![]() Other vulnerabilities could allow an attacker to read potentially sensitive information from the syslog, or exploit an NSPredicate vulnerability in UIKitCore on the iPad. These two techniques opened a huge range of potential vulnerabilities that we are still exploring.Īccording to Trellix, an attacker could use the bugs to access a user’s calendar, address book and photos, as well as install arbitrary applications. The issues reside in the fact that this property can be set in the sending process and is trusted to be accurate by the receiver, rendering the checks useless. While there is no single implementation as nearly every process has its own version, most use the “expressionType” property to filter out function expressions. There are many processes with XPC Services (the primary method of high-level inter-process communication on macOS and iOS) that accept NSPredicate arguments and use NSPredicateVisitor to ensure that the provided expression is safe to evaluate. Even more significantly we discovered that nearly every implementation of NSPredicateVisitor could be bypassed. This bypass was assigned CVE-2023-23530 by Apple. This led to the discovery of a “large new class of bugs” that allow bypassing code signing to execute arbitrary code in the context of several applications, leading to escalation of privileges and sandbox escape on both operating systems.Īpple has removed features used in previous exploits and added new mitigations to restrict what could be done with NSPredicate using large denylist to prevent the use of certain classes and methods, but Trellix discovered that the new mitigations could be bypassed.īy using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before. CodeColorist notes at the end of his post that “Without a proper validation, it could be an inter-process attack surface to bypass TCC.” Classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate. However, the post also describes ways in which Apple has mitigated the dangerousness of these objects, namely through a protocol called NSPredicateVisitor. Using existing classes in Apple’s private frameworks, it was possible to bypass pointer authentication (PAC) and every other mitigation to call any function. The gist of this research was that NSExpression objects, the building blocks of an NSPredicate, could be used to call arbitrary methods on arbitrary classes and objects. However, this was not the first example, as a researcher in 2019 discovered how to exploit the mechanics of NSPredicate to run arbitrary code. However, this was just the beginning, as this feature revealed an entirely new bug class that completely breaks inter-process security in macOS and iOS. The ability to dynamically generate and run code on iOS had been an official feature this whole time. In reality the syntax of NSPredicate is a full scripting language. ![]() It involved NSPredicate, an innocent looking class that allows developers to filter lists of arbitrary objects. “While much attention was given to the first exploit, we were much more interested in the second as it described a way to dynamically execute arbitrary code in another process which completely sidestepped code signing,” the company’s researchers say. The exploits included the initial exploitation of PDF parsing code and sandbox escape. In a research blog, Trellix details a 2021 bug that allowed for 0-click remote code execution that was used to infect a Saudi activist’s iPhone with the Pegasus malware. Attackers could use these exploits–which have been fixed in recent updates–to gain access to sensitive information such as a user’s messages, location data, call history and photos. The vulnerabilities range from medium to high severity, with CVSS scores between 5.1 and 7.1. ![]() Cybersecurity firm Trellix says it has discovered a new class of privilege escalation bugs in macOS and iOS that could allow attackers to bypass code signing to execute arbitrary code and gain access to messages, location data, call history and photos.Īccording to the firm, this could allow sandbox escape on both macOS and iOS. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |