Kandji’s Threat Research team has discovered a critical vulnerability (CVE-2024-40855) in Apple’s macOS diskarbitrationd, allowing attackers to escape the sandbox and bypass TCC by exploiting directory traversal. Apple has been notified, and the vulnerabilities are now patched. This post details the vulnerability, exploitation methods, and Apple’s subsequent fix.
Affected: macOS, diskarbitrationd, TCC
Key points:
- Kandji’s Threat Research team audited macOS system daemons: diskarbitrationd and storagekitd.
- They discovered a vulnerability (CVE-2024-40855) allowing directory traversal attacks.
- This vulnerability enables escape from the sandbox and complete bypass of TCC (Transparency, Consent, and Control).
- Apple was informed through a responsible disclosure program and has since patched the vulnerabilities.
- The exploitation method involves manipulating mount paths to bypass sandbox checks.
- Apple’s fix includes moving path resolution to the daemon side and enhancing sandbox checks.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Manipulated diskarbitrationd to execute malicious mount requests.
- T1068 – Execution through Application Layer Protocol: Abused TCC check to execute code with escalated privileges.
- T1069 – Permission Issues: Bypassed security checks to manipulate system environments and configurations.
Indicators of Compromise:
- [Domain] apple.com
- [CVE] CVE-2024-40855
- [Path] /private/tmp/starthere/../../../Users/crab/Library/Application Support/com.apple.TCC
- [Executable] diskarbitrationd
- [Function] DADiskMountWithArgumentsCommon
Full Story: https://blog.kandji.io/macos-audit-story-part2