{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vmmap/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS Mojave"],"_cs_severities":["high"],"_cs_tags":["macos","lockup","vmmap","pid1"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA denial-of-service bug in macOS Mojave (10.14) causes a complete system lockup when the \u003ccode\u003evmmap\u003c/code\u003e utility is run against process ID 1, which is always \u003ccode\u003elaunchd\u003c/code\u003e. The issue surfaced when users of the TaskExplorer utility, which runs \u003ccode\u003evmmap\u003c/code\u003e to enumerate the dynamic libraries loaded in other processes, reported that the tool froze their machines. The root cause is that \u003ccode\u003evmmap\u003c/code\u003e suspends the target process before enumerating its memory regions. When the target is \u003ccode\u003elaunchd\u003c/code\u003e, that suspension also stalls \u003ccode\u003evmmap\u003c/code\u003e's own symbolication step, which reaches the \u003ccode\u003ecom.apple.coresymbolicationd\u003c/code\u003e service through an XPC lookup that only \u003ccode\u003elaunchd\u003c/code\u003e can answer. The lookup never returns, \u003ccode\u003evmmap\u003c/code\u003e never resumes \u003ccode\u003elaunchd\u003c/code\u003e, and the system hangs until it is hard-rebooted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user, a local attacker, or a tool such as TaskExplorer sets out to enumerate the libraries loaded in a process and delegates the job to \u003ccode\u003evmmap\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e is executed with PID 1 (\u003ccode\u003elaunchd\u003c/code\u003e) as its target, either typed at a shell or because the calling tool runs it against every process of interest.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e calls \u003ccode\u003etask_suspend\u003c/code\u003e on \u003ccode\u003elaunchd\u003c/code\u003e so that it can take a consistent snapshot of the memory map.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e then symbolicates the snapshotted regions through the CoreSymbolication framework, entering \u003ccode\u003eCoreSymbolication'mmap_storage_daemon\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCoreSymbolication opens an XPC connection to its helper daemon (\u003ccode\u003expc_connection_resume\u003c/code\u003e); resolving that connection's endpoint is a request to \u003ccode\u003elaunchd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e blocks in \u003ccode\u003elibxpc\u003c/code\u003e's \u003ccode\u003e_xpc_look_up_endpoint\u003c/code\u003e waiting for \u003ccode\u003ecom.apple.coresymbolicationd\u003c/code\u003e to be looked up, but \u003ccode\u003elaunchd\u003c/code\u003e, the only process that can answer, is suspended.\u003c/li\u003e\n\u003cli\u003eThe two processes are deadlocked: \u003ccode\u003evmmap\u003c/code\u003e waits on \u003ccode\u003elaunchd\u003c/code\u003e, and \u003ccode\u003elaunchd\u003c/code\u003e cannot run until \u003ccode\u003evmmap\u003c/code\u003e resumes it. Because \u003ccode\u003elaunchd\u003c/code\u003e also brokers every other process's XPC lookups and launches, the entire system becomes unresponsive and a hard reboot is required.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTriggering the bug locks up a macOS Mojave system completely. The user loses any unsaved work and must hard-reboot to recover. This is a local denial of service rather than a path to data theft or code execution, but it takes a single command to trigger, and legitimate diagnostic tooling such as TaskExplorer can trigger it by accident. Any macOS Mojave user who runs \u003ccode\u003evmmap\u003c/code\u003e against PID 1, directly or through a utility that wraps it, is affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect vmmap Execution Against PID 1\u003c/code\u003e to catch direct command-line attempts to trigger this bug. Note that \u003ccode\u003evmmap\u003c/code\u003e also accepts a partial executable name as its target, so \u003ccode\u003evmmap launchd\u003c/code\u003e reaches PID 1 as well; a rule keyed only on the literal argument \u003ccode\u003e1\u003c/code\u003e misses it.\u003c/li\u003e\n\u003cli\u003eInvestigate any system lockup on a macOS Mojave host and correlate it with preceding \u003ccode\u003evmmap\u003c/code\u003e executions, using the \u003ccode\u003emacOS Mojave System Lockup via vmmap\u003c/code\u003e rule as a starting point.\u003c/li\u003e\n\u003cli\u003eConsider having endpoint detection and response (EDR) tooling block \u003ccode\u003evmmap\u003c/code\u003e when its target is PID 1 or \u003ccode\u003elaunchd\u003c/code\u003e, so the deadlock cannot be triggered at all.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vmmap-mojave-lockup/","summary":"A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.","title":"macOS Mojave System Lockup via vmmap Utility Targeting PID 1","url":"https://feed.craftedsignal.io/briefs/2024-01-vmmap-mojave-lockup/"}],"language":"en","title":"CraftedSignal Threat Feed — Vmmap","version":"https://jsonfeed.org/version/1.1"}
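Worked example for the Recommendation section of the brief above: a small Python detection that classifies process-execution events and flags `vmmap` runs whose target is `launchd`, whether it is named by PID (`1`, including forms like `01`) or by name (`vmmap` accepts a partial executable name, which a rule keyed only on the literal `1` would miss). This is an added example, not code from CraftedSignal, Apple, or TaskExplorer. The event schema (`pid`, `user`, `image`, and either an `argv` list or a `cmdline` string), the sample events in `SAMPLE_LOG`, the `xcrun vmmap ...` unwrapping, and the assumption that `vmmap`'s options are all bare switches are the example's own.

```python
"""Flag vmmap invocations that target launchd (PID 1) on macOS.

Added example for the brief above; not code from CraftedSignal, Apple, or
TaskExplorer. SAMPLE_LOG is a constructed, simplified process-execution log
(one JSON object per line with "pid", "user", "image" and either an "argv"
list or a "cmdline" string). Real EDR and Endpoint Security event schemas
differ, so map the field names before pointing scan() at production data.
"""
import json
import os
import shlex

LAUNCHD_PID = 1
LAUNCHD_NAME = "launchd"

# Constructed sample events; PIDs, users and paths are made up.
SAMPLE_LOG = """
{"pid": 4312, "user": "root", "image": "/usr/bin/vmmap", "argv": ["vmmap", "1"]}
{"pid": 4313, "user": "root", "image": "/usr/bin/vmmap", "argv": ["vmmap", "-w", "-resident", "launchd"]}
{"pid": 4314, "user": "alice", "image": "/usr/bin/vmmap", "argv": ["vmmap", "4301"]}
{"pid": 4315, "user": "root", "image": "/usr/bin/xcrun", "cmdline": "xcrun vmmap -pages 1"}
{"pid": 4316, "user": "alice", "image": "/bin/ls", "argv": ["ls", "1"]}
{"pid": 4317, "user": "root", "image": "/usr/bin/vmmap", "argv": ["vmmap"]}
"""


def vmmap_target(argv, image=None):
    """Return what vmmap was pointed at, or None if this is not a vmmap run.

    vmmap's synopsis is `vmmap [options] pid | partial-executable-name` and
    its options are bare switches, so the first token not starting with '-'
    is the target. Assumption: no option takes a separate value; extend the
    loop if a newer vmmap adds one. A leading `xcrun` (without xcrun flags)
    is unwrapped so `xcrun vmmap 1` is classified like `vmmap 1`.
    """
    argv = list(argv)
    if not argv:
        return None
    exe = os.path.basename(image or argv[0])
    if exe == "xcrun" and len(argv) > 1:
        argv, exe = argv[1:], os.path.basename(argv[1])
    if exe != "vmmap":
        return None
    for tok in argv[1:]:
        if not tok.startswith("-"):
            return tok
    return None  # no target given: vmmap only prints its usage


def targets_launchd(target):
    """True if the target is PID 1 or a name vmmap would resolve to launchd.

    Numeric targets are compared as integers so "01" counts as 1. vmmap
    matches partial executable names, so any prefix of "launchd" is treated
    as a hit; that errs toward alerting (assumption: vmmap's matching is at
    least this loose). Tighten if it proves noisy in your environment.
    """
    if not target:
        return False
    t = target.strip().lower()
    if t == "":
        return False
    if t.isdigit():
        return int(t) == LAUNCHD_PID
    return LAUNCHD_NAME.startswith(t)


def is_vmmap_against_launchd(argv, image=None):
    """The predicate an EDR block rule or a Sigma condition would encode."""
    return targets_launchd(vmmap_target(argv, image))


def event_argv(ev):
    """Events carry either an argv list or a flat command line."""
    if ev.get("argv"):
        return list(ev["argv"])
    return shlex.split(ev.get("cmdline", ""))


def scan(log_lines):
    """Return (pid, user, argv) for every event that matches the rule."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        argv = event_argv(ev)
        if is_vmmap_against_launchd(argv, ev.get("image")):
            hits.append((ev["pid"], ev["user"], argv))
    return hits


if __name__ == "__main__":
    for pid, user, argv in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={pid} user={user} cmd={' '.join(argv)}")
```

Running the block flags three of the six sample events: the literal `vmmap 1`, the by-name `vmmap -w -resident launchd`, and the `xcrun vmmap -pages 1` wrapper; `vmmap 4301`, `ls 1`, and a bare `vmmap` with no target are left alone. The same `is_vmmap_against_launchd` predicate is what an EDR block rule would evaluate on the exec event to deny the launch before `task_suspend` ever runs.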