It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0 on MacOS.
b4a5ae1e05cc0033bf98b39a84490ae7a0a1f8afb83c82d664cc8ddd98121f80 MacOS uses an insecure swap file
CVE-2017-2494
This came out of a discussion with Jann Horn this afternoon; credit is his.
It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0.
That file is created on demand when the system starts to swap; if you can't see it increase system load.
Then as root (with SIP enabled) do:
cat /dev/urandom > /private/var/vm/swapfile0
We observed multiple interesting-looking kernel panics including in the swapfile decompression code and also the intel GPU driver doing something with GPU pages.
Found by: ianbeer
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed