PoC Exploit Releases for Critical Symlink Flaw in Apple’s iOS – CVE-2024-44258

CVE-2024-44258 - symlink vulnerability

In a recent analysis, cybersecurity researchers Hichem Maloufi and Christian Mina detailed CVE-2024-44258, a symlink vulnerability affecting Apple’s ManagedConfiguration framework and the profiled daemon. This vulnerability allows attackers to manipulate the backup restoration process to access restricted areas, potentially exposing sensitive system files.

CVE-2024-44258, identified in Apple devices running certain iOS versions, reveals a flaw in handling symbolic links (symlinks) during backup restoration. When restoring a crafted backup, the migration fails to verify if the destination folder is a symlink, allowing files to be redirected to protected locations. Maloufi explains that “the migration process fails to validate whether the destination folder is a symbolic link,” which can lead to the modification of otherwise protected system files.

The vulnerability permits unauthorized file migration: a symlink placed in a backup lets the restore write files outside the sandbox the process was meant to stay in. Depending on the affected configuration, the impact ranges from unauthorized data access to privilege escalation and the exploitation of services that rely on the modified configuration. According to Maloufi, “this flaw can potentially allow unauthorized data access, privilege escalation, or exploitation of other services dependent on the modified configuration.”

The vulnerability has reportedly been observed in the wild for several months, with attackers actively exploiting it. However, Apple has not yet confirmed active exploitation in its security bulletins.

Maloufi and Mina’s research offers a detailed proof-of-concept, demonstrating the creation of a crafted backup that exploits this symlink flaw. The researchers illustrate how to insert files into Apple’s protected directories via a crafted symlink: “Due to the crafted symlink, the files are migrated into a restricted folder that can contain sensitive or protected data.”

Here’s a sample code snippet illustrating the process of crafting a backup to exploit the vulnerability. This code shows how to add a symlink and files to the backup, simulating the exploitation steps without including the actual crafted backup file.

/* `backup` (the backup being assembled) and `plist_size` are assumed to be declared
   earlier; the snippet only shows the entries that are added to the backup. */
unsigned char* plist_data = NULL;
file_read("/path/to/your/test-outofsandbox.plist", &plist_data, &plist_size); /* replace with the path of the plist to include */

/* The directory and file that the restore will migrate */
backup_add_directory(backup, "HomeDomain", "Library/ConfigurationProfiles", 0755, 501, 501);
backup_add_file_with_data(backup, "HomeDomain", "Library/ConfigurationProfiles/test.plist", 0755, 501, 501, 4, plist_data, plist_size);

/* The crafted symlink in the shared container domain; the migration follows it
   because the destination folder is never checked for being a symbolic link */
backup_add_directory(backup, "SysSharedContainerDomain-systemgroup.com.apple.configurationprofiles", NULL, 0755, 501, 501);
backup_add_symlink(backup, "SysSharedContainerDomain-systemgroup.com.apple.configurationprofiles", "Library", "/private/var/mobile/Library", 501, 501); /* symlink target: the folder the migrated files end up in */

backup_write_mbdb(backup); /* write the backup manifest */
backup_free(backup);

To mitigate this vulnerability, Apple’s iOS 18.1 beta5 introduced a function, _MCDestinationPathIsSafeFromSymlinkAttacks, specifically targeting this issue. The function performs a safety check on the destination path to prevent unauthorized file migration. This check has been incorporated into the MCMigrator_copyAlmostAtomicallyItemAtPath:toPath:error: function, addressing the risk by verifying the safety of destination paths.
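The kind of check described above, written out as an added example. This is not Apple's code and does not reproduce _MCDestinationPathIsSafeFromSymlinkAttacks; it only shows what a destination-path safety check for a restore has to do: canonicalise the restore root, walk the destination path one component at a time with lstat() so that no symlink is ever followed, refuse ".." components, and accept components that do not exist yet because the restore will create them. The function name dest_is_safe_from_symlinks, the fixture in run_demo, the temporary directory and the sample paths are all assumptions constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 when `rel` (a relative path beneath `root`) can be written to
 * without following a symbolic link, 0 otherwise.  Every existing component
 * is lstat()ed and must not be a symlink; ".." is rejected; the first
 * component that does not exist yet ends the walk, because the restore will
 * create it as a plain file or directory.  (Hypothetical check, not Apple's.) */
int dest_is_safe_from_symlinks(const char *root, const char *rel)
{
    char path[PATH_MAX];
    size_t len;
    const char *p = rel;

    /* Canonicalise the root itself; the root may legitimately be reached
     * through a symlink (for example /var -> /private/var). */
    if (realpath(root, path) == NULL)
        return 0;
    len = strlen(path);

    while (*p != '\0') {
        const char *start;
        size_t clen;
        struct stat st;

        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;                        /* "." adds nothing */
        if (clen == 2 && start[0] == '.' && start[1] == '.')
            return 0;                        /* no climbing out of the root */
        if (len + 1 + clen + 1 > sizeof path)
            return 0;                        /* would exceed PATH_MAX */

        path[len++] = '/';
        memcpy(path + len, start, clen);
        len += clen;
        path[len] = '\0';

        if (lstat(path, &st) != 0)
            return errno == ENOENT ? 1 : 0;  /* missing is fine, other errors are not */
        if (S_ISLNK(st.st_mode))
            return 0;                        /* a symlink on the path: unsafe */
    }
    return 1;
}

/* Constructed fixture: a temporary restore root holding one real directory
 * and one symlink, mirroring a benign and a crafted backup layout.
 * Returns 1 when the check accepts the benign path and rejects both others. */
int run_demo(void)
{
    char tmpl[] = "/tmp/mc-symlink-demo-XXXXXX";
    char real_dir[PATH_MAX], link_path[PATH_MAX];
    char *root = mkdtemp(tmpl);
    int safe, via_link, traversal, result;

    if (root == NULL)
        return -1;
    snprintf(real_dir, sizeof real_dir, "%s/Library", root);
    snprintf(link_path, sizeof link_path, "%s/Linked", root);
    if (mkdir(real_dir, 0755) != 0 || symlink("/tmp", link_path) != 0)
        return -1;

    /* benign entry: plain directories all the way down */
    safe = dest_is_safe_from_symlinks(root, "Library/ConfigurationProfiles/test.plist");
    /* crafted entry: "Linked" is a symlink, so the write would land elsewhere */
    via_link = dest_is_safe_from_symlinks(root, "Linked/ConfigurationProfiles/test.plist");
    /* traversal attempt */
    traversal = dest_is_safe_from_symlinks(root, "../escape.plist");

    unlink(link_path);
    rmdir(real_dir);
    rmdir(root);

    result = (safe == 1 && via_link == 0 && traversal == 0);
    printf("benign=%d via-symlink=%d traversal=%d -> check %s\n",
           safe, via_link, traversal, result ? "works" : "FAILED");
    return result;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

The walk deliberately uses lstat() rather than stat() or realpath() on the destination: realpath() resolves symlinks silently, which is exactly the behaviour a restore must not rely on. Checking only the final component is not enough either, since the crafted backup above places the symlink at an intermediate directory ("Library"), so every existing component on the way down has to be inspected.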
