A newly disclosed vulnerability in Apple's proprietary libAppleArchive library, tracked as CVE-2024-27876, enables attackers to achieve arbitrary file writes on macOS and iOS systems, with the added potential of bypassing Apple's Gatekeeper protections. This critical flaw, rated 8.1 on CVSS, was uncovered and weaponized by security researcher Snoolie Keffaber, who revealed it through an insightful technical breakdown and proof-of-concept.
Initially exploring Apple Archive's internal behaviors, Keffaber developed libNeoAppleArchive, an open-source Linux-compatible parser for .aar files. While working with the symlink extraction logic for Apple Archive files, he noticed a flaw in how symbolic links were handled:
This discovery prompted deeper experimentation with header formatting, eventually leading to a realization: by exploiting a race condition during Apple Archive extraction, attackers could create a symlink just after a directory check but before the corresponding directory is created. As a result, any subsequent write to that location would go through the symlink, effectively redirecting data to a destination of the attacker's choice.
By replicating the symlink-file sequence multiple times in the archive, Keffaber dramatically improved the reliability of the exploit.
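The window described above exists because the extractor validates a path string and then writes through a fresh path lookup. The hardened extractor below is an added example, not Keffaber's code and not libAppleArchive's: it anchors every write to a directory descriptor and opens each path component with O_NOFOLLOW, so a symlink that appears after any check makes the write fail (ELOOP) instead of redirecting it. The entry tuples, the directory names and demo() are constructed for illustration; demo() stages the race by planting the symlink before extraction and returns whether the write was blocked plus the listing of the outside directory.

```python
import contextlib
import os
import tempfile
def _open_parent(dest_fd, rel_dir):
    """Descend one component at a time with O_NOFOLLOW: a symlink fails here (ELOOP)."""
    fd = os.dup(dest_fd)
    for comp in [c for c in rel_dir.split("/") if c]:
        try:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
        finally:
            os.close(fd)  # release the previous level whether or not the open succeeded
        fd = nfd
    return fd

def extract(entries, dest):
    """entries: (kind, relpath, payload) tuples, a constructed stand-in for the archive.
    Every write is anchored to a directory fd, never re-resolved from a path string."""
    written, dest_fd = [], os.open(dest, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for kind, path, payload in entries:
            if os.path.isabs(path) or ".." in path.split("/"):
                raise ValueError(f"rejected entry path {path!r}")
            parent, name = os.path.split(path)
            pfd = _open_parent(dest_fd, parent)
            try:
                if kind == "dir":
                    with contextlib.suppress(FileExistsError):  # existing dir is fine; a
                        os.mkdir(name, 0o755, dir_fd=pfd)       # symlink is caught later
                elif kind == "file":
                    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
                    with os.fdopen(os.open(name, flags, 0o644, dir_fd=pfd), "wb") as f:
                        f.write(payload)
                else:  # symlink (and any other) entries are refused outright
                    raise ValueError(f"unsupported entry kind {kind!r} for {path!r}")
            finally:
                os.close(pfd)
            written.append(path)
    finally:
        os.close(dest_fd)
    return written

def demo():
    """Staged race (constructed): a symlink already occupies the archive directory's name."""
    dest, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(dest, "bin"))  # stands in for the race winner
    try:
        extract([("dir", "bin", None), ("file", "bin/dropped", b"payload")], dest)
        return False, os.listdir(outside)
    except OSError:
        return True, os.listdir(outside)
```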
Building on the exploit, Keffaber aimed for a Gatekeeper bypass by targeting Archive Utility, which extracts files to a temporary directory and then applies quarantine attributes:
While the method demands prior knowledge of the target system's $TMPDIR and includes extra steps, it demonstrates that security boundaries once thought to be robust can be undermined using subtle, system-level race conditions.
CVE-2024-27876 doesn't just threaten macOS desktop environments. It also endangers any process or service using libAppleArchive, including:
WorkflowKit, which handles Shortcuts (AEA files)
FlexMusicKit and potentially ClipServices
Files app on iOS, which can extract .aar files
Even when validation checks like pathIsValid() are in place, the vulnerability bypasses them entirely via race timing:
An exploit-generation tool built on libNeoAppleArchive was shared in a ZIP file called GatekeeperV3.zip. While it still requires knowledge of system variables like $TMPDIR, it confirms the feasibility of the attack in real-world conditions.
Apple has since patched this vulnerability across its platforms:
macOS 13.7, 14.7, and 15
iOS 17.7 and 18
visionOS 2