Right as 2018 began, a security researcher publicly disclosed an unpatched vulnerability in macOS that can be exploited by hackers to gain total control of an affected system.
The researcher, operating under the handle Siguza, released a statement outlining the particulars of the unpatched zero-day macOS security vulnerability, which he suggests is approximately 15 years old.
The proof-of-concept exploit code is available on GitHub.
The bug is a dangerous LPE (Local Privilege Escalation) vulnerability that could allow any unprivileged user not only to gain unlimited access to a targeted device, but also to execute malicious code on it.
Malware created to exploit this particular flaw could fully compromise the targeted system.
While the vulnerability is initially assumed to be 15 years old, some clues give a different perspective, indicating that it could be at least a decade older than the proposed age.
In his write-up, Siguza referred to the vulnerability as a tiny 15-year-old bug, one that leads to a total system compromise.
The LPE vulnerability resides in a distinct extension of the macOS kernel known as IOHIDFamily.
IOHIDFamily is designed for HIDs (Human Interface Devices) such as buttons or touchscreens; the flaw permits an attacker to either execute arbitrary code or install a root shell on the affected system.
In an extensive explanation, the researcher goes on to describe the notoriety of IOHIDFamily in the recent past.
In particular, he detailed the multiple conditions it contained which, in the end, led to some of its major components being rewritten to use command gates, and to large portions being locked down through entitlements.
He further explained that before he identified the zero-day vulnerability, he had been examining IOHIDFamily and trying to determine its source in the hope of subsequently compromising an iOS kernel.
According to him, he was surprised to discover the characteristics of this vulnerability, especially the fact that it resides on macOS. Siguza dubbed his creation IOHIDeous.
It affects every version of the operating system and permits arbitrary read/write in the kernel.
What’s more, IOHIDeous also apparently disables the Apple Mobile File Integrity (AMFI) and System Integrity Protection (SIP) features, which were designed to safeguard against malware.
Siguza wrote proof-of-concept code which works on High Sierra 10.13.2 and High Sierra 10.13.1, although it requires a slight tweak to work on the former.
Siguza also noted that, for his exploit to take full effect, it needs to force the logged-in user to log out, although the exploit can instead be made to run when the targeted device is manually shut down or rebooted.
When asked why he chose to go ahead and dump the discovery online rather than consult with Apple, the researcher said it is because this vulnerability is both remotely exploitable and only affects macOS.
Interestingly, as was pointed out during the infamous High Sierra “root” vulnerability that tarnished Apple’s reputation a few months ago, the tech giant’s bug bounty program does not cover macOS bugs.