New Local Root Vulnerability Exploit for MacOS CVE-2024-27822

A security researcher, Mykola Grymalyuk, has published details and a proof-of-concept (PoC) code for a macOS vulnerability, CVE-2024-27822, which allows attackers to gain root privileges on macOS devices. This vulnerability affects Apple’s Installer.app and PackageKit.framework, which spawns installation scripts embedded in PKGs (package files) as root within the current user’s environment.

The Vulnerability

The vulnerability lies within Apple’s Installer.app and the PackageKit.framework. These components handle the installation of PKG (package) files, which often contain scripts that run during the installation process. The problem arises when these scripts, particularly those with the #!/bin/zsh shebang, load the user’s .zshenv file while running with root privileges.

This allows a malicious attacker to insert a malicious payload into the .zshenv file, which is then executed as root user when a ZSH-based PKG is installed by the system user.

The Attack Vector

The primary attack vector for this vulnerability is a logic bomb-based payload. This payload lies hidden within the .zshenv file, waiting for the user to install any ZSH-based PKG. Once the installation begins, the payload is executed, granting the attacker full root access to the system.

Example Payload For CVE-2024-27822:

/usr/bin/osascript -e "display dialog \"Hello from malware!

Current user: $(/usr/bin/whoami)
UID:  $UID
EUID: $EUID\""

Mykola Grymalyuk has released a POC written in python to demonstrate this attack. The script will create a dummy PKG and inject a payload into the .zshenv file.

Protecting Against the Vulnerability

To protect against this vulnerability, users and administrators should ensure their systems are updated to the latest macOS versions that address this issue: