After Apple failed to release a patch within 90 days of being notified, a Google Project Zero researcher disclosed details and a proof-of-concept exploit of a high-severity security vulnerability in the macOS operating system.
The vulnerability was discovered by Project Zero researcher Jann Horn and demonstrated by Ian Beer. It lies in the way the macOS XNU kernel lets an attacker modify a mounted filesystem image without the operating system being notified of the change.
The flaw could eventually allow an attacker or malicious program to circumvent the copy-on-write (COW) functionality and cause unexpected changes in the shared memory between processes, resulting in memory corruption attacks.
Copy-On-Write, also known as COW, is an optimization strategy for resource management used in computer programming.
In general, if a process (destination) requires a file or data that is already in memory but was created by another process (source), both processes can share the same resource instead of creating a new copy of it, thereby significantly reducing the resource consumption of unmodified copies.
However, if the source process needs to modify the data, copy-on-write (COW) first creates a private copy of it in memory, so that the destination process still sees the original, unmodified data.
According to the Project Zero researcher, on Apple’s macOS operating system this copy-on-write behavior is applied efficiently not only to anonymous memory but also to page tables and memory mappings.
“This means that, after the destination process has begun reading from the transferred memory area, memory pressure may cause the pages containing the transferred memory to be evicted from the page cache,” the advisory describing the vulnerability states.
When the evicted pages are required again in the future, they can be reloaded from the backing filesystem.
When a mounted filesystem image is modified directly (for example, by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem, according to a Google researcher.
Thus, a malicious program or an attacker can modify evicted disk pages without informing the virtual memory management subsystem, deceiving the destination processes into loading the manipulated content into memory when those pages are reloaded.
“It is crucial that the copied memory is protected against later modifications by the sourcing process; otherwise, the sourcing process could exploit double-reads in the destination process,” says the researcher.
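As an added illustration (not the Project Zero proof of concept and not Apple's code), the following C program shows on Linux the general hazard the advisory describes and the mitigation a destination process can apply: it takes a copy-on-write file mapping, snapshots it once into anonymous memory, and then modifies the backing file with pwrite() the way a source process might. Whether the mapping itself reflects the later write is platform-dependent (Linux shows it for untouched MAP_PRIVATE pages); the private snapshot never does, which is the single-read pattern that defeats the double-read attacks the researcher mentions. The temp-file path and region size are constructed sample values.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_LEN 4096  /* constructed: size of the "transferred" region */

/* Returns 1 if a private snapshot taken from a copy-on-write file mapping is
 * still intact after the backing file is modified with pwrite(), 0 if it was
 * altered, -1 on a system-call failure. If mapping_changed is non-NULL it is
 * set to 1 when the mapping itself now shows the modified byte (Linux does this
 * for MAP_PRIVATE pages the reader has not written to), otherwise 0. */
int private_copy_survives_pwrite(int *mapping_changed) {
    char path[] = "/tmp/cow-demo-XXXXXX";    /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* file exists only while fd is open */
    char initial[REGION_LEN];
    memset(initial, 'A', sizeof initial);
    if (write(fd, initial, sizeof initial) != (ssize_t)sizeof initial) { close(fd); return -1; }

    /* Destination process view: a copy-on-write (MAP_PRIVATE) file mapping. */
    char *view = mmap(NULL, REGION_LEN, PROT_READ, MAP_PRIVATE, fd, 0);
    if (view == MAP_FAILED) { close(fd); return -1; }

    /* Mitigation: read the region exactly once into anonymous memory and
     * validate and use only this private snapshot afterwards. */
    char *snapshot = malloc(REGION_LEN);
    if (!snapshot) { munmap(view, REGION_LEN); close(fd); return -1; }
    memcpy(snapshot, view, REGION_LEN);

    /* Source process modifies the backing file directly, bypassing the mapping. */
    if (pwrite(fd, "B", 1, 0) != 1) { free(snapshot); munmap(view, REGION_LEN); close(fd); return -1; }

    if (mapping_changed) *mapping_changed = (view[0] == 'B');

    int intact = (memcmp(snapshot, initial, REGION_LEN) == 0);
    free(snapshot);
    munmap(view, REGION_LEN);
    close(fd);
    return intact;
}

int main(void) {
    int changed = 0;
    int intact = private_copy_survives_pwrite(&changed);
    printf("private snapshot intact: %d, mapping reflected the write: %d\n", intact, changed);
    return intact == 1 ? 0 : 1;
}
```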
In addition to this vulnerability, the Project Zero researcher discovered a similar copy-on-write behavior bypass (CVE-2019-6208) in the macOS operating system by abusing a different function.
In November 2018, the researcher informed Apple of both vulnerabilities, and the company privately acknowledged their existence. While Apple patched the second flaw in its January 2019 update, the first flaw remained unpatched when Project Zero’s 90-day disclosure deadline expired.
Project Zero therefore made the vulnerability public with a “high severity” label and released proof-of-concept code demonstrating the bug, which, at the time of writing, has not yet been patched.
Apple is currently collaborating with the Project Zero team on a fix for the vulnerability, which will be included in a future release of macOS.