macOS was found to contain a high-severity security vulnerability that was recently disclosed to the public. Apparently, Apple failed to resolve the issue within the 90-day deadline, and Jann Horn, a researcher with Google Project Zero, released the information to the public along with proof-of-concept code.
The vulnerability, which resides in the macOS XNU kernel, is described as a “copy-on-write behavior bypass via mount of user-owned filesystem image”.
High-Severity Bypass Vulnerability in macOS
According to the official advisory, “XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process”.
The copy-on-write behavior works with both anonymous memory and file mappings, which means that memory pressure can cause the pages holding the transferred memory to be evicted from the page cache after the destination process has started using them.
Later, when the evicted pages are needed again, they are reloaded from the backing filesystem, the advisory says. This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.
In other words, the vulnerability could allow an attacker or a malicious program to bypass the copy-on-write functionality and cause unexpected changes in the memory shared between processes, which can ultimately lead to memory corruption.
In addition, a malicious program or user can make changes to evicted pages stored on disk without informing the virtual management subsystem. This would trick the destination process into loading malicious content into memory.
That is why it is crucial that the copied memory is protected against later modification by the source process. Without such protection, the source process might be able to exploit double-reads in the destination process, the Project Zero researcher explained.
This bypass is not the only vulnerability discovered by Jann Horn. The researcher also unearthed a similar copy-on-write behavior bypass, which has been assigned the identifier CVE-2019-6208. That vulnerability abuses a different macOS function.
Horn got in touch with Apple to notify the company about the discovered issues in November last year.
Apple acknowledged the findings privately. It should be noted that Apple patched CVE-2019-6208 in an update released in January. However, the first, more severe bypass remains unpatched, so the researcher made it public after the 90-day deadline.
Apple is currently working on a patch together with Google Project Zero.