Full Report
Entitlements are privilege capabilities on applications within macOS. They are stored as key-value pairs embedded within the application's code signature. In macOS, an app's UI is defined with a NIB file. For whatever reason, Gatekeeper doesn't invalidate access to an app if the NIB file has been swapped. Why is this a big deal? Code execution is trivial to get from a modified NIB file. In particular, this allows the use of the entitlements of the application that is running. By design this creates a pretty horrible privilege escalation. The author demonstrates how to do this using Xcode. With macOS Ventura, a new mitigation called Launch Constraints made this much, much harder. An application can be constrained in what can be done to it, such as being copied elsewhere and run with the same permissions as before. The previous PoC didn't work because of the launch constraints on the binary. They found a new candidate binary which was vulnerable to the same attack as before, and then another bypass on a later version. Apparently, they tried reporting this to Apple in 2021 but things just never got fixed. This seems like such a simple vulnerability; it's crazy this hasn't been fixed yet.
Analysis Summary
# Vulnerability: "DirtyNIB" Entitlement Hijacking
## CVE Details
- **CVE ID:** CVE-2022-48505 (Note: The researcher states this CVE was assigned during the disclosure process, though its exact scope is unclear as the underlying issue remains functional).
- **CVSS Score:** Not officially rated for the 0-day state (Estimated: 7.8 High - AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- **CWE:** CWE-353: Missing Support for Integrity Check
## Affected Systems
- **Products:** Apple macOS
- **Versions:** macOS Monterey, macOS Ventura, and macOS Sonoma (Current 0-day status).
- **Configurations:** Systems running applications with high-privilege entitlements (e.g., Apple platform binaries, CarPlay Simulator, Pages) that utilize NIB files for UI definition.
## Vulnerability Description
The "DirtyNIB" vulnerability exists because Gatekeeper and the macOS code-signing machinery fail to invalidate an application's execution or its entitlements if the NIB (compiled UI) files within the application bundle are modified or swapped after the initial security scan.
NIB files can be manipulated to include `NSAppleScript` objects. By using "User Defined Runtime Attributes," an attacker can embed arbitrary AppleScript and bind it to UI events (like a button click or menu selection). When the application executes, it runs the malicious script with the full set of entitlements granted to that specific application, effectively bypassing TCC (Transparency, Consent, and Control) prompts for resources like the microphone, photos, or keychain.
## Exploitation
- **Status:** PoC available; researcher claims it remains functional as a 0-day.
- **Complexity:** Low (requires basic knowledge of Xcode and macOS bundle structures).
- **Attack Vector:** Local (attacker must be able to copy the application bundle to a writable directory like `/tmp`).
## Impact
- **Confidentiality:** High (Access to user photos, microphone, keychain, and private data via hijacked entitlements).
- **Integrity:** High (Execution of arbitrary code/scripts within the context of a trusted Apple process).
- **Availability:** Low (Primary focus is data theft and privilege escalation).
## Remediation
### Patches
- **No definitive patch:** While Apple released "Launch Constraints" in Ventura to prevent running modified platform binaries from `/tmp`, the researcher identified bypasses (e.g., using the `CarPlay Simulator.app` or renaming bundle directories to evade detection).
### Workarounds
- **Strict Execution Policies:** Restrict the execution of applications from world-writable directories like `/tmp` or `/Users/Shared/`.
- **Endpoint Security:** Monitor for unusual modifications to `.nib` or `.plist` files within application bundles.
## Detection
- **Indicators of Compromise:**
  - Presence of duplicated Apple platform binaries in `/tmp`.
  - Modification of NIB files (e.g., `MainMenu.nib`, `TMAAboutPanel.nib`) within signed application bundles.
  - Unexpected `osascript` or AppleScript activity originating from official Apple applications (e.g., Pages, CarPlay Simulator).
- **Detection Methods:** Use macOS Endpoint Security Framework (ESF) to monitor file rename/move operations involving `.app/Contents` directories, especially followed by application execution.
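As an added defender-side example (not the researcher's code and not Apple tooling), the check below re-hashes every resource sealed in a bundle's `Contents/_CodeSignature/CodeResources` (the `files2` dictionary, whose `hash2` values are SHA-256 digests) against what is on disk, and separately lists `.nib` files present on disk that the seal never covered. The `Demo.app` it builds, its file names and contents are constructed for the demo; the seal layout it reads is the real one.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> bytes:
    return hashlib.sha256(path.read_bytes()).digest()

def verify_bundle_resources(bundle: Path) -> dict:
    """Re-check the resource seal. Paths in files2 are relative to Contents/ and
    each entry carries a 'hash2' (SHA-256), an 'optional' flag or a 'symlink'."""
    contents = bundle / "Contents"
    with (contents / "_CodeSignature" / "CodeResources").open("rb") as f:
        files2 = plistlib.load(f).get("files2", {})
    modified, missing = [], []
    for rel, entry in files2.items():
        target = contents / rel
        if "symlink" in entry or "hash2" not in entry:
            continue  # symlinks and hash-less entries are out of scope here
        if not target.is_file():
            if not entry.get("optional"):
                missing.append(rel)
        elif sha256_of(target) != entry["hash2"]:
            modified.append(rel)
    # A nib on disk that the seal never covered was dropped in after signing.
    unsealed = sorted(str(p.relative_to(contents)) for p in contents.rglob("*.nib")
                      if p.is_file() and str(p.relative_to(contents)) not in files2)
    return {"modified": modified, "missing": missing, "unsealed_nibs": unsealed}

def build_demo_bundle(root: Path) -> Path:
    """Constructed stand-in for a signed app: one nib plus the seal covering it."""
    lproj = root / "Demo.app" / "Contents" / "Resources" / "Base.lproj"
    lproj.mkdir(parents=True)
    (lproj / "MainMenu.nib").write_bytes(b"constructed compiled-nib bytes")
    rel = "Resources/Base.lproj/MainMenu.nib"
    seal = {"files2": {rel: {"hash2": sha256_of(lproj / "MainMenu.nib")}}}
    sig = root / "Demo.app" / "Contents" / "_CodeSignature"
    sig.mkdir()
    with (sig / "CodeResources").open("wb") as f:
        plistlib.dump(seal, f)  # written as <data>, loads back as bytes
    return root / "Demo.app"

def run_demo() -> tuple:
    """Verify a clean constructed bundle, then the same bundle after a nib swap."""
    bundle = build_demo_bundle(Path(tempfile.mkdtemp()))
    clean = verify_bundle_resources(bundle)
    (bundle / "Contents/Resources/Base.lproj/MainMenu.nib").write_bytes(b"swapped")
    (bundle / "Contents/Resources/Base.lproj/Injected.nib").write_bytes(b"added")
    return clean, verify_bundle_resources(bundle)
```

The seal is only as trustworthy as the signature over it, so on macOS pair this with `codesign --verify --deep --strict` on the copied bundle; what this check adds is naming exactly which resource was swapped or added.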
## References
- **Researcher Blog:** hxxps[://]blog[.]xpnsec[.]com/dirty-nib/
- **PoC XIB/NIB:** hxxps[://]gist[.]github[.]com/xpn/16bfbe5a3f64fedfcc1822d0562636b4
- **TrustCache Research:** hxxps[://]gist[.]github[.]com/sbingner/ (Referenced via Linus Henze)
- **X/Twitter Thread:** hxxps[://]x[.]com/_xpn_/status/1673403955634905095?s=20