Attack Chain

1. An attacker (or a system utility like TaskExplorer) attempts to enumerate loaded libraries of a process.
2. TaskExplorer executes the vmmap command, targeting a specific process ID (PID).
3. The vmmap utility starts and is given PID 1 as a command-line argument.
4. vmmap invokes task_suspend to suspend the target process (launchd) before taking a memory snapshot.
5. vmmap attempts to symbolicate the memory regions of the suspended process via the CoreSymbolication framework, calling CoreSymbolication'mmap_storage_daemon.
6. The CoreSymbolication framework makes XPC calls, including xpc_connection_resume, which are routed to launchd.
7. Because launchd is suspended, the XPC requests are never serviced, specifically a call to libxpc’s _xpc_look_up_endpoint for com.apple.coresymbolicationd.
8. This blocked XPC call deadlocks the system, as vmmap waits for a response from launchd, but launchd cannot respond because it is suspended by vmmap. The entire system becomes unresponsive, requiring a hard reboot.

Impact

Successful exploitation of this bug results in a complete system lockup on macOS Mojave. The user loses any unsaved data and must perform a hard reboot to restore functionality. While the bug does not directly lead to data theft or code execution, it causes significant disruption and data loss. This affects any user running macOS Mojave who attempts to run vmmap against PID 1, either directly or indirectly through a utility like TaskExplorer.

Recommendation

• Deploy the Sigma rule Detect vmmap Execution Against PID 1 to detect direct attempts to exploit this bug via command-line execution.
• Investigate any system lockups on macOS Mojave systems and correlate them with vmmap executions, using the macOS Mojave System Lockup via vmmap rule as a starting point.
• Consider blocking execution of vmmap with PID 1 as an argument via endpoint detection and response (EDR) tools, preventing the vulnerability from being triggered.