New Threat Discovered: Mac Users, Stay Alert

Researchers have discovered a vulnerability in macOS that allows interception of Apple’s applications. The vulnerability, known as DIRTYNIB, was found in macOS Monterey and persists despite efforts to address it.

Graphical applications on macOS typically rely on NIB files to define their user interface. However, replacing the NIB files inside an application's package does not revoke the application's access rights, even after Gatekeeper has verified the application. This means that attackers can modify applications after they have been deployed, which is a significant risk given that Apple grants privileged rights to its own applications.

The DIRTYNIB method enables the execution of arbitrary code from the NIB file. To exploit this, a new NIB file is created using Xcode, an object is added to the interface, and a class for NSAppleScript is defined. By associating a button with the created AppleScript object, the AppleScript can be triggered.

To demonstrate the vulnerability, researchers targeted the Apple Pages application. By replacing the existing NIB file with their DIRTYNIB file, they were able to take control of code execution.

In subsequent versions of macOS, new restrictions were implemented to mitigate this exploit. However, researchers have discovered ways to bypass these restrictions by leveraging other Apple applications with similar permissions, such as CarPlay Simulator.
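
A defender-side check for the NIB replacement described above, added here as an example (it is not code from the researchers or from Apple): it compares every NIB file in a bundle with the SHA-256 recorded when the bundle was signed. It assumes the seal lives in `Contents/_CodeSignature/CodeResources` as a plist whose `files2` dictionary maps paths relative to `Contents/` to entries carrying a `hash2` digest; `Demo.app` and its contents are constructed sample data.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def check_nibs(app: Path) -> dict:
    """Return {relative path: finding} for NIB files that differ from the seal."""
    contents = app / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})
    sealed = {k: v for k, v in sealed.items() if ".nib" in k and isinstance(v, dict)}
    # A NIB may be a single file or a directory of files, so match on the path.
    on_disk = {p.relative_to(contents).as_posix() for p in contents.rglob("*")
               if p.is_file() and ".nib" in p.relative_to(contents).as_posix()}
    findings = {}
    for rel in sorted(on_disk | set(sealed)):
        entry = sealed.get(rel)
        if rel not in on_disk:
            if not entry.get("optional"):      # localized resources may be absent
                findings[rel] = "missing"
        elif entry is None or "hash2" not in entry:
            findings[rel] = "unsealed"         # present on disk, not covered by the seal
        elif hashlib.sha256((contents / rel).read_bytes()).digest() != entry["hash2"]:
            findings[rel] = "modified"         # content changed after signing
    return findings


def build_demo_bundle(root: Path) -> Path:
    """Constructed sample bundle (not a real application) with one sealed NIB."""
    app = root / "Demo.app"
    nib = app / "Contents" / "Resources" / "Base.lproj" / "MainMenu.nib"
    nib.parent.mkdir(parents=True)
    nib.write_bytes(b"constructed original nib bytes")
    seal = {"files2": {"Resources/Base.lproj/MainMenu.nib": {
        "hash2": hashlib.sha256(nib.read_bytes()).digest(), "optional": True}}}
    sig_dir = app / "Contents" / "_CodeSignature"
    sig_dir.mkdir()
    with open(sig_dir / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = build_demo_bundle(Path(tmp))
        print("as signed:", check_nibs(demo))
        (demo / "Contents/Resources/Base.lproj/MainMenu.nib").write_bytes(b"replaced")
        print("after replacement:", check_nibs(demo))
```

This example does not validate the signature over `CodeResources` itself; on a Mac, `codesign --verify --deep --strict` on the application path performs that full check.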

Conclusion

This vulnerability was initially reported to Apple in November 2021. Despite assurances that it would be addressed, the issue remains uncorrected. The researchers have expressed their disappointment with the reward program for reporting Apple’s vulnerabilities, highlighting the challenges they encountered throughout the process.

Note: The researchers acted responsibly by disclosing this vulnerability and actively working towards its resolution.
