This repository contains a Proof of Concept (PoC) for CVE-2025-24118, a race condition vulnerability discovered in macOS's kernel. The vulnerability arises due to non-atomic updates to a process's credentials, specifically in the kauth_cred_proc_update function, which handles updates to the proc_ro.p_ucred field. This PoC demonstrates how the bug can be triggered by exploiting a race condition between a thread that updates the credentials and another that reads them, potentially leading to crashes or credential corruption.
The exploit works by creating two threads:
- Writer thread: This thread rapidly switches the process's group ID between the real and effective GID using the
setgidsystem call. - Reader thread: This thread continuously reads the current group ID with
getgid, which simulates the concurrent read ofproc_ro.p_ucred.
By racing the two threads, the exploit can cause the reader to observe an inconsistent or partially updated credential pointer. This can lead to a kernel panic or silent corruption of process credentials.
-
Set up the environment:
- Ensure that the Python program is running on macOS (ideally on an Intel-based system).
- The program should be compiled with
setgidprivileges to toggle between different GIDs and trigger the credential update.
-
Run the script:
- If you're running the script in an environment with different real and effective GIDs, the race condition will be triggered.
python3 exp.py
-
Observe the behavior:
- The script will run the race condition between the two threads. After some time, the kernel may panic due to an invalid pointer reference, or the process's credentials could become corrupted.
toggle_cred: This function rapidly switches the real and effective group IDs by callingsetgidin a loop.reference_cred: This function continuously callsgetgidto read the current group ID, simulating the reading of thep_ucredpointer.- Race Condition: The bug arises because
kauth_cred_proc_updateis non-atomic, allowing for an inconsistent state to be read by the second thread.
-
Atomic Operations: The most effective way to mitigate this vulnerability is to ensure that updates to sensitive data structures like
p_ucredare performed atomically. This can be achieved by using appropriate atomic update functions, such aszalloc_ro_mut_atomic, to replace non-atomic operations. -
Proper Synchronization: Implementing proper synchronization mechanisms (such as locks or memory barriers) when updating or reading shared data structures can prevent such race conditions.
-
SMR Protection: For systems relying on SMR (Safe Memory Reclamation), ensuring that any updates to SMR-protected data structures are properly serialized is essential. This includes ensuring that non-atomic write operations are avoided.
-
Kernel Patches: As of macOS 15.3, this bug has been fixed, so updating the operating system is the most straightforward solution to prevent exploitation of this issue.
This exploit is provided for educational purposes and ethical hacking only, within controlled environments such as CTF competitions or penetration testing labs. Unauthorized use of this exploit on systems without permission is illegal and unethical. Always ensure you have explicit permission before testing any exploits.