CVE-2024-27301, CVE-2024-27822 - Discovering Hundreds of Vulnerable macOS Installers
As a pentester, whenever you discover a new type of vulnerability, you're curious about its real impact. This was the case with CVE-2024-27822, a vulnerability I discovered that affected hundreds of macOS installers.
This vulnerability allowed third-party installers to be abused to escalate privileges to root without needing the user's password.
To understand how widespread the issue was, I used Trickest to build workflows that automate the discovery of vulnerable installers.
Fingerprinting Vulnerable macOS Installers
First, I needed a way to identify vulnerable macOS installers. The process was straightforward:
- Identify pre- and post-install scripts: macOS installers execute these scripts (e.g., preinstall and postinstall) with root privileges
- Locate the scripts: they live in the installer package (.pkg) inside the Scripts folder
- Identify the vulnerability: if one of these scripts uses the shebang #!/bin/zsh, it is affected, because zsh sources $HOME/.zshenv on every start, interactive or not; the invoking user's .zshenv is therefore executed as root, leading to arbitrary code execution
With this knowledge, I set out to find as many .pkg macOS installers as possible, decompress them, and check for scripts using the shebang #!/bin/zsh.
Method 1: Scraping GitHub
The first method involved scraping GitHub for macOS installers. Previously, I had used Trickest to parse 10TB of GitHub logs and categorize millions of repositories.
Using the repository URLs from that dataset, I created a Trickest workflow that queries the GitHub GraphQL API for .pkg files in releases and returns their URLs.
The workflow:
- Downloads the list of GitHub repositories
- Splits the list into chunks and processes them in parallel
- Uses the GitHub GraphQL API to find .pkg files and return their URLs
With 5 machines running in parallel on Trickest's execution engine, it took only half an hour to gather .pkg URLs from millions of GitHub repositories, resulting in a few dozen URLs.
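The GraphQL step of that workflow, as an added example that is not the Trickest workflow or the author's code: it chunks a repository list, builds one GraphQL document per chunk that asks for the release assets of every repository in it, and keeps only assets whose name ends in .pkg. The schema fields used (repository, releases, releaseAssets, name, downloadUrl) are GitHub's; the repository names, the token handling and the response in SAMPLE_RESPONSE are constructed for the demo.

```python
"""Collect .pkg release assets from many GitHub repositories through the GraphQL API.

Added example, not the Trickest workflow from the article. The query uses GitHub's
GraphQL schema fields (repository -> releases -> releaseAssets -> name/downloadUrl);
the repository list and SAMPLE_RESPONSE are constructed for the demo, and
fetch_pkg_urls needs a token and network access, so it is not exercised offline.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Iterator

GRAPHQL_ENDPOINT = "https://api.github.com/graphql"


def chunked(items: list, size: int) -> Iterator[list]:
    """Split the repository list so each chunk can be handled by a separate worker."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def build_query(repos: list[str], releases_per_repo: int = 10) -> str:
    """Build one GraphQL document covering a whole chunk of repositories.

    Each repository becomes an aliased `repository` field, so one request returns the
    assets of the last `releases_per_repo` releases (in the API's default order) for
    every repo in the chunk. releaseAssets(first: 100) is the per-page maximum; a
    release with more assets than that would need cursor pagination (not shown).
    """
    fields = []
    for i, full_name in enumerate(repos):
        owner, name = full_name.split("/", 1)
        fields.append(
            f"r{i}: repository(owner: {json.dumps(owner)}, name: {json.dumps(name)}) {{"
            f" nameWithOwner releases(last: {releases_per_repo}) {{ nodes {{"
            f" tagName releaseAssets(first: 100) {{ nodes {{ name downloadUrl }} }} }} }} }}"
        )
    return "query { " + " ".join(fields) + " }"


def pkg_urls_from_response(response: dict) -> list[str]:
    """Pull the downloadUrl of every asset named *.pkg out of a GraphQL response.

    Deleted or renamed repositories come back as null under their alias (with an
    entry in `errors`), so they are skipped instead of aborting the whole chunk.
    """
    urls = []
    for repo in (response.get("data") or {}).values():
        if not repo:
            continue
        for release in repo["releases"]["nodes"]:
            for asset in release["releaseAssets"]["nodes"]:
                if asset["name"].lower().endswith(".pkg"):
                    urls.append(asset["downloadUrl"])
    return urls


def fetch_pkg_urls(repos: list[str], token: str, chunk_size: int = 20) -> list[str]:
    """Run the query for every chunk against GitHub (network; needs a personal access token)."""
    urls = []
    for chunk in chunked(repos, chunk_size):
        body = json.dumps({"query": build_query(chunk)}).encode()
        req = urllib.request.Request(
            GRAPHQL_ENDPOINT, data=body, method="POST",
            headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            urls.extend(pkg_urls_from_response(json.load(resp)))
    return urls


# Constructed response for two repositories: one with a .pkg asset among others, one deleted.
SAMPLE_RESPONSE = {
    "data": {
        "r0": {
            "nameWithOwner": "example/tool",
            "releases": {"nodes": [
                {"tagName": "v1.2.0", "releaseAssets": {"nodes": [
                    {"name": "tool-1.2.0-macos.pkg",
                     "downloadUrl": "https://github.com/example/tool/releases/download/v1.2.0/tool-1.2.0-macos.pkg"},
                    {"name": "tool-1.2.0-linux.tar.gz",
                     "downloadUrl": "https://github.com/example/tool/releases/download/v1.2.0/tool-1.2.0-linux.tar.gz"},
                ]}},
                {"tagName": "v1.1.0", "releaseAssets": {"nodes": []}},
            ]},
        },
        "r1": None,
    },
    "errors": [{"message": "Could not resolve to a Repository with the name 'example/gone'."}],
}


if __name__ == "__main__":
    print(build_query(["example/tool", "example/gone"]))
    print(pkg_urls_from_response(SAMPLE_RESPONSE))
```

Aliasing the repositories is what makes the chunking pay off: one HTTP request covers twenty repositories instead of twenty requests, and GitHub's rate limit for GraphQL is charged per node requested rather than per call, so the chunk size is a trade-off between request count and per-request cost.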
Method 2: Scraping itunes.apple.com
This idea came from Nenad, the CEO of Trickest. He suggested scraping itunes.apple.com for application URLs and then scraping those websites for .pkg files.
We created a Trickest workflow to:
- Get application URLs from itunes.apple.com
- Use tools like gau (which collects known URLs from sources such as the Wayback Machine) and katana (a web crawler) to find paths
- Grep for .pkg files
Using 10 machines, we obtained a few hundred URLs to .pkg files in 5 hours.
Searching for Vulnerable macOS Installers
With hundreds of .pkg URLs, it was time to download and decompress each package and search its scripts for the shebang #!/bin/zsh. If found, the installer was vulnerable.
We created a simple Trickest workflow that:
- Separates the URLs into chunks
- Processes them in parallel
- Downloads and decompresses each package and searches for the scripts
Running this workflow with 6 machines in parallel took only about 6 minutes.
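The check described in the fingerprinting section and run at scale by this workflow, as an added example that is not the Trickest workflow or the author's code. It assumes a package already expanded into a directory (on macOS with `pkgutil --expand pkg.pkg dir`; elsewhere with `xar -xf` followed by unpacking the gzipped cpio `Scripts` member), which leaves a `Scripts` directory at the top of a flat package or inside each `<component>.pkg` of a product archive. It goes slightly beyond the page's check: it also matches `#!/usr/bin/env zsh`, it scans helper scripts below `Scripts` rather than only preinstall/postinstall, and it does not flag scripts started with `-f`/`--no-rcs`, since that disables the RCS option and zsh then skips .zshenv. The `zshenv_is_sourced` helper reproduces the root cause without root, on whatever zsh the machine has; the package tree in `make_sample_pkg_tree` is constructed for the demo.

```python
"""Scan expanded macOS installer packages for scripts that a zsh shebang would run as root.

Added example, not the Trickest workflow from the article. It assumes the package was
already expanded (macOS: `pkgutil --expand pkg.pkg dir`; elsewhere `xar -xf pkg.pkg`,
then unpack the gzipped cpio `Scripts` member). The sample tree is constructed.
"""
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def has_zsh_shebang(script: Path) -> bool:
    """True if the first line hands the script to zsh in a way that still reads $HOME/.zshenv.

    Covers `#!/bin/zsh` and `#!/usr/bin/env zsh`, with or without flags. `-f` / `--no-rcs`
    unsets the RCS option, so zsh then skips .zshenv and the script is not flagged.
    """
    try:
        with script.open("rb") as fh:
            first = fh.readline().decode("utf-8", "replace").rstrip()
    except OSError:
        return False
    if not first.startswith("#!"):
        return False
    tokens = first[2:].split()
    if tokens and os.path.basename(tokens[0]) == "env":  # `#!/usr/bin/env zsh`
        tokens = tokens[1:]
    if not tokens or os.path.basename(tokens[0]) != "zsh":
        return False
    return not ({"-f", "--no-rcs"} & set(tokens[1:]))


def scan_expanded_pkg(root: Path) -> list[str]:
    """Return package-relative paths of every zsh script under any `Scripts` directory.

    preinstall/postinstall are what Installer executes as root, but helper scripts they
    call from the same directory start zsh with the same privileges, so every file
    below `Scripts` is checked, not only the two entry points.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if "Scripts" not in rel.parts:
            continue
        for name in files:
            if has_zsh_shebang(Path(dirpath) / name):
                hits.append((rel / name).as_posix())
    return sorted(hits)


def expand_pkg(pkg: Path, dest: Path) -> Path:
    """Expand a downloaded .pkg with Apple's pkgutil (macOS only; `dest` must not exist yet)."""
    subprocess.run(["pkgutil", "--expand", str(pkg), str(dest)], check=True)
    return dest


def zshenv_is_sourced() -> bool | None:
    """Show the root cause: zsh runs $HOME/.zshenv even for a non-interactive script file.

    HOME is pointed at a temporary directory whose .zshenv drops a marker, a script that
    only exits is run, and the marker's presence is returned. Returns None when zsh is
    not installed. Nothing here runs as root; only the sourcing is demonstrated.
    """
    zsh = shutil.which("zsh")
    if zsh is None:
        return None
    with tempfile.TemporaryDirectory() as home:
        marker = Path(home, "zshenv-ran")
        Path(home, ".zshenv").write_text(f': > "{marker}"\n')
        script = Path(home, "preinstall")
        script.write_text("#!/bin/zsh\nexit 0\n")
        env = {k: v for k, v in os.environ.items() if k != "ZDOTDIR"}  # ZDOTDIR would override HOME
        env["HOME"] = home
        subprocess.run([zsh, str(script)], env=env, check=True)
        return marker.exists()


def make_sample_pkg_tree(base: Path) -> None:
    """Constructed expanded product archive with two components (sample input, not a real package)."""
    files = {
        "Example.pkg/PackageInfo": '<pkg-info identifier="com.example.pkg"/>\n',
        "Example.pkg/Scripts/preinstall": "#!/bin/zsh\necho preparing\n",        # vulnerable
        "Example.pkg/Scripts/postinstall": "#!/bin/bash\n/bin/echo done\n",      # bash: not affected
        "Other.pkg/Scripts/postinstall": "#!/bin/zsh -f\nexit 0\n",              # -f skips .zshenv
        "Other.pkg/Scripts/lib/cleanup": "#!/usr/bin/env zsh\nrm -f /tmp/x\n",   # helper, still zsh
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo() -> list[str]:
    """Build the sample tree in a temp dir and return the scripts the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        make_sample_pkg_tree(base)
        return scan_expanded_pkg(base)


if __name__ == "__main__":
    for hit in demo():
        print("zsh script:", hit)
    print("zsh sources $HOME/.zshenv:", zshenv_is_sourced())
```

On the sample tree the scan flags `Example.pkg/Scripts/preinstall` and `Other.pkg/Scripts/lib/cleanup` and leaves the bash script and the `zsh -f` script alone. A positive from `zshenv_is_sourced` on the scanning machine is the property the finding rests on: the installer inherits the invoking user's HOME, so the same file is read when the script runs as root under Installer.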
Findings & Conclusions
After running these workflows, we discovered over a hundred installers vulnerable to privilege escalation. This exercise and its results demonstrated how Trickest can effectively uncover vulnerable assets.
I reported the identified vulnerability to the affected companies and to Apple. Initially, I contacted the companies directly, presuming it to be a misconfiguration that they could fix on their own. Subsequent discussions led me to report the issue to Apple as well, in consideration of a potential OS-level fix.
Several CVEs and advisories were released:
- Microsoft advisory
- First reported vulnerability: CVE-2024-27301
- Apple CVE: CVE-2024-27822
After Apple clarified they would fix the issue, no more advisories or CVEs were requested, and no more companies were contacted about the issue.