A high-severity vulnerability in Apple’s macOS has been disclosed by a security researcher at Google’s Project Zero. The team publicly released the details and a proof-of-concept exploit after Apple failed to ship a patch within 90 days of being notified.
The flaw was discovered by Project Zero researcher Jann Horn and demonstrated by Ian Beer. It resides in the way the macOS XNU kernel lets an attacker modify mounted filesystem images without informing the operating system.
The vulnerability could let an attacker or a malicious program bypass the copy-on-write (COW) protection and make unexpected changes to memory shared between processes, which can eventually lead to memory corruption attacks.
Copy-on-write (COW) is a resource-management optimization strategy used in computer programming.
If a process (the destination) needs a file or data that is already in memory but was created by another process (the source), both processes can share the same resource instead of creating a new copy. This avoids spending resources on copies that are never modified.
If the source process later wants to change the data, copy-on-write kicks in and creates a separate copy in memory, so that the destination process can still access the original data.
The Project Zero researcher states that on Apple’s macOS this copy-on-write behavior applies not only to anonymous memory but also to page tables and memory mappings.
According to the advisory, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
The researchers found that when a mounted filesystem image is mutated directly, this change is not propagated to the mounted filesystem. An attacker can therefore modify evicted pages on disk without the virtual memory subsystem noticing, fooling the destination process into reloading manipulated, malicious content into memory.
It is therefore important that the copied memory is protected from later modification by the source process; otherwise the source process could exploit double-reads in the destination process.
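The copy-on-write semantics described above, illustrated with a small added example that is not from the advisory or Project Zero's proof-of-concept: it maps a scratch file in /tmp with MAP_PRIVATE (a COW view), dirties one page, then changes the file through the normal write path. The page the mapper wrote to keeps its private copy, while the page it only read stays tied to the backing file, which is exactly the kind of shared view the attack above relies on.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed demonstration of copy-on-write file mappings (not Project Zero's PoC).
 * A MAP_PRIVATE mapping is a COW view of a file: the kernel only gives the mapper a
 * private page once it writes to that page. Pages it merely reads keep pointing at the
 * shared page-cache copy, so they follow whatever the backing file says later on.
 * Stores the first byte seen at each location in the out-parameters; returns 0 on
 * success, -1 on any failure. */
int cow_mapping_demo(char *touched_page, char *untouched_page, char *file_first) {
    long pg = sysconf(_SC_PAGESIZE);
    char tmpl[] = "/tmp/cow_demo_XXXXXX";          /* constructed scratch file */
    char *buf = malloc(2 * pg);
    int fd = mkstemp(tmpl);
    if (!buf || fd < 0) { free(buf); if (fd >= 0) close(fd); return -1; }
    unlink(tmpl);                                   /* file lives on through fd */
    memset(buf, 'A', 2 * pg);                       /* file content: two pages of 'A' */
    if (write(fd, buf, 2 * pg) != 2 * pg) { free(buf); close(fd); return -1; }
    char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { free(buf); close(fd); return -1; }

    map[0] = 'M';                   /* write fault: page 0 becomes a private copy */
    volatile char peek = map[pg];   /* read fault: page 1 stays shared with the cache */
    (void)peek;

    /* The file now changes underneath the mapping, via write(2), not via the mapping. */
    memset(buf, 'B', 2 * pg);
    int rc = (pwrite(fd, buf, 2 * pg, 0) == 2 * pg &&
              pread(fd, file_first, 1, 0) == 1) ? 0 : -1;
    *touched_page = map[0];         /* 'M': the private copy no longer tracks the file */
    *untouched_page = map[pg];      /* unspecified by POSIX; Linux shows the new 'B' */
    munmap(map, 2 * pg);
    close(fd);
    free(buf);
    return rc;                      /* file_first is 'B': map[0]='M' never hit the file */
}

int main(void) {
    char t, u, f;
    if (cow_mapping_demo(&t, &u, &f) != 0) return 1;
    printf("touched page: %c  untouched page: %c  file on disk: %c\n", t, u, f);
    return 0;
}
```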
Besides this vulnerability, the researcher also found a similar copy-on-write bypass (CVE-2019-6208) that abused another function of the macOS operating system.
The researcher reported both vulnerabilities to Apple in November last year, and the company privately acknowledged the flaws. Apple patched the latter flaw in its January 2019 update, but the former remained unpatched after the 90-day deadline Project Zero gives affected vendors.
The researchers made the vulnerability public with a “high severity” label and released proof-of-concept code that demonstrates the bug, which remains unpatched.
Apple is currently working with the Project Zero team on a fix, which may be included in a future macOS release.