Thursday, November 21, 2024
Latest:

macOS WorkflowKit Race Vulnerability Let Malicious Apps Intercept Shortcuts


macOS WorkflowKit Race Vulnerability Let Malicious Apps Intercept Shortcuts

A important vulnerability in macOS WorkflowKit, the framework underpinning Apple’s Shortcuts app, has been disclosed.

This vulnerability permits malicious functions to intercept and modify user-imported shortcuts.


SIEM as a Service

Recognized as CVE-2024-27821, this race situation in WorkflowKit poses a severe security risk, doubtlessly enabling attackers to tamper with shortcut information with out correct detection.

macOS WorkflowKit Race Vulnerability

The problem stems from a race situation within the methodology -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:], chargeable for extracting signed shortcut information.

Maximizing Cybersecurity ROI: Skilled Suggestions for SME & MSP Leaders – Attend Free Webinar

This methodology processes Apple Encrypted Archives (AEA) to extract unsigned shortcut information (Shortcut.wflow).

Nevertheless, throughout execution, a important window exists the place a malicious app can modify the extracted information or the momentary listing used within the course of.

Shortcuts usually validate the signature of imported shortcuts to make sure authenticity. Nevertheless, CVE-2024-27821 circumvents this safeguard by exploiting the race situation, permitting the import of unsigned shortcuts.

This opens the door for attackers to switch professional shortcuts with malicious ones, doubtlessly compromising person information or executing unauthorized actions.

The researchers famous that the momentary listing utilized by WorkflowKit lacks enough safety, permitting unsandboxed processes to control its contents.

This oversight makes it attainable for attackers to change information mid-extraction, successfully hijacking the method.

The exploit could be triggered by manipulating symlinks through the extraction course of. Particularly, attackers can redirect the extraction stream (AAExtractArchiveOutputStreamOpen) to a listing of their selection by altering symlinks earlier than and after the method begins.

This trick considerably will increase the reliability of the exploit, significantly for bigger shortcuts that take longer to extract. As soon as the malicious shortcut is in place, it bypasses signature validation and is imported by Shortcuts with out elevating any alarms.

This might result in the execution of dangerous workflows, corresponding to information exfiltration, system reconfiguration, or unauthorized community requests.

The vulnerability isn’t restricted to shortcut extraction. An identical race situation was recognized within the methodology used for producing signed shortcut information, suggesting systemic points inside the WFShortcutPackageFile class of WorkflowKit.

These findings spotlight the necessity for Apple to strengthen its dealing with of momentary information and implement stricter validation mechanisms.

Whereas Apple has not but launched a patch for CVE-2024-27821, customers are suggested to keep away from importing shortcuts from unknown sources.

Builders working with Shortcuts also needs to train warning and monitor for updates from Apple addressing this vulnerability.

Are you from SOC/DFIR Groups? – Analyse Malware Information & Hyperlinks with ANY.RUN -> Try for Free



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *