Apple Addresses Security Vulnerability in Memory Allocation Framework
Quick take - Apple has addressed a security vulnerability in its memory allocation debugging framework, badmalloc, which was discovered in March 2023 and fixed in October 2023, although concerns about potential exploitation and communication issues during the bounty process were raised by the researcher who identified the flaw.
Fast Facts
- A security vulnerability in Apple’s badmalloc memory allocation debugging framework was discovered in March 2023 and fixed by October 2023.
- The badmalloc framework, part of macOS for nearly 20 years, can be dynamically loaded without special privileges, affecting both entitled and suid root binaries.
- Apple implemented several mitigations, including syscall checks, preventing file overwrites, and randomizing log file names, but vulnerabilities still exist.
- An exploit was identified involving a privileged application that could lead to file descriptor leakage, with a demonstration available on GitHub.
- The author received a $22,500 bounty for the discovery, expressing disappointment over the amount and communication issues with Apple during the process.
Apple Addresses Security Vulnerability in badmalloc Framework
Overview of the Vulnerability
A recently identified security vulnerability in Apple’s memory allocation debugging framework, known as badmalloc, has been addressed by the company. The bug was first discovered in March 2023 and was subsequently fixed with a release in October 2023. The badmalloc framework has been a component of macOS for nearly 20 years and can be dynamically loaded into any process by the system’s dynamic loader, dyld, upon detecting a specific environment variable. This loading process does not require special privileges and extends to both entitled and suid root binaries.
Security Measures and Exploitation Risks
A significant aspect of the framework involves MallocStackLogging environment variables, one of which allows logging to a specified directory. The logging process occurs without the awareness of the target process, meaning the log file is created with the privileges of that process. To mitigate potential security risks, Apple implemented several measures, including:
- Checking the destination directory using a syscall.
- Preventing file overwrites and restricting symlink following.
- Setting appropriate permission bits and randomizing the filename used for log files.
Despite these mitigations, weaknesses remained. Checking the destination directory with a separate syscall does not secure the file operation that follows it, and the restriction on following symlinks applies only to the last component of the file path, not to the directories leading to it. Exploiting these weaknesses could allow an attacker to have the log file written into any directory the target application has write access to.
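The last-component-only symlink restriction described above, contrasted with the path normalization Apple later added, as an added example that is not code from the original article or from Apple. It assumes a POSIX system; the directory layout and file names are constructed for the demonstration.

```python
import os
import tempfile

CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW


def weak_create(log_dir, name):
    """Pre-fix style check: O_NOFOLLOW only refuses a symlink as the FINAL
    path component, so a symlinked directory inside log_dir is still followed."""
    fd = os.open(os.path.join(log_dir, name), CREATE_FLAGS, 0o600)
    os.close(fd)


def hardened_create(log_dir, name):
    """Normalize first: refuse the directory if any component resolved through
    a symlink, then create the file relative to an fd of that directory so the
    check and the create cannot refer to different directories."""
    if os.path.realpath(log_dir) != os.path.abspath(log_dir):
        raise PermissionError("log directory path contains a symlink")
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("log file name must be a single path component")
    dir_fd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, CREATE_FLAGS, 0o600, dir_fd=dir_fd)
        os.close(fd)
    finally:
        os.close(dir_fd)


def landing_dir(create, log_dir, name):
    """Real directory the log file ended up in, or None if the create was refused."""
    try:
        create(log_dir, name)
    except PermissionError:
        return None
    return os.path.dirname(os.path.realpath(os.path.join(log_dir, name)))


def demo():
    """Constructed layout (hypothetical): base/logs is the intended directory;
    base/link is a symlink to base/elsewhere, standing in for a directory the
    target process should not be writing into."""
    base = os.path.realpath(tempfile.mkdtemp())
    logs, elsewhere, link = (os.path.join(base, d) for d in ("logs", "elsewhere", "link"))
    os.mkdir(logs)
    os.mkdir(elsewhere)
    os.symlink(elsewhere, link)
    return {
        "weak_via_symlink": landing_dir(weak_create, link, "weak.log") == elsewhere,
        "hardened_via_symlink": landing_dir(hardened_create, link, "hard.log"),
        "hardened_real_dir": landing_dir(hardened_create, logs, "hard.log") == logs,
    }
```

Running `demo()` shows the weak create landing outside the intended directory while the hardened create refuses the symlinked path and still works for the real one.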
The author of the report attempted to control the log file content but faced challenges due to the complexity of the heap allocation structures being logged. An analysis of the random filename generation revealed exploitable patterns, including cases where the generator produced truncated filenames, making the supposedly random name predictable.
Apple’s Response and Bounty Experience
After initial exploit attempts were unsuccessful, the author shifted focus to other vulnerabilities, identifying a potential exploit involving a privileged application capable of executing user-controlled scripts, which could lead to file descriptor leakage. A demonstration video and code for this exploit were made available on GitHub.
Apple responded swiftly to the vulnerability, deploying a fix within three weeks. Improvements included enhanced path normalization to thwart symlink exploitation, bug fixes within the random filename generator, and corrections to address file truncation issues. The author expressed concerns regarding the existence of such a feature and highlighted the potential risks associated with privileged applications.
The author also explored the vulnerability’s relevance to iOS, concluding that exploitation would be less likely on that platform due to the absence of suid binaries and sudo. Reflecting on the research process, the author underscored the importance of methodical approaches to vulnerability discovery. In terms of recognition, the author received a bounty of $22,500 for the discovery, which was met with disappointment compared to previous bounties. Communication challenges with Apple throughout the bounty adjudication process were cited, including delays and a lack of updates. A detailed timeline of events related to the bug report and bounty proceedings was provided, documenting interactions with Apple from March to October 2023.