Understanding MacDirtyCow
MacDirtyCow (CVE-2022-46689) is a race condition vulnerability in the XNU kernel's virtual memory subsystem. It allows an attacker with read-only access to a file to modify its contents in memory (RAM).
How it works
The exploit leverages the Copy-On-Write (COW) mechanism. When a process maps a file into memory as read-only, the kernel ensures the process cannot modify it. However, MacDirtyCow races two operations:
- Mapping the memory as read-only.
- Modifying the underlying page using `vm_map_copy_overwrite`.
If timed correctly, the kernel writes the new data to the page *before* marking it as copy-on-write, bypassing the permission check.
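To make the mechanism concrete, the following is an added demonstration (not code from the original page or from any MacDirtyCow tool) of the normal copy-on-write behaviour the bug bypasses: a read-only descriptor is refused a writable shared mapping, and writes to a private mapping stay in the process's own copy of the page and never reach the file. It assumes POSIX mmap semantics and a writable /tmp for the constructed sample file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define ORIGINAL "original-file-contents\n"  /* constructed sample content */

/* Returns 1 when the kernel's COW rules hold: a PROT_WRITE MAP_SHARED mapping of a
 * read-only descriptor is refused, and writes through a MAP_PRIVATE mapping are
 * confined to the private page copy so the file on disk still holds ORIGINAL. */
int cow_private_write_is_isolated(void) {
    char path[] = "/tmp/cow-demo-XXXXXX";      /* hypothetical temp file */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    size_t len = strlen(ORIGINAL);
    if (write(fd, ORIGINAL, len) != (ssize_t)len) { close(fd); unlink(path); return 0; }

    /* Re-open read-only: the access level the page describes the attacker having. */
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) { close(fd); unlink(path); return 0; }

    /* A writable shared mapping of a read-only descriptor fails with EACCES. */
    void *shared = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, rfd, 0);
    int shared_refused = (shared == MAP_FAILED && errno == EACCES);
    if (!shared_refused && shared != MAP_FAILED) munmap(shared, len);

    /* A private mapping is allowed: the first write triggers COW into a private page. */
    char *priv = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, rfd, 0);
    if (priv == MAP_FAILED) { close(rfd); close(fd); unlink(path); return 0; }
    memcpy(priv, "MODIFIED", 8);   /* lands in the process's private copy only */
    msync(priv, len, MS_SYNC);     /* even an explicit sync does not touch the file */
    munmap(priv, len);

    /* Read the file back: the original bytes must still be there. */
    char buf[64] = {0};
    lseek(fd, 0, SEEK_SET);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(rfd); close(fd); unlink(path);
    return shared_refused && n == (ssize_t)len && memcmp(buf, ORIGINAL, len) == 0;
}

int main(void) {
    printf("COW isolation holds: %s\n", cow_private_write_is_isolated() ? "yes" : "no");
    return 0;
}
```

MacDirtyCow wins a race against exactly this bookkeeping, so the private write ends up in the shared page cache copy that every other reader of the file sees.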
Limitations
Since the changes are made to the cached memory page, they do not persist to disk (usually). When the device reboots or the kernel flushes the cache, the original file content is restored. This is why MDC tweaks are volatile.
However, developers found clever workarounds (like overwriting icon caches or using the exploit to replace system fonts) to achieve "semi-permanent" results. Tools like Cowabunga utilize these methods.