A safety researcher uncovered a important macOS vulnerability involving privilege escalation in Apple’s MallocStackLogging framework, which had gone undetected for practically 20 years. The bug, tracked as
The vulnerability exploited this mechanism to put in writing recordsdata to arbitrary areas on the system with the privileges of the affected course of.
Essential macOS Vulnerability
The problem resided within the MallocStackLogging framework, a debugging device included in macOS for many years. This framework is force-loaded into purposes at any time when particular setting variables, corresponding to MallocStackLoggingDirectory, are set.
The researcher recognized three important weaknesses in Apple’s preliminary mitigations:
- Insecure File Operations: The
entry()perform was inadequate for securing file writes, because it might be exploited in a race situation. - Symlink Bypass: The
open()perform’sO_NOFOLLOWflag solely prevented symlink traversal within the remaining phase of the file path. - Truncated Filenames: Bugs within the filename era course of might lead to truncation, undermining randomization efforts.
By means of intelligent exploitation, the researcher demonstrated how these flaws might be mixed to put in writing a file as root with particular contents, probably enabling privilege escalation.
The strategy concerned utilizing the crontab command to execute a malicious script, finally granting root entry with out a password.
“The bug’s influence was important as a result of it affected privileged and suid root binaries with out requiring any particular permissions,” defined Kalman in his detailed analysis.
The vulnerability stemmed from improper file dealing with and lacking safety flags within the framework’s implementation.The exploit chain concerned:
- Manipulating the MallocStackLogging setting variables
- Exploiting a lacking O_CLOEXEC flag in file operations
- Using the crontab utility to escalate privileges
- Gaining unauthorized root entry by modified system recordsdata
Analyze cyber threats with ANYRUN's highly effective sandbox. Black Friday Offers : Get up to 3 Free Licenses.
The Vulnerability Repair
Apple acted swiftly, deploying fixes in a beta launch inside three weeks of the report. Updates included:
- Enhanced file operations utilizing
O_NOFOLLOW_ANYandrealpath()to forestall symlink-based assaults. - Correct use of
O_CLOEXECto shut file descriptors upon execution of recent processes. - Fixes to bugs in filename truncation and randomness.
Regardless of the fixes, the researcher argued that the framework’s very existence stays dangerous, as it may possibly nonetheless allow different potential exploits.
The Researcher’s Expertise
The vulnerability researcher shared insights into the challenges confronted whereas interacting with Apple’s safety crew:
- Delayed Communication: The corporate took seven months to adjudicate the bounty and publish the researcher’s credit score.
- Underwhelming Bounty: The $22,500 payout was deemed disappointing in comparison with different Apple bug bounties, particularly given the bug’s potential influence throughout a number of platforms.
- Disagreeable Interactions: Apple’s response included a menace to take away the researcher’s credit score, though this was ultimately resolved of their favor.
The researcher additionally criticized Apple’s concentrate on demonstrated influence reasonably than potential influence throughout platforms, urging others to completely weaponize exploits earlier than submitting them.
The researcher famous that lacking an important macOS vulnerability element (the absence of O_CLOEXEC) early on extended the bug’s exploitation course of.
Nonetheless, they regarded the invention as a big accomplishment, highlighting that the bug had gone unnoticed for over 20 years.
Additionally they provided recommendation to fellow safety researchers, emphasizing the significance of persistence and collaboration to maximise the influence of vulnerability reports.
This case illustrates the challenges of vulnerability discovery and disclosure, particularly when coping with giant firms like Apple.
Whereas Apple’s fast deployment of fixes is commendable, the delays and frustrations with their bug bounty program underscore the necessity for enhancements in communication and reward buildings for safety researchers.
This discovery reinforces the important position of safety researchers in figuring out and mitigating software program vulnerabilities.
Whereas the researcher expressed frustration with Apple’s dealing with of the method, the case highlights the influence of diligent vulnerability analysis in strengthening digital safety.
Leveraging 2024 MITRE ATT&CK Outcomes for SME & MSP Cybersecurity Leaders – Attend Free Webinar
