Microsoft Discloses a Sandbox Escape Vulnerability Affecting Apple iOS, iPadOS and macOS Devices


Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple's operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware.

"An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads," Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a write-up.

Tracked as CVE-2022-26706 (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022.

Calling it an access issue affecting the LaunchServices (launchd) component, the tech giant noted that "A sandboxed process may be able to circumvent sandbox restrictions," adding that it mitigated the issue with additional restrictions.

While Apple's App Sandbox is designed to tightly regulate a third-party app's access to system resources and user data, the vulnerability makes it possible to bypass these restrictions and compromise the machine.

"The sandbox's primary function is to contain damage to the system and the user's data if the user executes a compromised app," Apple explains in its documentation.

"While the sandbox doesn't prevent attacks against your app, it does reduce the harm a successful attack can cause by restricting your app to the minimum set of privileges it requires to function properly."

Microsoft said it discovered the flaw during its attempts to figure out a way to escape the sandbox and execute arbitrary commands on macOS by concealing the malicious code in a specially crafted Microsoft Office macro.

Specifically, the tweet-sized proof-of-concept (PoC) devised by the tech giant leverages Launch Services as a means to run an open command — a utility used to open files and launch apps — on a Python payload containing rogue instructions.

But it's worth noting that any file dropped by a sandboxed app is automatically tagged with the "com.apple.quarantine" extended attribute so as to trigger a prompt requiring explicit user consent prior to execution.

This constraint, however, can be eliminated by utilizing the --stdin option of the open command associated with the Python exploit file.

"--stdin bypassed the 'com.apple.quarantine' extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file," Bar Or said.

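The bypass described above leaves a recognisable trace: a Launch Services `open` invocation that uses `--stdin` to pipe a file into an interpreter, so that the file's quarantine attribute is never consulted. The following added example (not Microsoft's PoC and not Apple's code) is a small detection check over constructed process-execution records; the record fields, the `open -a <app> --stdin <file>` command shape and the list of interpreter names are assumptions for illustration.

```python
# Added detection example (constructed data, not from the article or the PoC).
# Flags "open" invocations that feed a file to an interpreter via --stdin,
# the combination that sidesteps the com.apple.quarantine prompt.
import shlex
from dataclasses import dataclass

# Assumed set of interpreter app/binary names worth flagging.
INTERPRETERS = {"python", "python3", "perl", "ruby", "osascript", "sh", "bash", "zsh"}


@dataclass
class ProcExec:
    pid: int
    parent_sandboxed: bool        # launcher ran under App Sandbox (assumed sensor field)
    cmdline: str                  # full command line of the exec
    stdin_has_quarantine: bool    # xattr state of the --stdin file (assumed sensor field)


def parse_open(cmdline):
    """Return (app, stdin_path) for an `open` command line, or None if not `open`."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ("open", "/usr/bin/open"):
        return None
    app, stdin_path, i = None, None, 1
    while i < len(argv):
        if argv[i] == "-a" and i + 1 < len(argv):
            app, i = argv[i + 1], i + 2
        elif argv[i] == "--stdin" and i + 1 < len(argv):
            stdin_path, i = argv[i + 1], i + 2
        else:
            i += 1
    return app, stdin_path


def is_suspicious(ev):
    parsed = parse_open(ev.cmdline)
    if parsed is None or parsed[0] is None or parsed[1] is None:
        return False  # not `open`, or no interpreter target / no --stdin file
    name = parsed[0].rsplit("/", 1)[-1].lower()   # "Python", "/usr/bin/python3", "Python.app"
    if name.endswith(".app"):
        name = name[:-4]
    # Only alert when the launcher was sandboxed or the piped file was quarantined.
    return name in INTERPRETERS and (ev.parent_sandboxed or ev.stdin_has_quarantine)


def find_suspicious(events):
    return [ev.pid for ev in events if is_suspicious(ev)]


SAMPLE_EVENTS = [  # constructed sample records
    ProcExec(101, True, "open -a Python --stdin /tmp/payload.py", True),
    ProcExec(102, False, "open -a Preview ~/Documents/report.pdf", False),
    ProcExec(103, False, "open -a Python /tmp/script.py", True),   # no --stdin: prompt applies
    ProcExec(104, True, "/usr/bin/open --stdin /tmp/x.py -a /usr/bin/python3", True),
]
```

Running `find_suspicious(SAMPLE_EVENTS)` on the constructed records flags pids 101 and 104 only; event 103 opens the file normally, so the quarantine prompt still applies.
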
The Tao does nothing, yet nothing is left undone.

Tao Te Ching, Chapter 37

This article is translated from:

https://thehackernews.com/2022/07/microsoft-details-app-sandbox-escape.html

Please credit the original source when reposting.
