
Microsoft has released details of a now-patched vulnerability in Apple macOS that could be exploited by an attacker with root access to bypass security enforcement and take arbitrary actions on the affected device.
Specifically, the flaw, dubbed Migraine, is tracked as CVE-2023-32369 and can be exploited to bypass a key security measure called System Integrity Protection (SIP), or "rootless," which restricts the actions the root user can perform on protected files and folders.
"The most straightforward implication of a SIP bypass is that [...] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.
Worse, it can be exploited to execute arbitrary kernel code or access sensitive data by replacing the database that governs Transparency, Consent, and Control (TCC) policies.
This bypass is made possible by leveraging a built-in macOS tool called Migration Assistant to activate the migration process via AppleScripts designed to ultimately launch arbitrary payloads.
This is because systemmigrationd, the daemon used to handle device transfers, is granted the com.apple.rootless.install.heritable entitlement, which allows all of its child processes, including bash and perl, to bypass SIP checks.
As a result, an attacker who already has the ability to execute code as root could trigger systemmigrationd to run Perl, which in turn could be leveraged to execute a malicious shell script while the migration process is in progress.
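The inheritance chain described above (an entitled daemon, then perl, then a shell) is also what a defender can look for in process telemetry. The following is an added detection example, not code from Microsoft or Apple; it assumes a constructed, simplified "pid,ppid,name,cmdline" event feed rather than any real macOS log format.

```python
# Added detection example (not Microsoft's or Apple's code): flag shells and
# interpreters whose ancestry includes systemmigrationd. The event format is a
# constructed "pid,ppid,name,cmdline" feed, not any real macOS log format.
import csv
import io
from dataclasses import dataclass

SIP_HERITABLE_PARENTS = {"systemmigrationd"}  # daemon named in the article
INTERPRETERS = {"bash", "sh", "zsh", "perl", "python3", "osascript"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str

def parse_events(text):
    """Parse constructed 'pid,ppid,name,cmdline' lines into ProcEvent records."""
    rows = csv.reader(io.StringIO(text.strip()))
    return [ProcEvent(int(p), int(pp), n, c) for p, pp, n, c in rows]

def sip_inherited_interpreters(events):
    """Return interpreters with a SIP-heritable daemon anywhere up the ppid chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in by_pid.values():
        if ev.name not in INTERPRETERS:
            continue
        parent, depth = by_pid.get(ev.ppid), 0
        while parent is not None and depth < 64:  # depth guard against cycles
            if parent.name in SIP_HERITABLE_PARENTS:
                hits.append(ev)  # perl child and its bash grandchild both match
                break
            parent, depth = by_pid.get(parent.ppid), depth + 1
    return hits

# Constructed sample telemetry: a benign login shell under Terminal, and a
# perl -> bash chain under systemmigrationd that the rule should flag.
SAMPLE_EVENTS = """
1,0,launchd,/sbin/launchd
400,1,systemmigrationd,systemmigrationd
410,400,perl,/usr/bin/perl /tmp/constructed-script.pl
415,410,bash,/bin/bash /tmp/constructed-payload.sh
500,1,Terminal,Terminal.app
505,500,bash,/bin/bash -l
"""
```

Running `sip_inherited_interpreters(parse_events(SAMPLE_EVENTS))` returns the perl and bash entries (pids 410 and 415) and not the Terminal login shell, because only the former have systemmigrationd in their ancestry.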
Following responsible disclosure, the vulnerability was addressed by Apple as part of the updates (macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7) shipped on May 18, 2023.
The iPhone manufacturer described CVE-2023-32369 as a logic issue that allows malicious apps to modify protected portions of the file system.
Migraine follows Microsoft's earlier macOS findings Shrootless (CVE-2021-30892, CVSS score: 5.5), powerdir (CVE-2021-30970, CVSS score: 5.5), and Achilles (CVE-2022-42821, CVSS score: 5.5).
"The implications of arbitrary SIP bypasses are serious, as the potential for malware authors is significant," the researchers said. "Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits."
The disclosure comes as Jamf Threat Labs revealed details of a type confusion flaw in the macOS kernel that could be weaponized by a malicious app installed on the device to execute arbitrary code with kernel privileges.
The flaw, dubbed ColdInvite (CVE-2023-27930), "could be exploited to leverage the coprocessor to gain read/write access to the kernel, which could bring a malicious attacker closer to achieving the ultimate goal of fully compromising a device."