Skip to content

Commit ad0da67

Browse files
authored
Merge pull request #1143 from HackTricks-wiki/research_update_src_macos-hardening_macos-security-and-privilege-escalation_mac-os-architecture_macos-kernel-vulnerabilities_20250717_082721
Research Update Enhanced src/macos-hardening/macos-security-...
2 parents e88ae0a + c2abfac commit ad0da67

File tree

1 file changed

+88
-1
lines changed

1 file changed

+88
-1
lines changed

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md

Lines changed: 88 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,94 @@
77
[**In this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) are explained several vulnerabilities that allowed to compromised the kernel compromising the software updater.\
88
[**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722).
99

10-
{{#include ../../../banners/hacktricks-training.md}}
10+
---
11+
12+
## 2024: In-the-wild Kernel 0-days (CVE-2024-23225 & CVE-2024-23296)
13+
14+
Apple patched two memory-corruption bugs that were actively exploited against iOS and macOS in March 2024 (fixed in macOS 14.4/13.6.5/12.7.4).
15+
16+
* **CVE-2024-23225 – Kernel**
17+
• Out-of-bounds write in the XNU virtual-memory subsystem allows an unprivileged process to obtain arbitrary read/write in the kernel address space, bypassing PAC/KTRR.
18+
• Triggered from userspace via a crafted XPC message that overflows a buffer in `libxpc`, then pivots into the kernel when the message is parsed.
19+
* **CVE-2024-23296 – RTKit**
20+
• Memory corruption in the Apple Silicon RTKit (real-time co-processor).
21+
• Exploitation chains observed used CVE-2024-23225 for kernel R/W and CVE-2024-23296 to escape the secure co-processor sandbox and disable PAC.
22+
23+
Patch level detection:
24+
```bash
25+
sw_vers # ProductVersion 14.4 or later is patched
26+
authenticate sudo sysctl kern.osversion # 23E214 or later for Sonoma
27+
```
28+
If upgrading is not possible, mitigate by disabling vulnerable services:
29+
```bash
30+
launchctl disable system/com.apple.analyticsd
31+
launchctl disable system/com.apple.rtcreportingd
32+
```
33+
34+
---
35+
36+
## 2023: MIG Type-Confusion – CVE-2023-41075
37+
38+
`mach_msg()` requests sent to an unprivileged IOKit user client lead to a **type confusion** in the MIG generated glue-code. When the reply message is re-interpreted with a larger out-of-line descriptor than was originally allocated, an attacker can achieve a controlled **OOB write** into kernel heap zones and eventually
39+
escalate to `root`.
40+
41+
Primitive outline (Sonoma 14.0-14.1, Ventura 13.5-13.6):
42+
```c
43+
// userspace stub
44+
typed_port_t p = get_user_client();
45+
uint8_t spray[0x4000] = {0x41};
46+
// heap-spray via IOSurfaceFastSetValue
47+
io_service_open_extended(...);
48+
// malformed MIG message triggers confusion
49+
mach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, ...);
50+
```
51+
Public exploits weaponise the bug by:
52+
1. Spraying `ipc_kmsg` buffers with active port pointers.
53+
2. Overwriting `ip_kobject` of a dangling port.
54+
3. Jumping to shellcode mapped at a PAC-forged address using `mprotect()`.
55+
56+
---
57+
58+
## 2024-2025: SIP Bypass through Third-party Kexts – CVE-2024-44243 (aka “Sigma”)
1159
60+
Security researchers from Microsoft showed that the high-privileged daemon `storagekitd` can be coerced to load an **unsigned kernel extension** and thus completely disable **System Integrity Protection (SIP)** on fully patched macOS (prior to 15.2). The attack flow is:
1261
62+
1. Abuse the private entitlement `com.apple.storagekitd.kernel-management` to spawn a helper under attacker control.
63+
2. The helper calls `IOService::AddPersonalitiesFromKernelModule` with a crafted info-dictionary pointing to a malicious kext bundle.
64+
3. Because SIP trust checks are performed *after* the kext is staged by `storagekitd`, code executes in ring-0 before validation and SIP can be turned off with `csr_set_allow_all(1)`.
1365
66+
Detection tips:
67+
```bash
68+
kmutil showloaded | grep -v com.apple # list non-Apple kexts
69+
log stream --style syslog --predicate 'senderImagePath contains "storagekitd"' # watch for suspicious child procs
70+
```
71+
Immediate remediation is to update to macOS Sequoia 15.2 or later.
72+
73+
---
74+
75+
### Quick Enumeration Cheatsheet
76+
77+
```bash
78+
uname -a # Kernel build
79+
kmutil showloaded # List loaded kernel extensions
80+
kextstat | grep -v com.apple # Legacy (pre-Catalina) kext list
81+
sysctl kern.kaslr_enable # Verify KASLR is ON (should be 1)
82+
csrutil status # Check SIP from RecoveryOS
83+
spctl --status # Confirms Gatekeeper state
84+
```
85+
86+
---
87+
88+
## Fuzzing & Research Tools
89+
90+
* **Luftrauser** – Mach message fuzzer that targets MIG subsystems (`github.com/preshing/luftrauser`).
91+
* **oob-executor** – IPC out-of-bounds primitive generator used in CVE-2024-23225 research.
92+
* **kmutil inspect** – Built-in Apple utility (macOS 11+) to statically analyse kexts before loading: `kmutil inspect -b io.kext.bundleID`.
93+
94+
95+
96+
## References
97+
98+
* Apple. “About the security content of macOS Sonoma 14.4.” https://support.apple.com/en-us/120895
99+
* Microsoft Security Blog. “Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions.” https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/
100+
{{#include ../../../banners/hacktricks-training.md}}

0 commit comments

Comments
 (0)