ClearanceKit File Access Bypass Vulnerability Impersonating Apple Processes
Vulnerability
A vulnerability in ClearanceKit prior to version 5.0.5 allows malicious software to impersonate Apple processes and bypass file access protections on macOS. The issue arises because ClearanceKit incorrectly identifies processes with an empty Team ID and a non-empty Signing ID as Apple platform binaries. This misclassification enables unauthorized access to protected files by exploiting the global allowlist for Apple processes.
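The misclassification can be shown as a small model of the allowlist decision. This is an added example, not ClearanceKit's own code: the SigningInfo fields, the platform_binary indicator (on real macOS, the kernel's CS_PLATFORM_BINARY code-signing flag is the kind of positive signal meant here) and the sample signing records are all constructed; only the 'com.apple.mds' Signing ID comes from the advisory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningInfo:
    """Constructed view of a process's code signature (assumed field set)."""
    signing_id: str        # identifier embedded in the signature; attacker-controlled for ad-hoc signing
    team_id: str           # Developer Team ID; empty for both ad-hoc and Apple platform signatures
    platform_binary: bool  # positive, OS-asserted "signed by Apple's platform chain" flag (assumed)


def is_apple_platform_vulnerable(info: SigningInfo) -> bool:
    """Flawed rule from the advisory: empty Team ID + non-empty Signing ID => 'Apple'."""
    return info.team_id == "" and info.signing_id != ""


def is_apple_platform_fixed(info: SigningInfo) -> bool:
    """Hardened rule (assumed remediation shape): trust only a positive platform indicator."""
    return info.platform_binary


# Global allowlist keyed by Signing ID; membership alone is not enough, the
# process must also be classified as Apple platform code.
GLOBAL_ALLOWLIST = frozenset({"com.apple.mds"})


def access_allowed(info: SigningInfo, is_apple) -> bool:
    """Return True if a protected-file read by this process would be permitted."""
    return is_apple(info) and info.signing_id in GLOBAL_ALLOWLIST


# Constructed sample processes.
GENUINE_MDS = SigningInfo("com.apple.mds", "", platform_binary=True)
ADHOC_IMPERSONATOR = SigningInfo("com.apple.mds", "", platform_binary=False)
DEV_SIGNED = SigningInfo("com.example.tool", "ABCDE12345", platform_binary=False)


if __name__ == "__main__":
    for name, proc in [("genuine mds", GENUINE_MDS),
                       ("ad-hoc impersonator", ADHOC_IMPERSONATOR),
                       ("developer-signed tool", DEV_SIGNED)]:
        print(f"{name:22s} vulnerable={access_allowed(proc, is_apple_platform_vulnerable)!s:5s} "
              f"fixed={access_allowed(proc, is_apple_platform_fixed)}")
```

The ad-hoc record shows the bug: it has no Team ID yet carries the allowlisted Signing ID, so the flawed rule admits it while the hardened rule, which never infers "Apple" from a missing Team ID, does not.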
Impact
Exploiting this vulnerability allows a local attacker to create an ad-hoc signed binary that impersonates an Apple process, bypassing ClearanceKit's file access protections and accessing all protected files associated with the allowlisted process.
Reproduction
To reproduce this vulnerability, create a C program that reads a file and prints its contents to stdout. Compile the program and ad-hoc sign the binary with a Signing ID that is globally allowlisted, such as 'com.apple.mds'. Then, run the signed binary against a file path protected by ClearanceKit's file access rules. The contents of the protected file will be successfully accessed and printed, demonstrating the bypass of ClearanceKit's protections.
Remediation
Users should update to ClearanceKit version 5.0.5 or later, where this vulnerability has been fixed.
