This article discusses vulnerabilities in macOS’s storagekitd daemon that allowed privilege escalation to root and bypassing of Transparency, Consent, and Control (TCC) protections. Despite Apple’s attempts to patch these vulnerabilities with CVE-2024-27848 and CVE-2024-44210, the issues showcased the complexity and risks associated with system daemons in macOS. Affected: macOS, storagekitd, diskarbitrationd
Keypoints :
- Vulnerabilities in macOS’s storagekitd enable privilege escalation to root.
- The initial patch for CVE-2024-27848 was insufficient, leading to the discovery of CVE-2024-44210.
- Exploiting the vulnerability involves creating a new APFS volume and manipulating configuration files.
- Storagekitd’s unsandboxed nature complicates ownership and privilege checks.
- A race condition exists in the verification process, allowing attackers to exploit symlinks.
- The patching process required balancing conflicting requirements regarding path resolution.
- The final fix, implemented in macOS Sequoia 15.1, prevents symbolic link exploitation in the context of disk mounting.
MITRE Techniques :
- T1068: Execution through Vulnerable Service – Exploiting storagekitd to escalate privileges without sufficient security checks.
- T1071: Application Layer Protocol – Utilizing diskutil and storagekitd during the mount operation to bypass security checks.
- T1027: Obfuscated Files or Information – Modifying system files such as cups-files.conf to achieve elevated access.
Indicator of Compromise :
- [File] /etc/cups/cups-files.conf
- [File] /etc/sudoers.d/lpe
- [Directory] /tmp/mnt
- [Directory] /tmp/mnt2
- [Directory] /etc/cups
Full Story: https://blog.kandji.io/macos-audit-story-part3