Bypass Record

Code-Signing Abuse × Apple iOS CoreTrust kernel extension

A publicly reported instance of Code-Signing Abuse bypassing the Apple iOS CoreTrust kernel extension, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Apple iOS CoreTrust kernel extension
Technique
Code-Signing Abuse
MITRE ATT&CK
T1553.002
Confidence
High
Severity
Critical
Status
poc
Disclosed
2023-10-25
Config / version noted
Not stated

Provenance

Reported as

The vulnerability allows bypassing Apple's CoreTrust code-signing checks, enabling unsigned binaries to appear as App Store-signed and gain arbitrary entitlements.

Mechanism

The exploit manipulates Mach-O code signatures by inserting two SignerInfo structures into the CMS blob: one carrying a valid signature from an untrusted identity, and another carrying an invalid signature from an App Store identity. CoreTrust incorrectly treats the binary as App Store-signed, allowing it to execute with arbitrary entitlements.

Detection & mitigation

Monitor for processes with anomalous code-signing attributes, such as binaries that appear Apple-signed but request entitlements inconsistent with their bundle ID or origin. Enforce application control policies that validate certificate chains and flag discrepancies in CMS signature structures.
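As an added example (not code from the cited source or from Apple), a stdlib-only Python check for the structural discrepancy described in the Mechanism section: it walks the DER of a CMS SignedData blob, counts the SignerInfo entries, and flags anything other than exactly one. The sample blobs it builds are constructed here with placeholder SignerInfo bodies; the only real values are the standard id-signedData and id-data OIDs.

```python
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # id-signedData, DER-encoded OID
ID_DATA_OID = bytes.fromhex("2a864886f70d010701")  # id-data

def der_len(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):  # encode one DER tag-length-value element
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):  # decode the element at buf[pos] -> (tag, value, next pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits say how many length bytes follow
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def children(body):  # [(tag, value), ...] for the elements of a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def count_signer_infos(cms):
    """Number of SignerInfo entries in a CMS ContentInfo carrying SignedData."""
    tag, content_info, _ = read_tlv(cms, 0)
    (oid_tag, oid), (wrap_tag, wrapped) = children(content_info)[:2]
    if tag != 0x30 or oid_tag != 0x06 or oid != SIGNED_DATA_OID or wrap_tag != 0xA0:
        raise ValueError("not a ContentInfo wrapping [0] EXPLICIT SignedData")
    _, signed_data, _ = read_tlv(wrapped, 0)
    # signerInfos is the last field of SignedData: SET OF SignerInfo (tag 0x31).
    set_tag, signer_set = children(signed_data)[-1]
    if set_tag != 0x31:
        raise ValueError("signerInfos must be a SET")
    return len(children(signer_set))

def is_suspicious(cms):
    """Policy: a blob presented as a single App Store signature has exactly one signer."""
    return count_signer_infos(cms) != 1

def build_sample(num_signers):  # constructed sample; SignerInfo bodies are placeholders
    signer = tlv(0x30, tlv(0x02, b"\x01"))  # stand-in SignerInfo {version 1}
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"")
                      + tlv(0x30, tlv(0x06, ID_DATA_OID))
                      + tlv(0x31, signer * num_signers))
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, signed_data))
```

On a real binary the blob to feed in is the CMS signature slot of the Mach-O code signature; a multi-signer result is a triage signal to be followed by full certificate-chain and signature validation, not a verdict on its own.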


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.