Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices
Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple’s operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional
Microsoft on Wednesday shed light on a now-patched security vulnerability in Apple’s operating systems that, if successfully exploited, lets a sandboxed app break out of the App Sandbox, run arbitrary commands with the user’s privileges and deploy additional malware.
“An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads,” Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a write-up.
Tracked as CVE-2022-26706 (CVSS score: 5.5), the vulnerability affects iOS, iPadOS, macOS, tvOS and watchOS. Apple fixed it in May 2022 in iOS 15.5, iPadOS 15.5, macOS Big Sur 11.6.6, macOS Monterey 12.4, tvOS 15.5 and watchOS 8.6.
Apple’s advisory describes it as an access issue in the LaunchServices component, the framework that decides which application opens a file and launches it on a caller’s behalf (not launchd, the init daemon). The advisory summarises the impact as “A sandboxed process may be able to circumvent sandbox restrictions” and says the issue was addressed with additional restrictions.
While Apple’s App Sandbox is designed to tightly regulate a third-party app’s access to system resources and user data, the flaw lets a sandboxed app run code outside those restrictions with the user’s full privileges.
“The sandbox’s primary function is to contain damage to the system and the user’s data if the user executes a compromised app,” Apple explains in its documentation.
“While the sandbox doesn’t prevent attacks against your app, it does reduce the harm a successful attack can cause by restricting your app to the minimum set of privileges it requires to function properly.”
Microsoft said it discovered the flaw while investigating how malicious code concealed in a specially crafted Microsoft Office macro could escape the sandbox that Office for Mac runs in and execute arbitrary commands on macOS.
Specifically, the tweet-sized proof-of-concept (PoC) devised by Microsoft uses the open command, a utility that asks Launch Services to open files and launch apps, to start the Python interpreter on a payload file containing the rogue instructions. Because Launch Services, rather than the sandboxed app, spawns the target, the resulting Python process is not confined by the caller’s sandbox.
Any file dropped by a sandboxed app, however, is tagged with the com.apple.quarantine extended attribute, so opening the script through Launch Services would normally trigger a prompt requiring the user’s explicit consent before it runs.
That constraint is sidestepped by handing the script to Python through the open command’s --stdin option rather than as a file argument: the interpreter reads the payload from standard input instead of opening the quarantined file itself.
“--stdin bypassed the ‘com.apple.quarantine’ extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file,” Bar Or said.
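One practical takeaway for defenders, given as an added example that is not part of Microsoft’s write-up or Apple’s fix: the escape leaves a distinctive process-execution trace, a sandboxed app spawning open with a --stdin argument pointing at a file on disk and -a naming an interpreter. The Python below parses that argv shape (including the --args case, where a later --stdin belongs to the launched app rather than to open) and runs it over constructed events; the event field names (pid, parent, argv), the interpreter list and the sandboxed-parent list are assumptions, not anything the page or Apple defines.

```python
"""Flag `open --stdin <file> -a <interpreter>` launches in process telemetry.

Added example; not Microsoft's PoC and not Apple's code. The events below are
constructed, and their field names (pid, parent, argv) are an assumption about
what an EDR or Endpoint Security client exports.
"""
import os
from dataclasses import dataclass

# Apps that execute whatever arrives on standard input. Python is the one the
# Microsoft write-up used; the rest are assumed equivalents for the same trick.
STDIN_INTERPRETERS = {"python", "python3", "perl", "ruby", "osascript", "bash", "sh", "zsh"}

# Sandboxed parents for which this launch pattern is essentially never
# legitimate. Constructed list; tune it to the fleet being monitored.
SANDBOXED_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}


@dataclass(frozen=True)
class Finding:
    pid: int
    parent: str
    app: str
    stdin_path: str
    severity: str


def parse_open_argv(argv):
    """Return (app, stdin_path) for an `open` invocation that uses --stdin,
    otherwise (None, None).

    Handles `--stdin PATH`, `--stdin=PATH` (the man-page spelling) and the
    single-dash `-stdin` spelling quoted in the write-up. Anything after
    `--args` is passed through to the launched application rather than
    interpreted by open, so parsing stops there.
    """
    if not argv or os.path.basename(argv[0]) != "open":
        return None, None
    app = None
    stdin_path = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--args":
            break
        if arg == "-a" and i + 1 < len(argv):
            app = argv[i + 1]
            i += 2
            continue
        if arg in ("--stdin", "-stdin") and i + 1 < len(argv):
            stdin_path = argv[i + 1]
            i += 2
            continue
        if arg.startswith(("--stdin=", "-stdin=")):
            stdin_path = arg.split("=", 1)[1]
        i += 1
    if stdin_path is None:
        return None, None
    return app, stdin_path


def interpreter_name(app):
    """Normalise `-a` values such as 'Python', '/path/Python.app' or 'python3'."""
    if app is None:
        return None
    name = os.path.basename(app.rstrip("/")).lower()
    return name[:-4] if name.endswith(".app") else name


def detect(events):
    """Return a Finding for every event where open feeds a file on disk to an
    interpreter over stdin. The parent decides severity: from a sandboxed
    Office app this is the exact shape of the CVE-2022-26706 escape."""
    findings = []
    for ev in events:
        app, stdin_path = parse_open_argv(ev["argv"])
        if stdin_path is None:
            continue
        name = interpreter_name(app)
        if name not in STDIN_INTERPRETERS:
            continue
        severity = "high" if ev["parent"] in SANDBOXED_PARENTS else "medium"
        findings.append(Finding(ev["pid"], ev["parent"], name, stdin_path, severity))
    return findings


# Constructed process-execution events (not real telemetry; paths are made up).
SAMPLE_EVENTS = [
    # Shape of the Microsoft PoC: Word spawns open, Python reads the dropped
    # (quarantined) script over stdin, so the quarantine prompt never fires.
    {"pid": 4242, "parent": "Microsoft Word",
     "argv": ["/usr/bin/open", "--stdin=/tmp/sh.py", "-a", "Python"]},
    # Same technique, single-dash spelling, app given as a bundle path.
    {"pid": 4243, "parent": "Microsoft Excel",
     "argv": ["open", "-stdin", "/private/tmp/x.py", "-a", "/Applications/Python.app"]},
    # Benign: the same parent opening a PDF in the default handler.
    {"pid": 4244, "parent": "Microsoft Word",
     "argv": ["/usr/bin/open", "/Users/alice/report.pdf"]},
    # Interactive user doing the same from Terminal: odd, but not a sandbox escape.
    {"pid": 4245, "parent": "Terminal",
     "argv": ["open", "-a", "Python", "--stdin", "/Users/alice/notes.py"]},
    # `--stdin` after `--args` is Python's argument, not open's: no finding.
    {"pid": 4246, "parent": "Microsoft Word",
     "argv": ["open", "-a", "Python", "--args", "--stdin", "/tmp/y.py"]},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent!r} app={f.app} stdin={f.stdin_path}")
```

The rule keys on argument shape rather than on a file hash precisely because the payload never needs to be a known binary: any text on disk, quarantined or not, becomes executable the moment an interpreter reads it from stdin. Patching to the May 2022 releases removes the escape; the detection remains useful for spotting the attempt on unpatched hosts and for catching other ways of abusing open from a sandboxed parent.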
Related news
An authentication issue was addressed with improved state management. This issue is fixed in tvOS 15.5. A local user may be able to enable iCloud Photos without authentication.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. An application may be able to execute arbitrary code with kernel privileges.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service.
Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-5 - watchOS 8.6 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-2 - macOS Monterey 12.4 addresses buffer overflow, bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-1 - iOS 15.5 and iPadOS 15.5 addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.