20-Year-Old macOS Vulnerability Allows Attackers To Gain Root Access Remotely

A security researcher uncovered a critical macOS vulnerability involving privilege escalation in Apple’s MallocStackLogging framework, which had gone undetected for nearly 20 years. The bug, tracked as CVE-2023-32428, was discovered in March 2023 and subsequently patched by Apple in October.

The vulnerability exploited this mechanism to write files to arbitrary locations on the system with the privileges of the affected process.

Critical macOS Vulnerability

The issue resided in the MallocStackLogging framework, a debugging tool included in macOS for decades. This framework is force-loaded into applications whenever specific environment variables, such as MallocStackLoggingDirectory, are set.

The researcher identified three critical weaknesses in Apple’s initial mitigations:

1. Insecure File Operations: The access() function was insufficient for securing file writes, as it could be exploited in a race condition.
2. Symlink Bypass: The open() function’s O_NOFOLLOW flag only prevented symlink traversal in the final segment of the file path.
3. Truncated Filenames: Bugs in the filename generation process could result in truncation, undermining randomization efforts.

Through clever exploitation, the researcher demonstrated how these flaws could be combined to write a file as root with specific contents, potentially enabling privilege escalation.

The method involved using the crontab command to execute a malicious script, ultimately granting root access without a password.

“The bug’s impact was significant because it affected privileged and suid root binaries without requiring any special permissions,” explained Kalman in his detailed analysis.

The vulnerability stemmed from improper file handling and missing security flags in the framework’s implementation.The exploit chain involved:

• Manipulating the MallocStackLogging environment variables
• Exploiting a missing O_CLOEXEC flag in file operations
• Utilizing the crontab utility to escalate privileges
• Gaining unauthorized root access through modified system files

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

The Vulnerability Fix

Apple acted swiftly, deploying fixes in a beta release within three weeks of the report. Updates included:

• Enhanced file operations using O_NOFOLLOW_ANY and realpath() to prevent symlink-based attacks.
• Proper use of O_CLOEXEC to close file descriptors upon execution of new processes.
• Fixes to bugs in filename truncation and randomness.

Despite the fixes, the researcher argued that the framework’s very existence remains risky, as it can still enable other potential exploits.

The Researcher’s Experience

The vulnerability researcher shared insights into the challenges faced while interacting with Apple’s security team:

• Delayed Communication: The company took seven months to adjudicate the bounty and publish the researcher’s credit.
• Underwhelming Bounty: The $22,500 payout was deemed disappointing compared to other Apple bug bounties, especially given the bug’s potential impact across multiple platforms.
• Unpleasant Interactions: Apple’s response included a threat to remove the researcher’s credit, although this was eventually resolved in their favor.

The researcher also criticized Apple’s focus on demonstrated impact rather than potential impact across platforms, urging others to thoroughly weaponize exploits before submitting them.

The researcher noted that missing a crucial macOS vulnerability detail (the absence of O_CLOEXEC) early on prolonged the bug’s exploitation process.

Nevertheless, they regarded the discovery as a significant accomplishment, highlighting that the bug had gone unnoticed for over 20 years.

They also offered advice to fellow security researchers, emphasizing the importance of persistence and collaboration to maximize the impact of vulnerability reports.

This case illustrates the challenges of vulnerability discovery and disclosure, especially when dealing with large corporations like Apple.

While Apple’s quick deployment of fixes is commendable, the delays and frustrations with their bug bounty program underscore the need for improvements in communication and reward structures for security researchers.

This discovery reinforces the critical role of security researchers in identifying and mitigating software vulnerabilities.

While the researcher expressed frustration with Apple’s handling of the process, the case highlights the impact of diligent vulnerability research in strengthening digital security.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar