Apple Privilege Escalation Bug Let Attacker Execute Arbitrary Code

Trellix researchers discovered a new class of privilege escalation bugs based on the ForcedEntry attack, which exploited a feature of macOS and iOS to deploy the NSO Group’s mobile Pegasus malware.

The new class of bugs allows arbitrary code to be executed in the context of several platform applications, resulting in privilege escalation and sandbox escape on both macOS and iOS. 

The vulnerabilities range in severity from medium to high, with CVSS scores ranging from 5.1 to 7.1. Malicious applications and exploits could take advantage of these flaws to gain access to sensitive information such as a user’s messages, location data, call history, and photos.

The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy in Canada, revealed the existence of ForcedEntry – CVE-2021-30860 – in September 2021, after being the first to expose NSO’s malfeasance earlier.

However, Trellix claims that its Advanced Research Centre vulnerability team has noticed a group of bugs in iOS and macOS that circumvent Apple’s strengthened code-signing mitigations designed to prevent the exploitation of ForcedEntry.

According to vulnerability researcher Austin Emmitt, the new bugs involve the NSPredicate tool, which developers use to filter code, and around which, Apple tightened restrictions following the ForcedEntry on the side by introducing a protocol called ‘NSPredicateVisitor’.

NSPredicate, is an innocent-looking class that allows developers to filter lists of arbitrary objects. Reports say classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate.

“These mitigations used large denylist to prevent the use of certain classes and methods that could clearly jeopardize security. However, we discovered that these new mitigations could be bypassed”, says Austin Emmitt.

“By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before”.

Apple assigned CVE-2023-23530 to this bypass. More importantly, it is discovered that almost every implementation of NSPredicateVisitor could be avoided. 

While there is no single implementation because nearly every process has its own version, the majority of implementations use the “expressionType” property to filter out function expressions. 

The problems that stem from the fact that this property can be set during the sending process and is trusted to be accurate by the receiver, rendering the checks ineffective. CVE-2023-23531 was assigned to this bypass.

New Bug ‘Class’ In Apple Devices

“The first vulnerability we found within this new class of bugs is in coreduetd, a process that collects data about behavior on the device”, researchers 

“An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process”.

The user’s calendar, address book, and images are accessible to the attacker due to a process that runs as root on macOS. Contextstored, a process associated with CoreDuet, is likewise impacted by a very similar problem that has the same effect. 

This outcome is comparable to FORCEDENTRY, where the attacker uses a poor XPC service to run code from a process with more device access.

Moreover, the appstored daemons have weak XPC Services. These flaws could be used by an attacker in order to acquire access to a process that can connect with these daemons and enable the installation of any application, possibly even system software.

Also, researchers found XPC service OSLogService, which may be exploited to access potentially sensitive data from the Syslog. Most importantly, an attacker can make use of an iPad’s UIKitCore NSPredicate vulnerability.

“By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device”, researchers

Final Thoughts

Researchers mention that the aforementioned flaws indicate a “significant breach of the security model of macOS and iOS”, which depends on each application having precise access to only the resources they require and contacting more privileged services to obtain any additional resources. Hence, both iOS 16.3 and macOS 13.2 fix these problems.

Network Security Checklist – Download Free E-Book

Source: gbhackers.com