Bypassing macOS Sandboxing and TCC via Arbitrary Folder Creation

TLDR: Researchers at Black Hat 2024 demonstrated how to chain arbitrary folder creation and path traversal vulnerabilities to escape the macOS sandbox and bypass TCC protections. By manipulating container directory structures and abusing the way macOS handles file access, they achieved remote code execution and unauthorized access to sensitive user data. This research proves that seemingly minor logic flaws in system-level services can be weaponized to completely dismantle modern Apple security controls.

Security researchers often dismiss arbitrary folder creation as a low-impact bug, but the reality is that on macOS, it is a direct path to a full sandbox escape. The core of the issue lies in how the operating system manages application containers and the trust relationship between the system and the files within those containers. If you can control where a folder is created or how a path is traversed, you can trick the system into misapplying its security policies, effectively granting your process privileges it should never have.

The Mechanics of the Escape

At the heart of this research is the interaction between the macOS container manager and the Mandatory Access Control List (MACL). When an application is sandboxed, it is restricted to its own container. However, the system must occasionally grant access to files outside that container. The vulnerability arises when an attacker can manipulate the creation of these containers or the symbolic links pointing to them.

By exploiting a path traversal vulnerability in the container folder creation process, such as the one identified in CVE-2023-42947, an attacker can create a folder structure that the system does not properly quarantine. Because the system assumes these folders are legitimate application data, it fails to apply the necessary security attributes. Once you have a non-sandboxed folder that the system treats as a trusted container, you can place an executable there and launch it, bypassing the standard Gatekeeper checks.

The researchers demonstrated this by creating a malicious application that, when launched, triggers the container manager to create a directory. By injecting a payload into the path, they forced the system to create a folder that lacked the expected quarantine attributes. This is a classic Broken Access Control scenario where the system's logic for verifying the integrity of the file system is bypassed by a simple path manipulation.

Chaining Vulnerabilities for Full Control

Achieving remote code execution requires chaining these logic flaws. The researchers showed that you can abuse the way macOS handles file associations. If you can replace a default file handler, you can trick Finder into automatically granting your application access to any file it opens. This is particularly dangerous when targeting applications like Microsoft Word or Telegram, which often have broad permissions.

Consider the following flow:

1. Identify an application that declares broad entitlements, such as com.apple.security.files.downloads.read-write.
2. Use a vulnerability like CVE-2023-42932 to manipulate the container structure.
3. Inject a malicious payload into a document that the target application is likely to open.
4. When the user opens the document, the application, acting as a trusted process, performs the malicious operation on your behalf.

The researchers also highlighted the role of the clipboard in cross-device attacks. Because the clipboard component on macOS is not properly protected, any process can access the Universal Clipboard. By monitoring clipboard operations, an attacker can steal sensitive data, such as cryptocurrency wallet addresses or mnemonic phrases, and replace them with malicious alternatives. This is not just a sandbox escape; it is a bridge between the Mac and the user's iOS devices, extending the attack surface significantly.

Real-World Implications for Pentesters

For those of us conducting red team engagements, these findings are a goldmine. The primary takeaway is that you should stop looking for memory corruption bugs in every single target and start looking for logic flaws in how applications interact with the system's container manager. If you are testing an application on macOS, check its Info.plist for registered file types and entitlements. If it has broad access to the file system, it is a potential pivot point.

During an engagement, focus on the following:

• Does the application create temporary files or folders in predictable locations?
• Can you influence the path of these files using symbolic links?
• Does the application use outdated libraries that might be susceptible to known vulnerabilities like CVE-2024-23215?

The impact of these vulnerabilities is severe. An attacker who successfully chains these flaws can bypass TCC, access the camera, record the screen, and read arbitrary files, all without triggering a single user prompt. This is the definition of a silent, persistent compromise.

Defensive Considerations

Defending against these attacks is difficult because they exploit the intended design of the operating system. However, blue teams can implement better monitoring. By using tools that hook into system APIs, you can detect suspicious file operations, such as an application creating symbolic links in sensitive directories like ~/Library/Containers/. Monitoring for unexpected changes to the MACL attributes of files is also a viable strategy.

Ultimately, the best defense is keeping software updated. Many of the vulnerabilities discussed in this research, such as CVE-2024-27872, were patched by Apple after being reported. The risk is highest for users running outdated versions of third-party applications that have not been updated to account for the stricter container management policies introduced in recent versions of macOS. If you are a developer, ensure your application follows the principle of least privilege and does not request more entitlements than it absolutely needs. The era of trusting the sandbox is over; verify every interaction between your code and the underlying operating system.