CVE-2018-4237
published 2018-06-08


Priority: P2 (77, high) · CVSS 3.0 base score 7.8 (High)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 13.92% (96.1st percentile)
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "libxpc" component. It allows attackers to gain privileges via a crafted app that leverages a logic error.

Affected

9 ranges
Vendor / Product: Version range; Fixed in
apache / spamassassin: >= 0, < 3.4.2-0ubuntu0.14.04.1+esm1; fixed in 3.4.2-0ubuntu0.14.04.1+esm1
apple / ios: (no version range given)
apple / iphone_os: < 11.4; fixed in 11.4
apple / mac_os_x: < 10.13.5; fixed in 10.13.5
apple / macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0: (no version range given)
apple / tvos: < 11.4; fixed in 11.4
apple / tvos: (no version range given)
apple / watchos: < 4.3.1; fixed in 4.3.1
apple / watchos: (no version range given)

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2018-4237/ssudo
filename: ssudo
  • Monitor for processes executed from /tmp (or other world-writable directories) whose file names are random 6–12 character lowercase-alpha strings; that is the naming pattern the Metasploit module uses for both the exploit binary and the payload it drops.
  • Detect use of task_set_special_port to replace a process's bootstrap port; that is the core primitive the exploit uses to man-in-the-middle launchd communication.
  • Alert on processes interposing on XPC traffic to opendirectoryd, in particular a non-root process that spawns sudo and sits between it and opendirectoryd so it can forge the credential-validation reply.
  • Flag execution of a Metasploit osx/x64/meterpreter/reverse_tcp payload dropped to a writable directory (e.g. /tmp) and launched from a short, random-named parent process; this matches the module's default payload and delivery chain.
  • The Metasploit module targets macOS <= 10.13.3 only; its check method reports 10.13.4 and later as Safe. NVD's affected range for macOS is < 10.13.5, so a 10.13.4 host is "Safe" by the module's check yet still inside the vulnerable range; do not treat the module's check result as a patch-status verdict.
  • The exploit requires an existing non-root session on the target; it aborts if the session already has root privileges.
  • The exploit requires a writable directory on the target (default /tmp) in which to stage both the ssudo exploit binary and the payload executable.
  • Sources describe the vulnerability inconsistently: NVD and the Metasploit module attribute it to a logic error in libxpc, while Apple's security pages for iOS, macOS, tvOS and watchOS (as extracted here) describe it as memory corruption / a buffer overflow in the Kernel component.
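A worked example of the host-side detection logic in the bullets above, run over a handful of constructed process-exec events. This is added example code, not part of this page, of the Metasploit module, or of any vendor product. The event schema (pid, ppid, uid, path, parent_path) is an assumption standing in for whatever your EDR, Endpoint Security client or osquery process_events table actually emits, and the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Directories an unprivileged user can stage files in. On macOS /tmp is a symlink to
# /private/tmp and Endpoint Security reports the resolved path, so both forms are listed.
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# 6-12 lowercase letters: the random-name pattern the page attributes to the module.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}$")
SUDO_PATH = "/usr/bin/sudo"

Event = Dict[str, object]
Hit = Tuple[str, int, str]


def in_writable_dir(path: str) -> bool:
    return path.startswith(WRITABLE_DIRS)


def random_tmp_binary(path: str) -> bool:
    """True for an executable in a writable dir whose basename is 6-12 lowercase letters."""
    return in_writable_dir(path) and RANDOM_NAME.match(path.rsplit("/", 1)[-1]) is not None


def analyze(events: List[Event]) -> List[Hit]:
    """Run three rules over exec events in arrival order; return (rule, pid, detail) hits."""
    hits: List[Hit] = []
    seen: Dict[int, Event] = {}  # pid -> exec event, so a later event can walk its parent chain
    for ev in events:
        pid, ppid, uid = int(ev["pid"]), int(ev["ppid"]), int(ev["uid"])
        path, parent_path = str(ev["path"]), str(ev["parent_path"])
        seen[pid] = ev

        # Rule 1: random-named executable launched from a writable directory (noisy on its own).
        if random_tmp_binary(path):
            hits.append(("random_tmp_exec", pid, path))

        # Rule 2: sudo started by a non-root process whose own image lives in a writable dir.
        if path == SUDO_PATH and uid != 0 and in_writable_dir(parent_path):
            hits.append(("sudo_from_writable_parent", pid, f"{parent_path} -> {path}"))

        # Rule 3: the full delivery chain: random /tmp binary -> sudo -> random /tmp payload as root.
        parent = seen.get(ppid)
        if (random_tmp_binary(path) and uid == 0
                and parent is not None and parent["path"] == SUDO_PATH
                and random_tmp_binary(str(parent["parent_path"]))):
            hits.append(("tmp_exploit_sudo_payload_chain", pid,
                         f"{parent['parent_path']} -> {SUDO_PATH} -> {path}"))
    return hits


# Constructed sample events (assumed schema, not real telemetry): a benign sudo from a shell,
# a /tmp build artefact whose name does not match, and the three-step chain the module produces.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 500, "ppid": 1,   "uid": 501, "path": "/bin/zsh",                "parent_path": "/sbin/launchd"},
    {"pid": 501, "ppid": 500, "uid": 501, "path": "/usr/bin/sudo",           "parent_path": "/bin/zsh"},
    {"pid": 502, "ppid": 501, "uid": 0,   "path": "/usr/bin/id",             "parent_path": "/usr/bin/sudo"},
    {"pid": 700, "ppid": 500, "uid": 501, "path": "/tmp/build-out-1.2",      "parent_path": "/bin/zsh"},
    {"pid": 600, "ppid": 500, "uid": 501, "path": "/private/tmp/ajsdkfqw",   "parent_path": "/bin/zsh"},
    {"pid": 601, "ppid": 600, "uid": 501, "path": "/usr/bin/sudo",           "parent_path": "/private/tmp/ajsdkfqw"},
    {"pid": 602, "ppid": 601, "uid": 0,   "path": "/private/tmp/xkcdpwqhl",  "parent_path": "/usr/bin/sudo"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid:<5d} {detail}")
```

Rule 1 fires on pids 600 and 602, rule 2 on 601, and rule 3 only on 602, where a root-level exec from /tmp has sudo as its parent and a random-named /tmp binary as its grandparent. Rule 1 alone will also catch legitimate build tooling, so alert on rule 3 and use rules 1 and 2 as supporting context; none of this depends on the module's version check, which is too narrow to serve as a patch-status signal.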

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv        -         6.7     MEDIUM     -
vulncheck  -         7.8     HIGH       -