On April 26, 2021, Apple addressed CVE-2021-1740, a vulnerable function inside the system daemon process cfprefsd (such processes normally run in the background and handle system tasks). The bug could be exploited to read arbitrary files, write arbitrary files, and gain root privilege escalation. It was addressed in Apple's Security Update 2021-002 (Catalina) for a range of Apple operating systems, including iOS and macOS. However, in early August 2021, Zhipeng Huo, Yuebin Sun, and Chuanda Ding (all from XuanwuLab) gave an exploitation demonstration of the vulnerability at the DEF CON 29 security conference. Their talk was titled "Caught you – reveal and exploit IPC logic bugs inside Apple".
While studying the slides, I found that the patch for CVE-2021-1740 was still vulnerable to arbitrary file read exploits. Apple fixed this flaw, and on September 20, 2021 assigned CVE-2021-30855 to the second patch.
However, I found that the second patch was still vulnerable to arbitrary file write and root privilege escalation. This vulnerability issue was raised and addressed on December 13, 2021, with Apple assigning CVE-2021-30995 to the third patch (credited to this author). Apple released Security Update 2021-008 (Catalina) to protect the affected products, so any users who have installed these updates should be protected.
The report detailed below shows the investigation of the original vulnerability, and the process that led me to discover CVE-2021-30995.
Tracking the patching history
To fully investigate the vulnerability originally reported in April, we need to show how an attack might work. The key logic of the vulnerable function [CFPDSource cloneAndOpenPropertyListWithoutDrainingPendingChangesOrValidatingPlist] is:
If the controllable plist file is larger than 1MB, it is cloned to a temporary file with a random name, and the file descriptor of the newly cloned file is returned.
The arbitrary file write attack from the XuanwuLab researchers' DEF CON slides shows that it replaced the fixed file name of the dst_path with a symbolic link prior to the clonefile API call.
After obtaining the arbitrary file write primitive, there are some known methods to gain root privilege escalation. One simple approach involves using periodic scripts, as described by Csaba Fitzl.
For the issues with the second patch, we can see the new API call fclonefileat at line 25 (in Figure 1). The target directory fd is -2, and v6 is the full path of the temporary plist file. So, I found that I could replace the target parent directory with a symbolic link to an arbitrary directory.