
A newly disclosed vulnerability in Apple’s proprietary libAppleArchive library, tracked as CVE-2024-27876, lets an attacker who can get a crafted archive extracted achieve arbitrary file writes on macOS and iOS, and it can be chained into a bypass of Apple’s Gatekeeper protections. The flaw, rated CVSS 8.1, was uncovered and weaponized by security researcher Snoolie Keffaber, who documented it in a detailed technical write-up and proof-of-concept.
While exploring Apple Archive’s internal behaviors, Keffaber developed libNeoAppleArchive, an open-source, Linux-compatible parser for .aar files. While working on the symlink extraction logic for Apple Archive files, he noticed a flaw in how symbolic links were handled:
“I successfully had an archive extract with a symlink to a completely different directory on my system!”
This discovery prompted deeper experimentation with header formatting, eventually leading to a realization: extraction in libAppleArchive is subject to a time-of-check-to-time-of-use (TOCTOU) race. An archive can be crafted so that a symlink entry is created just after the library has checked a directory path but before the corresponding mkdir() call runs. Any subsequent write to that path then resolves through the symlink, redirecting the data to a destination of the attacker’s choosing.
“LibAppleArchive will try to extract both of them at the same time… there is around a 15% chance… the mkdir() call will fail… [but] libAppleArchive will think the directory was created even though a symlink is there instead.”
Because the race is won only some of the time, Keffaber repeated the symlink-then-file pair many times within a single archive, dramatically improving the exploit’s reliability.
Building on the file-write primitive, Keffaber pursued a Gatekeeper bypass by targeting Archive Utility (whose ArchiveService component performs the extraction), which extracts files into a temporary directory and only then applies the quarantine attribute:
“With this libAppleArchive exploit, we can have ArchiveService extract the file outside the directory… but not quarantine it, thus bypassing Gatekeeper!”
The method requires prior knowledge of the target system’s $TMPDIR (a per-user path that contains a random component on macOS) and involves several extra steps, but it shows that a security boundary assumed to be robust can be undermined by a subtle, system-level race condition.
CVE-2024-27876 does not only threaten macOS desktops. Any process or service that extracts archives with libAppleArchive is exposed, including:
- WorkflowKit, which handles Shortcuts (AEA files)
- FlexMusicKit and potentially ClipServices
- Files app on iOS, which can extract .aar files
Even where a validation check such as pathIsValid() is in place, the vulnerability sidesteps it entirely: the check runs against the path before the symlink exists, so it passes, and the write that follows resolves through the link:
“This means that when it tries to write to the file, it instead writes it to the symlink pointing at our arbitrary file! Holy cow!”
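The check-then-create sequence described earlier, and the reason a pathIsValid()-style pre-check does not help, can be reproduced in a few lines. The C program below is an added example written for this article; it is neither Keffaber’s code nor Apple’s, and a deliberately simplified extractor stands in for libAppleArchive. The archive entries ("out" and "out/payload"), the payload bytes and the scratch directories under /tmp are all constructed for the demonstration, and the attacker’s move is simulated by planting the symlink deterministically inside the window instead of racing a real extractor. The hardened variant shows the standard fix: treat a failing mkdir() as fatal and create the file relative to a directory descriptor with O_NOFOLLOW|O_EXCL, so no path is re-resolved between check and use.

```c
#define _GNU_SOURCE              /* openat/mkdirat/O_NOFOLLOW/mkdtemp on glibc */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed archive contents (illustrative, not a real .aar): a directory
 * entry "out" followed by a file entry "out/payload". */
#define DIR_ENTRY  "out"
#define FILE_ENTRY "payload"
#define PAYLOAD    "attacker-controlled bytes\n"

/* The attacker's move inside the race window: the path that is about to be
 * mkdir()ed becomes a symlink to a directory of the attacker's choosing. */
static void plant_symlink(const char *dirpath, const char *target) {
    symlink(target, dirpath);
}

/* Vulnerable extractor, modelled on the sequence the post describes (not Apple's
 * code): 1. pre-check that the destination does not exist, 2. mkdir() it,
 * 3. open the file by full path. A symlink planted between 1 and 2 makes mkdir()
 * fail with EEXIST; ignoring that return value lets step 3 follow the link. */
static int extract_vulnerable(const char *root, const char *race_target) {
    char dpath[PATH_MAX], fpath[PATH_MAX];
    snprintf(dpath, sizeof dpath, "%s/%s", root, DIR_ENTRY);
    snprintf(fpath, sizeof fpath, "%s/%s/%s", root, DIR_ENTRY, FILE_ENTRY);

    struct stat st;
    if (lstat(dpath, &st) == 0)          /* pathIsValid()-style check: passes, nothing there yet */
        return -1;

    if (race_target)                     /* attacker wins the window */
        plant_symlink(dpath, race_target);

    mkdir(dpath, 0755);                  /* fails with EEXIST, but the result is never checked */

    FILE *f = fopen(fpath, "wb");        /* path resolution walks through the planted symlink */
    if (!f) return -1;
    fputs(PAYLOAD, f);
    fclose(f);
    return 0;
}

/* Hardened extractor: the same attacker action in the same window, but
 * mkdirat() failure (EEXIST included) aborts, the directory is opened with
 * O_NOFOLLOW, and the file is created relative to that descriptor with
 * O_EXCL|O_NOFOLLOW, so no path is re-resolved between check and use. */
static int extract_hardened(const char *root, const char *race_target) {
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0) return -1;

    if (race_target) {
        char dpath[PATH_MAX];
        snprintf(dpath, sizeof dpath, "%s/%s", root, DIR_ENTRY);
        plant_symlink(dpath, race_target);
    }

    int rc = -1;
    if (mkdirat(rootfd, DIR_ENTRY, 0755) == 0) {
        int dirfd = openat(rootfd, DIR_ENTRY, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (dirfd >= 0) {
            int fd = openat(dirfd, FILE_ENTRY,
                            O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
            if (fd >= 0) {
                if (write(fd, PAYLOAD, strlen(PAYLOAD)) == (ssize_t)strlen(PAYLOAD))
                    rc = 0;
                close(fd);
            }
            close(dirfd);
        }
    }
    close(rootfd);
    return rc;
}

/* Scratch tree: an extraction root plus a "victim" directory standing in for
 * the attacker's chosen destination. Returns 1 if the payload landed in the
 * victim directory, i.e. the write escaped the extraction root. */
static int run_scenario(int (*extract)(const char *, const char *)) {
    char base[] = "/tmp/aar-race-XXXXXX";
    if (!mkdtemp(base)) return -1;

    char root[PATH_MAX], victim[PATH_MAX], leaked[PATH_MAX], link[PATH_MAX];
    snprintf(root,   sizeof root,   "%s/extract", base);
    snprintf(victim, sizeof victim, "%s/victim",  base);
    snprintf(leaked, sizeof leaked, "%s/%s", victim, FILE_ENTRY);
    snprintf(link,   sizeof link,   "%s/%s", root, DIR_ENTRY);
    mkdir(root, 0755);
    mkdir(victim, 0755);

    extract(root, victim);

    struct stat st;
    int escaped = (stat(leaked, &st) == 0);

    unlink(leaked); unlink(link); rmdir(link);   /* best-effort cleanup */
    rmdir(victim); rmdir(root); rmdir(base);
    return escaped;
}

int vulnerable_escapes(void) { return run_scenario(extract_vulnerable); }
int hardened_escapes(void)   { return run_scenario(extract_hardened); }

int main(void) {
    printf("vulnerable extractor wrote outside its root: %d\n", vulnerable_escapes());
    printf("hardened extractor wrote outside its root:   %d\n", hardened_escapes());
    return 0;
}
```

Run it on Linux or macOS: the vulnerable extractor reports 1 (the payload ends up in the victim directory), the hardened one reports 0 because mkdirat() returns EEXIST for the planted link and extraction stops there. The same descriptor-relative pattern (mkdirat, openat with O_NOFOLLOW, O_EXCL on file creation) is what any archive extractor needs, since a pre-check on a path string can never rule out a change made after the check.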
An exploit generator built on libNeoAppleArchive was shared as a ZIP file named GatekeeperV3.zip. It still requires knowledge of system-specific values such as $TMPDIR, but it confirms that the attack is practical under real-world conditions.
Apple has since patched this vulnerability across its platforms:
- macOS 13.7, 14.7, and 15
- iOS 17.7 and 18
- visionOS 2