A critical flaw impacting macOS has been uncovered that gives unauthorized users, including those with guest access, the capacity to escalate privileges and take complete root control of the system.
According to security researcher Yann Gascuel of Alter Solutions, the core of CVE-2023-42931 is the abuse of the “diskutil” command line utility, which allows local users, including guests, to mount filesystems with particular settings that may escalate privileges.
Apple has fixed this critical issue in its most recent security upgrades.
Any local user (including “guest”) can mount filesystems on a macOS system using the “diskutil” command line utility. This command accepts mount options via its “-mountOptions” argument.
According to the researcher, two mount options might be of interest to cause a privilege escalation:
The first one is owners/noowners, which allows or prohibits support for user ownership. The other one is suid/nosuid, which turns on or off support for setuid and setgid bits.
An attacker could use the diskutil -mountOptions parameter to mount a filesystem with the “noowners” flag, replace a root-owned file with an arbitrary binary and set the setuid bit on it. Remounting the filesystem in “owners” mode would then enable a privilege escalation.
It turns out that sensitive system files and directories are protected from modification at the kernel level by a mechanism called SIP (for “System Integrity Protection”), which means that not even the root user can change them.
Using a “.file” placeholder file in the root filesystem, which satisfied all requirements for the exploit to succeed, the researcher was able to identify a workable exploit path.
The vulnerability has been fixed in macOS versions 14.2, 13.6.3 and 12.7.2.
Apple said that “The issue was addressed with improved checks”.
Therefore, it is recommended that macOS users patch their systems as soon as feasible.
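The following is an added defender-side example, not code from the article or from Alter Solutions. It covers the two points above: it checks a reported macOS version against the fixed releases the article lists (14.2, 13.6.3, 12.7.2), and it parses `mount`-style output lines to flag volumes whose options combine the two settings the researcher highlights (“noowners” set while setuid support is still on). The mount lines are constructed for the example; treating releases newer than 14.x as patched, and releases older than 12 as unpatched, is an assumption the article does not state.

```python
"""
Added example (not from the original article or from Alter Solutions):
a small audit helper for CVE-2023-42931.

1. is_patched(): is a given macOS version at or above the fix release?
2. risky_mounts(): which mounted volumes show 'noowners' without 'nosuid'?

The sample mount output below is constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Fix versions stated in the article, keyed by major release.
FIXED_VERSIONS = {
    14: (14, 2, 0),
    13: (13, 6, 3),
    12: (12, 7, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.6.3' or '14.2' into a 3-tuple for comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> bool:
    """True when the given macOS version includes the CVE-2023-42931 fix.

    Assumption (not stated in the article): releases newer than 14.x are
    treated as patched; releases older than 12 are treated as not patched
    because the article lists no fix for them.
    """
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[major]
    return major > 14


# macOS `mount` prints lines like:
#   /dev/disk4s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)
MOUNT_LINE = re.compile(r"^(?P<dev>\S+) on (?P<path>.+?) \((?P<opts>[^)]*)\)\s*$")


def parse_mount_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split one mount line into (device, mount point, option list)."""
    m = MOUNT_LINE.match(line)
    if not m:
        return None
    opts = [o.strip() for o in m.group("opts").split(",")]
    return m.group("dev"), m.group("path"), opts


def risky_mounts(lines: List[str]) -> List[str]:
    """Return mount points where 'noowners' is set and 'nosuid' is absent.

    `mount` shows 'nosuid' only when setuid support is off and 'noowners'
    only when ownership is ignored, so a volume listing noowners without
    nosuid carries the option combination the article describes.
    """
    hits = []
    for line in lines:
        parsed = parse_mount_line(line)
        if parsed is None:
            continue
        _, path, opts = parsed
        if "noowners" in opts and "nosuid" not in opts:
            hits.append(path)
    return hits


# Constructed sample output; only /Volumes/Scratch should be flagged.
SAMPLE_MOUNT_OUTPUT = [
    "/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)",
    "/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse)",
    "/dev/disk4s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)",
    "/dev/disk5s1 on /Volumes/Scratch (apfs, local, nodev, noowners, journaled)",
]

if __name__ == "__main__":
    for ver in ("12.7.1", "13.6.3", "14.1", "14.2"):
        print(ver, "patched" if is_patched(ver) else "NOT patched")
    print("volumes with noowners and suid support:", risky_mounts(SAMPLE_MOUNT_OUTPUT))
```

On a live system the version string comes from `sw_vers -productVersion` and the mount lines from `mount`; the example keeps both as inline data so it runs anywhere. A hit from `risky_mounts` is a prompt to review who mounted the volume and whether `nosuid` should be enforced, not proof of compromise.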