The Hacker News (THN:E828782CB52567D01CA178688A53E3A6)
Jul 14, 2022 - 10:54 a.m.

Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

thehackernews.com
EPSS: 0.001 (percentile: 31.7%)

Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple’s operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware.

“An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads,” Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a write-up.

Tracked as CVE-2022-26706 (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022.

Calling it an access issue affecting the LaunchServices (launchd) component, the iPhone maker noted that “A sandboxed process may be able to circumvent sandbox restrictions,” adding it mitigated the issue with additional restrictions.

While Apple’s App Sandbox is designed to tightly regulate a third-party app’s access to system resources and user data, the vulnerability makes it possible to bypass these restrictions and compromise the machine.

“The sandbox’s primary function is to contain damage to the system and the user’s data if the user executes a compromised app,” Apple explains in its documentation.

“While the sandbox doesn’t prevent attacks against your app, it does reduce the harm a successful attack can cause by restricting your app to the minimum set of privileges it requires to function properly.”

Microsoft said it discovered the flaw during its attempts to figure out a way to escape the sandbox and execute arbitrary commands on macOS by concealing the malicious code in a specially crafted Microsoft Office macro.

Specifically, the tweet-sized proof-of-concept (PoC) devised by the tech giant leverages Launch Services as a means to run an open command (a utility used to open files and launch apps) on a Python payload containing rogue instructions.

But it’s worth noting that any file dropped by a sandboxed app is automatically tagged with the “com.apple.quarantine” extended attribute so as to trigger a prompt requiring the user’s explicit consent prior to execution.

This constraint, however, can be eliminated by utilizing the --stdin option for the open command associated with the Python exploit file.

“--stdin bypassed the ‘com.apple.quarantine’ extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file,” Bar Or said.
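From a detection standpoint, the behaviour described above surfaces as an open invocation carrying --stdin whose parent is a sandboxed Office app. The following is an added example, not code from the article or from Microsoft's write-up; the event field names (pid, parent, cmdline), the parent process names and the sample events are assumptions constructed for illustration.

```python
import shlex

# Assumption: process names a site treats as sandboxed Office apps.
SANDBOXED_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}

def stdin_source(args):
    """Return the path given to --stdin ('--stdin PATH' or '--stdin=PATH'), else None."""
    for i, arg in enumerate(args):
        if arg.startswith("--stdin="):
            return arg.split("=", 1)[1]
        if arg == "--stdin" and i + 1 < len(args):
            return args[i + 1]
    return None

def flag_event(event):
    """Return a finding for 'open --stdin' spawned by a sandboxed parent, else None."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:                      # unbalanced quotes: fall back to naive split
        argv = event["cmdline"].split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "open":
        return None
    if event["parent"] not in SANDBOXED_PARENTS:
        return None
    src = stdin_source(argv[1:])
    if src is None:
        return None
    return {"pid": event["pid"], "parent": event["parent"], "stdin": src}

def scan(events):
    """Run flag_event over process-launch events and keep only the findings."""
    return [f for f in map(flag_event, events) if f]

# Constructed sample events (hypothetical telemetry, not real logs).
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Microsoft Word",
     "cmdline": "/usr/bin/open --stdin '/tmp/constructed sample.txt' -a Python"},
    {"pid": 502, "parent": "Microsoft Word",
     "cmdline": "/usr/bin/open https://example.com"},
    {"pid": 503, "parent": "Terminal",
     "cmdline": "open --stdin=/tmp/input.txt -a TextEdit"},
    {"pid": 504, "parent": "Microsoft Excel",
     "cmdline": "open --stdin=/tmp/constructed.dat -a Python"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The stdin path in each finding is the file to check for the com.apple.quarantine attribute during triage.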
