Unpatched vulnerability affect all versions of macOS, allows code execution and Root access

A security researcher (@s1guza) has published the details of an unpatched vulnerability in macOS that can be exploited to gain full control of a system.

The bug is a critical local privilege escalation (LPE) affects IOHIDFamily, which is a kernel extension designed for human interface devices (HID) (e.g. the touchscreen, buttons, accelerometer, etc.). The bug could enable an unprivileged user (hacker) to obtain root permissions and execute malicious code on the affected system.

The researcher was checking the iOS code searching for bugs in the iOS kernel when he found that the component IOHIDSystem exists only on macOS.

According to the researcher:
“I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.”

The researcher wrote a proof of concept code, called IOHIDeous, that works for Sierra and High Sierra (up to 10.13.1,) and is capable to disable both the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI).

Siguza (the researcher) believes that the flaw has been around since at least 2002, but some signs suggest it could really be a decade older than that. He said “One tiny, ugly bug. Fifteen years. Full system compromise,”