{"id":36619,"date":"2022-07-28T16:37:05","date_gmt":"2022-07-28T20:37:05","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=36619"},"modified":"2023-12-06T14:21:34","modified_gmt":"2023-12-06T19:21:34","slug":"packagekit-sip-bypass","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/07\/28\/packagekit-sip-bypass\/","title":{"rendered":"PackageKit SIP Bypass"},"content":{"rendered":"

Mickey Jin<\/a> (tweet<\/a>):<\/p>\n

I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVE assigned<\/a> so far.<\/p>\n

[…]<\/p>\n

Moreover, an attacker could get arbitrary kernel code execution with the SIP-Bypass primitive. I did find a new way to do this on the macOS Monterey, but I couldn’t share the exploit here right now, because it is related to another unpatched 0-day.<\/p>\n

[…]<\/p>\n

The service provides only one method to shove files from one place to another place[…] However, there is no check for the incoming clients, and any process can fire the XPC request to the service. Therefore, we can abuse the service to bypass the SIP restriction.<\/p><\/blockquote>\n

And another issue:<\/p>\n

In short, the system command \/usr\/libexec\/configd<\/code> has a special TCC entitlement: kTCCServiceSystemPolicySysAdminFiles<\/code>, which grants the command permission to change a user’s home directory and forge the user’s database file TCC.db<\/tt>. An attacker could inject a malicious dylib into the process to enjoy the special TCC permission.<\/p><\/blockquote>\n\n

Previously:<\/p>\n