WorkflowKit Race Vulnerability (CVE-2024-27821): Researcher Reveals Exploit that Let Malicious Apps Hijack Shortcuts


Security researcher Snoolie K has published an in-depth analysis of a security flaw in WorkflowKit, the framework behind Apple's Shortcuts app, which has been assigned CVE-2024-27821. The vulnerability, dubbed the “WorkflowKit Race Vulnerability,” lies in the extraction and signing paths for shortcuts and potentially allows a malicious app to intercept and modify shortcut files while the user imports them.

According to Snoolie K, “a race condition that a malicious app can potentially exploit to intercept shortcut files a user imports while running in the background” was identified in WorkflowKit’s shortcut extraction process. The flaw lies in the method responsible for extracting signed shortcuts, -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:] (the misspelling is Apple’s). The method contains a race condition that lets an attacker alter the shortcut file between the moment it is extracted and the moment it is used.

The method extracts a signed Apple Encrypted Archive (AEA) and converts it into an unsigned .wflow shortcut file. The problem is where that extraction happens: the file is written to a temporary directory that other processes can write to, and WorkflowKit later reads the file back from that directory, so there is a window between write and read-back in which another process can replace the file. As Snoolie noted, “The temporary Shortcuts directory is also able to be modified by any unsandboxed process, no permissions needed. This means that a malicious app is able to modify the directory/file in time and it imports.” In effect, the signature is checked on the archive, but what gets imported is whatever sits in the file at read time.

Snoolie K also pointed out a way to make the exploit reliable rather than a matter of luck: “What if I told you that we actually only have to be between AAExtractArchiveOutputStreamOpen and the WFFileRepresentation?” In other words, the swap only has to land somewhere between the point where the archive’s output stream is opened for extraction (AAExtractArchiveOutputStreamOpen) and the point where WorkflowKit wraps the extracted file as a WFFileRepresentation. That is a well-defined window, wide enough for a background process to hit consistently, and a file swapped inside it is imported as if it were the signed original.
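To make the extract-then-read-back race concrete, here is a small Python simulation written for this article. It is not WorkflowKit code or Snoolie K’s proof of concept. A dict holding a payload and its SHA-256 digest stands in for the signed Apple Encrypted Archive, an ordinary world-writable directory stands in for the temporary Shortcuts directory, and attacker_swap() plays the unsandboxed background app. The race window is modelled with a hook so the result is deterministic; a real attacker would poll the directory and race the importer instead. The hardened variant shows the two independent fixes a practitioner would reach for: extract into a fresh private (0700) directory, which is a simplified analogue of restricting who can touch the directory, and verify the digest of the bytes actually read back rather than the bytes originally written.

```python
"""Constructed simulation of a signed-archive extraction TOCTOU race.

Not WorkflowKit code. {payload, digest} stands in for the signed AEA, a
directory stands in for the temporary Shortcuts directory, attacker_swap()
is the malicious background app. The window hook exists only to make the
demo deterministic.
"""
import hashlib
import os
import tempfile


def make_signed_archive(payload: bytes) -> dict:
    """Stand-in for a signed archive: the 'signature' is a digest of the payload."""
    return {"payload": payload, "digest": hashlib.sha256(payload).hexdigest()}


def verify(payload: bytes, digest: str) -> bool:
    return hashlib.sha256(payload).hexdigest() == digest


def attacker_swap(path: str, malicious: bytes) -> None:
    """Replace the extracted file atomically so the importer never sees a torn write."""
    tmp = path + ".swap"
    with open(tmp, "wb") as f:
        f.write(malicious)
    os.replace(tmp, path)


def vulnerable_import(archive: dict, shared_dir: str, window_hook=None) -> bytes:
    """The pattern the article describes: verify the archive, extract it into a
    directory any process can write, then read the file back and import whatever
    is there. The signature covers the archive, not the bytes that get imported."""
    if not verify(archive["payload"], archive["digest"]):
        raise ValueError("bad signature on archive")
    path = os.path.join(shared_dir, "extracted.wflow")
    with open(path, "wb") as f:
        f.write(archive["payload"])
    if window_hook is not None:        # the race window: file on disk, not yet read
        window_hook(path)
    with open(path, "rb") as f:        # trusts the file, not the verified archive
        return f.read()


def hardened_import(archive: dict, window_hook=None) -> bytes:
    """Two independent fixes: a fresh private directory (mkdtemp creates it 0700,
    so other users cannot write into it), and a digest check on the bytes that
    were actually read back, so a swap by anything that can still write there
    is detected instead of imported."""
    if not verify(archive["payload"], archive["digest"]):
        raise ValueError("bad signature on archive")
    private_dir = tempfile.mkdtemp(prefix="import-")
    path = os.path.join(private_dir, "extracted.wflow")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
        f.write(archive["payload"])
    if window_hook is not None:        # same window, but now it is harmless
        window_hook(path)
    with open(path, "rb") as f:
        data = f.read()
    if not verify(data, archive["digest"]):
        raise ValueError("extracted file was modified before import")
    return data


def run_demo() -> tuple:
    """Returns (hijacked, detected): the vulnerable importer imports the swapped
    file; the hardened importer refuses it."""
    benign = b"benign shortcut actions"       # constructed stand-in for a .wflow plist
    malicious = b"malicious shortcut actions"
    archive = make_signed_archive(benign)
    shared_dir = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared_dir, 0o777)               # model a directory anyone can modify
    hook = lambda path: attacker_swap(path, malicious)

    hijacked = vulnerable_import(archive, shared_dir, hook) == malicious
    try:
        hardened_import(archive, hook)
        detected = False
    except ValueError:
        detected = True
    return hijacked, detected


if __name__ == "__main__":
    print(run_demo())   # (True, True)
```

Running the module prints (True, True): the same swap that silently succeeds against vulnerable_import() is caught by hardened_import(). The directory permission alone is the fix closest to what the article attributes to Apple; the read-back digest check is the belt-and-braces addition that holds even if a process somehow can still write into the directory.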

The implications are significant. Successful exploitation lets a malicious app running in the background modify shortcuts without the user’s knowledge or consent: an attacker could inject arbitrary actions into any shortcut the user tries to sign or open, potentially leading to data exposure or execution of attacker-controlled actions when the shortcut runs. As Snoolie K explained, “This means that a malicious app can potentially run in the background, and whenever the user attempts to contact sign any shortcuts, e.g. to share with a contact, it instead without the user’s knowledge intercepts it and potentially makes the user sign a different shortcut, e.g. injects malicious code in all Shortcuts the user tries to sign with innocent intentions.”

Snoolie K has published proof-of-concept exploit code for CVE-2024-27821 on GitHub.

Apple addressed the vulnerability in macOS 14.5. “Apple seems to have patched this by additional sandbox restrictions,” noted Snoolie K; in practice this means other processes can no longer modify the temporary directory WorkflowKit uses during extraction, which closes the window in which a shortcut file could be swapped. Users are strongly encouraged to update to macOS 14.5 or later.
