Full Report
macOS has too many things going on for its own good: far too much to analyze statically. So the author built a tool that picks out apps with Full Disk Access (FDA) entitlements and runs a syscall trace on them. While looking for code that reads files and environment variables, he noticed some scary hits. The article is about a scan that led to a bug.

The environment variable MTL_DUMP_PIPELINES_TO_JSON_FILE belongs to the Metal framework, which is used by many macOS programs. When it is set, the application opens the named file and writes data to it. Pretty simple! How does this work? Courtesy of the fs_usage command:

1. A temporary file is opened with the open() syscall.
2. write() is called to write data to this file.
3. rename() is called on the temporary file to move it to the path we control.

rename() in place is not a safe operation. Why not? There is a race between the open and the copying of the data: a classic time-of-check vs. time-of-use (TOCTOU) bug on this call. By changing the target to a symlink pointing somewhere else at the right moment, we can cause major havoc! Even better, we can control the data being written by catching the temporary file as soon as it is created, so when the rename happens, we control the contents of the file. Between the controllable data and the rename TOCTOU, we get a write of arbitrary data to an arbitrary location. Pretty neat!

How does the author go about exploiting this?

1. Create a symlink that points to the Apple TCC directory.
2. Create a directory at an attacker-controlled location.
3. Set the vulnerable environment variable to a file in that temporary directory and run the vulnerable app.
4. Catch the open() of the temporary file in the directory and write our malicious TCC database into it.
5. Swap the symlink target back and forth over and over until the rename executes.
6. Wait and see whether we won the race.

With some luck, the TCC.db file has been overwritten with our own!
It's a pretty slick bug that exploits complexity within the rename syscall. Apple fixed this by removing most of the Metal ENV variables.
Analysis Summary
# Vulnerability: Arbitrary File Write via Metal Framework TOCTOU (lateralus)
## CVE Details
- **CVE ID:** CVE-2023-32407
- **CVSS Score:** 7.8 (High) - *Estimated based on local privilege escalation/TCC bypass impact*
- **CWE:** CWE-367 (Time-of-Check to Time-of-Use / TOCTOU)
## Affected Systems
- **Products:** Apple macOS (Ventura and earlier)
- **Versions:** Affected versions prior to macOS 13.4
- **Configurations:** Applications with Full Disk Access (FDA) entitlements that utilize the Metal framework (e.g., the `Music` app).
## Vulnerability Description
The Metal framework utilizes an environment variable, `MTL_DUMP_PIPELINES_TO_JSON_FILE`, for debugging purposes. When set, the framework uses `NSFileManager`'s `createFileAtPath()` to write data to a user-specified path.
The underlying process involves creating a temporary file (`.dat.nosyncXXXX.XXXXXX`), writing data to it, and then calling `rename()` to move it to the final destination. Because the kernel resolves the "source" and "destination" paths of a `rename()` call separately, a race condition exists. An attacker can swap the destination directory for a symbolic link between the time the kernel resolves the source file and the time it resolves the destination path. This allows the attacker to redirect the final write to an arbitrary location.
## Exploitation
- **Status:** PoC documented; fixed by vendor.
- **Complexity:** Medium (Requires winning a filesystem race condition).
- **Attack Vector:** Local (Requires the ability to set environment variables and execute a vulnerable FDA-entitled application).
### Exploitation Step-by-Step
1. Identify an app with Full Disk Access (FDA) that loads the Metal framework (e.g., `Music`).
2. Set `MTL_DUMP_PIPELINES_TO_JSON_FILE` to a path within an attacker-controlled directory.
3. Use a script to monitor for the creation of the temporary `.dat.nosync` file.
4. Once created, overwrite the contents of the temporary file with a malicious TCC database.
5. Rapidly swap the parent directory with a symlink pointing to `/Users/Shared/Library/Application Support/com.apple.TCC/` (or similar).
6. If the race is won, the system `TCC.db` is overwritten, granting the attacker broad permissions.
## Impact
- **Confidentiality:** High (Access to all user data via TCC bypass).
- **Integrity:** High (Ability to overwrite system configuration files and databases).
- **Availability:** High (Potential to corrupt critical system files).
## Remediation
### Patches
- **macOS Ventura 13.4:** Apple addressed the issue by restricting or removing several Metal environment variables and improving the handling of path resolutions.
- **AMFI Updates:** General improvements to Apple Mobile File Integrity (AMFI) were rolled out to limit environment variable injection as an attack vector.
### Workarounds
- Revoke Full Disk Access (FDA) from applications that do not strictly require it.
- Restrict the ability of untrusted processes to set environment variables for entitled binaries.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected `.dat.nosyncXXXX.XXXXXX` files in user-writable directories.
  - System logs showing frequent or rapid `rename()` calls in temporary directories.
  - Unauthorized modifications to the `TCC.db` file.
- **Detection Methods:** Monitor for the use of `MTL_DUMP_PIPELINES_TO_JSON_FILE` in production environments via EDR or `eslogger`.
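The indicators and the detection method above translate into four rules. The following added example (not code from the write-up or from any EDR product) runs them over a constructed, simplified event stream; the event dictionaries, the `proc`/`env`/`src`/`dst` field names, the process paths and the thresholds are all assumptions for the demonstration, not the `eslogger` or `fs_usage` output format. The stream assumes the telemetry source reports a rename's destination as the path it actually resolved to, and it treats the `tccd` daemon as the one legitimate writer of `TCC.db`.

```python
"""Detection rules for the lateralus indicators, over constructed sample events.

Added example, not from the write-up. The event schema, sample values and
thresholds are assumptions; only the env variable name, the .dat.nosync
temp-file prefix and the TCC.db location come from the advisory text.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass

TRIGGER_ENV = "MTL_DUMP_PIPELINES_TO_JSON_FILE"
TCC_DB_RE = re.compile(r"/com\.apple\.TCC/TCC\.db$")
NOSYNC_TMP_RE = re.compile(r"/\.dat\.nosync[^/]+$")        # .dat.nosyncXXXX.XXXXXX
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
RENAME_BURST_COUNT = 5        # assumption: >=5 renames ...
RENAME_BURST_WINDOW = 1.0     # ... by one pid in one dir within 1 s is a burst
TRUSTED_TCC_WRITERS = {"tccd"}  # assumption: compared by executable basename


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def analyze(events):
    """Apply the four rules to a list of event dicts and return the findings."""
    findings = []
    rename_times = defaultdict(list)   # (pid, directory) -> recent rename timestamps
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pid = ev["type"], ev["pid"]
        if kind == "exec":
            # Rule 1: the debug variable set on any process at all.
            target = ev.get("env", {}).get(TRIGGER_ENV)
            if target is not None:
                findings.append(Finding("metal_dump_env_set", pid, f"{ev['proc']} -> {target}"))
        elif kind == "create":
            # Rule 2: the Metal temp file appearing in a user-writable location.
            p = ev["path"]
            if NOSYNC_TMP_RE.search(p) and p.startswith(USER_WRITABLE):
                findings.append(Finding("nosync_tmpfile", pid, p))
        elif kind == "rename":
            # Rule 3: rapid rename() churn in one directory (the symlink swapping).
            d = os.path.dirname(ev["src"])
            if d.startswith(USER_WRITABLE):
                key = (pid, d)
                ts = rename_times[key]
                ts.append(ev["ts"])
                while ts and ev["ts"] - ts[0] > RENAME_BURST_WINDOW:
                    ts.pop(0)
                if len(ts) >= RENAME_BURST_COUNT and key not in burst_reported:
                    burst_reported.add(key)
                    findings.append(Finding("rename_burst", pid, f"{len(ts)} renames in {d}"))
        if kind in ("rename", "modify"):
            # Rule 4: anything other than tccd landing a write on TCC.db.
            path = ev["dst"] if kind == "rename" else ev["path"]
            if TCC_DB_RE.search(path) and os.path.basename(ev["proc"]) not in TRUSTED_TCC_WRITERS:
                findings.append(Finding("tcc_db_modified", pid, f"{ev['proc']} wrote {path}"))
    return findings


MUSIC = "/System/Applications/Music.app/Contents/MacOS/Music"
TCC_DB = "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"

# Constructed sample stream: one benign exec, one app started with the
# variable set, the temp file, a swapping loop from another pid, the
# redirected rename, and a legitimate tccd write that must not alert.
SAMPLE_EVENTS = [
    {"ts": 0.00, "type": "exec", "pid": 501, "proc": MUSIC,
     "env": {"HOME": "/Users/alice", TRIGGER_ENV: "/Users/alice/dump/pipelines.json"}},
    {"ts": 0.10, "type": "exec", "pid": 502, "proc": "/Applications/Safari.app/Contents/MacOS/Safari",
     "env": {"HOME": "/Users/alice"}},
    {"ts": 0.20, "type": "create", "pid": 501, "proc": MUSIC,
     "path": "/Users/alice/dump/.dat.nosync0a1b.c2d3e4"},
] + [
    {"ts": 0.21 + 0.01 * i, "type": "rename", "pid": 777, "proc": "/bin/sh",
     "src": "/Users/alice/dump" if i % 2 == 0 else "/Users/alice/dump.lnk",
     "dst": "/Users/alice/dump.real" if i % 2 == 0 else "/Users/alice/dump"}
    for i in range(6)
] + [
    {"ts": 0.30, "type": "rename", "pid": 501, "proc": MUSIC,
     "src": "/Users/alice/dump/.dat.nosync0a1b.c2d3e4", "dst": TCC_DB},
    {"ts": 0.40, "type": "modify", "pid": 90,
     "proc": "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd", "path": TCC_DB},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:20} pid={f.pid:<5} {f.detail}")
```

Running it over `SAMPLE_EVENTS` yields exactly four findings, one per rule, and nothing for the Safari launch or the `tccd` write. Rules 1 and 2 are the cheap, early signals; rule 3 fires only once per `(pid, directory)` so a real swapping loop does not flood the queue; rule 4 is the one that should page someone regardless of how it was reached.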
## References
- **Vendor Advisory:** [https://support.apple.com/en-us/HT213758](https://support.apple.com/en-us/HT213758)
- **Researcher Blog:** [https://gergelykalman.com/lateralus-CVE-2023-32407-a-macOS-TCC-bypass.html](https://gergelykalman.com/lateralus-CVE-2023-32407-a-macOS-TCC-bypass.html)