The Nightmare of Apple's OTA Update: Bypassing the Signature Verification and Pwning the Kernel

Presented at DEF CON 31 (2023), Aug. 11, 2023, 11 a.m. (45 minutes)

Ding~ A new software update is available for your Mac! System updates are always considered a silver bullet to protect users against the latest security vulnerabilities. As is common practice, Apple keeps publishing monthly updates, sometimes even within a few weeks. And end users have been continuously educated to keep their devices up to date. Once they see Apple's system update notification, they may blindly click on the update. But wait, are you sure you're getting the right system update? During my research, I discovered a few critical vulnerabilities in the Apple OTA (over-the-air) update process. Apple had addressed them as CVE-2022-42791, CVE-2022-46722, and more. CVE-2022-42791 is the one that can bypass the update package signature verification and infect the new OS kernel. On Intel Macs without the T2 Chip, they can be exploited to bypass the SIP protection and SSV (Signed System Volume) protection, infect the OS kernel, and execute arbitrary kernel code in Ring 0! And there is one more vulnerability that can infect the OS firmware and execute arbitrary code before the kernel boots! During this session, I'd like to share with you how a crafted system update can infect your device and inject malicious code into your OS kernel, dominating your device completely without your awareness. REFERENCES: https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web https://support.apple.com/guide/security/secure-software-updates-secf683e0b36/web https://www.theiphonewiki.com/wiki/Software_Update_Service https://www.theiphonewiki.com/wiki/OTA_Updates http://newosxbook.com/articles/OTA.html http://newosxbook.com/articles/OTA2.html http://newosxbook.com/articles/OTA3.html http://newosxbook.com/articles/OTA4.html http://newosxbook.com/articles/OTA5.html http://newosxbook.com/articles/OTA6.html http://newosxbook.com/articles/OTA7.html http://newosxbook.com/articles/OTA8.html https://support.apple.com/en-gb/HT213488

Presenters:

• Mickey Jin - Security Researcher at Trend Micro
  Mickey Jin (@patch1t) works for Trend Micro as a security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research. In the past two years, he has received over 100 CVEs from Apple, Inc.

Links:

• https://forum.defcon.org/node/245753

Similar Presentations:

• DEF CON 31 (2023) / Legend of Zelda: Use After Free (TASBot glitches the future into OoT)
• AppSec USA 2016 / Lightning Talk - WAF Evolution, or How I Stopped Worrying About Vulnerabilities
• DEF CON 29 (2021) / Caught you - reveal and exploit IPC logic bugs inside Apple