2018 is here and it’s already delivering some quite nasty vulnerabilities. A security researcher known as Siguza has just released detailed information on an unpatched zero-day flaw in macOS, which could lead to an attacker gaining root access on a compromised system. According to Siguza, the flaw is at least 15 years old, and its proof-of-concept exploit code is available on GitHub.
Researcher Discovers macOS-only Vulnerability in IOHIDFamily
“This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user,” the researcher wrote.
IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.
To summarize, the zero-day is a local privilege escalation flaw, and a severe one. It could enable an attacker who already has a foothold on the machine to obtain root access and run malicious code with full system privileges. As a result, specifically crafted malware could embed itself deeply into the system, which opens the door to further compromise.
Siguza’s analysis also suggests that the flaw has been present since at least 2002. However, there are clues that indicate it may be even 10 years older than that initial estimate. “One tiny, ugly bug. Fifteen years. Full system compromise,” the researcher said.
From looking at the source, this vulnerability seems to have been present at least since as far back as 2002. There also used to be a copyright notice from NeXT Computer, Inc. noting an EventDriver.m – such a file is nowhere to be found on the web, but if the vulnerable code came from there and if the dates in the copyright notice are to be trusted, that would put the origin of the bug even 10 years further back (older than myself!), but I don’t know that so I’m just gonna assume it came to life in 2002.
IOHIDeous Proof-of-Concept Also Available
The researcher also created a proof-of-concept exploit, which he called IOHIDeous. It affects all macOS versions and turns the bug into an arbitrary read/write primitive in the kernel. The exploit also disables System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), the security features that guard the system against malware and unsigned code. The exploit has, however, stopped working on macOS High Sierra 10.13.2, although Siguza thinks the code can be adjusted to work on the latest version of the operating system.
There is one further condition for the exploit to work reliably: the logged-in user has to log out. In practice, the exploit achieves this by triggering when the system is manually shut down or restarted.
As to why Siguza chose to publish his research publicly rather than report it privately, he gave the following explanation on Twitter:
My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable. Since neither of those were the case, I figured I’d just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing 0day ransomware rather than write-ups ;)