A security researcher, Gergely Kalman, uncovered a severe macOS vulnerability privilege escalation in Apple’s MallocStackLogging framework, which had remained undetected for approximately 20 years. The bug, tracked as
The vulnerability exploited this mechanism to write files to arbitrary locations on the system with the privileges of the affected process.
Critical macOS Vulnerability
The issue resided in the MallocStackLogging framework, a debugging tool included in macOS for decades. This framework is force-loaded into applications whenever specific environment variables, such as MallocStackLoggingDirectory, are set.
The researcher identified three critical weaknesses in Apple’s initial mitigations:
- Insecure File Operations: The
access()function was insufficient for securing file writes, as it could be exploited in a race condition. - Symlink Bypass: The
open()function’sO_NOFOLLOWflag only prevented symlink traversal in the final segment of the file path. - Truncated Filenames: Bugs in the filename generation process could result in truncation, undermining randomization efforts.
Through clever exploitation, the researcher demonstrated how these flaws could be combined to write a file as root with specific contents, potentially enabling privilege escalation. The method involved using the crontab command to execute a malicious script, ultimately granting root access without a password.
“The bug’s impact was significant because it affected privileged and suid root binaries without requiring any special permissions,” explained Kalman in his detailed analysis. The vulnerability stemmed from improper file handling and missing security flags in the framework’s implementation.The exploit chain involved:
- Manipulating the MallocStackLogging environment variables
- Exploiting a missing O_CLOEXEC flag in file operations
- Utilizing the crontab utility to escalate privileges
- Gaining unauthorized root access through modified system files
Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.
The Vulnerability Fix
Apple acted swiftly, deploying fixes in a beta release within three weeks of the report. Updates included:
- Enhanced file operations using
O_NOFOLLOW_ANYandrealpath()to prevent symlink-based attacks. - Proper use of
O_CLOEXECto close file descriptors upon execution of new processes. - Fixes to bugs in filename truncation and randomness.
Despite the fixes, the researcher argued that the framework’s very existence remains risky, as it can still enable other potential exploits.
The Researcher’s Experience
The vulnerability researcher shared insights into the challenges faced while interacting with Apple’s security team:
- Delayed Communication: The company took seven months to adjudicate the bounty and publish the researcher’s credit.
- Underwhelming Bounty: The $22,500 payout was deemed disappointing compared to other Apple bug bounties, especially given the bug’s potential impact across multiple platforms.
- Unpleasant Interactions: Apple’s response included a threat to remove the researcher’s credit, although this was eventually resolved in their favor.
The researcher also criticized Apple’s focus on demonstrated impact rather than potential impact across platforms, urging others to thoroughly weaponize exploits before submitting them.
The researcher noted that missing a crucial macOS vulnerability detail (the absence of O_CLOEXEC) early on prolonged the bug’s exploitation process. Nevertheless, they regarded the discovery as a significant accomplishment, highlighting that the bug had gone unnoticed for over 20 years.
They also offered advice to fellow security researchers, emphasizing the importance of persistence and collaboration to maximize the impact of vulnerability reports.
This case illustrates the challenges of vulnerability discovery and disclosure, especially when dealing with large corporations like Apple. While Apple’s quick deployment of fixes is commendable, the delays and frustrations with their bug bounty program underscore the need for improvements in communication and reward structures for security researchers.
This discovery reinforces the critical role of security researchers in identifying and mitigating software vulnerabilities. While the researcher expressed frustration with Apple’s handling of the process, the case highlights the impact of diligent vulnerability research in strengthening digital security.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar