Privilege escalation: critical gap in older iOS and macOS versions

Source: Heise.de added 20th Jan 2021


Apple’s important XPC interface lets malware obtain elevated privileges: a logic flaw in how the central launchd process handles XPC services can be “easily exploited with 100 percent reliability” to escalate privileges, security researcher Zhipeng Huo has now announced. Malware can also use it to break out of the “most restrictive sandbox”.

Gap closed only in macOS 11 and iOS 14

The vulnerability was reported to Apple last year and, according to the manufacturer, has been fixed in macOS 11 Big Sur and iOS 14: the logic problem was eliminated “through an improved check”, Apple writes in a subsequently added note. Countermeasures had already been taken in iOS 13.5, said the security researcher, who works for Tencent’s Security Xuanwu Lab. Older versions of the operating systems appear to remain vulnerable; at least Apple does not list this vulnerability (CVE-2020-9971) in its release notes for the security updates for macOS 10.15 or 10.14.

CERT-Bund of the Federal Office for Information Security (BSI) rates the risk as “very high”, although the vulnerability can apparently only be exploited by local attackers and not easily from remote. Unlike on macOS, developers on iOS cannot address the XPC services directly, Huo notes, but Apple uses them for various processes of its own that run with elevated privileges; it is accordingly easy to find “useful targets”.

Root from within the sandbox

Because of the loophole, an attacker can foist an XPC service of their own on a system service, which launchd then executes with root privileges. launchd is actually supposed to ensure that only certain authorized processes are allowed to run the XPC service, but it is sloppy about this, as Huo explains in a detailed write-up of the bug.

Only as of iOS 14 and macOS 11 does the system check whether the requesting process is actually the owner of the corresponding process domain, and thus whether launchd may run the XPC service or not. The internal mechanism of XPC services is so complex that “many other logic problems” lie dormant in it, according to the security researcher.

(lbe)

Read the full article at Heise.de
