A researcher at Google’s Project Zero has disclosed details of a high-severity security vulnerability in the macOS operating system after Apple failed to release a patch within 90 days of being notified.
Found by researcher Jann Horn and demonstrated by Ian Beer, the vulnerability resides in the way the macOS XNU kernel handles copy-on-write memory. It can allow attackers to manipulate filesystem images without informing the operating system, eventually bypassing the copy-on-write (COW) functionality to cause changes in memory shared between processes, leading to memory corruption attacks.
According to the Project Zero researcher, on Apple’s macOS operating system this copy-on-write behavior works not only with anonymous memory, but also efficiently handles the page tables and memory mappings.
“This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache,” reads the advisory detailing the vulnerability.
“Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.”
The Google researcher found that when a mounted filesystem image is mutated directly (for example, by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
Thus, a malicious program or an attacker can simply make changes to the evicted pages stored on disk without informing the virtual memory management subsystem, tricking the destination processes into loading manipulated malicious content into memory.
“It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process,” the researcher says.
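As an added illustration (not the Project Zero proof of concept and not code from the advisory), the C program below shows on Linux why a private copy-on-write file mapping is not a snapshot of the file, and why the double-read pattern mentioned above is risky. It assumes a writable /tmp and the Linux semantics that an untouched MAP_PRIVATE page still reflects a later pwrite() to the file; the function name second_read_differs is my own.

```c
/* Added illustration for this article, not Project Zero's PoC: on Linux a
 * MAP_PRIVATE file mapping is copy-on-write, so a page the reader has only
 * read still comes from the page cache and reflects a later pwrite() to the
 * file. Validating data through such a mapping and reading it again is a
 * double read; the safe pattern snapshots the bytes into process-owned memory. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { PAGE = 4096 };

/* Create an unlinked temp file holding PAGE bytes of 'A'; returns fd or -1. */
static int make_backing_file(void) {
    char path[] = "/tmp/cow-demo-XXXXXX";          /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                  /* keep the fd, drop the name */
    char buf[PAGE];
    memset(buf, 'A', PAGE);
    if (write(fd, buf, PAGE) != PAGE) { close(fd); return -1; }
    return fd;
}

/* Reads byte 0 through a private mapping, mutates the file with pwrite(),
 * then looks at byte 0 again. With snapshot != 0 the second look goes to a
 * copy made before the mutation (the safe pattern) instead of the mapping.
 * Returns 1 if the second look differs from the first, 0 if not, -1 on error. */
int second_read_differs(int snapshot) {
    int fd = make_backing_file();
    if (fd < 0) return -1;
    unsigned char *map = mmap(NULL, PAGE, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    unsigned char first = map[0];                  /* "validation" read */
    unsigned char copy[PAGE];
    memcpy(copy, map, PAGE);                       /* process-owned snapshot */
    if (pwrite(fd, "B", 1, 0) != 1) { munmap(map, PAGE); close(fd); return -1; }
    unsigned char second = snapshot ? copy[0] : map[0];   /* "use" read */
    munmap(map, PAGE);
    close(fd);
    return first != second;
}

int main(void) {
    printf("re-read via mapping:  changed=%d\n", second_read_differs(0)); /* 1 on Linux */
    printf("re-read via snapshot: changed=%d\n", second_read_differs(1)); /* 0 */
    return 0;
}
```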
In addition to this vulnerability, the Project Zero researcher also found a similar copy-on-write behavior bypass (CVE-2019-6208) by abusing another function on the macOS operating system.
The researcher notified Apple of both vulnerabilities back in November 2018, and the company privately acknowledged the existence of the flaws. While Apple patched the latter flaw in the January 2019 update, the former flaw remains unaddressed even after the 90-day deadline Project Zero gives affected companies.
So, the researchers made the vulnerability public with a “high severity” label and also released the proof-of-concept code that demonstrates the bug, which remains unpatched at the time of writing.