MACOS LPE EXPLOIT GIVES ATTACKERS ROOT ACCESS

Haythem Elmir 6 ans ago
0 1
Read Time2 Minute, 9 Second

A researcher that goes by the handle “Siguza” released details of a local privilege escalation attack against macOS that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems.

Siguza released details of the attack on Dec. 31 via Twitter, wishing followers a “Happy New Year” and linked to a technical write-up outlining the research.

The local privilege escalation (LPE) attack requires a pre-existing foothold on targeted systems. For that reason, LPEs are generally not considered critical vulnerabilities.

“An attacker needs to already have a presence on the system to take advantage of this vulnerability. This could be through infecting the target system via a remote vulnerability, such as a Safari bug, or could be through physical access, such as on a kiosk-type system,” said Jasiel Spelman, senior vulnerability researcher with Zero Day Initiative.

“The most troubling thing about this vulnerability is that it has existed for years,”  Spelman said. “Worse yet, is that this vulnerability exists in open-source components.”

Apple did not return a request for comment for this story.

The vulnerability identified by Siguza allows for compromise of the IOHIDFamily macOS kernel driver from a process with low privileges. The IOHIDFamily is a kernel extension that provides an interface for human interface devices, such as keyboards and mice, which can be implemented by vendors, describes ZDI.

“This particular code path is only supposed to be used by a privileged process known as WindowServer, however part of this attack involves breaking the assumption that WindowServer will interact with this particular component within IOHIDFamily,” Spelman said.

An attacker wanting to exploit the vulnerability has several options, depending on the level of access already gained on the targeted system.

“Even in the most extreme case, where an attacker must first compromise an unprivileged process, evidence of the attack may be visible to the user. Specifically, in order to trigger this bug, the user must logout, either forcibly by the attacker, or manually by the user while the attacker’s code waits for an opportune moment. If successful, the attacker will be able to escalate to have kernel privileges,” ZDI wrote.

Spelman said this type of vulnerability, where data from userland is trusted, has existed for years. “The assumption that was made, and unfortunately not enforced, was that only a trusted process would be able to access the vulnerable code path. The researcher managed to break that assumption through the use of the forced logout,” he said.

To read the original article:https://threatpost.com/macos-lpe-exploit-gives-attackers-root-access/129282/

About Post Author

Haythem Elmir

haythem.elmir@keystone.tn
http://ww.cyber.tn
Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%
(Add your review)

Laisser un commentaire

Next Post

Necurs botnet involved in massive ransomware campaigns at the end of 2017

mer Jan 3 , 2018
The Necurs botnet made the headlines at year-end sending out tens of millions of spam emails daily as part of massive ransomware campaigns. Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April. The Necurs botnet was used in the past months to push […]

You May Like