Researcher Publishes PoC Code for High-Severity macOS Sandbox Escape Vulnerability

A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal.

Tracked as CVE-2022-26696 (CVSS score of 7.8), the security defect was identified and reported last year, with a patch available since the release of macOS Monterey 12.4 in May.

In its advisory, Apple notes that the flaw allowed a sandboxed process to circumvent sandbox restrictions, and that improved environment sanitization resolved the issue.

Successful exploitation of the vulnerability would require the attacker to be able to execute low-privileged code on the target system.

“The specific flaw exists within the handling of XPC messages in the LaunchServices component. A crafted message can trigger execution of a privileged operation,” Trend Micro’s Zero Day Initiative (ZDI) explains.

An attacker able to exploit this vulnerability could “escalate privileges and execute arbitrary code in the context of the current user,” ZDI says.

According to SecuRing researcher Wojciech Reguła, who was credited for reporting CVE-2022-26696, the root cause of the bug is that macOS allows sandboxed applications to launch processes that do not inherit the main app’s sandbox profile.

The platform also allows for applications to be spawned with environment variables, and CVE-2022-26696 was identified in this mechanism.

Reguła discovered that a specific function returned ‘Yes’ when a specific environment variable was set, yet some environment variables were not cleared when the function returned ‘Yes’.

This, the researcher says, allowed him to “execute code within the Terminal.app context without any sandbox”.

On Friday, Reguła published details on the code needed to exploit the flaw, as well as a video demonstration on how a weaponized Word document can be used to escape the sandbox and execute code within the Terminal.

“Executing code within the Terminal.app context can be really dangerous as it can also have some TCC permissions already granted,” the researcher points out.

Related: Apple Patches Remote Code Execution Flaws in iOS, macOS

Related: Apple Patches Over 100 Vulnerabilities With Release of macOS Ventura 13

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

 


Original article: https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox-escape-vulnerability
