macOS Zero Day Found That Was Present Since 2002

A new macOS zero day exploit has been found, and this one has been present in the operating system since 2002. The researcher who found it—Siguza—says it lets any user gain full control of a Mac as long as they have physical access. This means that, luckily, remote exploitation is not possible.

macOS Zero Day

It seems that the exploit isn’t very sophisticated, and it will log the user out once it has been run. However, it affects all versions of macOS, although it stopped working on macOS High Sierra 10.13.2. It’s a local privilege escalation attack, meaning that a local user can gain root access due to a vulnerability in ‘IOHIDFamily’.

Some of the code in the macOS zero day IOHIDeous.

IOHIDFamily is a kernel extension that provides an interface to various human interface devices (HID). It can also be used during iOS app development.

IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.

The exploit the researcher provided is called IOHIDeous, and it’s a proof-of-concept that can permanently disable System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features. These features help protect the machine from malware.

Siguza has already been in contact with Apple, and a security update is sure to follow soon.
