A vulnerability CVE-2019-8561 impacting macOS that was found and patched in March 2019 has been found to be exploitable recently, researchers found. The time-of-check-to-time-of-use (TOCTTOU) issue gets triggered after installing an Apple-signed PKG file.
History of CVE-2019-8561
On March 25, 2019, Apple issued a patch for the vulnerability. This bug could lead to root privilege escalation, signature bypassing, and ultimately, the bypassing of Apple’s System Integrity Protection (SIP). This could facilitate running malicious scripts in the unsigned PKG file. This high severity vulnerability had a score of 7.8.
In June 2019, researcher Jaron Bradley talked about this vulnerability at the second Objective by the Sea security conference. His presentation, titled “Bad Things in Small Packages,” detailed the ways in which the vulnerability could pose future threats.
Researchers at TrendMicro recently explored such a possibility and found that CVE-2019-8561 is still open to exploitation despite the patch. “Apple patched it again in October this year after the researchers alerted the company,” said the TrendMicro report.
The exploitation of TOCTTOU
SIP is a security feature introduced in OS X EI Capitan, which is designed to protect the Mac operating system from potentially malicious software that can modify protected files and folders. It restricts the root user account, which is also referred to as ‘rootless,’ and limits the actions that the root user can perform on protected parts of the operating system,” said the TrendMicro report.
The software bug TOCTTOU often shows errors in the results of checks looking for a value. First, when an Apple-signed PKG file with pre-install or post-install scripts is installed, the system would verify the signature.
Upon finding that the package was not signed by Apple, the installation would be stopped. When the service passed the verification process, the PKG file was open to being replaced with a malicious variant. Further, it would offer root privileges and also the script would be run bypassing the SIP security.
To reach the offset value to its required condition, Python script was used to build a new PKG file in a dead loop. It was found that the time frame taken for exploiting this vulnerability was reduced as compared to its previous exploitation.