Discovered by Project Zero researcher Jann Horn and demonstrated by Ian Beer, the vulnerability resides in the way macOS XNU kernel allows an attacker to manipulate filesystem images without informing the operating system.
The flaw could eventually allow an attacker or a malicious program to bypass the copy-on-write (COW) functionality to cause unexpected changes in the memory shared between processes, leading to memory corruption attacks.
Copy-On-Write, also referred to as COW, is a resource-management optimization strategy used in computer programming.
In general, if any process (destination) requires a file or data that is already in the memory but created by another process (source), both processes can share the same resource rather than creating a new copy of it, significantly reducing the resource consumption of unmodified copies.
However, if the source process needs to make some changes in the data, the copy-on-write (COW) function comes into play and creates a copy of it in the memory so that the destination process can still have access to the data.
According to the Project Zero researcher, on Apple's macOS operating system, this copy-on-write behavior works not only with the anonymous memory, but also efficiently handles the page tables and memory mappings.
"This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache," reads the advisory detailing the vulnerability.
"Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."
Google researcher finds that when a mounted filesystem image is mutated directly (for example, by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
Thus, malicious program or an attacker can simply make changes to evicted pages stored on the disk without informing the virtual management subsystem, tricking the destination processes into loading manipulated malicious content into the memory.
"It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process," the resaercher says.
In addition to this vulnerability, the Project Zero researcher also found a similar copy-on-write behavior bypass (CVE-2019-6208) by abusing another function on macOS operating system.
The researcher notified Apple of both the vulnerabilities back in November 2018 and the company privately acknowledged the existence of the flaws. While Apple patched the latter flaw in January 2019 update, the former flaw remains unaddressed even after the 90-day deadline Project Zero provides the affected companies.
So, the researchers made the vulnerability public with a "high severity" label and also released the proof-of-concept code that demonstrates the bug, which remains unpatched at the time of writing.
Apple is currently working with the Project Zero team on a fix for the vulnerability, which is intended to be included in a future macOS release.