Ancient unpatched IOHIDeous vulnerability allows root access to macOS
Apple has a tendency to pride itself on security, but a researcher has released details of a macOS vulnerability that allows for complete system control by an unprivileged user.
A self-described "hobbyist hacker," Siguza, has published details of the exploit, which is thought to have existed, undetected and unpatched, for at least a decade. As well as details of the security flaw, Siguza has also published proof-of-concept code for the IOHIDeous vulnerability on GitHub.
In a highly-detailed write-up, Siguza says that the bug has been present for at least 15 years, but suggests it is possible that it has been around for as much as 25 years. The security researcher sums up the flaw by saying: "Woah. One tiny, ugly bug. Fifteen years. Full system compromise."
News of the vulnerability broke on New Year's Eve with Siguza using a tweet to say:
Fuck it, dropping a macOS 0day. Happy New Year, everyone. https://t.co/oG2nOlUOjk
— Siguza (@s1guza) December 31, 2017
Introducing the vulnerability, the researcher explains:
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.
IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn't know then is that some parts of IOHIDFamily exist only on macOS -- specifically IOHIDSystem, which contains the vulnerability discussed herein.
The exploit accompanying this write-up consists of three parts:
- poc (make poc): Targets all macOS versions, crashes the kernel to prove the existence of a memory corruption.
- leak (make leak): Targets High Sierra, just to prove that no separate KASLR leak is needed.
- hid (make hid): Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS.
Apple is yet to comment on the discovery, but the level of detail publicly provided by Siguza means that a fix can't be far away.