January 3, 2018

Happy New Year: Researcher Drops MacOS Zero-Day Root Access Kernel Exploit

To ring in the new year, a security researcher disclosed on New Year’s Day an unpatched macOS vulnerability that lets a local attacker take complete control of the targeted machine.

“One tiny, ugly bug. Fifteen years. Full system compromise.”

A security researcher going by the pseudonym Siguza has released details of a zero-day macOS vulnerability that, he or she claims, is 15 years old. The proof-of-concept exploit has been posted on GitHub; the underlying flaw is believed to be still unpatched.

The researcher describes it as a “macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.” The exploit leverages a critical local privilege escalation (LPE) vulnerability: an attacker who already has code running as an ordinary, unprivileged user on the targeted Apple machine gains arbitrary read and write access to kernel memory, which is strictly more powerful than root, since root itself is just a value the kernel stores in memory.

After a deeper dive into the source code, the researcher concluded the vulnerability could have been present since 2002. The flaw resides in IOHIDFamily, a macOS kernel extension that handles human interface devices such as keyboards and mice. Once kernel memory can be read and written at will, an attacker can obtain a root shell or execute arbitrary code in the kernel itself.

“IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements,” wrote Siguza. “I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.”

Siguza eventually developed an exploit dubbed IOHIDeous which, at the time of publishing, worked against all versions of macOS, turning the bug into arbitrary read/write access to kernel memory.

The exploit does not fire while the victim simply keeps working: the logged-in user has to be forcibly logged out, or the targeted machine rebooted or manually shut down, before it triggers. A forced logout is visible to the person at the keyboard, which puts a practical limit on how stealthy the attack can be.

Crucially, the vulnerability is not remotely exploitable; an attacker needs to already be running code on the Mac as a local user, for example through a malicious application or a separate exploit against a user-level program, with this bug serving as the second stage that escalates to full control. The researcher therefore saw fit to release the findings online instead of reaching out to Apple first. Moreover, Apple’s bug bounty program did not cover its macOS platform at the time, leaving the researcher little incentive to keep the vulnerability under wraps.

Image credit: Pixabay.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
