CVE-2025-24118 Exploit (Python)
Overview
This repository contains a Proof of Concept (PoC) for CVE-2025-24118, a race condition vulnerability discovered in macOS's kernel. The vulnerability arises due to non-atomic updates to a process's credentials, specifically in the kauth_cred_proc_update function, which handles updates to the proc_ro.p_ucred field. This PoC demonstrates how the bug can be triggered by exploiting a race condition between a thread that updates the credentials and another that reads them, potentially leading to crashes or credential corruption.
Exploit Details
The exploit works by creating two threads:
- Writer thread: This thread rapidly switches the process's group ID between the real and effective GID using the
setgid system call.
- Reader thread: This thread continuously reads the current group ID with
getgid, which simulates the concurrent read of proc_ro.p_ucred.
By racing the two threads, the exploit can cause the reader to observe an inconsistent or partially updated credential pointer. This can lead to a kernel panic or silent corruption of process credentials.
How to Run
Set up the environment:
- Ensure that the Python program is running on macOS (ideally on an Intel-based system).
- The program should be compiled with
setgid privileges to toggle between different GIDs and trigger the credential update.
Run the script:
Observe the behavior:
- The script will run the race condition between the two threads. After some time, the kernel may panic due to an invalid pointer reference, or the process's credentials could become corrupted.
Key Code Details
toggle_cred: This function rapidly switches the real and effective group IDs by calling setgid in a loop.reference_cred: This function continuously calls getgid to read the current group ID, simulating the reading of the p_ucred pointer.- Race Condition: The bug arises because
kauth_cred_proc_update is non-atomic, allowing for an inconsistent state to be read by the second thread.
Mitigation
Atomic Operations: The most effective way to mitigate this vulnerability is to ensure that updates to sensitive data structures like p_ucred are performed atomically. This can be achieved by using appropriate atomic update functions, such as zalloc_ro_mut_atomic, to replace non-atomic operations.
Proper Synchronization: Implementing proper synchronization mechanisms (such as locks or memory barriers) when updating or reading shared data structures can prevent such race conditions.
SMR Protection: For systems relying on SMR (Safe Memory Reclamation), ensuring that any updates to SMR-protected data structures are properly serialized is essential. This includes ensuring that non-atomic write operations are avoided.
Kernel Patches: As of macOS 15.3, this bug has been fixed, so updating the operating system is the most straightforward solution to prevent exploitation of this issue.
Disclaimer
This exploit is provided for educational purposes and ethical hacking only, within controlled environments such as CTF competitions or penetration testing labs. Unauthorized use of this exploit on systems without permission is illegal and unethical. Always ensure you have explicit permission before testing any exploits.
Link to the exploit
Support Crack-Vault and help us keep providing free tools. Every donation counts!
(BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn
