The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag during the initialization of A2B0/B2A0 tags of type mAB/mBA.
GitHub - Muirey03/CVE-2022-42864: Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition
Bad things come in large packages: .pkg signature verification bypass on macOS
Code signing of applications is an essential element of macOS security. Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root.
Read how a macOS vulnerability in Archive Utility could lead to the execution of an unsigned and unnotarized application without displaying security prompts.
Intro: While reverse-engineering the process by which the Apple Neural Engine loads a model at the kernel level, I identified two interesting memory corruption vulnerabilities in the code responsible for processing the neural network features in H11ANEIn::ANE_ProgramCreate_gated(). These kinds of vulnerabilities, in my opinion, are easy to find when manually auditing the kernel driver, but nearly impossible to catch with fuzzers unless you build something incredibly sophisticated.
Introduction: In 2020 I observed a strange behavior: a sandboxed macOS app may launch any application, and the launched application won't inherit the main app's sandbox profile. It was even funnier, as the sandboxed app can spawn those new apps with environment variables. I of course reported it to Apple, but I was told that it's expected behavior. Since then there have been at least 2 publicly disclosed vulnerabilities that exploited the above-mentioned behavior:
Intro: Normally, when a user backs up their iOS device, the backup is saved into the ~/Library/Application Support/MobileSync/Backup directory. The MobileSync directory is properly protected by TCC, as the backup can contain photos, contact information, everything from the iOS device, and it might be unencrypted, so this is a whole lot of private information. It's only accessible with Full Disk Access rights. The issue is that an attacker can invoke the AppleMobileBackup utility and make a backup to a custom location.
[0-Day] CVE-2022-42823 - Apple Safari JavaScriptCore Inspector Type Confusion Vulnerability
Title: Apple Safari JavaScriptCore Inspector Type Confusion Vulnerability. Summary: A type confusion vulnerability exists in the Apple Safari JSC Inspector. This issue causes memory corruption due to type confusion. An attacker must get the victim to open an arbitrarily generated HTML file to exploit this vulnerability. Test environment: macOS M1 Monterey 12.5 (21G72), Apple Safari 15.6 (17613.3.9.1.5). Root Cause Analysis: I..
CVE-2022-26743 A tale of a simple Apple kernel bug
Earlier this year, I discovered a flaw in XNU, which is the kernel that Apple uses on both macOS and iOS. While it's not a particularly complicated flaw, I wanted to explain how I discovered it and how it works, both so that I can motivate others and so that they can learn from my discovery.
During the analysis of the patch for CVE-2021-30724 while writing a Fermium-252 report, our researcher (@jinmo123) discovered a vulnerability introduced by the patch. The vulnerability was reported to Apple and fixed in macOS 12.4.
Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write
Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at the patch and try to exploit it. The patch is rather simple: it creates a new function (IntRange::sExt) that is used to decide the integer range after applying a sign extension operation (in rangeFor). Before this patch, the program assumed that the range stays the same after applying sign extension.
Intro: CVE-2017-2533 was part of a chain of vulnerabilities used at Pwn2Own 2017, found by the phoenhex team. They wrote a blogpost about it here. This vulnerability led me to find CVE-2022-32780, which I detailed at Black Hat Asia 2022. Although the nature of CVE-2017-2533 was discussed by the authors, the actual code part was never truly revealed, and I always wondered about the full details. Now I took the time to dig up the details, including how it was fixed, and why the fix solves the problem.
You're M̶u̶t̶e̶d̶ Rooted. Exploiting Zoom on MacOS
With a recent market cap of over $100 billion and the genericization of its name, the popularity of Zoom is undeniable. But what about its security? This imperative question is often quite personal, as who amongst us isn't jumping on weekly (daily?) Zoom calls? In this talk, we'll explore Zoom's macOS application to uncover several critical security flaws: flaws that provided a local unprivileged attacker a direct and reliable path to root. The first flaw presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom's client and its privileged helper component. After detailing both root cause analysis and full exploitation of these flaws, we'll end the talk by showing how such issues could be avoided, both by Zoom and in other macOS applications.
CVE-2021-30873 Process injection: breaking all macOS security layers with a single vulnerability
If you have created a new macOS app with Xcode 13.2, you may have noticed this new method in the template: - (BOOL)applicationSupportsSecureRestorableState:(NSApplication *)app { return YES; } This was added to the Xcode template to address a process injection vulnerability we reported! In macOS 12.0.1 Monterey, Apple fixed CVE-2021-30873. This was a process injection vulnerability affecting (essentially) all macOS AppKit-based applications. We reported this vulnerability to Apple, along with methods to use this vulnerability to escape the sandbox, elevate privileges to root and bypass the filesystem restrictions of SIP.
Bad handling by Apple Safari allows attackers to use certain look-alike characters instead of the real ones, confusing victims into thinking they are reaching a certain site while they are actually accessing another one.
CVE-2022-26712: The POC for SIP-Bypass Is Even Tweetable
I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVEs assigned so far. There are still some reports in Apple's processing queue. All of them are interesting logic issues, and of course each has a successful exploit demonstration.
Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706 - Microsoft Security Blog
Microsoft uncovered a vulnerability in macOS that could allow specially crafted code to "escape" the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022.
CVE-2021-30735 Exploiting Intel Graphics Kernel Extensions on macOS
To escape the Safari sandbox for our Pwn2Own 2021 submission, we exploited a vulnerability in the Intel graphics acceleration kernel extensions (drivers) on ...
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze’s CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.