Today at Nullcon Berlin, a researcher disclosed a macOS vulnerability (CVE-2025-24204) that allowed attackers to read the memory of any process, even with System Integrity Protection (SIP) enabled.
The issue stems from Apple mistakenly granting the /usr/bin/gcore utility the com.apple.system-task-ports.read entitlement in macOS 15.0 (Sequoia). Apple removed the entitlement in macOS 15.3.
Koh M. Nakagawa speaking at Nullcon Berlin 2025
This entitlement gave gcore the ability to read the memory of any process on the system. Security researcher Koh M. Nakagawa of FFRI Security discovered that this broke a key security boundary and exposed sensitive user data, including contents of the Keychain, data protected by Transparency, Consent, and Control (TCC), and even encrypted iOS app binaries.
Nakagawa told Help Net Security he stumbled across the issue in an unexpected way.
“I originally found this when Microsoft published ProcDump-for-Mac,” he explained.
“When I heard about this tool, I thought that this tool must be useless because it cannot dump almost all processes due to System Integrity Protection. So, it must be valid only when SIP is disabled. But after downloading this tool and trying it, I noticed something strange. I could dump the process memory, including system processes, even when SIP was enabled. I was shocked about it. After digging deeper, I found that ProcDump-for-Mac calls gcore internally, and gcore grants special entitlements. Probably Microsoft also noticed that this entitlement was added to gcore, and that is why they created and released ProcDump-for-Mac. However, they did not seem to think it was a vulnerability.”
What attackers could do
gcore is a legitimate macOS tool that generates core dumps of running processes for debugging. Under normal circumstances, it should not be able to read protected memory regions without specific conditions being met. However, with the new entitlement in place, gcore could dump memory from any process, including system services that handle encryption and credentials.
Nakagawa demonstrated that this included the securityd process, which manages the login keychain. He developed a method to search the resulting memory dump for the Master Key used to encrypt the login keychain file. Once obtained, this key allows an attacker to decrypt the login keychain without needing the user’s password.
He also showed how this vulnerability enabled bypassing TCC protections. Sensitive files opened by sandboxed apps (like PDFs in Preview or contact data in Contacts) are often loaded into memory. By dumping memory of those apps and mapping the content using the vmmap tool, the contents of protected files could be recovered.
The third impact area was FairPlay-encrypted iOS apps. Apple Silicon Macs allow iOS apps to run natively on macOS, but their binaries remain encrypted at rest. By using gcore to dump memory while the app was running, Nakagawa was able to recover decrypted versions of these binaries without needing a jailbroken iPhone.
Fix and detection
Apple removed the problematic entitlement from gcore in macOS 15.3. The issue can be detected using Apple’s Endpoint Security Framework (ESF), which provides the get_task_read event. Monitoring for calls to task_read_for_pid by gcore targeting sensitive processes can flag exploitation attempts.
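As an added illustration of the detection approach just described (this is example code written for this article, not code from the talk, from FFRI Security or from Apple), the following Python filter runs over a few constructed, simplified get_task_read event records and flags the ones where gcore is the instigator and the target is a process known to hold secrets. The JSON record shape, the sensitive-process list and the process paths are assumptions: a real ESF client receives ES_EVENT_TYPE_NOTIFY_GET_TASK_READ messages as C structs, and what it logs is up to the client.

```python
"""Flag gcore reads of sensitive process memory in get_task_read events.

Constructed example: the event records below are an assumed, simplified
JSON encoding of what an Endpoint Security client subscribed to
get_task_read events might log (instigating process and target process,
each with a path and a pid). They are not Apple's wire format.
"""
import json
from dataclasses import dataclass

# Targets whose memory holds secrets, per the article: securityd (login
# keychain master key) and apps that load TCC-protected files. The paths
# are assumptions for this example.
SENSITIVE_TARGETS = {
    "/usr/sbin/securityd",
    "/System/Applications/Preview.app/Contents/MacOS/Preview",
    "/System/Applications/Contacts.app/Contents/MacOS/Contacts",
}

GCORE_PATH = "/usr/bin/gcore"


@dataclass(frozen=True)
class Finding:
    instigator_pid: int
    target_pid: int
    target_path: str


def parse_event(line):
    """Parse one JSON record; return None for malformed or unrelated events."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or ev.get("event_type") != "get_task_read":
        return None
    try:
        return {
            "instigator_path": str(ev["process"]["path"]),
            "instigator_pid": int(ev["process"]["pid"]),
            "target_path": str(ev["target"]["path"]),
            "target_pid": int(ev["target"]["pid"]),
        }
    except (KeyError, TypeError, ValueError):
        return None


def is_suspicious(ev, sensitive=SENSITIVE_TARGETS):
    """gcore obtaining a read port for a sensitive process is the signal."""
    return ev["instigator_path"] == GCORE_PATH and ev["target_path"] in sensitive


def scan(lines, sensitive=SENSITIVE_TARGETS):
    """Return a Finding for every suspicious event in an iterable of records."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev, sensitive):
            findings.append(
                Finding(ev["instigator_pid"], ev["target_pid"], ev["target_path"])
            )
    return findings


# Constructed sample log: two events should be flagged, the rest ignored.
SAMPLE_LOG = [
    '{"event_type": "get_task_read", "process": {"path": "/usr/bin/gcore", "pid": 4101},'
    ' "target": {"path": "/usr/sbin/securityd", "pid": 212}}',
    '{"event_type": "get_task_read", "process": {"path": "/usr/bin/gcore", "pid": 4102},'
    ' "target": {"path": "/bin/sleep", "pid": 4000}}',
    '{"event_type": "get_task_read", "process": {"path": "/usr/bin/lldb", "pid": 4103},'
    ' "target": {"path": "/System/Applications/Preview.app/Contents/MacOS/Preview", "pid": 900}}',
    '{"event_type": "get_task_read", "process": {"path": "/usr/bin/gcore", "pid": 4104},'
    ' "target": {"path": "/System/Applications/Preview.app/Contents/MacOS/Preview", "pid": 900}}',
    '{"event_type": "exec", "process": {"path": "/usr/bin/gcore", "pid": 4105}}',
    'not json at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"gcore pid {f.instigator_pid} read memory of {f.target_path} (pid {f.target_pid})")
```

Matching on executable path alone is a weak key, since a path can be reused; an actual ESF client has the instigator's code-signing information available and should key on that instead, and in the fixed macOS 15.3 build such reads from gcore simply fail, so any hit on an older build is worth a closer look.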
When asked what steps enterprise defenders could take to monitor for entitlement changes at scale, Nakagawa was skeptical that it would be useful.
“I do not think that enterprise security defenders need to perform this task,” he said. “Even if they discover it, there is nothing they can do other than wait for the OS update.”
Lessons for defenders
This case highlights the risks of misconfigured entitlements. Even a legitimate debugging tool can become a serious liability when granted elevated privileges.
Nakagawa believes the problem is bigger than one utility. “I think it is highly likely that similar vulnerabilities exist,” he said.
“My vulnerability suggests that Apple does not conduct sufficient security reviews when granting strong entitlements to binaries. Based on this, similar cases are not unlikely. In fact, in a different binary from this vulnerability, the com.apple.system-task-ports.read entitlement was removed with a macOS update. This may indicate a similar vulnerability to gcore, which was removed as a result.”
Nakagawa added that identifying these cases is primarily the job of security researchers. “The method to monitor entitlement changes is shown in the shared slides, which is to execute the ipsw diff command every time the OS is updated,” he noted.
The vulnerability also shows that partial privilege escalation, such as read-only memory access, can be powerful. Attackers do not need write access or full control to exfiltrate critical data.
Finally, the research demonstrates that security boundaries like SIP and TCC are only as strong as their enforcement. A small lapse can expose broad attack surfaces across the system.