Patched Apple Bug Paved Way to Root Compromises

Apple patched an OS X vulnerability in a kernel driver that could give attackers root-level privileges on a Mac computer, researchers at Cisco Talos said.

While the iMessage crypto bug got most of the attention among this week’s Apple patches, another vulnerability that was addressed represents a nasty trend of privilege escalation flaws that merit watching.

Researchers at Cisco on Wednesday disclosed details on a flaw in an OS X graphics kernel driver that begs to be chained with any number of other exploits to gain kernel level access on a Mac computer.

Craig Williams, security outreach manager for Cisco Talos, said this is the type of flaw that could be exploited at scale and lead to a wide range of compromises.

“Take something like Dridex using weaponized PDFs to spread; you could absolutely do the same thing with this,” Williams said, comparing it to the prolific Dridex banking malware. “You could spam this out to an entire company and all it takes is for someone to open this with the right version of OS X and they’re compromised.”

The problem lies in the Apple Intel HD3000 Graphics kernel driver in OS X 10.11. An exploit would include a crafted IOConnectCallMethod request to the driver that would trigger the vulnerability. Cisco Talos said in its report that the vulnerable code lies in the driver’s IOGen575Shared::new_texture function.

This type of exploit gives an attacker a way onto an OS X machine with elevated privileges since the driver interacts with the kernel.

“This driver runs as root,” Williams said. “So if you can take it over, you have root on the box.”

Williams said that exploit could be sent via email as an attachment or in a link to a website hosting the malicious code. Cisco said it has not seen any public attacks exploiting this vulnerability, but Williams cautioned that malicious attachments sent over encrypted connections could elude analysts.

Once the attacker has root access, there are no limits to the payloads the attacker could inject next or uses for the elevated privileges they could gain.

“You can use this flaw to break out of the root directory as a root user and do what you want; the sky is the limit,” Williams said. “These are the types of vulnerabilities attackers chain together with two or three others to create some very serious exploits.”

Apple said in its advisory that it improved memory handling to address this vulnerability; Piotr Bania of Cisco and Ian Beer of Google Project Zero were credited with finding and disclosing the bugs.

On Monday, Apple patched nearly its entire product line with fixes for vulnerabilities OS X Server, OS X, Safari, Xcode, tvOS, watchOS and iOS.

The iOS 9.3 update was the most high-profile bug addressed in a while by Apple. Graduate student researchers at Johns Hopkins University led by professor Matthew Green examined the security of iMessage and found a handful of serious vulnerabilities that could be abused and allow an attacker to intercept and read attachments sent via iMessage.

The bugs were a demonstration not only of an exploitable weakness in Apple iOS encryption, but in context, show that the FBI and government officials could find ways to break into terrorist Syed Farook’s iPhone without having to compel Apple into helping by building new firmware that intentionally weakens security on the device.

Suggested articles

Discussion

  • BT7474 on

    It appears that Apple gives high priority to security whilst Google and third party partners probably gives such a low priority that security virtually doesn't exist.
  • Dave on

    Umm, Google found it.
  • BT7474 on

    Google is responsible for Android criteria Standard. Why did Google continue to state that they had created a patch that solved the Stagefright Trojan when they were probably aware that they hadn't solved the problem and Android consumers were still vulnerable. How many millions of Android customers still aren't protected against Stagefright? ~I don't think that there is a proper procedure, for example, every month for Google and its third party partners to provide patches to reduce security problems. Motorola UK/Europe, probably in 2015 kept on telling me that they had solved the Stagefright problem-based on what Google had told them. Eventually, Google created a second patch, which verified that Google can't be trusted, and besides other things, why I am not impressed with Google. Impossible to find out if I have received the 1st Stagefright patch for Moto G 3rd Gen. 2015, XT1541 UK. Interesting, these bugs appear to affect Apple products, and it appears that Apple has provided a fix for all affected Apple products. Shouldn't google be using their time fixing Android products instead of Apple products? Let's assume it also affects some Android products when will all Android products receive the fix for this and Stagefright, please supply links, because I am not impressed?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.