A critical vulnerability in macOS WorkflowKit, the framework underpinning Apple’s Shortcuts app, has been disclosed.
This vulnerability allows malicious applications to intercept and modify user-imported shortcuts.
Identified as CVE-2024-27821, this race condition in WorkflowKit poses a serious security risk, potentially enabling attackers to tamper with shortcut files without proper detection.
macOS WorkflowKit Race Vulnerability
The issue stems from a race condition in the method -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:], responsible for extracting signed shortcut files.
This method processes Apple Encrypted Archives (AEA) to extract unsigned shortcut files (Shortcut.wflow).
However, during execution, a critical window exists where a malicious app can modify the extracted files or the temporary directory used in the process.
Shortcuts typically validate the signature of imported shortcuts to ensure authenticity. However, CVE-2024-27821 circumvents this safeguard by exploiting the race condition, allowing the import of unsigned shortcuts.
This opens the door for attackers to replace legitimate shortcuts with malicious ones, potentially compromising user data or executing unauthorized actions.
The researchers noted that the temporary directory used by WorkflowKit lacks sufficient protection, allowing unsandboxed processes to manipulate its contents.
This oversight makes it possible for attackers to modify files mid-extraction, effectively hijacking the process.
The exploit can be triggered by manipulating symlinks during the extraction process. Specifically, attackers can redirect the extraction stream (AAExtractArchiveOutputStreamOpen) to a directory of their choice by altering symlinks before and after the process begins.
This trick significantly increases the reliability of the exploit, particularly for larger shortcuts that take longer to extract. Once the malicious shortcut is in place, it bypasses signature validation and is imported by Shortcuts without raising any alarms.
This could lead to the execution of harmful workflows, such as data exfiltration, device reconfiguration, or unauthorized network requests.
The vulnerability isn’t limited to shortcut extraction. A similar race condition was identified in the method used for generating signed shortcut files, suggesting systemic issues within the WFShortcutPackageFile class of WorkflowKit.
These findings highlight the need for Apple to strengthen its handling of temporary files and implement stricter validation mechanisms.
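The temporary-file handling and validation called for above can be sketched with POSIX calls. This is an added example, not Apple's or the researchers' code; the function names open_private_workdir and read_extracted are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a mode-0700 work directory and return a descriptor pinned to it.
 * Later access goes through the descriptor, not the path, so swapping the
 * path for a symlink afterwards cannot redirect the caller. */
int open_private_workdir(char *tmpl)
{
    struct stat st;
    if (mkdtemp(tmpl) == NULL) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* Reject a directory we do not own or that group/other can access. */
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Read one extracted file into memory, relative to the pinned directory.
 * O_NOFOLLOW rejects a symlink as the final path component, and fstat()
 * inspects the object actually opened. Returns NULL on any failure. */
unsigned char *read_extracted(int dfd, const char *name, size_t *len)
{
    struct stat st;
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return NULL;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return NULL;
    }
    unsigned char *buf = malloc((size_t)st.st_size + 1);
    size_t got = 0;
    ssize_t n;
    while (buf != NULL && got < (size_t)st.st_size &&
           (n = read(fd, buf + got, (size_t)st.st_size - got)) > 0)
        got += (size_t)n;
    close(fd);
    if (buf == NULL || got != (size_t)st.st_size) {
        free(buf);
        return NULL;
    }
    *len = got;   /* verify and import this buffer; never re-open the path */
    return buf;
}
```

A mode-0700 directory does not keep out processes running as the same user, which is why the file is read once and both the signature check and the import should work from that single buffer.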
While Apple has not yet released a patch for CVE-2024-27821, users are advised to avoid importing shortcuts from unknown sources.
Developers working with Shortcuts should also exercise caution and monitor for updates from Apple addressing this vulnerability.