{"uuid": "ecc0c01f-7b39-4824-80da-120bdc5cb9dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-46689", "type": "published-proof-of-concept", "source": "https://t.me/hackingshadow/2736", "content": "\ud83e\udd19Shizo is in touch!\n\ud83d\udca5I hope you haven't forgotten about Dirty COW (PoCs). Zhuowei has a new post about getting root on macOS 13.0.1 / 12.6.1 and below by exploiting CVE-2022-46689 (start the binary, overwrite, and start over again). In fact, this is the equivalent of Dirty COW, only affecting macOS (XNU) instead of the Linux kernel, so the repository is called \"MacDirtyCowDemo\"; credited to Ian Beer (i41nbeer, \"former\" GCHQ employee, previously linked vulnerability here). The Apple security update says that an attacker exploiting this vulnerability can execute arbitrary code with kernel privileges, and that the race condition is prevented by new checks (as described below, they only prevent it indirectly). Zhuowei began by analyzing a file in Apple's XNU (vm_unaligned_copy_switch_race.c) and achieved a race condition (one thread switches memory between read-only and writable while the second tries to write data), allowing him to temporarily modify files on the /System volume (to keep changes after a reboot, you need to run it on a writable volume; all this is due to the Sealed System Volume).\n\nZhuowei did not achieve execution of arbitrary code with kernel privileges and only managed to influence userspace processes.\nThe disabling of password checking was achieved through the user-authentication policy located in /etc/pam.d (/etc/pam.d/login, pam_permit.so always allows access without authentication); it was introduced at Pwn2Own 2020 and covered in a talk at Black Hat USA 2020, \"Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities\", and for convenience a command-line parameter was added that takes as an argument what needs to be overwritten.\n\nTo get root, execute the following commands after downloading the repository and changing into its directory:\n1\ufe0f\u20e3clang -o switcharoo vm_unaligned_copy_switch_race.c\n2\ufe0f\u20e3sed -e \"s/rootok/permit/g\" /etc/pam.d/su > overwrite_file.bin\n3\ufe0f\u20e3./switcharoo /etc/pam.d/su overwrite_file.bin\n4\ufe0f\u20e3su\nAfter executing the binary at step 3\ufe0f\u20e3, you should get the following output:\nTesting for 10 seconds...\nRO mapping was modified\nAnd after executing the su command in step 4\ufe0f\u20e3, a root shell is obtained:\nsh-3.2#\n\nAmong other things:\n\ud83d\udcbeThere is another type confusion in the unaligned write function in the XNU kernel:\nmach_vm_write(mach_task_self(), printf, printf, 0x8001);\nOf interest is the union vm_map_object:\ntypedef union vm_map_object {\n    vm_object_t vmo_object; /* object object */\n    vm_map_t vmo_submap; /* belongs to another map */\n} vm_map_object_t;\nFor VM addresses in the shared cache, the first entry will be a nested map (submap).\nMoreover, VME_OBJECT just causes type confusion.\nThat is, the shared cache mapping in memory cannot be directly overwritten!\n\ud83d\udcbeBecause the submap does not have VM_PROT_WRITE, the patch leads to an early return (or the next dst_object = VME_OBJECT(entry) leads to a panic), which indirectly prevents the type confusion, and in vm_map_copy_overwrite_nested this was already in the shortcut at:\nif (dst_end <= entry->vme_end)\n{\n    goto start_overwrite; /* you can bypass permission checks */\n}\n\ud83d\udcbevm_map_copy_overwrite_unaligned does not involve a write check\n\ud83d\udcbeCode signing and the sandbox will probably prevent overwriting, since the whole process dies if an invalid signature is presented, and re-checking the code signature on the page is quite a hindrance.\n\n\u26a0\ufe0fSo if you, subscriber, use Apple products, update (the vulnerability was patched in:\niOS 16.2 and iPadOS 16.2, iOS 15.7.2 and iPadOS 15.7.2, macOS 13.1, macOS 12.6.2, macOS 11.7.2, tvOS 16.2, watchOS 9.2)!\n\n#macOS #XNU #vulnerability #exploitation #security #DirtyCOW #MacDirtyCow #root #su", "creation_timestamp": "2022-12-18T04:04:21.000000Z"}
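Added check, not part of the post above or of the MacDirtyCowDemo repository: a POSIX shell function that flags a PAM service file whose "auth" stack has been rewritten the way step 2 of the post does it (pam_rootok.so turned into pam_permit.so, so su succeeds without a password). The su policy contents below are constructed to resemble a stock macOS /etc/pam.d/su and are written to temporary files; the sed rewrite from the post is applied only to that temporary copy, never to the real file.

```shell
#!/bin/sh
# Added example (not from the post or from MacDirtyCowDemo): detect a
# /etc/pam.d/su whose auth stack has been rewritten pam_rootok -> pam_permit.
# Sample file contents are constructed, not copied from a real system.

# check_pam_su FILE
# Returns 0 if the auth stack looks intact (pam_rootok.so present,
# pam_permit.so absent); returns 1 and prints a reason if it looks tampered.
check_pam_su() {
    f=$1
    # Drop comment/blank lines and keep only the "auth" stack entries.
    auth=$(grep -v '^[[:space:]]*#' "$f" | awk '$1 == "auth"')
    if printf '%s\n' "$auth" | grep -q 'pam_permit\.so'; then
        echo "TAMPERED: $f has pam_permit.so on the auth stack (password check bypassed)"
        return 1
    fi
    if ! printf '%s\n' "$auth" | grep -q 'pam_rootok\.so'; then
        echo "TAMPERED: $f lacks pam_rootok.so on the auth stack"
        return 1
    fi
    echo "OK: $f auth stack intact"
    return 0
}

# Constructed sample resembling a stock su policy (module list approximate).
STOCK_SU=$(mktemp)
cat > "$STOCK_SU" <<'EOF'
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
EOF

# Reproduce the rewrite from step 2 of the post on the sample copy only.
TAMPERED_SU=$(mktemp)
sed -e 's/rootok/permit/g' "$STOCK_SU" > "$TAMPERED_SU"

check_pam_su "$STOCK_SU"               # OK, exit status 0
check_pam_su "$TAMPERED_SU" || true    # TAMPERED, exit status 1
```

Run it against the real file with `check_pam_su /etc/pam.d/su`; a non-zero exit status is the signal to investigate. The check is deliberately narrow (it looks only at the auth stack of one service), so pair it with a comparison of /etc/pam.d against a known-good copy for other services.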