|
7 | 7 | [**In this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) are explained several vulnerabilities that allowed to compromised the kernel compromising the software updater.\ |
8 | 8 | [**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722). |
9 | 9 |
|
10 | | -{{#include ../../../banners/hacktricks-training.md}} |
| 10 | +--- |
| 11 | + |
| 12 | +## 2024: In-the-wild Kernel 0-days (CVE-2024-23225 & CVE-2024-23296) |
| 13 | + |
| 14 | +Apple patched two memory-corruption bugs that were actively exploited against iOS and macOS in March 2024 (fixed in macOS 14.4/13.6.5/12.7.4). |
| 15 | + |
| 16 | +* **CVE-2024-23225 – Kernel** |
| 17 | + • Out-of-bounds write in the XNU virtual-memory subsystem allows an unprivileged process to obtain arbitrary read/write in the kernel address space, bypassing PAC/KTRR. |
| 18 | + • Triggered from userspace via a crafted XPC message that overflows a buffer in `libxpc`, then pivots into the kernel when the message is parsed. |
| 19 | +* **CVE-2024-23296 – RTKit** |
| 20 | + • Memory corruption in the Apple Silicon RTKit (real-time co-processor). |
| 21 | + • Exploitation chains observed used CVE-2024-23225 for kernel R/W and CVE-2024-23296 to escape the secure co-processor sandbox and disable PAC. |
| 22 | + |
| 23 | +Patch level detection: |
| 24 | +```bash |
| 25 | +sw_vers # ProductVersion 14.4 or later is patched |
| 26 | +authenticate sudo sysctl kern.osversion # 23E214 or later for Sonoma |
| 27 | +``` |
| 28 | +If upgrading is not possible, mitigate by disabling vulnerable services: |
| 29 | +```bash |
| 30 | +launchctl disable system/com.apple.analyticsd |
| 31 | +launchctl disable system/com.apple.rtcreportingd |
| 32 | +``` |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +## 2023: MIG Type-Confusion – CVE-2023-41075 |
| 37 | + |
| 38 | +`mach_msg()` requests sent to an unprivileged IOKit user client lead to a **type confusion** in the MIG generated glue-code. When the reply message is re-interpreted with a larger out-of-line descriptor than was originally allocated, an attacker can achieve a controlled **OOB write** into kernel heap zones and eventually |
| 39 | +escalate to `root`. |
| 40 | + |
| 41 | +Primitive outline (Sonoma 14.0-14.1, Ventura 13.5-13.6): |
| 42 | +```c |
| 43 | +// userspace stub |
| 44 | +typed_port_t p = get_user_client(); |
| 45 | +uint8_t spray[0x4000] = {0x41}; |
| 46 | +// heap-spray via IOSurfaceFastSetValue |
| 47 | +io_service_open_extended(...); |
| 48 | +// malformed MIG message triggers confusion |
| 49 | +mach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, ...); |
| 50 | +``` |
| 51 | +Public exploits weaponise the bug by: |
| 52 | +1. Spraying `ipc_kmsg` buffers with active port pointers. |
| 53 | +2. Overwriting `ip_kobject` of a dangling port. |
| 54 | +3. Jumping to shellcode mapped at a PAC-forged address using `mprotect()`. |
| 55 | +
|
| 56 | +--- |
| 57 | +
|
| 58 | +## 2024-2025: SIP Bypass through Third-party Kexts – CVE-2024-44243 (aka “Sigma”) |
11 | 59 |
|
| 60 | +Security researchers from Microsoft showed that the high-privileged daemon `storagekitd` can be coerced to load an **unsigned kernel extension** and thus completely disable **System Integrity Protection (SIP)** on fully patched macOS (prior to 15.2). The attack flow is: |
12 | 61 |
|
| 62 | +1. Abuse the private entitlement `com.apple.storagekitd.kernel-management` to spawn a helper under attacker control. |
| 63 | +2. The helper calls `IOService::AddPersonalitiesFromKernelModule` with a crafted info-dictionary pointing to a malicious kext bundle. |
| 64 | +3. Because SIP trust checks are performed *after* the kext is staged by `storagekitd`, code executes in ring-0 before validation and SIP can be turned off with `csr_set_allow_all(1)`. |
13 | 65 |
|
| 66 | +Detection tips: |
| 67 | +```bash |
| 68 | +kmutil showloaded | grep -v com.apple # list non-Apple kexts |
| 69 | +log stream --style syslog --predicate 'senderImagePath contains "storagekitd"' # watch for suspicious child procs |
| 70 | +``` |
| 71 | +Immediate remediation is to update to macOS Sequoia 15.2 or later. |
| 72 | + |
| 73 | +--- |
| 74 | + |
| 75 | +### Quick Enumeration Cheatsheet |
| 76 | + |
| 77 | +```bash |
| 78 | +uname -a # Kernel build |
| 79 | +kmutil showloaded # List loaded kernel extensions |
| 80 | +kextstat | grep -v com.apple # Legacy (pre-Catalina) kext list |
| 81 | +sysctl kern.kaslr_enable # Verify KASLR is ON (should be 1) |
| 82 | +csrutil status # Check SIP from RecoveryOS |
| 83 | +spctl --status # Confirms Gatekeeper state |
| 84 | +``` |
| 85 | + |
| 86 | +--- |
| 87 | + |
| 88 | +## Fuzzing & Research Tools |
| 89 | + |
| 90 | +* **Luftrauser** – Mach message fuzzer that targets MIG subsystems (`github.com/preshing/luftrauser`). |
| 91 | +* **oob-executor** – IPC out-of-bounds primitive generator used in CVE-2024-23225 research. |
| 92 | +* **kmutil inspect** – Built-in Apple utility (macOS 11+) to statically analyse kexts before loading: `kmutil inspect -b io.kext.bundleID`. |
| 93 | + |
| 94 | + |
| 95 | + |
| 96 | +## References |
| 97 | + |
| 98 | +* Apple. “About the security content of macOS Sonoma 14.4.” https://support.apple.com/en-us/120895 |
| 99 | +* Microsoft Security Blog. “Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions.” https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/ |
| 100 | +{{#include ../../../banners/hacktricks-training.md}} |
0 commit comments