Task_T: Google identified major vulnerability in Apple’s OS and iOS cores
Wed 26 Oct 2016
Google’s Project Zero team, established two years ago as a task-force against zero day exploits, identified a coding exploit in the underlying kernel of Apple’s OSX and it’s mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS.
The exploit was reported to Apple in June by PZ member Ian Beer, after which Apple requested a 60-day period of grace to address the problem before it went public. Google initially refused the request, but eventually agreed a deadline of September 21st to disclose the exploit.
However, the fix that Apple created for the problem directly prior to disclosure was unsuccessful, and that deadline was allowed to pass. In effect Apple got nearly five months to address the issue – which it has now done, with this week’s release of OSX 10.12.1 and last week’s release of iOS 10.1, which also featured a remedy for the kernel vulnerability.
Apple’s previous ‘emergency fix’ for the weakness, described as ‘short-term mitigation’, featured in Mac OS 10.12, released on September 20th – one day ahead of Google’s September 21st deadline. But since the fix could be bypassed, that deadline passed without publication.
On 3rd October Apple trialled a more successful version of a solution in beta 3 of Mac OS 10.12.1, which was released to market two days ago.
The exploit stems from the possibility of hijacking a thread launched by the task_t process type in Apple’s XNU kernel. What caught Ian Beer’s eye was the naming of a task_t thread called ‘OwningTask’, generated when a new IOKit user client is created from the IOKitLib library:
‘OwningTask implies an ownership relationship which might lead kernel extension developers to believe that behind the scenes IOKit is actually maintaining an ownership relationship which will ensure that the lifetime of this userclient will always be dominated by the lifetime of the owningTask. This is a dangerous assumption, and this blog post is really the fallout from questioning this assumption.’
Task ports allow complete control over other API requests, so any method which can ‘orphan’ an OwningTask thread and use it as a passport of privilege around the kernel will have the capability to break processes out of sandboxes, such as the rendering processes behind Google Chrome or Safari:
‘In reality IOSurfaces are just wrappers around shared memory buffers. On OS X we can talk to the IOSurface kernel extension from inside the Safari renderer sandbox and the Chrome GPU sandbox, amongst others.’
Beer’s report observes that since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorised programs to run with elevated privileges on a Mac system.
Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability.