Xpc — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/xpc/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 29 Jan 2024 12:00:00 +0000macOS Privilege Escalation via Feedback Assistant Race Condition (CVE-2019-8565)https://feed.craftedsignal.io/briefs/2024-01-rootpipe-reborn/Mon, 29 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rootpipe-reborn/A race condition vulnerability (CVE-2019-8565) exists in macOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.The vulnerability, CVE-2019-8565, resides in macOS versions prior to 10.14.4 and iOS versions prior to 12.2. It involves a race condition in the privileged XPC service com.apple.appleseed.fbahelperd, used by the Feedback Assistant application. This service incorrectly validates incoming XPC messages based on process IDs (PIDs) instead of more secure methods like audit tokens. An unprivileged or sandboxed process can exploit this by rapidly spawning processes to reuse PIDs, tricking the privileged service into accepting malicious requests. This allows attackers to bypass security checks and execute privileged operations, ultimately leading to privilege escalation to root. The original research was published in April 2019, highlighting the risks associated with PID-based security checks in inter-process communication.

Attack Chain

  1. An unprivileged process sends multiple XPC messages to com.apple.appleseed.fbahelperd to fill the message queue.
  2. The unprivileged process spawns a new process (using posix_spawn or NSTask) to reuse the PID while keeping the new process suspended.
  3. The FBAPrivilegedDaemon validates the XPC message based on the reused PID, incorrectly associating it with the trusted Feedback Assistant application.
  4. The attacker exploits the copyLogFiles: method to copy arbitrary files by bypassing path constraints using path traversal (e.g., “../../../”).
  5. Files are copied to attacker-controlled locations, bypassing intended permission restrictions.
  6. Alternatively, the attacker leverages runMobilityReportWithDestination: to trigger execution of /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/get-mobility-info.
  7. The get-mobility-info script checks for /usr/local/bin/netdiagnose and executes it with root privileges if found.
  8. The attacker gains root privileges by executing a custom netdiagnose binary in /usr/local/bin.

Impact

Successful exploitation of CVE-2019-8565 allows a local attacker to gain root privileges on vulnerable macOS systems. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. The vulnerability impacts systems running macOS 10.14.3 and earlier, as well as iOS 12.2 and earlier. In CTF scenarios, it was used to directly read flag files. If an attacker can plant a binary in a location like /usr/local/bin, they can achieve instant root access.

Recommendation

  • Upgrade to macOS 10.14.4 or later to patch CVE-2019-8565.
  • Deploy the Sigma rule “Detect Suspicious File Copy via FBAPrivilegedDaemon” to detect exploitation attempts targeting the copyLogFiles: method.
  • Deploy the Sigma rule “Detect Execution of netdiagnose from get-mobility-info” to detect attempts to exploit the runMobilityReportWithDestination: method.
  • Monitor process creations for suspicious binaries executing from /usr/local/bin as described in the Attack Chain.
]]>criticaladvisoryprivilege-escalationmacosxpcrace-condition