来源

关联漏洞

介绍

# CVE-2025-24118 Exploit (Python)

## Overview

This repository contains a **Proof of Concept (PoC)** for **CVE-2025-24118**, a race condition vulnerability discovered in macOS's kernel. The vulnerability arises due to non-atomic updates to a process's credentials, specifically in the `kauth_cred_proc_update` function, which handles updates to the `proc_ro.p_ucred` field. This PoC demonstrates how the bug can be triggered by exploiting a race condition between a thread that updates the credentials and another that reads them, potentially leading to crashes or credential corruption.

### Exploit Details

The exploit works by creating two threads:
1. **Writer thread**: This thread rapidly switches the process's group ID between the real and effective GID using the `setgid` system call.
2. **Reader thread**: This thread continuously reads the current group ID with `getgid`, which simulates the concurrent read of `proc_ro.p_ucred`.

By racing the two threads, the exploit can cause the reader to observe an inconsistent or partially updated credential pointer. This can lead to a **kernel panic** or **silent corruption** of process credentials.

### How to Run

1. **Set up the environment**:
   - Ensure that the Python program is running on macOS (ideally on an Intel-based system).
   - The program should be compiled with `setgid` privileges to toggle between different GIDs and trigger the credential update.

2. **Run the script**:
   - If you're running the script in an environment with different **real** and **effective** GIDs, the race condition will be triggered.
   
   ```bash
   python3 exp.py
   ```

3. **Observe the behavior**:
   - The script will run the race condition between the two threads. After some time, the kernel may panic due to an invalid pointer reference, or the process's credentials could become corrupted.

### Key Code Details

- **`toggle_cred`**: This function rapidly switches the real and effective group IDs by calling `setgid` in a loop.
- **`reference_cred`**: This function continuously calls `getgid` to read the current group ID, simulating the reading of the `p_ucred` pointer.
- **Race Condition**: The bug arises because `kauth_cred_proc_update` is non-atomic, allowing for an inconsistent state to be read by the second thread.

### Mitigation

- **Atomic Operations**: The most effective way to mitigate this vulnerability is to ensure that updates to sensitive data structures like `p_ucred` are performed atomically. This can be achieved by using appropriate atomic update functions, such as `zalloc_ro_mut_atomic`, to replace non-atomic operations.
  
- **Proper Synchronization**: Implementing proper synchronization mechanisms (such as locks or memory barriers) when updating or reading shared data structures can prevent such race conditions.

- **SMR Protection**: For systems relying on SMR (Safe Memory Reclamation), ensuring that any updates to SMR-protected data structures are properly serialized is essential. This includes ensuring that non-atomic write operations are avoided.

- **Kernel Patches**: As of macOS 15.3, this bug has been fixed, so updating the operating system is the most straightforward solution to prevent exploitation of this issue.

### Disclaimer

This exploit is provided for educational purposes and ethical hacking only, within controlled environments such as CTF competitions or penetration testing labs. Unauthorized use of this exploit on systems without permission is illegal and unethical. Always ensure you have explicit permission before testing any exploits.

文件快照

 [4.0K]  /data/pocs/59e903d83f5fdcabfcf053b1c98a093749b56f51
├── [ 994]  exp.py
└── [3.5K]  README.md

0 directories, 2 files

备注