MacOS DirtyNIB vulnerability allows attackers to execute malicious code | spcilvly

A new zero-day vulnerability has been discovered in Apple’s macOS systems, allowing threat actors to execute code on behalf of a legitimate Apple application. This particular vulnerability was first discovered in macOS Monterey. However, the researcher was able to replicate the problem in Ventura and Sonoma.

According to reports shared with Cyber Security News, Apple has addressed this vulnerability by assigning CVE-2022-48505 with a severity of 5.5 (Medium). However, the researcher stated that the issue still exists in macOS and needs to be addressed accordingly.


MacOS “DirtyNIB” vulnerability

Apple uses NIB files to store application interfaces. The NIB files bundled with an application can be swapped, and swapping them does not invalidate access to these files once Gatekeeper has verified them.

Initially, a NIB file is created containing an object of a class such as NSAppleScript, whose source property is set using user-defined runtime attributes. A button is then added and bound to the AppleScript object, set to invoke the runAndReturnError: selector. This crafted file is the DirtyNIB file used to exploit the vulnerability.

As a proof of concept, the Apple-owned Pages application is targeted. The application is copied to the /tmp folder and launched, at which point Gatekeeper verifies it. After this, the NIB file is overwritten with the DirtyNIB file, which triggers the code execution.

Code execution with DirtyNIB file overwriting (Source: xpnsec)
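
The overwrite described above changes a NIB file after the bundle was signed, so the file no longer matches the SHA-256 digest recorded for it in the bundle's Contents/_CodeSignature/CodeResources seal. The following is an added example for defenders (not from the researcher's report or from Apple) that compares each NIB under Contents/Resources with that seal; the function names are hypothetical and it assumes the standard files2/hash2 layout of CodeResources.

```python
import hashlib
import plistlib
import sys
from pathlib import Path


def sealed_hashes(bundle: Path) -> dict:
    """Map resource path (relative to Contents/) to its sealed SHA-256."""
    seal = bundle / "Contents" / "_CodeSignature" / "CodeResources"
    with open(seal, "rb") as fh:
        files2 = plistlib.load(fh).get("files2", {})
    # Entries for nested code carry "cdhash" instead of "hash2"; skip those.
    return {rel: entry["hash2"] for rel, entry in files2.items()
            if isinstance(entry, dict) and "hash2" in entry}


def audit_nibs(bundle) -> list:
    """Return (path, finding) for each NIB file that disagrees with the seal."""
    bundle = Path(bundle)
    contents = bundle / "Contents"
    sealed = sealed_hashes(bundle)
    findings = []
    # Only Contents/Resources is walked: nested bundles (frameworks, helpers)
    # carry their own CodeResources and must be audited against that seal.
    for nib in sorted((contents / "Resources").rglob("*.nib")):
        if not nib.is_file():
            continue  # directory-style NIB; the files inside it are matched too
        rel = nib.relative_to(contents).as_posix()
        digest = hashlib.sha256(nib.read_bytes()).digest()
        if rel not in sealed:
            findings.append((rel, "not sealed"))
        elif sealed[rel] != digest:
            findings.append((rel, "modified"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_nibs.py /path/to/Some.app
    results = audit_nibs(sys.argv[1])
    for rel, finding in results:
        print(f"{finding:10} {rel}")
    sys.exit(1 if results else 0)
```

This compares files with the seal only; it does not validate the signature over CodeResources itself, which `codesign --verify --deep --strict` on the bundle does.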

Additionally, exploitation of this vulnerability ran into several limitations on the latest versions of macOS. On macOS Ventura the limiting factor was the inclusion of PkgKit, while macOS Sonoma introduced new restrictions on accessing application bundle contents.

The security researcher has published a comprehensive report that provides detailed information on the exploitation of this vulnerability, along with the code and tools used as part of the investigation.
