Bypass Record

Exploitation for Priv-Esc × Apple macOS

A publicly-reported instance of Exploitation for Priv-Esc bypassing Apple macOS, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Apple macOS
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
High
Status
poc
Disclosed
2024-05-11
Config / version noted
Yes

Provenance

Reported as

The exploit creates a symbolic link... defeating SIP protections.

Mechanism

The exploit creates a symbolic link in /Applications/ named 'Install macOS Ventura.app' pointing to a SIP-protected directory before running the 'installer' command on InstallAssistant.pkg. During package extraction, system_installd follows the symlink and removes the 'restricted' flag from the target directory, defeating SIP protections.

Detection & mitigation

Monitor for creation of symbolic links in /Applications/ with names matching macOS installer patterns (e.g., 'Install macOS Ventura.app') pointing to SIP-protected directories, and alert on subsequent execution of 'installer' targeting InstallAssistant.pkg. Mitigation includes applying macOS updates beyond 14.0 and restricting execution of the installer utility to authorized processes.
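One way to implement the first half of the detection note above (the symlink check; the 'installer' execution alert is a separate control), as an added example that is not code from the cited source or from Apple: a Python scan of /Applications/ for symlinks named like a macOS installer bundle that resolve to a SIP-protected directory. The restricted-flag bit value, the list of protected roots and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# SIP 'restricted' flag bit from xnu sys/stat.h (assumption: 0x00080000); stat.SF_RESTRICTED only exists from Python 3.13.
SF_RESTRICTED = 0x00080000
# Roots SIP protects on a stock install (assumption; extend for your build).
DEFAULT_PROTECTED_ROOTS = ("/System", "/usr", "/bin", "/sbin")
# Bundle names the record describes, e.g. 'Install macOS Ventura.app'.
INSTALLER_NAME = re.compile(r"^Install macOS .+\.app$")

def is_sip_protected(target: Path, protected_roots) -> bool:
    """True if target carries the restricted flag (macOS only) or sits under a protected root."""
    flags = getattr(os.stat(target), "st_flags", 0)  # st_flags is absent on Linux
    if flags & SF_RESTRICTED:
        return True
    resolved = target.resolve()
    roots = [Path(r).resolve() for r in protected_roots]
    return any(resolved == r or r in resolved.parents for r in roots)

def find_suspicious_installer_links(apps_dir="/Applications", protected_roots=DEFAULT_PROTECTED_ROOTS):
    """Return [(link, target)] for installer-named symlinks in apps_dir pointing at a SIP-protected directory."""
    hits = []
    for entry in Path(apps_dir).iterdir():
        if not entry.is_symlink() or not INSTALLER_NAME.match(entry.name):
            continue
        target = entry.parent / os.readlink(entry)  # an absolute link target overrides parent
        if target.is_dir() and is_sip_protected(target, protected_roots):
            hits.append((str(entry), str(target.resolve())))
    return hits

def make_constructed_layout():
    """Build a constructed /Applications-like tree for offline testing; returns (apps_dir, protected_root)."""
    base = Path(tempfile.mkdtemp())
    protected = base / "protected" / "Library"
    protected.mkdir(parents=True)
    apps = base / "Applications"
    apps.mkdir()
    (apps / "Safari.app").mkdir()                               # real bundle: ignored
    (apps / "Notes.app").symlink_to(base)                       # wrong name: ignored
    (apps / "Install macOS Ventura.app").symlink_to(protected)  # the recorded pattern
    return str(apps), str(base / "protected")

if __name__ == "__main__":
    for link, target in find_suspicious_installer_links():
        print(f"ALERT: installer-named symlink {link} -> SIP-protected {target}")
```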

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.