Microsoft uncovered exploit for macOS sandbox escape bug


Microsoft claims that the vulnerability could allow specially crafted code to run unrestricted on Apple’s operating system.

The bug, identified as CVE-2022-26706, could allow threat actors to bypass App Sandbox restrictions. App Sandbox is Apple’s access control feature that developers must adopt to distribute their apps via the Mac App Store.

According to researchers at Microsoft, attackers could abuse the vulnerability to gain elevated privileges on the affected device or execute malicious commands.

The bug was discovered when Microsoft’s researchers explored potential ways to run and detect malicious macros in Microsoft Office running on macOS.

Figure: Sample minimal PoC exploit code. Image by Microsoft.

App Sandbox restrictions could be bypassed using a specially crafted Word macro. Microsoft noted that this entry point is particularly important because threat actors already favour macros for deploying malware on Windows devices.

“Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix,” said Microsoft’s blog post.

The company’s researchers created a proof of concept that bypasses the rule preventing macOS from running files carrying the ‘com.apple.quarantine’ extended attribute.

“However, --stdin bypassed the ‘com.apple.quarantine’ extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file,” reads the blog post.
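As an added illustration (not Microsoft's code and not part of the original article) of how a defender might spot the primitive the post describes, the heuristic below scans process-execution events for an Office process launching Launch Services' `open --stdin` with a script interpreter as the target application. The event format, the parent-process names and the interpreter list are assumptions for this example, and the sample events are constructed.

```python
import shlex

# Constructed process-execution events for this example (not a real macOS log
# format): "parent process name|child executable|child command line".
SAMPLE_EVENTS = """\
Microsoft Word|/usr/bin/open|open --stdin /Users/alice/Documents/payload.py -a Python
Microsoft Word|/usr/bin/open|open /Users/alice/Documents/report.pdf
Finder|/usr/bin/open|open --stdin /tmp/notes.txt -a Python
Microsoft Excel|/usr/bin/open|open -a Python3 --stdin='/Users/alice/Downloads/x.py'
Microsoft Excel|/usr/bin/open|open --stdin /tmp/notes.txt -a TextEdit
"""

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# Targets that execute whatever arrives on standard input (assumed list).
INTERPRETERS = {"python", "python3", "osascript", "bash", "sh", "zsh", "ruby", "perl"}


def parse_open_argv(argv):
    """Return (stdin_path, app) from an `open` command line; either may be None."""
    args = shlex.split(argv)
    stdin_path = app = None
    i = 1
    while i < len(args):
        a = args[i]
        if a.startswith("--stdin="):                  # open --stdin=PATH
            stdin_path = a.split("=", 1)[1]
        elif a == "--stdin" and i + 1 < len(args):    # open --stdin PATH
            stdin_path, i = args[i + 1], i + 1
        elif a == "-a" and i + 1 < len(args):         # open -a APPLICATION
            app, i = args[i + 1], i + 1
        i += 1
    return stdin_path, app


def detect(events=SAMPLE_EVENTS):
    """Return (parent, stdin_path, app) for Office-spawned `open --stdin` runs
    whose target application is a script interpreter, i.e. a file's contents
    reaching an interpreter without its quarantine attribute being consulted."""
    findings = []
    for line in events.splitlines():
        parent, child, argv = line.split("|", 2)
        if parent not in OFFICE_PARENTS or not child.endswith("/open"):
            continue
        stdin_path, app = parse_open_argv(argv)
        if stdin_path and app and app.rsplit("/", 1)[-1].lower() in INTERPRETERS:
            findings.append((parent, stdin_path, app))
    return findings


if __name__ == "__main__":
    for parent, path, app in detect():
        print(f"[!] {parent} ran: open --stdin {path} -a {app}")
```

On the sample events only the two Office-spawned runs that hand a file to a Python interpreter are reported; the benign `open` of a PDF, the Finder-originated run and the TextEdit target are ignored.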