Full Report
Inspired by Kevin Backhouse’s great work on finding XNU remote vulnerabilities, I decided to spend some time looking at CodeQL and performing some variant analysis. This led to the discovery of a local root to kernel (although documented by Apple as remote) vulnerability within the 6LowPAN code of macOS 10.15.4.
Analysis Summary
# Vulnerability: Local Kernel Privilege Escalation via 6LowPAN Mbuf Handling
## CVE Details
- CVE ID: CVE-2020-9967
- CVSS Score: Not explicitly provided in the text; however, given the outcome (Local Root to Kernel), it is likely **High Severity (9.0+)**.
- CWE: Insufficient Validation of Array/Buffer Size (Related to memory corruption)
## Affected Systems
- Products: Apple macOS
- Versions: macOS 10.15.4 (and potentially others prior to the patch)
- Configurations: Systems utilizing the 6LowPAN networking stack within the XNU kernel. The vulnerability was discovered as a 'local root' issue, although Apple documented it differently.
## Vulnerability Description
The vulnerability exists within the 6LowPAN code in the XNU kernel, specifically related to how network packets stored in `mbuf` structures are processed during decompression (likely in `sixxlowpan_uncompress`). The researcher used CodeQL variant analysis targeting memory functions where the size argument (`len`) could be tainted by untrusted network data (`m_mtod` as the source for size), flowing into a memory copy (`__builtin___memmove_chk`). This unchecked flow allows an attacker to control the size parameter of a memory operation, leading to an out-of-bounds write into the kernel memory area containing chained `mbuf` structures. This results in corruption of subsequent adjacent `mbuf` structures, achieving heap corruption and potential kernel code execution (Local Root).
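The flow described above, a length taken from packet data reaching a `memmove` size without validation, is easiest to reason about on a small model. The following is an added example and is not code from the page, the blog post or XNU: the chunk layout, the toy length-prefixed header format and the sample packet bytes are all assumptions made for illustration. It computes, rather than executes, how far an unchecked copy would run past the chunk into whatever is adjacent in memory, and shows the bounds check a hardened decompressor applies before using the sender-supplied length.

```c
/* Added example (constructed; not code from the page, the blog post or XNU):
 * a simplified mbuf-like chunk showing why a length read out of packet data
 * must be validated against the buffer that holds it before it is used as the
 * size of a memmove(). The struct layout, the toy "length-prefixed" header
 * format and the sample packet bytes are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB_DATA 64                 /* constructed: payload bytes per chunk */

struct mb {
    struct mb *next;               /* next chunk in the chain (unused here) */
    size_t     len;                /* valid bytes currently in data[] */
    uint8_t    data[MB_DATA];
};

/* Load packet bytes into a chunk, as a receive path would. */
void mb_fill(struct mb *m, const uint8_t *pkt, size_t n)
{
    memset(m, 0, sizeof *m);
    if (n > MB_DATA)
        n = MB_DATA;
    memcpy(m->data, pkt, n);
    m->len = n;
}

/* Toy format: data[0] carries a header length supplied by the sender, so it is
 * tainted in exactly the sense the CodeQL query in the report looks for. */
static size_t tainted_len(const struct mb *m) { return m->data[0]; }

/* Bytes an unchecked memmove(data + 1, data + 2, tainted_len) would write past
 * the end of data[]; in a chain allocator that memory is typically the
 * adjacent chunk's header. Computed rather than executed, so the hazard can be
 * measured without undefined behaviour. */
size_t overflow_bytes(const struct mb *m)
{
    size_t end = 1 + tainted_len(m);          /* one past the last byte written */
    return end > MB_DATA ? end - MB_DATA : 0;
}

/* Hardened decompressor: the sender-supplied length is bounded by the bytes the
 * chunk actually holds before it becomes a copy size. Returns 0 on success,
 * -1 when the packet must be dropped. */
int uncompress_checked(struct mb *m)
{
    size_t n = tainted_len(m);
    /* source bytes data[2 .. 2+n) must exist in this chunk, which also keeps
       the destination data[1 .. 1+n) inside data[] */
    if (m->len < 2 || m->len > MB_DATA || n > m->len - 2)
        return -1;
    memmove(m->data + 1, m->data + 2, n);
    m->len -= 1;                              /* one header byte consumed */
    return 0;
}

/* Constructed sample packets: a well-formed one, and one whose length byte
 * claims far more than the chunk holds. */
static const uint8_t good_pkt[] = { 0x04, 0xAA, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t bad_pkt[]  = { 0xFF, 0xAA, 0x01, 0x02 };

/* Run one packet through the hardened path; returns its result and leaves the
 * chunk in *out for inspection. */
int process_packet(const uint8_t *pkt, size_t n, struct mb *out)
{
    mb_fill(out, pkt, n);
    return uncompress_checked(out);
}

int main(void)
{
    struct mb m;
    int rc = process_packet(bad_pkt, sizeof bad_pkt, &m);
    printf("bad packet: rc=%d, unchecked copy would overrun by %zu bytes\n",
           rc, overflow_bytes(&m));
    rc = process_packet(good_pkt, sizeof good_pkt, &m);
    printf("good packet: rc=%d, len=%zu, data[1]=0x%02x\n", rc, m.len, m.data[1]);
    return 0;
}
```

The check mirrors what a fix for this class of bug has to establish: the length is compared against the bytes the chunk actually holds, not against a value that itself came from the packet, and a failing packet is dropped rather than partially processed.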
## Exploitation
- Status: PoC available (demonstrated via custom CodeQL query and subsequent crash/heap corruption analysis).
- Complexity: Low to Medium (Requires local access, but the memory corruption primitive looks powerful).
- Attack Vector: Local (The description explicitly states "local root to kernel").
## Impact
- Confidentiality: High (Kernel compromise allows access to all system data).
- Integrity: High (Kernel memory manipulation allows arbitrary system modification).
- Availability: High (Kernel panic/crash possible).
## Remediation
### Patches
- The fix was included in Apple security updates issued after the report (May 11, 2020).
- **macOS Big Sur Update:** Referenced in Apple's advisory concerning this CVE (specific version number not listed in the text, refer to official Apple advisories).
### Workarounds
- No specific workarounds were detailed in the provided summary text. Disabling the 6LowPAN/802.15.4 networking stack if not required might serve as a theoretical mitigation if system configuration allows.
## Detection
- **Indicators of Compromise:** Kernel panics referencing functions like `sixxlowpan_uncompress`, improper `mbuf` chaining/pointers, or heap corruption patterns in kernel memory regions (e.g., KASAN warnings about modified buffers after free).
- **Detection Methods and Tools:** Monitoring for Kernel Panic tracebacks related to 6LowPAN processing. Utilizing security monitoring tools capable of detecting internal kernel heap corruption, such as KASAN (if applicable during debugging/testing).
## References
- Vendor Advisory: Refer to Apple Security Update regarding CVE-2020-9967.
- Blog Post: hxxps://alexplaskett.github.io/