Cve-2017-7170 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2017-7170/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 18:00:00 +0000macOS Local Privilege Escalation via CVE-2017-7170https://feed.craftedsignal.io/briefs/2024-01-26-macos-privesc-cve-2017-7170/Fri, 26 Jan 2024 18:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-macos-privesc-cve-2017-7170/CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.CVE-2017-7170 is a now-patched, but historically significant, local privilege escalation vulnerability affecting macOS. The vulnerability resides in the insecure implementation of the AuthorizationExecuteWithPrivileges API. This API, intended for executing binaries with elevated privileges after user authentication, lacks proper validation of the binary path. An unprivileged attacker could potentially manipulate the binary executed via AuthorizationExecuteWithPrivileges, or more subtly, sniff the externalized authorization reference passed to security_authtrampoline and reuse it to perform actions as root. The issue was disclosed in March 2020, although the CVE was assigned earlier. While this vulnerability has been patched, understanding its exploitation provides valuable insight into macOS security mechanisms and potential attack vectors.

Attack Chain

  1. An unprivileged user executes a legitimate application (e.g., an installer) that utilizes the AuthorizationExecuteWithPrivileges API.
  2. The AuthorizationExecuteWithPrivileges function externalizes the authorization reference via AuthorizationMakeExternalForm creating an AuthorizationExternalForm.
  3. The application invokes AuthorizationExecuteWithPrivilegesExternalForm, passing the externalized authorization reference.
  4. AuthorizationExecuteWithPrivilegesExternalForm executes the setuid binary /usr/libexec/security_authtrampoline.
  5. The security_authtrampoline process invokes AuthorizationCopyRights, generating an XPC message to authd.
  6. The system prompts the user for authentication via the Security Agent.
  7. An attacker sniffs the externalized authorization reference passed to the security_authtrampoline process.
  8. The attacker re-uses the captured authorization reference to execute arbitrary commands with root privileges, bypassing intended security controls.

Impact

Successful exploitation of CVE-2017-7170 allows a local, unprivileged attacker to gain complete control of the affected macOS system. This could lead to arbitrary code execution as root, installation of malware, data theft, or denial of service. While the vulnerability has been patched, systems that have not been updated remain vulnerable.

Recommendation

  • Deploy the Sigma rule “Detect Execution of Security Authtrampoline” to identify potential exploitation attempts even on patched systems by monitoring for unusual invocations of /usr/libexec/security_authtrampoline.
  • Enable process monitoring with command-line argument logging to facilitate the detection of suspicious activity related to privilege escalation (reference the logsource in the Sigma rules).
  • While a direct fix isn’t possible given the patch status, monitor for applications using deprecated APIs such as AuthorizationExecuteWithPrivileges within your environment.
]]>criticaladvisoryprivilege-escalationmacoscve-2017-7170