7.1 CVE-2024-40783

Privilege Escalation Buffer Overflow Path Traversal
 

The issue was addressed with improved restriction of data container access. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. A malicious application may be able to bypass Privacy preferences.
https://nvd.nist.gov/vuln/detail/CVE-2024-40783

Categories

CWE-285 : Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor. Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords. Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users. Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request. Terminal server does not check authorization for guest access. Database server does not use appropriate privileges for certain sensitive operations. Gateway uses default "Allow" configuration for its authorization settings. Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. System monitoring software allows users to bypass authorization by creating custom forms. Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. Content management system does not check access permissions for private files, allowing others to view those files. ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files. Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries. Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. OS kernel does not check for a certain privilege before setting ACLs for files. Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

References


 

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
1 Accessing Functionality Not Properly Constrained by ACLs
High
104 Cross Zone Scripting
High
127 Directory Indexing
Medium
13 Subverting Environment Variable Values
Very High
17 Using Malicious Files
Very High
39 Manipulating Opaque Client-based Data Tokens
Medium
402 Bypassing ATA Password Security
45 Buffer Overflow via Symbolic Links
High
5 Blue Boxing
Very High
51 Poison Web Service Registry
Very High
59 Session Credential Falsification through Prediction
High
60 Reusing Session IDs (aka Session Replay)
High
647 Collect Data from Registries
Medium
668 Key Negotiation of Bluetooth Attack (KNOB)
High
76 Manipulating Web Input to File System Calls
Very High
77 Manipulating User-Controlled Variables
Very High
87 Forceful Browsing
High


MITRE


Techniques

id description
T1005 Data from Local System
T1012 Query Registry
T1083 File and Directory Discovery
T1134.001 Access Token Manipulation:Token Impersonation/Theft
T1550.004 Use Alternate Authentication Material:Web Session Cookie
T1552.002 Unsecured Credentials: Credentials in Registry
T1562.003 Impair Defenses:Impair Command History Logging
T1565.002 Data Manipulation: Transmitted Data Manipulation
T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable
T1574.010 Hijack Execution Flow: ServicesFile Permissions Weakness
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1005 Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.
T1134.001 An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
T1550.004 Configure browsers or tasks to regularly delete persistent cookies.
T1552.002 If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
T1562.003 Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1565.002 Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
T1574.005 Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
T1574.010 Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.