Happy New Year: Researcher Drops MacOS Zero-Day Root Access Kernel Exploit

To ring in the new year, a security researcher on New Year’s Day disclosed an unpatched security vulnerability that allows a local attacker to take complete control of an affected machine.

“One tiny, ugly bug. Fifteen years. Full system compromise.”

A security researcher going by the pseudonym Siguza has released details of a zero-day macOS vulnerability that, he or she claims, is 15 years old. The proof-of-concept exploit, believed to be still unpatched, has been posted on GitHub.

It is a “macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user,” the researcher wrote. The exploit leverages a critical local privilege escalation (LPE) vulnerability that gives an attacker kernel read and write access – essentially root – on the targeted Apple machine.

After a deeper dive into the source code, the researcher concluded that the vulnerability could have been present since 2002. The LPE flaw resides in an extension of the macOS kernel called IOHIDFamily, which handles human interface devices. Once exploited, it lets the attacker install a root shell or execute arbitrary code on the machine.

“IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements,” wrote Siguza. “I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.”

Siguza eventually developed an exploit dubbed IOHIDeous which, at the time of publishing, affects all versions of macOS and turns the bug into an arbitrary read/write primitive in the kernel.

Before the exploit can be triggered, the logged-in user needs to be forcibly logged out, or the targeted machine must be rebooted or manually shut down.

Crucially, the vulnerability isn’t remotely exploitable, which is why the researcher saw fit to release the findings online instead of reporting them to Apple first. Moreover, Apple’s bug bounty program does not cover bugs in its macOS platform, leaving the researcher little incentive to keep the vulnerability under wraps.

Image credit: Pixabay.