Apple fixes code execution flaw in Xcode

Apple released an update for its Xcode IDE that fixes several security vulnerabilities, including one that can lead to the execution of arbitrary code under certain conditions.

Three of the four bugs fixed by Apple are in Git, including the remote code execution flaw. That vulnerability (CVE-2022-39260) is a heap overflow in git shell, the restricted shell Git provides for use as a login shell over SSH. For an attacker to achieve code execution with this bug, the victim must be using git shell as a login shell with interactive mode enabled.

“Before executing commands, git shell splits the string in an array with split_cmdline(). This function incorrectly uses an int to represent the number of entries (argc) in the argv array, allowing a malicious actor to intentionally exceed the return value, leading to arbitrary heap writes. As the resulting argv array is then passed to execv(), it is possible to leverage this attack to achieve remote code execution on a victim machine,” the bug description reads.

“Note that a victim must first allow access to git shell as a login shell and allow interactive mode by having the $HOME/git-shell-commands directory present in order to be vulnerable to this attack.”

Xcode is Apple’s integrated development environment for developing software on macOS.

One of the other vulnerabilities fixed by Apple is a separate issue in Git that may allow disclosure of sensitive information.

“When running a local clone (where clone source and target are on the same volume), Git copies the contents of the source $GIT_DIR/objects directory in the destination either by creating hard links to the source content or by copying them (if hard links are disabled via --no-hardlinks),” reads the description of the vulnerability.

“A malicious actor could convince a victim to clone a repository with a symbolic link pointing to sensitive information on the victim’s machine. This can be done either by asking the victim to clone a malicious repository on the same machine or by having them clone an embedded malicious repository as a bare repository via a submodule from any source, provided that he clones with the --recurse-submodules option.”
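The shell script below is an added example, not code from Apple's release notes or from the Git project. It implements the refusal the description above calls for on the victim's side: before a local clone, scan the source repository's objects directory (.git/objects for a working-tree repository, or objects/ for a bare one) for symbolic links and abort if any are present. The function names, the file layout and the fixture it builds are this example's own constructed sample data.

```shell
#!/bin/sh
# Added example: pre-clone check for the local-clone symlink issue described
# above. When source and destination share a volume, Git hardlinks or copies
# $GIT_DIR/objects, so a symlink planted in objects/ would carry its target
# into the clone. We refuse to clone locally when objects/ contains a symlink.

# objects_dir REPO: print the objects directory of a non-bare or bare repo,
# return 1 if neither layout is present.
objects_dir() {
    if [ -d "$1/.git/objects" ]; then
        printf '%s\n' "$1/.git/objects"
    elif [ -d "$1/objects" ]; then
        printf '%s\n' "$1/objects"
    else
        return 1
    fi
}

# check_objects_for_symlinks REPO
#   returns 0 if objects/ holds no symlink, 1 if at least one is found
#   (paths listed on stderr), 2 if REPO has no objects directory at all.
check_objects_for_symlinks() {
    dir=$(objects_dir "$1") || return 2
    # find's default -P mode does not follow links, so the link itself is
    # reported rather than whatever it points at.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        printf 'refusing local clone of %s: symlink(s) under %s\n%s\n' \
            "$1" "$dir" "$links" >&2
        return 1
    fi
    return 0
}

# safe_local_clone SRC DST: gate git clone on the check above. Disabling
# hardlinks is not a substitute: with --no-hardlinks Git copies the contents
# instead, which would still copy the link target.
safe_local_clone() {
    check_objects_for_symlinks "$1" || return $?
    git clone "$1" "$2"
}

# make_fixture: constructed sample data for a self-contained run. Builds a
# benign working-tree layout, a bare layout, and one whose objects/ holds a
# symlink to a constructed "secret" file; prints the temporary base directory.
make_fixture() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/clean/.git/objects/ab" \
             "$base/bare/objects/ab" \
             "$base/evil/.git/objects/ab" \
             "$base/secret"
    printf 'constructed secret\n' > "$base/secret/id_ed25519"
    printf 'fake object\n' > "$base/clean/.git/objects/ab/cdef"
    ln -s "$base/secret/id_ed25519" "$base/evil/.git/objects/ab/cdef"
    printf '%s\n' "$base"
}

# Demo run: ./local_clone_check.sh --demo (hypothetical file name)
if [ "${1-}" = "--demo" ]; then
    base=$(make_fixture)
    check_objects_for_symlinks "$base/clean" && echo "clean: ok to clone"
    check_objects_for_symlinks "$base/evil"  || echo "evil: blocked (rc=$?)"
    rm -rf "$base"
fi
```

Run with `--demo` to build the fixture and see the decision for each layout. The check only covers the direct local-clone case; for the submodule variant described above, the same scan would have to be applied to every nested repository before cloning with --recurse-submodules.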

Apple also fixed a serious vulnerability in Xcode Server that could allow an application to gain root privileges. The fourth patch included in Xcode 14.1 resolves several other issues in Git.
