var img = document.createElement('img'); img.src = "https://calabrone.net/piwik.php?idsite=2&rec=1&url=https://stinger.io" + location.pathname; img.style = "border:0"; img.alt = "tracker"; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(img,s);
Skip to main content

Kernel Vulnerabilities

Privilege escalation via unpatched kernel bugs and misconfigurations in kernel extensions (kexts) is one of the most advanced and risky techniques in penetration testing and red teaming, but it is highly effective when successful. macOS, like other Unix-based operating systems, has several kernel-level security mechanisms to prevent unauthorized access and tampering, but flaws in these mechanisms can still lead to privilege escalation.

Let’s break this down into two major components: unpatched kernel bugs and misconfigurations in kernel extensions.

Discovering Privilege Escalation via Unpatched Kernel Bugs

Kernel bugs are critical vulnerabilities in the core part of the OS, often relating to memory handling, device drivers, or low-level process management. These vulnerabilities can be used by attackers to bypass security controls, gain unauthorized access to kernel-level resources, or execute arbitrary code in kernel mode (which can lead to full system compromise).

Identifying the Kernel Version

To begin looking for kernel vulnerabilities, you need to determine the exact kernel version running on the macOS system.

The following command will provide just the version number:

uname -r

Example output:

23.6.0

In this case, the kernel version is 23.6.0 (macOS 14.7).

Searching for Known Exploits for Kernel Version

Once you have identified the kernel version, you can search for known vulnerabilities. Various public exploit databases like Exploit-DB, CVE repositories, and security mailing lists often have up-to-date information about bugs and vulnerabilities specific to certain kernel versions.

You can look for the kernel version in the CVE database or Exploit-DB. For example, use searchsploit to look for kernel vulnerabilities:

searchsploit kernel macOS 19.2.0

Example output:

-----------------------------------------------------------------
Exploit Title                            |  Path      
-----------------------------------------------------------------
macOS 10.15 (CVE-2019-8553) - Kernel     | osx/local/46856.py
macOS 10.15 - IOKit kernel vulnerability | osx/local/12345.py
-----------------------------------------------------------------

These results indicate a couple of kernel vulnerabilities for the specified macOS version.

Privilege Escalation via Unpatched Kernel Bugs

If an unpatched vulnerability is found for the current kernel, an attacker can potentially escalate their privileges. Kernel bugs that can be exploited for privilege escalation typically fall into one of these categories:

  • Buffer Overflow in Kernel Space: Overwriting critical data in kernel memory.

  • Race Conditions: Exploiting timing issues in kernel operations that may result in unauthorized access to kernel resources.

  • Improper Input Validation: Allowing user-supplied data to reach the kernel without proper validation.

  • Out-of-Bounds Memory Access: Accessing memory areas that should not be accessible.

If a specific exploit exists for the kernel version in question, you can often compile and execute it directly on the target system.

Example of using an exploit:

Example of an exploit that is a Python script for CVE-2019-8553, you can download or copy the script from Exploit-DB and run it directly:

python3 46856.py

If successful, this exploit will give you root or system level access.

Patching and Testing Vulnerabilities

After discovering a vulnerability and performing the privilege escalation attack (either by using a public exploit or writing your own), the next step is to test whether the kernel is fully patched. Always check the macOS Security Update page to verify whether a particular vulnerability has been patched or mitigated in the latest updates.

Misconfigurations in Kernel Extensions (KEXTs)

Kernel extensions (kexts) are dynamic loadable modules that extend the functionality of the macOS kernel. A misconfigured or insecure kext can provide an attacker with the opportunity to escalate privileges, as these modules often run with kernel-level privileges.

Identifying Loaded Kernel Extensions

To check for loaded kernel extensions, you can use the kextstat command, which shows a list of all kexts currently loaded into the system.

List all loaded kernel extensions:

kextstat

Example output:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
  68    0 0xffffff7f8243c000 0x14000    0x14000    com.apple.iokit.IOGraphicsFamily (2.4.1) <58 43 6 5 4 3>
  70    0 0xffffff7f8265e000 0x5000     0x5000     com.apple.driver.AppleUSBCDC (5.2.1) <50 49 5 4 3 2>
  ...

Look for kexts that may be third-party or have unusual names, as they could represent vulnerable or misconfigured modules.

Checking Permissions on Kernel Extensions

Misconfigurations often involve incorrect file or directory permissions on kexts. If a kernel extension is installed with insecure permissions (e.g., world-writable), attackers can modify or replace it.

  • Inspect file permissions for kernel extensions:

    ls -l /System/Library/Extensions/

  • Expected output:

    -rwxr-xr-x  1 root  wheel  1234567 Jun 15  2023 AppleACPIPlatform.kext
    -rw-r--r--  1 root  wheel  7891234 May 10  2023 com.myvendor.MyKext.kext

If you see third-party kexts with weak file permissions (e.g., rw-r--r-- or rwxrwxrwx), these kexts may be vulnerable to modification.

Exploiting Misconfigured Kernel Extensions

  • Replace or Modify Kernel Extensions:

  • If you find that a kernel extension has weak permissions, you could modify it to execute arbitrary code with kernel privileges.

  • For instance, if you have write access to a vulnerable kext, you could replace its binary with a malicious payload that, when loaded by the kernel, will execute your code as root.

Example:

First, move the legitimate kext to a backup location:

sudo mv /System/Library/Extensions/MyKext.kext /tmp/BackupMyKext.kext

Then, replace it with a malicious kext (for example, a kext that spawns a root shell):

sudo cp /path/to/malicious/kext.kext /System/Library/Extensions/

Reboot the machine or trigger the kext loading mechanism to activate the malicious kext.

Known Kext Vulnerabilities

In some cases, there are known vulnerabilities that can be exploited in specific kernel extensions. These vulnerabilities could allow for arbitrary code execution, escalation of privileges, or denial-of-service.

Some examples include:

IOKit Vulnerabilities: Many of macOS’s kernel extensions are built using IOKit, which has had several privilege escalation vulnerabilities in the past.

Third-Party Kext Exploits: Many third-party developers fail to securely configure or validate input to their kernel extensions, which can be exploited.

You can find such vulnerabilities by searching in CVE repositories or using the searchsploit command to check if there are any known exploits for a specific kext.

Keeping Track of Security Updates

Keep track of any updates or patches to kernel extensions provided by Apple or third-party vendors. Apple frequently releases security updates that patch kernel vulnerabilities or address misconfigurations in kernel extensions.

Check for updates regularly:

sudo softwareupdate --list					# To list updates
sudo softwareupdate --install --all		# To install updates

Privilege escalation via unpatched kernel bugs and misconfigurations in kernel extensions can be highly effective, but it requires detailed knowledge of the kernel, kernel extensions, and exploit techniques. While kernel vulnerabilities may have public exploits that can be used, exploiting misconfigured kernel extensions often requires manual intervention, such as modifying kexts or replacing them with malicious versions.