Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's native security protections and ultimately compromise victims' iCloud data.

The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä found he could achieve remote code execution (RCE) on targeted systems and access sensitive data; in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple's Gatekeeper nor Transparency, Consent, and Control (TCC) protections could stop it.

Zero-Click Exploit Chain in macOS

The all-important first bug in the chain, CVE-2022-46723, was assigned a "critical" 9.8 out of 10 CVSS score back in February 2023.

It wasn't just dangerous, it was easy to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS did not properly vet the filename, the attacker could name it arbitrarily, to variously interesting effect.

For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.

More dangerous was the potential for an attacker to perform path traversal, naming their attachment in such a way that would allow it to escape the Calendar's sandbox, where attached files are supposed to be stored, to other locations on the system.
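The filename handling that the chain starts from, as an added defensive illustration in Python (this is not Apple's code; the store directory, the pre-existing `Notes.pdf` and the invite names are constructed): the naive join that trusts the attachment name, beside a hardened version that rejects path components, confines the resolved path to the store, and never reuses an existing name, so that deleting an event later cannot remove a file that belonged to something else.

```python
import os
import tempfile
from pathlib import Path


def naive_attachment_path(store_dir: str, filename: str) -> str:
    """The weak pattern: trust the name from the invite and join it to the store."""
    return os.path.join(store_dir, filename)


def safe_attachment_path(store_dir: str, filename: str) -> Path:
    """Hardened: reject names carrying path components or control characters,
    confine the resolved path to store_dir, and never reuse an existing name."""
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected attachment name: {filename!r}")
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        raise ValueError("control character in attachment name")
    base = Path(store_dir).resolve()
    candidate = (base / filename).resolve()
    # resolve() follows symlinks: a link planted under the store must not lead outside it
    if base not in candidate.parents:
        raise ValueError("attachment path escapes the store directory")
    # a fresh name per attachment: removing this event's file later cannot
    # delete a file that was already there under the same name
    stem, suffix = candidate.stem, candidate.suffix
    n = 1
    while candidate.exists():
        candidate = candidate.with_name(f"{stem} ({n}){suffix}")
        n += 1
    return candidate


def demo() -> dict:
    """Constructed scenario: a store that already holds Notes.pdf, plus three invite names."""
    store = tempfile.mkdtemp(prefix="cal_attach_")  # assumed store location, not Calendar's
    (Path(store) / "Notes.pdf").write_bytes(b"existing attachment")
    results = {"naive_traversal": naive_attachment_path(store, "../../Library/Preferences/evil.plist")}
    for name in ("../../Library/Preferences/evil.plist", "Notes.pdf", "Agenda.ics"):
        try:
            results[name] = safe_attachment_path(store, name).name
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:45} -> {value}")
```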

Kenttälä used this arbitrary file write capability to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.

Undermining Apple's Native Security Controls

The malicious app snuck in without raising any alarm, thanks to a bypass in macOS's Gatekeeper security feature, the thing standing between Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.

Gatekeeper, though, wasn't the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don't improperly access sensitive data and resources. The re-pointing, CVE-2023-40434, with a "low" 3.3 CVSS severity score, opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with "trivial modifications."

"macOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data," explains Callie Guenther, senior manager of cyber threat research for Critical Start. "However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes." Guenther notes, though, that macOS isn't uniquely vulnerable to these kinds of attacks: "Similar vulnerabilities exist in Windows, where System Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities."

For example, she adds, "Attackers have used DLL hijacking or sandbox escape techniques to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries, especially APT groups, find ways to bypass these defenses."

Apple acknowledged and patched the various vulnerabilities in the exploit chain at various points between October 2022 and September 2023.
