Google Project Zero discloses zero-day in Apple macOS Kernel

Cybersecurity expert at Google Project Zero has publicly disclosed details and proof-of-concept exploit for a high-severity security vulnerability in macOS operating system.

Google Project Zero white hat hacker Jann Horn disclosed the flaw according to the 90-days disclosure policy of the company because Apple failed to address the issue within 90 days of being notified.

The zero-day flaw was demonstrated by Ian Beer, it resides in the way macOS XNU kernel allows an attacker to manipulate filesystem images without informing the operating system.

The vulnerability could be exploited by an attacker or a malicious application to bypass the copy-on-write (COW) functionality to cause unexpected changes in the memory shared between processes.

The flaw could potentially lead to memory corruption attacks.

“Copy-on-write (CoW or COW), sometimes referred to as implicit sharing or shadowing, is a resource-management technique used in computer programming to efficiently implement a “duplicate” or “copy” operation on modifiable resources.” reads the description provided by Wikipedia. “If a resource is duplicated but not modified, it is not necessary to create a new resource; the resource can be shared between the copy and the original. Modifications must still create a copy, hence the technique: the copy operation is deferred to the first write. By sharing resources in this way, it is possible to significantly reduce the resource consumption of unmodified copies, while adding a small overhead to resource-modifying operations.”

According to Horn, on macOS operating system, the copy-on-write technique also handles the page tables and memory mappings.

“XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages.” reads the security advisory published by the Google Project Zero

“This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache,”

“Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.”

The white hat hacker discovered an attacker can mutate an on-disk file without informing the virtual management subsystem. Normal users on
MacOS can mount filesystem images, but when a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), the information is not propagated into the mounted filesystem.

An attacker or a malicious program make changes to evicted pages stored on the disk without informing the virtual management subsystem, tricking the destination processes into loading manipulated malicious content into the memory.

Experts pointed out that the copied memory is protected against later modifications by the source process. Anyway, the source process might be able to exploit double-reads in the destination process.

The Project Zero researcher also discovered another copy-on-write behavior bypass tracked as CVE-2019-6208.

Horn reported both issues to Apple in November 2018, but Apple only addressed the latter flaw in January 2019.

The experts released the proof-of-concept code for both vulnerabilities.

Apple is working with the Project Zero experts on a fix for the vulnerability that is still unpatched.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Apple macOS kernel, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]