A race in osanalyticshelperd’s crash-report creation allowed an attacker to combine sandbox-extension abuse, XPC message manipulation, and a non-atomic rename to place files (including a sudoers entry) as root on macOS, enabling local privilege escalation (CVE-2025-24277) and potential sandbox escape. The issue was fixed by restricting the XPC call with the entitlement com.apple.private.osanalytics.write-logs.allow. #osanalyticshelperd #CVE-2025-24277
Keypoints
- osanalyticshelperd runs as root and writes crash reports into user-controlled directories, so a privileged process ends up writing files to paths that unprivileged users can influence.
- A sandbox profile exception allowed files carrying the com.apple.osanalytics-sandbox.read-write sandbox extension to be read/written by osanalyticshelperd, enabling escalation of its file access.
- Attackers can issue sandbox extensions to osanalyticshelperd via libsystem_sandbox private APIs and have the daemon consume them through OSASandboxConsumeExtension triggered from an XPC request.
- The daemon uses a back-channel XPC callback that sends a file descriptor and requires a synchronous reply; implementing an XPC listener that replies with success is necessary to complete crash log creation.
- A non-atomic rename ("DIR/.file" -> "DIR/file") resolves DIR twice, producing a TOCTOU window where swapping DIR with a symlink can redirect the final target to arbitrary locations (e.g., /etc/sudoers.d/), enabling file placement as root.
- Combining ACL inheritance (to retain write access to a root-owned file) with setting file-owner-uid=0 in the XPC message allowed the placed file to be root-owned yet writable by the attacker, enabling a sudoers-based LPE.
- Apple mitigated the issue by requiring the entitlement com.apple.private.osanalytics.write-logs.allow for the XPC call, preventing unprivileged issuance of sandbox extensions and blocking the exploit chain.
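The double resolution of DIR in the rename above is the crux of the bug. The following added example (constructed here, not code from the write-up or from Apple) contrasts the weak path-based pattern with the standard mitigation: resolve the directory once, pin it as a file descriptor, and perform every later operation relative to that fd. It assumes POSIX `dir_fd` support (Linux or macOS); the directory and file names are constructed.

```python
import os
import shutil
import tempfile


def open_report_dir(path: str, expected_uid: int) -> int:
    """Resolve the reports directory once and pin it as an fd. O_NOFOLLOW
    rejects a symlink as the final component, O_DIRECTORY rejects a
    non-directory, and the owner check rejects a directory the user does not own."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    if os.fstat(fd).st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"{path} is not owned by uid {expected_uid}")
    return fd


def publish_pathbased(report_dir: str, name: str, data: bytes) -> None:
    """Weak pattern: report_dir is re-resolved from a string at every step,
    so if the directory is replaced by a symlink the final file follows it."""
    tmp = os.path.join(report_dir, "." + name)
    with open(tmp, "wb") as f:
        f.write(data)
    os.rename(tmp, os.path.join(report_dir, name))


def publish_dirfd(dirfd: int, name: str, data: bytes) -> None:
    """Hardened pattern: every operation is relative to the pinned fd, so a
    later change to the path cannot redirect the write or the rename."""
    tmp = "." + name
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644, dir_fd=dirfd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, name, src_dir_fd=dirfd, dst_dir_fd=dirfd)


def demo() -> dict:
    """Pin the directory, then replace its path with a symlink to a second
    directory (standing in for a protected location) and record where each
    variant's final file lands. Constructed scratch tree, removed on exit."""
    base = tempfile.mkdtemp()
    try:
        real, other = os.path.join(base, "DiagnosticReports"), os.path.join(base, "other")
        os.mkdir(real)
        os.mkdir(other)
        dirfd = open_report_dir(real, os.getuid())
        os.rename(real, real + ".orig")  # simulated swap of DIR ...
        os.symlink(other, real)          # ... for a symlink pointing elsewhere
        publish_pathbased(real, "crash-a.ips", b"a")
        publish_dirfd(dirfd, "crash-b.ips", b"b")
        os.close(dirfd)
        return {
            "path_based_landed_elsewhere": os.path.exists(os.path.join(other, "crash-a.ips")),
            "dirfd_stayed_in_original": os.path.exists(os.path.join(real + ".orig", "crash-b.ips")),
        }
    finally:
        shutil.rmtree(base)
```

`demo()` returns both flags as `True`: the path-based file ends up in the other directory, while the fd-relative file stays where the directory was first resolved.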
MITRE Techniques
- [T1040] Network Sniffing – Used to sniff and capture incoming XPC messages by attaching lldb and inspecting XPC dictionaries ("we decided to attach lldb to the process and sniffed incoming XPC messages").
- [T1204] User Execution – A crafted crashing helper binary was used to trigger the crash-report flow and invoke osanalyticshelperd ("we also built a tiny binary that crashes on launch").
- [T1218] Signed Binary Proxy Execution – Abuse of macOS sandbox extensions (signed tokens) to extend process privileges and allow osanalyticshelperd to read/write arbitrary filesystem paths ("if a file carries the com.apple.osanalytics-sandbox.read-write sandbox extension, osanalyticshelperd is allowed to read and write that file").
- [T1554] Compromise Client Software Supply Chain (abuse of system services) – Leveraging a privileged system helper (osanalyticshelperd) via crafted XPC messages and sandbox tokens to perform actions on behalf of the attacker ("OSASandboxConsumeExtension…the daemon consumes the extension here, then releases it later").
- [T1036] Masquerading (similar behavior) – Creating files that appear as legitimate crash logs (.crash-*.ips) to have osanalyticshelperd process and move them, enabling redirection into protected locations ("the helper creates a temporary crash log in ~/Library/Logs/DiagnosticReports/ with a leading dot…then renames that file").
- [T1078] Valid Accounts (use of root ownership) – The exploit forces the created file to be owned by root by setting file-owner-uid to 0 in the XPC message, ensuring root ownership after fchown (`xpc_dictionary_set_int64(options, "file-owner-uid", 0);`).
- [T1203] Exploitation for Client Execution – The final goal was privilege escalation and sandbox escape leading to code execution: dropping a DMG and running an unsandboxed app which then performs LPE and opens a bind shell on port 4444 ("The app runs the previously described LPE exploit and opens a bind shell on port 4444").
Indicators of Compromise
- [File path] crash report directories – /Library/Logs/DiagnosticReports (system reports), /Users/USER/Library/Logs/DiagnosticReports (user reports)
- [Filename pattern] temporary and final crash files – .crash-YYYY-MM-DD-HHMMSS.ips (temporary), crash-YYYY-MM-DD-HHMMSS.ips (final)
- [Sandbox extension token] OSASandbox extension key in XPC – example token fragment "5b9d563288ed30916e04895f6208da02f0312497a30e321871826701073e4fbb;…;com.apple.osanalytics-sandbox.read-write;…;/users/tree/library/logs/diagnosticreports"
- [XPC keys] XPC message indicators used by the exploit – "OSASandboxExtensionKey", "datawriter_endpoint", "file-owner-uid", "override-fileName", "file-owner" (seen in captured XPC dump)
- [Entitlement] mitigation indicator – com.apple.private.osanalytics.write-logs.allow (required to send the harmful XPC request after the patch)
Read more: https://the-sequence.com/crashone-cve-2025-24277-macos-sandbox-escape