A researcher ended 2017 with a bang by releasing details of a macOS kernel exploit, based on an IOHIDFamily zero-day, that affects all Mac operating systems.

Credit: Apple

On New Year’s Eve, a security researcher going by Siguza decided to drop a macOS zero-day exploit without giving Apple a heads-up warning to fix the flaw.

“Woah. One tiny, ugly bug. Fifteen years. Full system compromise,” the self-described “hobbyist hacker” said in a highly detailed “IOHIDeous” write-up about the bug, which has been lurking for at least 15 years and affects all Mac operating systems.

“A macOS kernel exploit based on an IOHIDFamily 0day,” he added in the proof-of-concept zero-day code published on GitHub.

While the vulnerability is now in the wild, the bug is a local privilege escalation (LPE) flaw that can be exploited only if an attacker already has local access to the Mac, or has previously pwned the computer. Exploiting it, however, would give an attacker root access.

Siguza’s announcement set off a flurry of New Year’s Eve fireworks on Twitter. When asked why he didn’t sell the exploit to either governments or black hats, Siguza tweeted:

My primary goal was to get the write-up out for people to read. I wouldn’t sell to black hats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable. Since neither of those were the case, I figured I’d just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing 0day ransomware rather than write-ups 😉

Bug allows root access to Macs

The bug, which has been present in macOS for more than a decade, could allow an attacker to get root access. But first, the user has to log out.
Siguza suggested the possibility of an attacker using a “sleeper program” that would trigger when a user logs off, reboots or shuts down the Mac.

Under the header of “wreaking havoc,” Siguza noted, “Getting root is trivial with ROP.” While they are at it, attackers could disable the protections afforded by System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), and install a root shell.

As previously noted, the write-up about the zero-day is extensive and detailed. Not everyone grasped the actual flaw, so when asked for a tl;dr explanation, Siguza replied:

Any user on the machine -> full system compromise.

When the discussion rolled around to the name-blame-shame game, Siguza said he didn’t look for and release the flaw “out of hate,” but “out of love” for the “craft of hacking.” Although he does not claim to be a white hat, he said that if he wanted to actually hurt people, he would have “found some remotely triggerable vuln, written some ransomware worm and not done a write-up on it.”

Nevertheless, some folks were not happy with Siguza. To those people, he responded:

People mad at me for dropping a 0day and making them vulnerable: what’s your threat model? If it’s script kiddies, you’re safe because it’s just a LPE and nothing remote. If it’s people who can get remote code exec, what makes you think they don’t have kernel r/w as well anyway?