iTunes is a media player which is developed by Apple Inc. and this application enables users to purchase, organize, and play digital music and videos.
It was launched in 2001 and revolutionized the way people accessed and managed their media collections with features like the “iTunes Store” for purchasing content and syncing with iPods and later devices.
Recently a cybersecurity researcher mhans (aka “mbog14”) identified iTunes 0-day (tracked as “CVE-2024-44193“) privilege escalation flaw that enables threat actors to hack Windows.
iTunes 0-day Privilege Escalation
CVE-2024-44193 represents a critical Local Privilege Escalation (LPE) vulnerability that was discovered in iTunes version “12.13.2.3.”
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
This 0-day flaw affects the ‘Apple Device Discovery Service’ (AppleMobileDeviceService.exe) that was located in “C:Program FilesCommon FilesAppleMobile” Device Support.
Apple patched the vulnerability on September 12, 2024, which stems from “improper permission management” in the “C: ProgramDataApple*” directory path.
Here in this patch members of the local Windows “Users” group can write arbitrary files.
The exploit leverages a combination of opportunistic locks (“oplocks”) and “NTFS junction points” to achieve privilege escalation.
When an unprivileged user triggers a service restart, they can exploit the vulnerable file deletion mechanism where the service runs with SYSTEM privileges and deletes files in “C:ProgramDataAppleLockdown*.”
Threat actors can create a sophisticated “folder/file” deletion first by using tools like “SetOpLock” for process manipulation and “FolderContentsDeleteToFolderDelete” for NTFS junction exploitation.
This process involves creating a folder structure by setting an “oplock” to pause the service’s execution, which helps them move files, and create NTFS junctions to target locations.
With the help of this, they achieve arbitrary code execution with “SYSTEM-level privileges,” effectively elevating from a standard user to “full system administrator access.”
NTFS junctions in Windows OS serve as directory links (similar to “symbolic links” or “symlinks” in Linux), which allow folders to be redirected to different locations.
This functionality can be exploited via the Apple Mobile Device Support service.
Using either PowerShell commands (“New-Item -Type Junction”) or ZDI’s “FilesystemEoPs” toolset (‘FolderContentsDeleteToFolderDelete.exe’), an attacker can create a junction pointing to a target folder on the Desktop.
When the service is restarted through the Windows GUI (‘Apps -> Installed apps -> Apple Mobile Device Support -> Modify -> Repair’), it executes a “CreateFile” operation with “DeleteOnClose” privileges running as SYSTEM.
According to the researcher, this high-privileged execution follows the junction and enables arbitrary file or folder deletion across the system.
The exploitation process involves several technical steps:-
- Setting up oplocks (“opportunistic locks”) to pause the process.
- Implementing an MSI rollback technique using “FolderOrFileDeleteToSystem.exe.”
- Carefully managing file path lengths (“requiring shortened constants like “C:d” and “e.txt” for reliable execution”).
The service repetition following junctions is combined with SYSTEM-level permissions that create a significant security vulnerability.
This allows unprivileged users to “delete system files” and achieve “system-level code execution” via a chain of precisely directed events.
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar