Thursday, July 28, 2022

PackageKit SIP Bypass

Mickey Jin (tweet):

I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVEs assigned so far.

[…]

Moreover, an attacker could get arbitrary kernel code execution with the SIP-Bypass primitive. I did find a new way to do this on macOS Monterey, but I couldn’t share the exploit here right now, because it is related to another unpatched 0-day.

[…]

The service provides only one method to shove files from one place to another place[…] However, there is no check on the incoming clients, and any process can fire the XPC request to the service. Therefore, we can abuse the service to bypass the SIP restriction.
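The defect Jin describes is an XPC service that accepts any connecting process. The following is an added example, not code from Jin’s write-up or from Apple’s PackageKit: an NSXPCListener delegate for a hypothetical file-moving helper that refuses peers which do not satisfy a code-signing requirement. The service name, protocol, bundle identifier and Team ID are all assumptions.

```objectivec
// Added example (not from the write-up or from Apple): an XPC helper that validates
// its peer before exporting any method. Names and the requirement string are assumed.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@protocol FileMoverProtocol
- (void)moveFileAtPath:(NSString *)src toPath:(NSString *)dst withReply:(void (^)(NSError *))reply;
@end

@interface FileMover : NSObject <FileMoverProtocol>
@end
@implementation FileMover
- (void)moveFileAtPath:(NSString *)src toPath:(NSString *)dst withReply:(void (^)(NSError *))reply {
    NSError *err = nil;
    [[NSFileManager defaultManager] moveItemAtPath:src toPath:dst error:&err];
    reply(err);
}
@end

// Hypothetical requirement: Apple-issued Developer ID code with one bundle identifier
// and one Team ID. Pinning only the identifier would let any signed binary spoof it.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.installer\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";

@interface ListenerDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation ListenerDelegate

// Fallback for systems before macOS 13: evaluate the requirement against the peer
// process found by PID. This is racy (the PID can be reused between this check and
// the first request), so the audit-token based API below is preferred where available.
- (BOOL)peerSatisfiesRequirement:(NSXPCConnection *)conn {
    SecRequirementRef req = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) != errSecSuccess) return NO;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(conn.processIdentifier) };
    SecCodeRef code = NULL;
    OSStatus st = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                 kSecCSDefaultFlags, &code);
    BOOL ok = NO;
    if (st == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(code);
    }
    CFRelease(req);
    return ok;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Preferred: Foundation evaluates the requirement on the peer's audit token and
        // invalidates the connection if it fails, before any message is delivered.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (![self peerSatisfiesRequirement:conn]) {
        return NO;   // unknown client: drop the connection
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(FileMoverProtocol)];
    conn.exportedObject = [FileMover new];
    [conn resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        ListenerDelegate *delegate = [ListenerDelegate new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.filemover"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Client validation is necessary but not sufficient for a helper that runs with SIP-exempt privileges: a trusted client can itself be compromised, so a "move this file there" method should also constrain the destination to the paths the helper actually needs to write.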

And another issue:

In short, the system command /usr/libexec/configd has a special TCC entitlement: kTCCServiceSystemPolicySysAdminFiles, which grants the command permission to change a user’s home directory and forge the user’s database file TCC.db. An attacker could inject a malicious dylib into the process to enjoy the special TCC permission.
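What makes the configd case exploitable is the combination of a powerful TCC grant with a process that can be made to load foreign code. The following is an added example, not from Jin’s write-up or from Apple: a small tool that reads a binary’s code-signing flags and its TCC entitlement so a reviewer can see both halves of that combination. The binary path and the service name kTCCServiceSystemPolicySysAdminFiles are the ones the write-up names; the entitlement key is the private key Apple uses for such grants, and the warning heuristic is this example’s own.

```objectivec
// Added example (not from the write-up or from Apple): report a binary's TCC grants
// and whether library validation / the hardened runtime are enabled on it.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns the signing-information dictionary for the code at `path`, or nil.
static NSDictionary *signingInfo(NSString *path) {
    SecStaticCodeRef code = NULL;
    NSURL *url = [NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code) != errSecSuccess)
        return nil;
    CFDictionaryRef info = NULL;
    // kSecCSRequirementInformation is needed for the entitlements dictionary.
    OSStatus st = SecCodeCopySigningInformation(code,
                      kSecCSSigningInformation | kSecCSRequirementInformation, &info);
    CFRelease(code);
    if (st != errSecSuccess) return nil;
    return CFBridgingRelease(info);
}

int main(int argc, char **argv) {
    @autoreleasepool {
        NSString *path = argc > 1 ? @(argv[1]) : @"/usr/libexec/configd";
        NSDictionary *info = signingInfo(path);
        if (!info) { fprintf(stderr, "cannot read signature of %s\n", path.UTF8String); return 1; }

        uint32_t flags = [info[(__bridge id)kSecCodeInfoFlags] unsignedIntValue];
        BOOL hardened = (flags & kSecCodeSignatureRuntime) != 0;
        BOOL libval   = (flags & kSecCodeSignatureLibraryValidation) != 0;
        NSDictionary *ents = info[(__bridge id)kSecCodeInfoEntitlementsDict];
        // Private entitlement carrying the list of TCC services granted to the binary.
        NSArray *tcc = ents[@"com.apple.private.tcc.allow"];

        printf("%s\n  hardened runtime: %s\n  library validation: %s\n", path.UTF8String,
               hardened ? "yes" : "no", libval ? "yes" : "no");
        for (NSString *svc in tcc) printf("  TCC grant: %s\n", svc.UTF8String);

        // Heuristic from this example: a process holding the grant named in the write-up
        // that does not enforce library validation is a candidate dylib-injection target.
        if ([tcc containsObject:@"kTCCServiceSystemPolicySysAdminFiles"] && !libval)
            printf("  WARNING: privileged TCC grant without library validation\n");
    }
    return 0;
}
```

A "no" for library validation is a reason to look closer, not a vulnerability by itself; the write-up does not say how the injection into configd was achieved, and platform binaries have other loader restrictions that the flags alone do not show.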

Previously:
