Cybersecurity firm Trellix says it has discovered a new class of privilege escalation bugs in macOS and iOS that could allow attackers to bypass code signing to execute arbitrary code and gain access to messages, location data, call history and photos.
According to the firm, this could allow sandbox escape on both macOS and iOS. The vulnerabilities range from medium to high severity, with CVSS scores between 5.1 and 7.1. Attackers could use these exploits–which have been fixed in recent updates–to gain access to sensitive information such as a user’s messages, location data, call history and photos.
In a research blog, Trellix details a 2021 bug that allowed for 0-click remote code execution that was used to infect a Saudi activist’s iPhone with the Pegasus malware. The exploits included the initial exploitation of PDF parsing code and sandbox escape.
“While much attention was given to the first exploit, we were much more interested in the second as it described a way to dynamically execute arbitrary code in another process which completely sidestepped code signing,” the company’s researchers say.
Trellix describes that exploit as such:
It involved NSPredicate, an innocent looking class that allows developers to filter lists of arbitrary objects. In reality the syntax of NSPredicate is a full scripting language. The ability to dynamically generate and run code on iOS had been an official feature this whole time. However, this was just the beginning, as this feature revealed an entirely new bug class that completely breaks inter-process security in macOS and iOS.
However, this was not the first example, as a researcher in 2019 discovered how to exploit the mechanics of NSPredicate to run arbitrary code.
The gist of this research was that NSExpression objects, the building blocks of an NSPredicate, could be used to call arbitrary methods on arbitrary classes and objects. Using existing classes in Apple’s private frameworks, it was possible to bypass pointer authentication (PAC) and every other mitigation to call any function. However, the post also describes ways in which Apple has mitigated the dangerousness of these objects, namely through a protocol called NSPredicateVisitor. Classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate. CodeColorist notes at the end of his post that “Without a proper validation, it could be an inter-process attack surface to bypass TCC.”
This led to the discovery of a “large new class of bugs” that allow bypassing code signing to execute arbitrary code in the context of several applications, leading to escalation of privileges and sandbox escape on both operating systems.
Apple has removed features used in previous exploits and added new mitigations to restrict what could be done with NSPredicate using large denylist to prevent the use of certain classes and methods, but Trellix discovered that the new mitigations could be bypassed.
By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before. This bypass was assigned CVE-2023-23530 by Apple. Even more significantly we discovered that nearly every implementation of NSPredicateVisitor could be bypassed. There are many processes with XPC Services (the primary method of high-level inter-process communication on macOS and iOS) that accept NSPredicate arguments and use NSPredicateVisitor to ensure that the provided expression is safe to evaluate. While there is no single implementation as nearly every process has its own version, most use the “expressionType” property to filter out function expressions. The issues reside in the fact that this property can be set in the sending process and is trusted to be accurate by the receiver, rendering the checks useless. This bypass was assigned CVE-2023-23531. These two techniques opened a huge range of potential vulnerabilities that we are still exploring.
According to Trellix, an attacker could use the bugs to access a user’s calendar, address book and photos, as well as install arbitrary applications.
Other vulnerabilities could allow an attacker to read potentially sensitive information from the syslog, or exploit an NSPredicate vulnerability in UIKitCore on the iPad. Attackers could use to achieve code execution inside SpringBoard, a highly privileged app that can access location data, camera, microphone, call history, photos and other sensitive data, as well as wipe the device.
Apple addressed these issues with the release of macOS 13.2 and iOS 16.3, according to the Trellix blog.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!