The Nightmare of Apple's OTA Update: Bypassing the Signature Verification and Pwning the Kernel

Presented at Objective by the Sea version 6.0 (2023), Oct. 13, 2023, 2:40 p.m. (40 minutes).

Ding~ A new software update is available for your Mac! System updates are generally considered a silver bullet for protecting users against the latest security vulnerabilities. As is common practice, Apple keeps publishing monthly updates, sometimes even within a few weeks of each other, and end users have been continuously educated to keep their devices up to date. Once they see Apple's system update notification, they may blindly click on the update.

But wait, are you sure you're getting the right system update? During my research, I discovered a few critical vulnerabilities in the Apple OTA (over-the-air) update process. Apple has addressed them as CVE-2022-42791, CVE-2022-46722, and more. CVE-2022-42791 is the one that can bypass the update package signature verification and infect the new OS kernel. On Intel Macs without the T2 chip, these vulnerabilities can be exploited to bypass SIP protection and SSV (Signed System Volume) protection, infect the OS kernel, and execute arbitrary kernel code in Ring 0!

And there is one more vulnerability that can infect the OS firmware and execute arbitrary code before the kernel boots! During this session, I'd like to share with you how a crafted system update can infect your device and inject malicious code into your OS kernel, dominating your device completely without your awareness. Finally, I will also demonstrate how to get arbitrary kernel code execution via a SIP-bypass primitive.

Presenters:

  • Mickey Jin - Independent Security Researcher
    Mickey Jin is an independent security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research. In the past two years, he has received over 100 CVEs from Apple, Inc.
