A researcher has released details and proof-of-concept (PoC) code for the high-severity macOS Sandbox escape vulnerability tracked as CVE-2022-26696.
SecuRing researcher Wojciech Reguła (@_r3ggi) has published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score 7.8).
In an analysis published by Reguła, the researcher explains that the problem stems from a behavior he observed in a sandboxed macOS application: it could launch another application that did not inherit the sandbox profile from the main application.
According to ZDI, this vulnerability allows remote attackers to evade the sandbox on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privilege code on the target system in order to exploit this vulnerability.
“A sandboxed process may be able to circumvent sandbox restrictions,” reads the advisory published by Apple, which fixed the flaw with better environment sanitization.
“This vulnerability allows remote attackers to evade the sandbox on affected installations of Apple macOS. An attacker must first gain the ability to execute low-privilege code on the target system in order to exploit this vulnerability,” reads the report published by ZDI. “The specific flaw exists in the handling of XPC messages in the LaunchServices component. A crafted message can trigger the execution of a privileged operation. An attacker can exploit this vulnerability to elevate privileges and execute arbitrary code in the context of the current user.”
The issue was reported to the vendor on December 22, 2021 and disclosed on August 15, 2022.
Reguła focused his analysis on an Objective-C method of Terminal.app.
“+[TTApplication isRunningInInstallEnvironment] will return YES when the __OSINSTALL_ENVIRONMENT environment variable has been set,” writes the expert. “So when Terminal.app starts, some of the environment variables weren’t cleared when +[TTApplication isRunningInInstallEnvironment] returned YES. Awesome, with a simple command injection I was able to run code in the Terminal.app context without a sandbox!”
The expert was able to weaponize the flaw by embedding the exploit in a Word document and loading Mythic’s JXA payload.
“Running code in the Terminal.app context can be very dangerous because some TCC permissions may also already be granted,” Reguła explained.
Reguła shared a PoC video that demonstrates how to weaponize a Word document to escape the sandbox and run code in the terminal.
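As an added defender-side example (not part of the article or the researcher's PoC), the following Python sketch flags the launch pattern the write-up describes: Terminal.app started by a sandboxed parent with __OSINSTALL_ENVIRONMENT present in its environment. The event fields, paths and sample records are constructed assumptions, not a real macOS log or Endpoint Security schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed event shape: what an endpoint agent might record per exec.
# Field names are assumptions, not a real macOS log or Endpoint Security schema.
@dataclass
class ExecEvent:
    pid: int
    ppid: int
    path: str                       # executable path of the new process
    parent_sandboxed: bool          # parent runs under the App Sandbox
    env: dict[str, str] = field(default_factory=dict)

TERMINAL_SUFFIX = "/Terminal.app/Contents/MacOS/Terminal"
INSTALL_ENV_VAR = "__OSINSTALL_ENVIRONMENT"   # variable named in the write-up

def is_suspicious_terminal_launch(ev: ExecEvent) -> bool:
    """True when Terminal.app is spawned by a sandboxed parent with the
    install-environment variable set: the combination Apple addressed with
    environment sanitization. A plain Terminal launch, or the variable being
    present with no sandboxed parent (a genuine install context), is not flagged."""
    if not ev.path.endswith(TERMINAL_SUFFIX):
        return False
    if INSTALL_ENV_VAR not in ev.env:
        return False
    return ev.parent_sandboxed

def find_suspicious(events: list[ExecEvent]) -> list[int]:
    """Return the pids of all events matching the escape pattern."""
    return [ev.pid for ev in events if is_suspicious_terminal_launch(ev)]

# Constructed sample events (pids, paths and values are made up for the demo).
TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
SAMPLE_EVENTS = [
    # Normal user launch: no install variable, parent not sandboxed.
    ExecEvent(101, 1, TERMINAL, False, {"HOME": "/Users/alice", "SHELL": "/bin/zsh"}),
    # Sandboxed document viewer spawning Terminal with the install variable set.
    ExecEvent(4242, 3999, TERMINAL, True, {INSTALL_ENV_VAR: "1", "HOME": "/Users/alice"}),
    # Variable present but parent not sandboxed (installer context): not flagged.
    ExecEvent(777, 1, TERMINAL, False, {INSTALL_ENV_VAR: "1"}),
    # Sandboxed parent launching something other than Terminal: not flagged.
    ExecEvent(888, 3999, "/System/Applications/TextEdit.app/Contents/MacOS/TextEdit",
              True, {INSTALL_ENV_VAR: "1"}),
]

if __name__ == "__main__":
    print("suspicious pids:", find_suspicious(SAMPLE_EVENTS))
```

The parent-sandboxed check is what keeps the rule from firing on a legitimate install environment; an agent that cannot tell whether the parent is sandboxed would need a different discriminator.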
Pierluigi Paganini