{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2017-7170/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2017-7170"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","macos","cve-2017-7170"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eCVE-2017-7170 is a now-patched, but historically significant, local privilege escalation vulnerability affecting macOS. The vulnerability resides in the insecure implementation of the \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e API. This API, intended for executing binaries with elevated privileges after user authentication, lacks proper validation of the binary path. An unprivileged attacker could potentially manipulate the binary executed via \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e, or more subtly, sniff the externalized authorization reference passed to \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e and reuse it to perform actions as root. The issue was disclosed in March 2020, although the CVE was assigned earlier.\nWhile this vulnerability has been patched, understanding its exploitation provides valuable insight into macOS security mechanisms and potential attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user executes a legitimate application (e.g., an installer) that utilizes the \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e function externalizes the authorization reference via \u003ccode\u003eAuthorizationMakeExternalForm\u003c/code\u003e creating an \u003ccode\u003eAuthorizationExternalForm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application invokes \u003ccode\u003eAuthorizationExecuteWithPrivilegesExternalForm\u003c/code\u003e, passing the externalized authorization reference.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAuthorizationExecuteWithPrivilegesExternalForm\u003c/code\u003e executes the setuid binary \u003ccode\u003e/usr/libexec/security_authtrampoline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e process invokes \u003ccode\u003eAuthorizationCopyRights\u003c/code\u003e, generating an XPC message to \u003ccode\u003eauthd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system prompts the user for authentication via the Security Agent.\u003c/li\u003e\n\u003cli\u003eAn attacker sniffs the externalized authorization reference passed to the \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker reuses the captured authorization reference to execute arbitrary commands with root privileges, bypassing intended security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2017-7170 allows a local, unprivileged attacker to gain complete\ncontrol of the affected macOS system. This could lead to arbitrary code execution as root, installation of malware, data theft, or denial of service. While the vulnerability has been patched, systems that have not been updated remain vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Execution of Security Authtrampoline\u0026rdquo; to identify potential exploitation attempts even on patched systems by monitoring for unusual invocations of \u003ccode\u003e/usr/libexec/security_authtrampoline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to facilitate the detection of suspicious activity related to privilege escalation (reference the logsource in the Sigma rules).\u003c/li\u003e\n\u003cli\u003eWhile a direct fix isn\u0026rsquo;t possible given the patch status, monitor for applications using deprecated APIs such as \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e within your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-26-macos-privesc-cve-2017-7170/","summary":"CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.","title":"macOS Local Privilege Escalation via CVE-2017-7170","url":"https://feed.craftedsignal.io/briefs/2024-01-26-macos-privesc-cve-2017-7170/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2017-7170","version":"https://jsonfeed.org/version/1.1"}