{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xpc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2019-8565"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","iOS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","macos","xpc","race-condition"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe vulnerability, CVE-2019-8565, affects macOS versions prior to 10.14.4 and iOS versions prior to 12.2. It is a race condition in the privileged XPC service \u003ccode\u003ecom.apple.appleseed.fbahelperd\u003c/code\u003e, which backs the Feedback Assistant application. The service decides whether to trust an incoming XPC message by looking up the sender\u0026rsquo;s process ID (PID) at validation time instead of using the audit token the kernel attaches to the message. A PID is not a stable identity: it is recycled once a process exits, and it keeps referring to the same process when that process replaces its image with an exec. An unprivileged or sandboxed process can therefore queue requests at the service and then arrange for the sending PID to belong to a trusted binary by the time the service performs its check, so the check passes and the malicious requests are carried out with the daemon\u0026rsquo;s root privileges. 
The original research was published in April 2019; its broader lesson is that trust decisions in inter-process communication must not rest on PIDs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged process sends multiple XPC messages to \u003ccode\u003ecom.apple.appleseed.fbahelperd\u003c/code\u003e to fill the message queue, so that the daemon has not yet validated them when the next step runs.\u003c/li\u003e\n\u003cli\u003eThe unprivileged process spawns a new process (using \u003ccode\u003eposix_spawn\u003c/code\u003e or \u003ccode\u003eNSTask\u003c/code\u003e) so that its PID is reused by a trusted image, and keeps that process suspended, so the PID resolves to the trusted image while the queued messages are still pending.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eFBAPrivilegedDaemon\u003c/code\u003e validates each queued message by looking up the sender PID, now finds the trusted Feedback Assistant application behind it, and accepts the request.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003ecopyLogFiles:\u003c/code\u003e method to copy arbitrary files, bypassing its path constraints with path traversal sequences (e.g. \u0026ldquo;../../../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe files are copied by the root daemon to attacker-controlled locations, bypassing the filesystem permissions that would otherwise apply.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker calls \u003ccode\u003erunMobilityReportWithDestination:\u003c/code\u003e, which makes the daemon execute \u003ccode\u003e/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/get-mobility-info\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget-mobility-info\u003c/code\u003e script checks for \u003ccode\u003e/usr/local/bin/netdiagnose\u003c/code\u003e and, if it exists, executes it with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker plants a custom \u003ccode\u003enetdiagnose\u003c/code\u003e binary in \u003ccode\u003e/usr/local/bin\u003c/code\u003e (a directory that is often writable by the logged-in user without root, for example after a Homebrew installation) and gains root when the script runs it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-8565 allows a local attacker to gain root privileges on vulnerable macOS systems. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. The vulnerability affects macOS 10.14.3 and earlier and iOS versions prior to 12.2. In CTF scenarios, it was used to directly read flag files. If an attacker can plant a binary in a location like /usr/local/bin, the \u003ccode\u003eget-mobility-info\u003c/code\u003e path yields root access immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to macOS 10.14.4 or later (and iOS 12.2 or later) to patch CVE-2019-8565.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Copy via FBAPrivilegedDaemon\u0026rdquo; to detect exploitation attempts targeting the \u003ccode\u003ecopyLogFiles:\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Execution of netdiagnose from get-mobility-info\u0026rdquo; to detect attempts to exploit the \u003ccode\u003erunMobilityReportWithDestination:\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for binaries executing from \u003ccode\u003e/usr/local/bin\u003c/code\u003e with \u003ccode\u003eget-mobility-info\u003c/code\u003e as the parent, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eWhen auditing other privileged XPC services, check whether client validation keys on the sender PID (for example \u003ccode\u003expc_connection_get_pid\u003c/code\u003e fed into \u003ccode\u003eSecCodeCopyGuestWithAttributes\u003c/code\u003e with \u003ccode\u003ekSecGuestAttributePid\u003c/code\u003e) rather than on the audit token; PID-based checks are exposed to the same race.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-rootpipe-reborn/","summary":"A race condition vulnerability (CVE-2019-8565) exists in macOS and iOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.","title":"macOS Privilege Escalation via Feedback Assistant Race Condition (CVE-2019-8565)","url":"https://feed.craftedsignal.io/briefs/2024-01-rootpipe-reborn/"}],"language":"en","title":"CraftedSignal Threat Feed — 
Xpc","version":"https://jsonfeed.org/version/1.1"}
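Added example, not code from the advisory, from the feed, or from Apple: the two client-validation patterns the advisory contrasts (Attack Chain steps 1 to 3), written as the connection handler of a privileged XPC service in Objective-C-compatible C, plus the path check that closes the copyLogFiles: traversal in step 4. The PID-based check has the vulnerable shape, because the identity it resolves is whatever owns the PID at the moment the check runs; the hardened variant keys the same code-signing evaluation on the audit token the kernel attached to the connection. Assumptions not taken from the page: the requirement string and bundle identifier are placeholders, the allowed log directory and the "path" message key are hypothetical, and xpc_connection_get_audit_token is an Apple SPI that is declared by hand because it is absent from the public headers.

```objective-c
// Added example (not the advisory's or Apple's code): PID-based vs audit-token
// client validation for a privileged XPC service, plus a path-traversal guard.
// Assumed/placeholder values: kTrustedRequirement, kAllowedLogDir, the "path" key.
#include <xpc/xpc.h>
#include <Security/Security.h>
#include <bsm/libbsm.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

// Apple SPI (not in public headers): copies the kernel-attached audit token.
extern void xpc_connection_get_audit_token(xpc_connection_t connection,
                                           audit_token_t *token);

// Placeholder designated requirement; read the real one with
// `codesign -d -r- "/System/Applications/Feedback Assistant.app"`.
static const char *kTrustedRequirement =
    "anchor apple and identifier \"com.apple.appleseed.FeedbackAssistant\"";

// Hypothetical directory that copy requests are allowed to read from.
static const char *kAllowedLogDir = "/Library/Logs/DiagnosticReports";

// Shared tail of both checks: does this SecCode satisfy the requirement?
static bool code_satisfies_requirement(SecCodeRef code) {
    CFStringRef reqStr = CFStringCreateWithCString(kCFAllocatorDefault,
                             kTrustedRequirement, kCFStringEncodingUTF8);
    SecRequirementRef req = NULL;
    bool ok = false;
    if (SecRequirementCreateWithString(reqStr, kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess;
        CFRelease(req);
    }
    CFRelease(reqStr);
    return ok;
}

// Look up a guest by one attribute (PID or audit token) and evaluate it.
static bool guest_is_trusted(CFStringRef attrKey, CFTypeRef attrValue) {
    const void *keys[] = { attrKey };
    const void *vals[] = { attrValue };
    CFDictionaryRef attrs = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, 1,
                                &kCFTypeDictionaryKeyCallBacks,
                                &kCFTypeDictionaryValueCallBacks);
    SecCodeRef code = NULL;
    bool ok = SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code)
                  == errSecSuccess && code_satisfies_requirement(code);
    if (code) CFRelease(code);
    CFRelease(attrs);
    return ok;
}

// VULNERABLE (the CVE-2019-8565 shape): the identity checked is whatever owns
// the PID when this runs. A queued message can be validated after the sending
// PID has been recycled, or exec'd into, a trusted image.
static bool peer_is_trusted_by_pid(xpc_connection_t conn) {
    pid_t pid = xpc_connection_get_pid(conn);
    CFNumberRef pidNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &pid);
    bool ok = guest_is_trusted(kSecGuestAttributePid, pidNum);
    CFRelease(pidNum);
    return ok;
}

// HARDENED: the audit token is written by the kernel, cannot be forged by the
// sender, and carries a per-exec "pidversion" field, so it names the exact
// process image that sent the message, not the current owner of the PID.
static bool peer_is_trusted_by_audit_token(xpc_connection_t conn) {
    audit_token_t token;
    xpc_connection_get_audit_token(conn, &token);
    CFDataRef tokenData = CFDataCreate(kCFAllocatorDefault,
                                       (const UInt8 *)&token, sizeof(token));
    bool ok = guest_is_trusted(kSecGuestAttributeAudit, tokenData);
    CFRelease(tokenData);
    return ok;
}

// Traversal guard for client-supplied paths: realpath(3) resolves ".." and
// symlinks first; the comparison stops on a path-component boundary so that
// "/Library/Logs/DiagnosticReportsX" does not pass as a prefix match.
static bool path_within_allowed_dir(const char *requested) {
    char realReq[PATH_MAX], realDir[PATH_MAX];
    if (!realpath(requested, realReq) || !realpath(kAllowedLogDir, realDir)) return false;
    size_t n = strlen(realDir);
    return strncmp(realReq, realDir, n) == 0 && (realReq[n] == '/' || realReq[n] == '\0');
}

// Per-connection handler: every request is gated on the audit-token check.
// On macOS 12+, xpc_connection_set_peer_code_signing_requirement() can make
// libxpc enforce the requirement before any handler runs.
static void handle_new_connection(xpc_connection_t peer) {
    xpc_connection_set_event_handler(peer, ^(xpc_object_t msg) {
        if (xpc_get_type(msg) != XPC_TYPE_DICTIONARY) return;   // error or cancel event
        if (!peer_is_trusted_by_audit_token(peer)) {
            xpc_connection_cancel(peer);                         // untrusted client: drop it
            return;
        }
        const char *path = xpc_dictionary_get_string(msg, "path"); // hypothetical key
        if (!path || !path_within_allowed_dir(path)) return;       // traversal attempt
        // ... perform the copy for the validated path ...
    });
    xpc_connection_resume(peer);
}
```

This builds only on macOS (link with -framework Security -framework CoreFoundation) and is meant to be dropped into the listener of a launchd-registered XPC service; peer_is_trusted_by_pid is kept only to show the shape to grep for during an audit. Note that realpath on the requested file still leaves a window between the check and the open; a service that needs to close it should open the file first and compare the resolved path of the open descriptor.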