{"id":49825,"date":"2022-12-21T00:00:00","date_gmt":"2022-12-21T00:00:00","guid":{"rendered":"urn:uuid:4c44f10b-04eb-3641-fa5a-1272d54cf405"},"modified":"2022-12-21T00:00:00","modified_gmt":"2022-12-21T00:00:00","slug":"a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/","title":{"rendered":"A Technical Analysis of CVE-2022-22583 and CVE-2022-32800"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/macos-sip-3-641.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.680521045102\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2067049033\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.261964735516\">\n<div class=\"article-details\" role=\"heading\" readability=\"40.070528967254\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p 
class=\"article-details__description\">This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. <\/p>\n<p class=\"article-details__author-by\">By: Mickey Jin <time class=\"article-details__date\">December 21, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.648085822465\">\n<div readability=\"50.183424484645\">\n<p>On Jan. 26, 2022, Apple patched a <a href=\"https:\/\/support.apple.com\/en-us\/HT204899\">System Integrity Protection (SIP)<\/a>-bypass vulnerability in the PackageKit framework, identified as <a href=\"https:\/\/support.apple.com\/en-hk\/HT213054\">CVE-2022-22583<\/a>. Apple shared the credit for this CVE between researchers Ron Hass (<a href=\"https:\/\/www.twitter.com\/ronhass7\">@ronhass7<\/a>) of Perception Point and Mickey Jin (<a href=\"https:\/\/www.twitter.com\/patch1t\">@patch1t<\/a>) of Trend Micro.<\/p>\n<p>After Perception Point posted a comprehensive <a href=\"https:\/\/perception-point.io\/blog\/technical-analysis-cve-2022-22583\/\">blog entry<\/a> about the vulnerability and its exploitation details, we determined that the method we used to exploit the vulnerability was different from theirs. We also discovered a new vulnerability, CVE-2022-32800, after digging deeper into CVE-2022-22583.<\/p>\n<p>This blog entry discusses the technical details of how we exploited <a href=\"https:\/\/support.apple.com\/en-hk\/HT213054\">CVE-2022-22583<\/a> using a different method. 
We also tackle the technical details of <a href=\"https:\/\/support.apple.com\/en-hk\/HT213345\">CVE-2022-32800<\/a>, another SIP-bypass that we discovered more recently, in this report.<\/p>\n<p>This is the third and final entry of a series of blog entries where we discuss our SIP-related vulnerability discoveries. More details about <a href=\"https:\/\/support.apple.com\/en-us\/HT204899\">SIP<\/a> and the special daemon services\u2019 entitlements can be found in our previous <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html\">blog entry<\/a> last month. We also talked about several of the more than 15 critical SIP-bypass vulnerabilities that we disclosed to Apple during the <a href=\"https:\/\/powerofcommunity.net\/speaker_main.htm\">Power of Community 2022 Security Conference (POC2022)<\/a>.<\/p>\n<h2><span class=\"body-subhead-title\">CVE-2022-22583<\/span><\/h2>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<p>We discovered this vulnerability via process monitoring. 
When we installed an Apple-signed software installer package (PKG) file to the root volume, we noticed that the following scripts were spawned by the privileged \u201csystem_installd\u201d service:<\/p>\n<p><span class=\"blockquote\">\/tmp\/PKInstallSandbox.l57ygT\/Scripts\/com.apple.pkg.MXFPlugIns.yJpaxP\/preinstall<br \/>\/tmp\/PKInstallSandbox.l57ygT\/Scripts\/com.apple.pkg.MXFPlugIns.yJpaxP\/postinstall<\/span><\/p>\n<p>Because the \u201csystem_installd\u201d service has the special \u201ccom.apple.rootless.install.heritable\u201d entitlement, these two scripts will be executed in a SIP-bypass context.<\/p>\n<p>After seeing that these two scripts were inside the \u201c\/tmp\/PKInstallSandbox.l57ygT\u201d directory, the following questions came to mind:<\/p>\n<ol>\n<li>Can we modify the scripts inside the temporary location?<\/li>\n<li>Who created the temporary folder \u201cPKInstallSandbox\u201d with a random suffix?<\/li>\n<li>Is the newly created folder protected by SIP?<\/li>\n<\/ol>\n<p>Guided by these questions, we started our investigation.<\/p>\n<p>Through reversing and debugging, we found that the temporary folder was created by the \u201c-[PKInstallSandbox prepareForCommitReturningError:]\u201d function:&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"4c01d0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-1.png\" alt=\"Figure 1. The implementation of the \u201cprepareForCommitXXX\u201d function\"> <\/a><figcaption>Figure 1. 
The implementation of the \u201cprepareForCommitXXX\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>At line 16, it calls another function, \u201c-[PKInstallSandbox _createDirectory:uniquifying:error:]\u201d, which internally calls the API \u201cmkdtemp\u201d to create the folder without any restrictions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"28aaa0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-2.png\" alt=\"Figure 2. The implementation of the \u201c_createDirectory:uniquifying:\u201d function\"> <\/a><figcaption>Figure 2. The implementation of the \u201c_createDirectory:uniquifying:\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.660948536831\">\n<div readability=\"28.765893037336\">\n<p>After seeing that the \u201cPKInstallSandbox.XXXXXX\u201d folder was unprotected, we initially thought that it could be exploited and manipulated. However, we failed to directly modify the scripts inside the folder. This was because the subfolder \u201cScripts\u201d was restricted: it had been moved there from the restricted sandbox path, as we can see at line 25 in Figure 1.<\/p>\n<p>There are at least two different methods to overcome this particular challenge and exploit this security issue.<\/p>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>The first exploit uses the mount trick. Perception Point discussed this in detail in its <a href=\"https:\/\/perception-point.io\/technical-analysis-cve-2022-22583\/\">blog entry<\/a>. 
Based on the investigation there, the mount trick can be done via the following steps:<\/p>\n<ol>\n<li>Create a virtual image file and mount it onto \u201c\/private\/tmp\u201d.<\/li>\n<li>Install an Apple-signed package with post-install scripts.<\/li>\n<li>Wait for the installer to finish the extraction of the scripts\u2019 directory and gather the random parts of the extracted path.<\/li>\n<li>Unmount the image file. This will revert to the contents of \u201c\/private\/tmp\u201d before the extraction.<\/li>\n<li>Create the scripts directory (using the random path we obtained earlier) and deposit any script that we would want inside it.<\/li>\n<\/ol>\n<p>Perception Point\u2019s blog post also pointed out that the exploit discussed there is dependent on timing and might not succeed at all times.<\/p>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>Our exploit uses a different method: a symlink. This exploit can be done via the following steps:<\/p>\n<ol>\n<li>Monitor the creation of the \u201c\/tmp\/PKInstallSandbox.XXXXXX\u201d directory and replace it with a symlink to another \u201c\/tmp\/fakebox\u201d location to redirect the restricted scripts there.<\/li>\n<li>Once the scripts are located inside the \u201c\/tmp\/fakebox\u201d, remove the symlink and recreate the same \u201c\/tmp\/PKInstallSandbox.XXXXXX\u201d directory, then place the payload script in the \u201c\/tmp\/PKInstallSandbox.XXXXXX\/Scripts\/pkgid.XXXXXX\/\u201d directory.<\/li>\n<li>Wait for the payload script to execute.<\/li>\n<\/ol>\n<p>The full proof of concept for this exploit is uploaded on <a href=\"https:\/\/github.com\/jhftss\/POC\/tree\/main\/CVE-2022-22583\">GitHub<\/a>. 
Our proof-of-concept demonstration can also be seen in Figure 3.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"81f488\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-3.png\" alt=\"Figure 3. Our exploit demonstration using a symlink\"> <\/a><figcaption>Figure 3. Our exploit demonstration using a symlink<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Even though we are root, we can\u2019t create a file in the restricted directory \u201c\/Library\/Apple\u201d because SIP is enabled. But with the help of the exploit program, we can execute arbitrary commands in a SIP-bypass context and successfully create a file in the restricted directory.<\/p>\n<h2><span class=\"body-subhead-title\">Apple\u2019s patch for CVE-2022-22583<\/span><\/h2>\n<p>There is some confusion about how the \u201cinstalld\u201d service and the \u201csystem_installd\u201d service operate. 
In Figure 4, the patch code at lines 17 and 18 makes the distinction between these two services:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e2e6fb\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-4.png\" alt=\"Figure 4. The patch for CVE-2022-22583\"> <\/a><figcaption>Figure 4. The patch for CVE-2022-22583<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>For Apple-signed packages, the patch uses \u201cOpenPath\u201d along with its own restricted sandbox path. For other packages, it still uses a random path inside the \u201c\/tmp\u201d directory.<\/p>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<p>Before introducing CVE-2022-32800, we need to understand some concepts related to \u201cInstall Sandbox.\u201d<\/p>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>First, let\u2019s take a look at \u201cSandbox Repository,\u201d a directory created and returned by the \u201c-[PKInstallSandboxManager _sandboxRepositoryForDestination:forSystemSoftware:create:error:]\u201d function.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e302bf\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-5.png\" alt=\"Figure 5. The implementation of the \u201c_sandboxRepositoryForDestination:XXX\u201d function\"> <\/a><figcaption>Figure 5. The implementation of the \u201c_sandboxRepositoryForDestination:XXX\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>To summarize, there are four kinds of sandbox repositories:<\/p>\n<ol>\n<li>The installation target is the root volume \u201c\/\u201d:<br \/>a. For Apple-signed PKGs: \/Library\/Apple\/System\/Library\/InstallerSandboxes\/.PKInstallSandboxManager-SystemSoftware<br \/>b. For other PKGs: \/Library\/InstallerSandboxes\/.PKInstallSandboxManager<\/li>\n<li>The installation target is not the root volume:<br \/>a. For Apple-signed PKGs: $targetVolume\/.PKInstallSandboxManager-SystemSoftware<br \/>b. For other PKGs: $targetVolume\/.PKInstallSandboxManager<\/li>\n<\/ol>\n<p>It should be noted that it is only when Apple-signed packages are installed to the root volume that the \u201cSandbox Repository\u201d becomes restricted.<\/p>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>The \u201cSandbox Path\u201d is used to store files such as scripts and payloads during installation.<\/p>\n<p>It is a directory inside the \u201cSandbox Repository,\u201d created by the \u201c[PKInstallSandboxManager addSandboxPathForDestination:forSystemSoftware:]_block_invoke\u201d method:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"34a908\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-6.png\" alt=\"Figure 6. The implementation of the \u201caddSandboxPathForDestination:XXX\u201d function\"> <\/a><figcaption>Figure 6. The implementation of the \u201caddSandboxPathForDestination:XXX\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>There are four kinds of sandbox paths, each with a universally unique identifier (UUID) name that indicates their specific sandbox state:<\/p>\n<ol>\n<li>UUID.sandbox: the first state created<\/li>\n<li>UUID.activeSandbox: the activated state; in use<\/li>\n<li>UUID.trashedSandbox: the deactivated state; to be trashed<\/li>\n<li>UUID.orphanedSandbox: the orphaned state; if the disk space is not enough, it will be cleaned up<br \/>&nbsp;<\/li>\n<\/ol>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>\u201cPKInstallSandbox\u201d is an Objective-C class name for abstraction and encapsulation:<\/p>\n<p><span class=\"blockquote\">@interface PKInstallSandbox : NSObject &lt;NSSecureCoding&gt;<br \/>{<br \/>@public<br \/>&nbsp;&nbsp;&nbsp; NSString *_sandboxPath;<br \/>&nbsp;&nbsp;&nbsp; PKInstallRequest *_installRequest;<br \/>&nbsp;&nbsp;&nbsp; NSString *_scriptsPath;<br \/>&nbsp;&nbsp;&nbsp; NSString *_temporaryPath;<br \/>&nbsp;&nbsp;&nbsp; NSNumber *_stagedSize;<br \/>&nbsp;&nbsp;&nbsp; NSDate *_stageDate;<br \/>&nbsp;&nbsp;&nbsp; NSMutableDictionary *_scriptDirsByPackageSpecifier;<br \/>&nbsp;&nbsp;&nbsp; NSMutableDictionary *_bomPathsByPackageSpecifier;<br \/>&nbsp;&nbsp;&nbsp; NSMutableArray *_cleanupPaths;<br \/>&nbsp;&nbsp;&nbsp; NSDictionary *_scriptsAttributes;<br \/>&nbsp;&nbsp;&nbsp; NSDictionary *_temporaryAttributes;<br \/>&nbsp;&nbsp;&nbsp; NSSet *_previousPackageIdentifiersSharingGroupsWithSandbox;<br \/>&nbsp;&nbsp;&nbsp; long long _relevance;<br 
\/>&nbsp;&nbsp;&nbsp; BOOL _safeToReset;<br \/>}<br \/>+ (BOOL)supportsSecureCoding;<br \/>- (id)initWithCoder:(id)arg1;<br \/>- (id)initWithSandboxPath:(id)arg1 installRequest:(id)arg2 error:(id *)arg3;<br \/>@end<\/span><\/p>\n<p>A new instance of \u201cPKInstallSandbox\u201d is initialized from a sandbox path and an install request via the \u201c-[PKInstallSandbox initWithSandboxPath:installRequest:error:]\u201d method.<\/p>\n<p>Note that the instance is serializable and that the class implements the \u201cNSSecureCoding\u201d protocol. The \u201csystem_installd\u201d service can save or serialize an instance into a file named \u201cSandboxState\u201d inside the sandbox path via the \u201c-[PKInstallSandboxManager saveSandboxAsStaged:]\u201d method:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f0aef9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-7.png\" alt=\"Figure 7. The implementation of the \u201csaveSandboxAsStaged\u201d function\"> <\/a><figcaption>Figure 7. 
The implementation of the \u201csaveSandboxAsStaged\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The \u201cPKInstallSandbox\u201d instance can also be restored or deserialized from the \u201cSandboxState\u201d file later via the \u201c-[PKInstallSandboxManager _sandboxAtPath:matchingRequest:forUse:]\u201d method:&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"831897\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-8.png\" alt=\"Figure 8. The implementation of the \u201csandboxAtPath:matchingRequest:XXX\u201d function\"> <\/a><figcaption>Figure 8. The implementation of the \u201csandboxAtPath:matchingRequest:XXX\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>Note that there is a check at line 57, which requires that restored install requests be deeply equal to the install request passed from the installation client. 
This check brings a small challenge to our exploitation procedure.<\/p>\n<p>Before installation, the \u201csystem_installd\u201d service needs to get an instance of the \u201cPKInstallSandbox\u201d according to the install request in the \u201c-[PKInstallSandboxManager sandboxForRequest:created:error:]\u201d function.<\/p>\n<p>The function\u2019s core logic is as follows:<\/p>\n<p>First, it will enumerate all the folders with the \u201c.sandbox\u201d suffix from the \u201cSandbox Repository\u201d and then restore the \u201cPKInstallSandbox\u201d instance from the \u201cSandboxState\u201d file inside.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"740770\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-9.png\" alt=\"Figure 9. Enumerating all the folders with the \u201c.sandbox\u201d suffix\"> <\/a><figcaption>Figure 9. 
Enumerating all the folders with the \u201c.sandbox\u201d suffix<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Next, if it can\u2019t find a \u201cPKInstallSandbox\u201d instance matching the install request, then it would enumerate all the folders with the \u201c.activeSandbox\u201d suffix and try to restore them from those locations.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"4170c7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-10.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-10.png\" alt=\"Figure 10. Enumerating all the folders with the \u201c.activeSandbox\u201d suffix\"> <\/a><figcaption>Figure 10. Enumerating all the folders with the \u201c.activeSandbox\u201d suffix<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Finally, if it still cannot match such a sandbox, it will create a new \u201cSandbox Path\u201d and construct a new \u201cPKInstallSandbox\u201d instance.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c9de2d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-11.png\" alt=\"Figure 11. 
Create a new \u201cSandbox Path\u201d and instance\"> <\/a><figcaption>Figure 11. Create a new \u201cSandbox Path\u201d and instance<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44\">\n<div readability=\"33\">\n<h2><span class=\"body-subhead-title\">CVE-2022-32800<\/span><\/h2>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<p>The CVE-2022-32800 vulnerability allows an attacker to hijack the \u201cSandboxState\u201d file to get a SIP-bypass primitive.<\/p>\n<p>The \u201cSandboxState\u201d file is stored in the \u201cSandbox Path,\u201d which is inside the \u201cSandbox Repository.\u201d In a normal scenario, the \u201cSandbox Repository\u201d is restricted for Apple-signed packages.<\/p>\n<p>However, if the installation destination is a DMG (disk image) volume, the \u201cSandbox Repository\u201d is not restricted at all. The same is true for the \u201cSandboxState\u201d file. Thus, we can make a crafted \u201cSandboxState\u201d file to hijack the new \u201cPKInstallSandbox\u201d instance during the deserialization process. All the member variables of the \u201cPKInstallSandbox\u201d instance can then be controlled.<\/p>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<p>There are different ways to exploit the issue. 
In Figure 12, for example, we hijacked the member \u201c_cleanupPaths\u201d to get a primitive to remove arbitrary SIP-protected paths.<\/p>\n<p>When the installation is finished, no matter whether it is successful or not, it will call the \u201c-[PKInstallSandboxManager _removeSandbox:]\u201d function to remove the sandbox and delete all the files and folders specified by the \u201c_cleanupPaths\u201d member.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b7fbf3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-12.png\" alt=\"Figure 12. The implementation of the \u201c_removeSandbox\u201d function\"> <\/a><figcaption>Figure 12. 
The implementation of the \u201c_removeSandbox\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.252442996743\">\n<div readability=\"13.087947882736\">\n<p>The full proof of concept for this exploit can be found on <a href=\"https:\/\/github.com\/jhftss\/POC\/tree\/main\/CVE-2022-32800\">GitHub<\/a>, and a video of the demonstration can be viewed <a href=\"https:\/\/youtu.be\/rN930wlKg90\">here<\/a>.<\/p>\n<h2><span class=\"body-subhead-title\">Apple\u2019s patch for CVE-2022-32800<\/span><\/h2>\n<p>Apple addressed this security issue in <a href=\"https:\/\/support.apple.com\/en-hk\/HT213345\">macOS 12.5<\/a>.<\/p>\n<p>The patch is in the \u201c-[PKInstallSandboxManager _sandboxAtPath:matchingRequest:forUse:]\u201d function:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"85e296\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-13.png\" alt=\"Figure 13. The patch for CVE-2022-32800\"> <\/a><figcaption>Figure 13. 
The patch for CVE-2022-32800<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>As we can see in the check at line 38, it calls the \u201cPKSIPFullyProtectedPath\u201d function internally:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"08ac88\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800\/macos-sip-3-14.png\" alt=\"Figure 14. The implementation of the \u201cPKSIPFullyProtectedPath\u201d function\"> <\/a><figcaption>Figure 14. The implementation of the \u201cPKSIPFullyProtectedPath\u201d function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.458333333333\">\n<div readability=\"16.5\">\n<p>For Apple-signed packages, the \u201cSandboxState\u201d file is required to be trusted or restricted.<\/p>\n<h2><span class=\"body-subhead-title\">Security recommendations<\/span><\/h2>\n<p>To successfully protect systems against vulnerabilities, users must regularly update their operating systems. Regularly applying security patches will hinder malicious actors from exploiting vulnerabilities to elevate privileges and launch malicious attacks. 
As for the vulnerabilities discussed here, CVE-2022-22583 was patched in January 2022 and CVE-2022-32800 was patched in July 2022.<\/p>\n<p>End users can benefit from security solutions such as the&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/antivirus-for-mac.html\">Trend Micro Antivirus for Mac<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection.html\">Trend Micro Protection Suites<\/a>&nbsp;that help detect and block attacks that exploit such flaws.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/body> <p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49826,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9555,9509],"class_list":["post-49825","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research"]}
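The recommendation in the post to apply the January and July 2022 updates is easy to state and rarely checked mechanically. The following shell script is an added example, not code from the original post or from Trend Micro: it gates the installed macOS version against the release that fixed each CVE, reports SIP status, and shows the BSD flags of a SIP-protected path so an operator can see the `restricted` flag the patched check relies on. It assumes the fixes shipped in macOS Monterey 12.2 (CVE-2022-22583) and 12.5 (CVE-2022-32800), does not model the Big Sur and Catalina back-ports of the first fix, and relies on `sw_vers`, `csrutil` and `ls -lO`, which exist only on macOS; on any other host it exercises only the version comparison and says so.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a Mac has the
# updates that fixed CVE-2022-22583 and CVE-2022-32800, and whether SIP is on.
# Assumption (not stated on the page): the fixes shipped in macOS Monterey 12.2
# and 12.5; Big Sur/Catalina back-ports of the first fix are not modelled.

# version_ge A B: succeed when dotted version A >= B, comparing each
# numeric component in turn (missing trailing components count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        # drop the component just compared; empty string once exhausted
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# patched_for CVE VERSION: print "patched" when VERSION is at or above the
# assumed fix release for CVE, "needs-review" when it is below it (older
# branches may carry a back-port, so this is a triage flag, not a verdict).
patched_for() {
    case $1 in
        CVE-2022-22583) fix=12.2 ;;
        CVE-2022-32800) fix=12.5 ;;
        *) echo "unknown"; return 2 ;;
    esac
    if version_ge "$2" "$fix"; then echo "patched"; else echo "needs-review"; fi
}

# sip_flags PATH: on macOS, show the ls -lO listing, whose flags column reads
# "restricted" for a SIP-protected path; elsewhere report that it is n/a.
sip_flags() {
    if command -v csrutil >/dev/null 2>&1; then
        ls -ldO "$1"
    else
        echo "n/a (not macOS)"
    fi
}

# check_host: live report; on a non-macOS host it only says so and returns 0.
check_host() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: not macOS, skipping live host check"
        return 0
    fi
    ver=$(sw_vers -productVersion)
    echo "macOS $ver"
    for cve in CVE-2022-22583 CVE-2022-32800; do
        echo "$cve: $(patched_for "$cve" "$ver")"
    done
    # prints "System Integrity Protection status: enabled." when SIP is on
    csrutil status
    sip_flags /System/Library
}

check_host
```

Run it as an unprivileged user; none of the commands need root. A `needs-review` result on a pre-12.5 system means the host is below the Monterey fix release, so check Apple's advisory for the branch actually installed rather than treating the flag as proof of exposure.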