In a somewhat unorthodox New Year’s gift, a developer detailed a long-unpatched macOS zero-day flaw that could allow an attacker root access for full system compromise, although it cannot be exploited remotely.
Siguza, a hobbyist developer and hacker from Switzerland, described in great detail a zero-day vulnerability, dubbed IOHIDeous, which is said to affect all versions of macOS going back 15 years.
“This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel [read and write] and can be exploited by any unprivileged user,” Siguza wrote in a GitHub post. “IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then [sic] is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.”
Siguza released proof-of-concept (PoC) exploit code for IOHIDeous but noted that not all of the parts have been tested across all versions of macOS. One part of the attack “doesn’t work on High Sierra 10.13.2 anymore,” but Siguza said the vulnerability is still present and may be exploitable in different ways. Siguza successfully tested other portions of the PoC attack on High Sierra; these are either assumed to work on other versions of macOS or stated to be easily adapted for them.
However, while exploiting the IOHIDeous macOS zero-day could allow an attacker to escalate privileges, run arbitrary code and gain root access, Siguza said on Twitter that the risks are somewhat lessened because the flaw is not remotely exploitable and because “triggering [the] bug is pretty noticeable with the entire UI being torn down and whatnot…”
Siguza also commented on why IOHIDeous details were released publicly and not sold either on the dark web or to a bug bounty program.
“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” Siguza wrote on Twitter. “Since neither of those were the case, I figured I’d just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing zero-day ransomware rather than write-ups ;)”
As of the time of this post, Apple has not responded to requests for comment or released information about any potential IOHIDeous patch.