New Privilege Escalation Bug Class Found in macOS/iOS
Security researchers at Trellix have discovered a novel class of privilege escalation vulnerabilities affecting both macOS and iOS. While specific details are still limited, the finding points to previously unknown attack vectors that could allow attackers to gain elevated system permissions, increasing urgency for developers to review code that interfaces with system services.
This new bug class circumvents code signing by exploiting NSPredicate, a feature developers use to filter data. Trellix researchers found that the mitigations Apple implemented after the "FORCEDENTRY" exploit, which was used to deploy the Pegasus spyware, were insufficient and could be bypassed. That older exploit was famously used in a zero-click attack against a Saudi activist's iPhone.

The vulnerabilities are tracked as CVE-2023-23530 and CVE-2023-23531, with CVSS scores ranging from 5.1 to 7.1, indicating medium to high severity. Exploitation could grant access to sensitive user data, including messages, location information, call history, and photos. An attacker could also potentially wipe the device.

Unlike a zero-click attack, an attacker must first achieve a low level of code execution on the device to leverage these bugs. The vulnerability then allows them to escalate privileges, break out of the application sandbox, and execute arbitrary code with the permissions of other applications or system processes.

Trellix demonstrated exploits against several processes, including `coreduetd`, which runs as root on macOS and handles data collection about device behavior. By sending a malicious NSPredicate to this process from an app such as Messages or Safari, an attacker could gain access to the user's calendar, address book, and photos. Another vulnerability was found in UIKitCore on the iPad, which could allow a malicious app to execute code inside SpringBoard, the home screen management app.

Apple addressed these security flaws by releasing patches in iOS 16.3 and macOS 13.2. The fixes involved improved memory handling and additional validation to prevent the bypass of the NSPredicateVisitor protocol, which was designed to make predicate evaluation safer.
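The NSPredicateVisitor validation mentioned above is a private Apple mechanism; as an added illustration of the same defensive idea (not code from Trellix, Apple, or this article), the Swift snippet below walks a received predicate's tree and rejects anything that is not a comparison of an allow-listed key path against a constant. It assumes macOS Foundation and a hypothetical allow list of `name` and `timestamp`.

```swift
import Foundation
// Added example (not Trellix's or Apple's code): a structural allow-list
// check for an NSPredicate received from an untrusted source such as an XPC
// message, applied before the predicate is ever evaluated.
enum PredicateCheckError: Error {
    case unsupportedPredicate(String)
    case unsupportedExpression(NSExpression.ExpressionType)
    case keyPathNotAllowed(String)
}

// Assumed policy: comparisons of allow-listed key paths against constants only.
let allowedKeyPaths: Set<String> = ["name", "timestamp"]

func validate(_ expr: NSExpression) throws {
    switch expr.expressionType {
    case .constantValue:
        return                                      // literal values are fine
    case .keyPath:
        guard allowedKeyPaths.contains(expr.keyPath) else {
            throw PredicateCheckError.keyPathNotAllowed(expr.keyPath)
        }
    default:
        // .function, .block, .subquery, .variable, ...: a function expression
        // invokes a selector chosen by the sender, so all of these are refused.
        throw PredicateCheckError.unsupportedExpression(expr.expressionType)
    }
}

func validate(_ predicate: NSPredicate) throws {
    if let compound = predicate as? NSCompoundPredicate {
        for sub in compound.subpredicates {
            guard let p = sub as? NSPredicate else {
                throw PredicateCheckError.unsupportedPredicate("non-predicate child")
            }
            try validate(p)                         // recurse through AND/OR/NOT
        }
    } else if let cmp = predicate as? NSComparisonPredicate {
        try validate(cmp.leftExpression)
        try validate(cmp.rightExpression)
    } else {
        // Anything else (including private subclasses) is refused, not guessed at.
        throw PredicateCheckError.unsupportedPredicate(String(describing: type(of: predicate)))
    }
}

// Constructed inputs: a benign filter and one carrying a FUNCTION expression.
let benign = NSPredicate(format: "name == %@ AND timestamp > %@", "alice", NSDate())
let hostile = NSPredicate(format: "FUNCTION(self, 'description') != nil")
for p in [benign, hostile] {
    do { try validate(p); print("accepted:", p) } catch { print("rejected:", p, "->", error) }
}
```

The benign predicate is accepted and the FUNCTION-bearing one is rejected before evaluation; a real service would apply such a check to predicates decoded from IPC, not only to ones built from a format string.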