New Local Root Vulnerability Exploit for MacOS CVE-2024-27822

Estimated read time 2 min read

A security researcher, Mykola Grymalyuk, has published details and a proof-of-concept (PoC) code for a macOS vulnerability, CVE-2024-27822, which allows attackers to gain root privileges on macOS devices. This vulnerability affects Apple’s and PackageKit.framework, which spawns installation scripts embedded in PKGs (package files) as root within the current user’s environment.

The Vulnerability

The vulnerability lies within Apple’s and the PackageKit.framework. These components handle the installation of PKG (package) files, which often contain scripts that run during the installation process. The problem arises when these scripts, particularly those with the #!/bin/zsh shebang, load the user’s .zshenv file while running with root privileges.

(C) Mykola Grymalyuk

This allows a malicious attacker to insert a malicious payload into the .zshenv file, which is then executed as root user when a ZSH-based PKG is installed by the system user.

The Attack Vector

The primary attack vector for this vulnerability is a logic bomb-based payload. This payload lies hidden within the .zshenv file, waiting for the user to install any ZSH-based PKG. Once the installation begins, the payload is executed, granting the attacker full root access to the system.

Example Payload For CVE-2024-27822:

/usr/bin/osascript -e "display dialog \"Hello from malware!

Current user: $(/usr/bin/whoami)

Mykola Grymalyuk has released a POC written in python to demonstrate this attack. The script will create a dummy PKG and inject a payload into the .zshenv file.

Protecting Against the Vulnerability

To protect against this vulnerability, users and administrators should ensure their systems are updated to the latest macOS versions that address this issue:

  • Update to macOS 14.5 Beta 2 (23F5059e) or newer
  • Update to macOS 13.6.7 (22G720) or newer
  • Update to macOS 12.7.5 (21H1222) or newer

Also, macOS users should exercise caution when installing PKGs from untrusted sources and regularly review and secure their local .zshenv files.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.
Follow me on Twitter

You May Also Like

More From Author