CVE-2019-8561 A Hard-to-Banish PackageKit Framework Vulnerability in macOS

At line 28, if the offset value of the payload subpath inside the PKG file is not equal to zero, the “-[PKLeopardPackage payloadExtractorWithDestination:externalRoot:error:]” function will call the “-[PKPayloadCopier initWithArchivePath:offset:destination:]” function. Similar to the second method, there is a “triple fetch” issue.

If the offset value is equal to zero, it will extract the payload from a special external root path, which seems to be unrestricted and can be controlled by an attacker. This means that an attacker could put malicious payloads in the external root path. However, as of writing, we are not able to find an Apple-signed PKG file with an external root path.

Exploit

Compared to the older exploitation, the time window for this race condition issue is smaller. We needed to restore the PKG file to the original Apple-signed one after the extraction to pass any possible verifications later. And there is one more challenge that needs to be overcome: The offset value of the scripts or payload subpath component inside the newly crafted PKG file must be equal to that of the original one.

To exploit the issue again, we first prepared a crafted PKG file that contains our payload. After expanding the original Apple-signed PKG file, we cleaned up the old scripts and put our payload into the post-install script.

pkgutil –expand /Volumes/Pro Video Formats/ProVideoFormats.pkg /tmp/ProVideoFormats
rm -rf /tmp/ProVideoFormats/MXFPlugIns.pkg/Scripts/*
echo ‘#!/bin/bash’ > /tmp/ProVideoFormats/MXFPlugIns.pkg/Scripts/postinstall
echo ‘touch /Library/Apple/sip_bypass’ >> /tmp/ProVideoFormats/MXFPlugIns.pkg/Scripts/postinstall
chmod +x /tmp/ProVideoFormats/MXFPlugIns.pkg/Scripts/postinstall

Next, to address the offset value of the scripts subpath component challenge, we wrote a Python script to build the new PKG file in a dead loop until the offset value met the demand.

while True:
os.system(‘pkgutil –flatten /tmp/ProVideoFormats /tmp/ProVideoFormats.fake.pkg’)
f=open(‘/tmp/ProVideoFormats.fake.pkg’, ‘rb’) 
f.seek(scriptsOffsetInPkg) # the offset value from the original PKG
if f.read(4)==’x1fx8bx08x00′: break
f.close()

Once the crafted PKG file was ready, it was time to exploit the vulnerability via the following steps:

1.        An Apple-signed PKG file with post-install scripts is installed.

2.        The system_installd daemon service will handle the install request.

3.        In the function “-[PKLeopardPackage scriptsExtractorWithDestination:error:]”, the PKG file will be replaced with a crafted one after line 8 and before line 16.

4.        After the service calls the API “BOMCopierCopyWithOptions” to extract the malicious scripts inside our crafted PKG file, the PKG file will be restored to the original one.

5.        The extracted malicious scripts will then be spawned by the system_installd in a SIP-Bypass context with root privilege.

Apple’s new patch on macOS Ventura

Apple patched the vulnerability again in macOS Ventura via the following steps:

First, the new patch code gets the expected checksum property of the PKG file’s subpath via the trusted XAR pointer, which is returned by the safe API “xar_open_digest_verify”.



Source link