Patched Apple Bug Paved Way to Root Compromises

Apple patched an OS X vulnerability in a kernel driver that could give attackers root-level privileges on a Mac computer, researchers at Cisco Talos said.

While the iMessage crypto bug got most of the attention among this week’s Apple patches, another vulnerability that was addressed represents a nasty trend of privilege escalation flaws that merit watching.

Researchers at Cisco on Wednesday disclosed details on a flaw in an OS X graphics kernel driver that begs to be chained with any number of other exploits to gain kernel level access on a Mac computer.

Craig Williams, security outreach manager for Cisco Talos, said this is the type of flaw that could be exploited at scale and lead to a wide range of compromises.

“Take something like Dridex using weaponized PDFs to spread; you could absolutely do the same thing with this,” Williams said, comparing it to the prolific Dridex banking malware. “You could spam this out to an entire company and all it takes is for someone to open this with the right version of OS X and they’re compromised.”

The problem lies in the Apple Intel HD3000 Graphics kernel driver in OS X 10.11. An exploit would include a crafted IOConnectCallMethod request to the driver that would trigger the vulnerability. Cisco Talos said in its report that the vulnerable code lies in the driver’s IOGen575Shared::new_texture function.

This type of exploit gives an attacker a way onto an OS X machine with elevated privileges since the driver interacts with the kernel.

“This driver runs as root,” Williams said. “So if you can take it over, you have root on the box.”

Williams said that exploit could be sent via email as an attachment or in a link to a website hosting the malicious code. Cisco said it has not seen any public attacks exploiting this vulnerability, but Williams cautioned that malicious attachments sent over encrypted connections could elude analysts.

Once the attacker has root access, there are no limits to the payloads the attacker could inject next or uses for the elevated privileges they could gain.

“You can use this flaw to break out of the root directory as a root user and do what you want; the sky is the limit,” Williams said. “These are the types of vulnerabilities attackers chain together with two or three others to create some very serious exploits.”

Apple said in its advisory that it improved memory handling to address this vulnerability; Piotr Bania of Cisco and Ian Beer of Google Project Zero were credited with finding and disclosing the bugs.

On Monday, Apple patched nearly its entire product line with fixes for vulnerabilities OS X Server, OS X, Safari, Xcode, tvOS, watchOS and iOS.

The iOS 9.3 update was the most high-profile bug addressed in a while by Apple. Graduate student researchers at Johns Hopkins University led by professor Matthew Green examined the security of iMessage and found a handful of serious vulnerabilities that could be abused and allow an attacker to intercept and read attachments sent via iMessage.

The bugs were a demonstration not only of an exploitable weakness in Apple iOS encryption, but in context, show that the FBI and government officials could find ways to break into terrorist Syed Farook’s iPhone without having to compel Apple into helping by building new firmware that intentionally weakens security on the device.

Suggested articles