Expert released CVE-2022-26763 PoC for macOS execute arbitrary code flaw
Security researchers released CVE-2022-26763 PoC exploit code for a critical execute arbitrary code vulnerability affecting multiple Apple products. An out-of-bounds access issue was addressed with improved bounds checking. A malicious application may be able to execute arbitrary code with system privileges.
Apple warned that a threat actor can exploit the CVE-2022-26763 flaw (CVSSv3 base score of 7.8) to execute arbitrary code with system privileges and urges users to install patches immediately. The company acknowledged Linus Henze of Pinauten GmbH (pinauten.de) for the discovery of the flaw.
Recently, researcher @zhuowei publicly released on GitHub CVE-2022-26763 PoC exploit code for a macOS execute arbitrary code flaw addressed by Apple in May. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4.
Apple did not provide technical details about the flaw, then @zhuowei researchers performed an analysis of the patch. Reads the analysis published by the researchers:
- build our DriverKit extension and accompanying app without signing
- manually sign it
- copy it to /Applications (if developer mode is disabled)
- launch app: /Applications/PCICrashApp.app/Contents/MacOS/PCICrashApp
- go to System Preferences and allow the Driver Extension to load
- run ./pcicrash_userclient 1235 to tell our DriverKit to make the _MemoryAccess call
In light of the release of the PoC, users that use vulnerable tvOS/iPadOS/iOS/macOS versions are recommended to prioritize the patches to mitigate active exploitation attempts.
