Thursday, July 28, 2022

PackageKit SIP Bypass

Mickey Jin (tweet):

I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVE assigned so far.


Moreover, an attacker could get arbitrary kernel code execution with the SIP-Bypass primitive. I did find a new way to do this on the macOS Monterey, but I couldn’t share the exploit here right now, because it is related to another unpatched 0-day.


The service provides only one method to shove files from one place to another place[…] However, there is no check for the incoming clients, and any process can fire the XPC request to the service. Therefore, we can abuse the service to bypass the SIP restriction.

And another issue:

In short, the system command /usr/libexec/configd has a special TCC entitlement: kTCCServiceSystemPolicySysAdminFiles, which grants the command permission to change a user’s home directory and forge the user’s database file TCC.db. An attacker could inject a malicious dylib into the process to enjoy the special TCC permission.


Comments RSS · Twitter

Leave a Comment