macOS Flaw Let Attackers Escalate Privilege & Gain Root Access
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical flaw impacting macOS has been uncovered that gives unauthorized users, including those with guest access, the capacity to escalate privileges and take complete root control of the system.
According to the security researcher Yann Gascuel of Alter Solutions, the core of CVE-2023-42931 is the exploitation of the “diskutil” command line utility, which allows local users, including guests to mount filesystems with particular settings that may escalate privileges.
Apple has fixed this critical issue in its most recent security upgrades.
Flaw Let Attackers Mount File Systems
Any local user (including “guest”) can mount filesystems on a macOS system using the “diskutil” command line utility. This command accepts mount options via the “-mountOptions” arguments.
According to the researcher, two mount options might be of interest to cause a privilege escalation:
Two mounts option that triggers privilege escalation
The first one is owners/noowners, which allows or prohibits support for user ownership. The other one is suid/nosuid, which turns on or off support for setuid and setgid bits.
An attacker may change a root-owned file into any arbitrary binary and add the setuid bit to it by using the diskutil -mountOptions parameter to mount a filesystem with the “noowners” flag. This would enable a privilege escalation when the file was remounted in “owners” mode.
📁🄳🄾🄲🅄🄼🄴🄽🅃
It turns out that sensitive system files and directories are protected from modification at the kernel level by amechanism called SIP (for “System Integrity Protection”), which means that not even the root user can change them.
Through a “.file” placeholder file in the root filesystem, which satisfied all requirements for the exploit to be successful, the researcher was able to identify by the following workable exploit path:
Affected Assets
Patch Released
The vulnerability has been fixed in macOS versions 14.2, 13.6.3 and 12.7.2
Apple said that “The issue was addressed with improved checks”.
Therefore, it is recommended that macOS users patch their systems as soon as feasible.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us onLinkedIn&Twitter.
#Cyber_Security_News #macOS #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
macOS Flaw Let Attackers Escalate Privilege & Gain Root Access
Author: Guru BaranA critical flaw impacting macOS has been uncovered that gives unauthorized users, including those with guest access, the capacity to escalate privileges and take complete root control of the system.
According to the security researcher Yann Gascuel of Alter Solutions, the core of CVE-2023-42931 is the exploitation of the “diskutil” command line utility, which allows local users, including guests to mount filesystems with particular settings that may escalate privileges.
Apple has fixed this critical issue in its most recent security upgrades.
Flaw Let Attackers Mount File Systems
Any local user (including “guest”) can mount filesystems on a macOS system using the “diskutil” command line utility. This command accepts mount options via the “-mountOptions” arguments.
According to the researcher, two mount options might be of interest to cause a privilege escalation:
Two mounts option that triggers privilege escalationThe first one is owners/noowners, which allows or prohibits support for user ownership. The other one is suid/nosuid, which turns on or off support for setuid and setgid bits.
An attacker may change a root-owned file into any arbitrary binary and add the setuid bit to it by using the diskutil -mountOptions parameter to mount a filesystem with the “noowners” flag. This would enable a privilege escalation when the file was remounted in “owners” mode.
📁🄳🄾🄲🅄🄼🄴🄽🅃
It turns out that sensitive system files and directories are protected from modification at the kernel level by amechanism called SIP (for “System Integrity Protection”), which means that not even the root user can change them.
Through a “.file” placeholder file in the root filesystem, which satisfied all requirements for the exploit to be successful, the researcher was able to identify by the following workable exploit path:
- Owned by root when mounted in “owners” mode;
- Considered owned by myself when mounted in “noowners” mode;
- Not protected by SIP.
Affected Assets
- MacOS Sonoma before 14.2
- MacOS Ventura before 13.6.3
- MacOS Monterey before 12.7.2
Patch Released
The vulnerability has been fixed in macOS versions 14.2, 13.6.3 and 12.7.2
Apple said that “The issue was addressed with improved checks”.
Therefore, it is recommended that macOS users patch their systems as soon as feasible.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us onLinkedIn&Twitter.
#Cyber_Security_News #macOS #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
