This article discusses vulnerabilities in the macOS system daemons diskarbitrationd and storagekitd, specifically CVE-2024-44175, which allows attackers to bypass security measures. The findings, revealed by the Kandji teamβs Threat Research group, focus on how these vulnerabilities could be exploited for sandbox escapes and privilege escalations. Apple has since addressed these issues through a responsible disclosure program. Affected: macOS, diskarbitrationd, storagekitd
Keypoints :
- The Kandji Threat Research team audited macOS daemons for vulnerabilities.
- Weaknesses involved sandbox escapes, local privilege escalations, and TCC bypasses.
- CVE-2024-44175 allows attackers to escape application sandboxes and escalate privileges to root.
- The diskarbitrationd daemon has a history of being vulnerable to various exploits.
- All vulnerabilities reported were fixed by Apple through their disclosure program.
- Findings were shared at prominent IT security conferences like POC 2024 and Black Hat Europe 2024.
- The article is the first in a three-part series analyzing each vulnerability in detail.
MITRE Techniques :
- Technique: Privilege Escalation (T1068) β The vulnerability in diskarbitrationd allows a low-privilege user to escalate privileges to root through exploitation of UserFS mount handling.
- Technique: Bypass User Account Control (T1088) β Exploiting the missing enforcement of symbolic link checks to escalate privileges and escape the sandbox.
Indicator of Compromise :
- [Domain] apple.com
- [CVE] CVE-2024-44175
- [URL] https://www.example.com/path-to-reporting
- [IP Address] 192.0.2.146
- [Email Address] [email protected]
Full Story: https://blog.kandji.io/macos-audit-story-part1