Unveiling Apple's CVE-2024-40834 - A "shortcut" to the bypass road
2024-09-28 , Main Track

DISCLAIMER: This particular vulnerability was responsibly disclosed to Apple's Security Team in February 2024 and is presently under patch progression. The update to rectify this security loophole is expected to be ready by summer 2024 (June-September).

During my research endeavors in early 2024, I explored one of Apple's built-in applications, universally deployed across their operating systems: iOS, WatchOS, MacOS, and VisionOS platforms. An intriguing discovery was made upon manipulating certain functionalities and applying unconventional methods within this application.

The application vulnerability permitted execution of arbitrary commands on MacOSX systems, circumventing the built-in security features designed to prohibit such arbitrary code or script execution. Furthermore, it is also possible to read arbitrary files across all Apple operating systems, enabling leakage of file contents to any remote host.

A critical point of concern with this attack vector stems from abusing Apple's native infrastructure to disseminate malicious payloads to unsuspecting victims, rendering it a potent tool for drive-by-download phishing attacks. The payload is legitimately signed by Apple and can be set into motion without any security alerts. Unwary users who fall prey to such attacks subsequently face serious security risks.

This presentation aims to publicise the intricacies of this vulnerability and encourage a discourse on potential exploitations within the Apple ecosystem that might give rise to novel attacks. We seek to cast light on this vulnerability to encourage the development of protective measures and reinforce user safety.

Marcio Almeida is one of the Co-Founders and the Director of Technical Services at Tanto Security. He has worked in cyber security for over 15 years and has experience with Penetration Testing, Code Review, Exploit Development, Secure Development, DevSecOps and Red Team Operations. You can connect with him on LinkedIn (marcioalma), X (marcioalm) or get in touch via marcio@tantosec.com.