Summary: Cybersecurity researchers have identified CVE-2024-44258, a symlink vulnerability in Apple’s ManagedConfiguration framework that allows attackers to exploit the backup restoration process, potentially exposing sensitive system files. This flaw can lead to unauthorized data access and privilege escalation on affected iOS devices.
Threat Actor: Unknown | unknown
Victim: Apple | Apple
Key Point :
- The vulnerability allows attackers to manipulate backup restoration, bypassing sandbox restrictions.
- Active exploitation of this flaw has been observed, although Apple has not confirmed it in their security bulletins.
- Apple’s iOS 18.1 beta5 introduces a safety check function to mitigate the risk of unauthorized file migration.
In a recent analysis, cybersecurity researchers Hichem Maloufi and Christian Mina detailed CVE-2024-44258, a symlink vulnerability affecting Apple’s ManagedConfiguration framework and the profiled daemon. This vulnerability allows attackers to manipulate the backup restoration process to access restricted areas, potentially exposing sensitive system files.
CVE-2024-44258, identified in Apple devices running certain iOS versions, reveals a flaw in handling symbolic links (symlinks) during backup restoration. When restoring a crafted backup, the migration fails to verify if the destination folder is a symlink, allowing files to be redirected to protected locations. Maloufi explains that “the migration process fails to validate whether the destination folder is a symbolic link,” which can lead to the modification of otherwise protected system files.
The vulnerability permits unauthorized file migration, enabling attackers to leverage symlinks in backup files to bypass sandbox restrictions. Unauthorized data access, privilege escalation, and even the potential exploitation of services depend on the affected configurations. According to Maloufi, “this flaw can potentially allow unauthorized data access, privilege escalation, or exploitation of other services dependent on the modified configuration.”
The vulnerability has reportedly been observed in the wild for several months, with attackers actively exploiting it. However, Apple has not yet confirmed active exploitation in its security bulletins.
Maloufi and Mina’s research offers a detailed proof-of-concept, demonstrating the creation of a crafted backup that exploits this symlink flaw. The researchers illustrate how to insert files into Apple’s protected directories via a crafted symlink: “Due to the crafted symlink, the files are migrated into a restricted folder that can contain sensitive or protected data.”
Here’s a sample code snippet illustrating the process of crafting a backup to exploit the vulnerability. This code shows how to add a symlink and files to the backup, simulating the exploitation steps without including the actual crafted backup file.
To mitigate this vulnerability, Apple’s iOS 18.1 beta5 introduced a function, _MCDestinationPathIsSafeFromSymlinkAttacks, specifically targeting this issue. The function performs a safety check on the destination path to prevent unauthorized file migration. This check has been incorporated into the MCMigrator_copyAlmostAtomicallyItemAtPath:toPath:error: function, addressing the risk by verifying the safety of destination paths.