Conference:  Black Hat Asia 2023

Authors: Koh Nakagawa

2023-05-12

In recent years, Arm processors have become popular on laptops, not limited to embedded devices. For example, Apple announced the Mac transition from Intel to Arm-based Apple Silicon in 2020, which made a big splash. Apple Silicon Mac has Rosetta 2, which enables the execution of Intel-based apps by translating x64 code into Arm64 code. Several researchers have conducted research on Rosetta 2 from a performance perspective. However, to our best knowledge, there is no research on Rosetta 2 from a security perspective.In this talk, we present a new code injection vulnerability in Rosetta 2. Rosetta 2 stores binary translation results as Ahead-Of-Time (AOT) files, which are cached and reused for the next application launch. Since these files are SIP-protected, we cannot modify these files even as root users. However, we developed a new exploit that bypasses this SIP protection and injects arbitrary code into AOT files with user privileges. This code injection can be used to bypass macOS security and privacy mechanisms. Moreover, this technique enables us to make a stealthy backdoor by hiding a malicious payload in a SIP-protected location. Apple has fixed this vulnerability, but only partially. Therefore, an attacker can still exploit this vulnerability even for the latest macOS.Our journey does not end with this finding. Interestingly, we also discovered a similar issue in Arm-based Windows x86/x64 emulation and developed a similar code injection. Therefore, we believe this vulnerability is prevalent among these compatibility technologies and will affect similar technologies introduced in the future.This talk will show the vulnerabilities specific to these compatibility technologies in Arm-based OSs for the first time. New code injection techniques with PoC code benefit red teams. In addition, new exploit techniques and reverse engineering results will help future vulnerability research.