A security expert who uses the online moniker Siguza has made public the details and proof-of-concept (PoC) code for a local privilege escalation vulnerability affecting all versions of the macOS operating system. The flaw, which the researcher described as a “zero day,” allows a malicious application installed on the targeted system to execute arbitrary code and obtain root privileges.
Apple is working on a patch for the vulnerability and has shared some mitigation advice for users to follow until the fix becomes available.
“Apple is committed to the security of our customers’ devices and data, and we plan to patch this issue in a software update later this month,” Apple said in a statement emailed to SecurityWeek. “Since exploiting the vulnerability requires a malicious app to be loaded on your Mac, we recommend downloading software only from trusted sources such as the Mac App Store.”
The flaw affects IOHIDFamily, a kernel extension designed for human interface devices (e.g. touchscreens and buttons). Siguza discovered that some security bugs in this component introduce a kernel read/write vulnerability, which he has dubbed IOHIDeous.
The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.
The PoC exploit is not stealthy, as it needs to force a logout of the legitimate user. However, the researcher said an attacker could design an exploit that is triggered when the targeted device is manually rebooted or shut down.
Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes it can be adapted for version 10.13.2 as well.
The vulnerability has been around since at least 2002, but it could actually be much older.
Siguza says he is not concerned that malicious actors will abuse his PoC exploit, as the vulnerability is not remotely exploitable. The hacker claims he would have privately disclosed the flaw to Apple had it been remotely exploitable or had the tech giant’s bug bounty program covered macOS.