Microsoft Releases Exploit For macOS Sandbox Escape Bug

July 14, 2022

Microsoft has released exploit code for a sandbox escape vulnerability in macOS. The vulnerability, tracked as CVE-2022-26706, could allow attackers to bypass sandbox restrictions and execute code on the system.

Microsoft's technical write-up explains how the macOS App Sandbox rules can be bypassed so that malicious macro code in Word documents can execute commands on the machine.

Microsoft’s researchers discovered that using Launch Services to run the open command with the “--stdin” option on a special Python file with the prefix allows them to escape the App Sandbox on macOS, leading to system compromise.

The researchers' proof-of-concept (PoC) uses the “--stdin” option of the open command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction.
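
A detection check for the behaviour described above, added here as an example and not taken from Microsoft's write-up or PoC: it scans process-launch events for a sandboxed Office app spawning open with the “--stdin” option. The JSON event format, the field names (parent, argv), the sample events and the parent list (which goes beyond Word to other Office apps) are assumptions constructed for illustration.

```python
import json
import os

# Assumption: sandboxed Office apps treated as suspicious parents of `open`.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}

# Constructed sample events (hypothetical telemetry format, one JSON object per line).
SAMPLE_EVENTS = [
    '{"parent": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word", '
    '"argv": ["/usr/bin/open", "--stdin", "/Users/test/Documents/sample.py"]}',
    '{"parent": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word", '
    '"argv": ["/usr/bin/open", "/Users/test/Documents/report.pdf"]}',
    '{"parent": "/bin/zsh", "argv": ["/usr/bin/open", "--stdin", "/tmp/input.txt"]}',
    'not-json: truncated record',
]

def stdin_target(argv):
    """Return the file handed to open via --stdin, or None if the option is absent."""
    if not isinstance(argv, list) or not argv:
        return None
    if os.path.basename(str(argv[0])) != "open":
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "--stdin":                      # separate-argument form
            return argv[i + 1] if i + 1 < len(argv) else ""
        if isinstance(arg, str) and arg.startswith("--stdin="):  # joined form
            return arg.split("=", 1)[1]
    return None

def find_suspicious(lines, parents=OFFICE_PARENTS):
    """Flag events where an Office app launches `open` with --stdin."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                              # skip malformed records
        if not isinstance(event, dict):
            continue
        parent = os.path.basename(str(event.get("parent", "")))
        target = stdin_target(event.get("argv"))
        if parent in parents and target is not None:
            hits.append({"line": lineno, "parent": parent, "stdin": target})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event is flagged: the second lacks “--stdin”, and the third comes from a shell rather than a sandboxed Office app.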

“Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious codes “escape” the sandbox and execute arbitrary commands on an affected device,” Microsoft said.

According to Jonathan Bar Or of the Microsoft 365 Defender Research Team, the vulnerability was discovered when investigating methods to execute and detect malicious macros in Microsoft Office documents on macOS.

The vulnerability was reported to Apple in 2021, and a fix was delivered with the macOS security updates in May 2022 (Big Sur 11.6.6).

The sources for this piece include an article in BleepingComputer.

Jim Love

Jim is an author and podcast host with over 40 years in technology.