A security vulnerability, identified as CVE-2024-27822, has been discovered in macOS. This vulnerability allows unauthorized root access and has raised serious concerns among cybersecurity experts and macOS users alike.

The release of a Proof-of-Concept (PoC) exploit code has intensified the urgency to address this critical issue.

CVE-2024-27822 is a newly identified security flaw in macOS that permits attackers to gain root access without proper authorization.

Root access grants the highest level of control over a system, allowing the execution of any command and access to all files. This level of access can lead to severe consequences, including data theft, system manipulation, and the installation of malicious software.

According to a detailed report by Khronokernel, the vulnerability stems from a flaw in the macOS kernel, which fails to validate certain user inputs properly.

Security researcher Mykola Grymalyuk has identified a critical vulnerability, CVE-2024-27822, which affects Apple’s Installer.app and the PackageKit.framework.

This vulnerability is rooted in how installation scripts embedded in PKGs (package files) are executed as root within the current user’s environment. Specifically, scripts with the #!/bin/zsh shebang load the user’s .zshenv file while running with root permissions.

The core issue lies in the potential to insert a malicious payload into the .zshenv file. When a user installs a ZSH-based PKG, the installation script runs with root privileges and loads the .zshenv file, thereby executing any embedded malicious code as root. This poses a significant security risk, particularly when users manually install PKGs.

The primary attack vector involves a logic bomb-based payload that can remain dormant within the .zshenv file. This payload activates when the user installs a ZSH-based PKG, executing with root privileges and granting the attacker root access. This vulnerability is especially dangerous in environments where users frequently install PKGs from various sources.
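As an added illustration (this is not code from the original report or from Khronokernel's PoC), the following shell script audits installer scripts for the interpreter line described above: a script starting with "#!/bin/zsh" is flagged because zsh sources the installing user's .zshenv even when running as root, while "#!/bin/zsh -f" (the NO_RCS option) or a non-zsh interpreter is accepted. The pkgutil call is Apple's own tool and only works on macOS; the demo mode uses three constructed scripts and runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original report or of the PoC.
# Audits installer scripts for the CVE-2024-27822 pattern: "#!/bin/zsh" runs
# as root yet still sources the invoking user's ~/.zshenv. "#!/bin/zsh -f"
# (NO_RCS) and non-zsh interpreters are accepted. Combined flags like "-xf"
# are not parsed and are conservatively reported as risky.
set -eu

# Returns 0 (true) if the first line of $1 is a zsh shebang that still loads
# rc files, 1 otherwise. Only the first line matters, as for execve itself.
reads_user_zshenv() {
    first=""
    IFS= read -r first < "$1" || true
    case "$first" in
        '#!'*zsh*' -f'*|'#!'*zsh*' --no-rcs'*) return 1 ;;  # rc files skipped
        '#!'*zsh*) return 0 ;;                               # RCS on: reads ~/.zshenv
        *) return 1 ;;
    esac
}

# Prints every file under $1 (an expanded package's Scripts directory, or any
# directory of scripts) that would source ~/.zshenv while running as root.
scan_scripts() {
    find "$1" -type f | while IFS= read -r f; do
        if reads_user_zshenv "$f"; then
            printf 'RISK: %s runs zsh without -f; installing user .zshenv is sourced as root\n' "$f"
        fi
    done
}

# macOS only: expand a flat .pkg with Apple's pkgutil and audit its Scripts dirs.
audit_pkg() {
    work="$(mktemp -d)"
    pkgutil --expand "$1" "$work/expanded"
    find "$work/expanded" -type d -name Scripts | while IFS= read -r d; do scan_scripts "$d"; done
    rm -rf "$work"
}

# Offline demo with three constructed scripts; prints one verdict per file.
demo() {
    d="$(mktemp -d)"
    printf '#!/bin/zsh\necho postinstall\n'   > "$d/postinstall"  # flagged
    printf '#!/bin/zsh -f\necho preinstall\n' > "$d/preinstall"   # ok: -f skips rc files
    printf '#!/bin/sh\necho helper\n'         > "$d/helper"       # ok: not zsh
    out=""
    for s in postinstall preinstall helper; do
        if reads_user_zshenv "$d/$s"; then out="$out${s}=risk "; else out="$out${s}=ok "; fi
    done
    rm -rf "$d"
    printf '%s\n' "${out% }"
}

if [ "$#" -gt 0 ]; then audit_pkg "$1"; else demo; fi
```

Run with a .pkg path on macOS to audit a real package before deploying it; without arguments it runs the offline demo.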

Mykola Grymalyuk has provided a proof of concept to demonstrate the exploitation of CVE-2024-27822. The process is straightforward and underscores the severity of the vulnerability:

1. Inject a malicious payload into the .zshenv file.

2. Install a PKG with the #!/bin/zsh shebang (e.g., Generic-ZSH.pkg).

3. Observe the execution of the payload with root privileges upon PKG installation.

This proof of concept highlights the ease with which this vulnerability can be exploited, emphasizing the need for immediate attention and remediation.


This oversight can be exploited to escalate privileges from a standard user to the root level. The vulnerability affects multiple versions of macOS, making it a widespread concern.

PoC Exploit Code Released

The PoC exploit code for CVE-2024-27822 has been released publicly. It demonstrates how the vulnerability can be exploited to gain root access to a macOS system.

The availability of this code in the public domain significantly increases the risk of exploitation, as it provides a blueprint for attackers to follow.

The PoC exploit code was developed by a security researcher who discovered the vulnerability. While releasing the PoC code aims to raise awareness and prompt a swift response from Apple, it also poses a risk by potentially enabling malicious actors to exploit the vulnerability before a patch is available.

Resolved versions:

macOS 14.5 Beta 2 (23F5059e) and newer

macOS 13.6.7 (22G720) and newer

macOS 12.7.5 (21H1222) and newer

Affected versions:

macOS 14.5 Beta 1 (23F5049f) and older

macOS 13.6.6 (22G630) and older

macOS 12.7.4 (21H1123) and older

Any version of macOS 11 or older

The cybersecurity community has reacted swiftly to the news of the PoC exploit release. Experts are urging macOS users to take immediate precautions to mitigate the risk of exploitation. Recommended actions include:

Update Software: Ensure that all software, including macOS, is up to date with the latest security patches. Apple is expected to release a patch soon to address CVE-2024-27822.

Limit User Privileges: Restrict user accounts to the minimum necessary privileges. Avoid using accounts with root or administrative access for daily tasks.

Monitor Systems: Implement robust monitoring solutions to detect any unusual activity that may indicate an attempted exploitation of the vulnerability.

Backup Data: Regularly back up important data to mitigate the impact of a potential security breach.

Apple’s Response

As of the time of writing, Apple has acknowledged the vulnerability and is actively working on a patch. In a statement, Apple emphasized its commitment to user security and assured that a fix would be released as soon as possible.

Users are advised to stay tuned for updates and apply the patch immediately once it becomes available.

The release of the PoC exploit code for CVE-2024-27822 has highlighted a critical security vulnerability in macOS, underscoring the importance of timely updates and vigilant security practices.
