, head of trust and security at Bugcrowd. “We see this every so often where a bug has been latent in a system for years and no one has found it – or we hope no one has. It does go to show that automation, which Apple is no-doubt using, is not a catch-all solution for finding bugs.”
Apple did not return a request for comment for this story.
The vulnerability identified by Siguza allows for compromise of the IOHIDFamily macOS kernel driver from a process with low privileges. The IOHIDFamily is a kernel extension that provides an interface for human interface devices, such as keyboards and mice, which can be implemented by vendors, describes ZDI.
“This particular code path is only supposed to be used by a privileged process known as WindowServer, however part of this attack involves breaking the assumption that WindowServer will interact with this particular component within IOHIDFamily,” Spelman said.
An attacker wanting to exploit the vulnerability has several options, depending on the level of access already gained on the targeted system.
“Even in the most extreme case, where an attacker must first compromise an unprivileged process, evidence of the attack may be visible to the user. Specifically, in order to trigger this bug, the user must logout, either forcibly by the attacker, or manually by the user while the attacker’s code waits for an opportune moment. If successful, the attacker will be able to escalate to have kernel privileges,” ZDI wrote.
Spelman said this type of vulnerability, where data from userland is trusted, has existed for years. “The assumption that was made, and unfortunately not enforced, was that only a trusted process would be able to access the vulnerable code path. The researcher managed to break that assumption through the use of the forced logout,” he said.
Siguza stated via Twitter he declined to first share his research of the macOS exploit with Apple and opted instead to post it online for maximum exposure to the problem.
“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” Siguza said in a tweet.
A patch for the bug is expected by Apple later this month as part of a cumulative update, say experts.