According to a report from the information security company Computest, the vulnerability allows a process injection attack in macOS, letting an attacker read every file on the Mac and elevate privileges to the root user.
With this vulnerability, Computest researcher Tijs Alkemade was able to get out of the macOS sandbox and then bypass System Integrity Protection (SIP), the primary protection to prevent unauthorized code from accessing sensitive files on a Mac.
Alkemade, who gave a talk at the Black Hat conference in Las Vegas, first discovered the vulnerability in December 2020 and reported the issue to Apple through the Bug Bounty program. Since then, Apple has released two updates to fix this vulnerability, the first in April 2021 and the second in October 2021.
The CVE-2021-30873 bug could allow malicious applications to gather sensitive user information and elevate the attacker's privileges to root to move around the system.
The vulnerability resides in a "serialized" object in the saved state system, which records the applications and windows you have open when you shut down your Mac. The same system is also used while an app is in App Nap.
When an application starts, it reads these saved state files and tries to load them using the insecure version of the "serialized" object. An attacker could create such files in a location from which another application would load them. Essentially, a malicious "serialized" object is crafted that makes the system behave the way the cybercriminal wants.
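To make the "insecure version of the serialized object" concrete, here is an added example (not Computest's or Apple's code) in Swift showing the two ways a macOS app can unarchive a saved-state record: the legacy NSKeyedUnarchiver call, which instantiates whatever class the archive names, beside the NSSecureCoding form with an explicit class allow-list. WindowLayout and the sample archives are constructed for illustration.

```swift
import Foundation

// Hypothetical saved-state record; adopting NSSecureCoding lets the
// unarchiver enforce which classes may be instantiated.
final class WindowLayout: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { true }
    let title: String
    let tabIndex: Int

    init(title: String, tabIndex: Int) {
        self.title = title
        self.tabIndex = tabIndex
    }

    required init?(coder: NSCoder) {
        // Decode only the classes this record is expected to contain.
        guard let t = coder.decodeObject(of: NSString.self, forKey: "title") else { return nil }
        title = t as String
        tabIndex = coder.decodeInteger(forKey: "tabIndex")
    }

    func encode(with coder: NSCoder) {
        coder.encode(title as NSString, forKey: "title")
        coder.encode(tabIndex, forKey: "tabIndex")
    }
}

// Insecure pattern: the class named inside the archive is instantiated and its
// init(coder:) runs before the cast below gets a chance to reject it.
func restoreInsecurely(_ data: Data) -> WindowLayout? {
    return NSKeyedUnarchiver.unarchiveObject(with: data) as? WindowLayout
}

// Hardened pattern: secure coding with an allow-list, so an archive whose root
// is any other class fails to decode instead of being constructed.
func restoreSecurely(_ data: Data) throws -> WindowLayout? {
    return try NSKeyedUnarchiver.unarchivedObject(ofClass: WindowLayout.self, from: data)
}

// Constructed samples: a legitimate archive and one whose root is a different class.
let good = try NSKeyedArchiver.archivedData(
    withRootObject: WindowLayout(title: "Untitled", tabIndex: 2), requiringSecureCoding: true)
let foreign = try NSKeyedArchiver.archivedData(
    withRootObject: ["not": "a layout"] as NSDictionary, requiringSecureCoding: true)

print(try restoreSecurely(good)?.title ?? "nil")
print(restoreInsecurely(foreign) == nil)   // nil only after the NSDictionary was already built
do { _ = try restoreSecurely(foreign) } catch { print("rejected: \(error.localizedDescription)") }
```

The difference to look for in a code review is whether the decode side names the permitted classes; with the legacy call, the archive's contents decide what gets instantiated.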
From here, the expert was able to escape the Mac app sandbox. By injecting code into another application, the scope of the attack can be expanded. In addition, the specialist was able to bypass SIP protection and read almost all files on the disk, as well as modify certain system files.
At the moment, there are no cases of exploitation of the vulnerability. The vulnerability shows how an attacker can move through the entire OS, gaining access to more data. As local security in macOS increasingly approaches the iOS model, several parts of the system need to be rethought, Alkemade said.