Security researchers have discovered a new class of bugs that could have allowed bypassing the code signing mechanisms that protect Apple iOS and macOS from malicious code execution.
The severity of the flaws ranges between medium and high and could lead to privilege escalation or sandbox escape on either of Apple’s platforms.
Trellix notified Apple of the vulnerabilities before their disclosure, and the tech giant fixed them with the release of macOS 13.2 and iOS 16.3, currently the latest available versions.
Apple has been following a rather aggressive protection system for iOS that only permits applications signed by a verified developer certificate to run.
Moreover, the ability to dynamically execute code has been almost completely stripped, so running malicious code on iOS is virtually impossible.
Aspects of this security system have been passed to macOS, which has started to enforce similar code-signing restrictions with more vigor in recent years.
“Go Around” bugs
Trellix’s analysts discovered the possibility of running unsigned code on macOS and iOS after exploring the potential to bypass NSPredicate and NSPredicateVisitor mitigations.
These are the two classes that NSO's Pegasus malware abused in attacks against iPhones using the FORCEDENTRY zero-click remote code execution exploit.
For example, NSPredicate is a class that allows developers to filter lists of objects, but attackers found a way to abuse it to dynamically execute arbitrary code in another process.
Abusing NSPredicate for unsigned code execution was reported to Apple back in 2019 and then extensively detailed in a blog post published in January 2021.
Apple responded to these revelations by applying mitigations in the form of large denylists meant to prevent class abuse. Trellix, however, says that its analysts have found a way to empty these lists, essentially nullifying the mitigations. Apple assigned this bypass the identifier CVE-2023-23530.
For NSPredicateVisitor, Trellix found a similar bypass, exploiting an exclusion for the “expressionType” property to execute arbitrary code and gain access to sensitive information. This bypass was assigned CVE-2023-23531.
Finding New Attacks
These two bypasses helped Trellix’s analysts uncover a new class of bugs, starting with one in “coreduetd,” a process that collects data about device behavior.
An attacker meeting the prerequisites for exploitation in a sensitive process such as Safari or Messages can send a malicious NSPredicate and access the user’s calendar, address book, photos, and more.
Similar vulnerabilities were also found in “contextstored,” which is related to CoreDuet, and in “appstored” and “appstoreagent” on macOS. An attacker with access to a process that communicates with these daemons could exploit the flaws to install arbitrary apps on macOS.
Trellix has found that the OSLogService XPC service can also be abused to read information from the syslog, which typically contains sensitive data. To make matters worse, this service is accessible by any app on macOS, so no special privileges are required to exploit this bug.
Finally, Trellix’s analysts found a flaw in UIKitCore on iPadOS, where an app can achieve code execution inside SpringBoard. This highly privileged app can access location data, the camera and microphone, call history, and photos, or even wipe the device, by setting malicious scene activation rules.
In conclusion, Apple’s mitigations to flaws known since 2019 and actively exploited until at least 2021 were inadequate and continued to be bypassable well into 2023.
iPhone and Mac users should apply the available OS updates and upgrade to macOS 13.2 and iOS 16.3 or later to address these security flaws.