Apple says nothing about fixing the reported bugs

Jan 23, 2015 08:42 GMT

Google’s Project Zero vulnerability research program released information about three security bugs present in Apple’s operating system.

The vulnerabilities were reported to Apple back in October, and as per the project’s 90-day disclosure policy, they were automatically revealed to the public in the past couple of days.

Improper verification leads to running shell command

Since Apple generally does not comment on security matters unless they affect a large number of customers, the company has not provided any details about repairing the issues.

A proof-of-concept exploit created to demonstrate one of the flaws takes advantage of the fact that the “effective_audit_token” is not verified as an xpc_data object, allowing a shell command to be executed as the networkd component, which runs unsandboxed as its own user.

“networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value,” Google security researcher Ian Beer says in an advisory. It is important to note that this verification failure has been tested only on OS X 10.9.5.

Glitches could be included in other attacks

Another security glitch discovered by the same researcher would allow an attacker to gain root access to the system. This could be achieved by exploiting a “kernel NULL pointer dereference calling a virtual function on an object at 0x0.”

This bug was also tested on OS X 10.9.5. Beer checked it on Yosemite (10.10) as well and found that it was still present, although some fixes had been applied and the initial PoC no longer worked; the researcher therefore wrote new exploit code to demonstrate the glitch on OS X 10.10.

The third vulnerability described by Beer involves a Bluetooth device being connected to the machine. It is an IOKit kernel memory corruption issue caused by a bad bzero call in IOBluetoothDevice.

Apple plans to release a fix in OS X 10.10.2 touching on the Bluetooth connection, which may address this problem.

In order to be leveraged successfully, all three vulnerabilities appear to require the attacker to have already gained a foothold on the targeted machine. This makes them less significant on their own, but their importance should not be downplayed, because they could serve as one stage in a more elaborate attack aiming to take over Mac systems.