    New hole in macOS: libAppleArchive allows bypassing Gatekeeper

    April 25, 2025

    Apple is in the news again, this time because of a vulnerability in its libAppleArchive library, which is used to work with .aar archives. Researcher Snoolie Keffaber found a serious flaw (CVE-2024-27876, CVSS 8.1) that makes it possible not only to write files to arbitrary locations on disk, but also to bypass Gatekeeper.

    It all started when Keffaber wrote his own parser, libNeoAppleArchive, to study the behavior of Apple archives on Linux.

    While working on the handling logic, he noticed something strange: an archive can be extracted so that one of the output files turns out to be ... a symlink to any other folder on the system.

    The next experiment showed that there is a race condition during decompression. The library first checks whether the desired folder exists, and only then tries to create it.

    If a symlink to another folder is put in place at that moment, libAppleArchive still assumes that the folder has been created and continues to write files there. The data therefore lands at the location the symlink points to, which is completely under the attacker's control.
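
The check-then-create pattern described above, next to a descriptor-based alternative, as an added C example; it is not code from libAppleArchive or from the researcher's PoC. The function names, the `/tmp/aar_demo_*` layout and the pre-planted symlink are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: check, create and write by path. Each call re-resolves
 * "dir", so a symlink sitting there at that moment is followed. */
static int write_by_path(const char *root, const char *dir, const char *name) {
    char p[512];
    struct stat st;
    snprintf(p, sizeof p, "%s/%s", root, dir);
    if (stat(p, &st) != 0 && mkdir(p, 0700) != 0) return -1; /* check, then create */
    snprintf(p, sizeof p, "%s/%s/%s", root, dir, name);
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Hardened pattern: pin the directory (one path component) with a descriptor
 * opened O_NOFOLLOW, then create the file relative to that descriptor. */
static int write_by_fd(const char *root, const char *dir, const char *name) {
    int rfd = open(root, O_RDONLY | O_DIRECTORY), dfd = -1, fd = -1;
    if (rfd < 0) return -1;
    if (mkdirat(rfd, dir, 0700) == 0 || errno == EEXIST)
        dfd = openat(rfd, dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    close(rfd);
    if (dfd < 0) return -1; /* a symlink or non-directory is refused */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed scenario: "sub" is already a symlink to a sibling directory (the
 * state after a lost race). Returns 1 if the file landed outside the root. */
static int escaped(int hardened) {
    char base[] = "/tmp/aar_demo_XXXXXX", root[64], outside[64], path[96];
    if (!mkdtemp(base)) return -1;
    snprintf(root, sizeof root, "%s/root", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(path, sizeof path, "%s/sub", root);
    if (mkdir(root, 0700) || mkdir(outside, 0700) || symlink(outside, path)) return -1;
    (hardened ? write_by_fd : write_by_path)(root, "sub", "payload");
    snprintf(path, sizeof path, "%s/payload", outside);
    return access(path, F_OK) == 0;
}

int main(void) { printf("by path: %d, by fd: %d\n", escaped(0), escaped(1)); return 0; }
```

The path-based writer follows the symlink and creates the file in the sibling directory; the descriptor-based writer fails closed because `O_NOFOLLOW` rejects the symlink when the directory is opened.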

    By repeating the structure of symlinks and files in the archive many times, Keffaber significantly increased the attack's success rate.

    He did not stop there: the next goal was to bypass Gatekeeper. It turns out that the standard archive utility first decompresses files into a temporary folder and only then applies the quarantine marks to them. If the flaw is used to make libAppleArchive extract a file outside that folder, the file escapes quarantine and can be launched without a warning, which is of course very dangerous.

    The flaw does not affect only macOS. libAppleArchive is used in Shortcuts, FlexMusicKit and clipService, and the iOS Files app can also extract .aar archives. Even when validation checks such as Pathisvalid() are enabled, the race still allows them to be bypassed.

    Keffaber published a PoC proving that the attack is quite realistic, although it requires knowledge of details such as $TMPDIR.

    Apple has closed the gap in recent updates, so update urgently: the flaw is serious and the exploit is available online.
