macOS Flaw Lets Non-Admin Users Disable CrowdStrike and Kandji Security Tools
A vulnerability in macOS’s XPC framework allowed standard user accounts to disable essential security solutions from CrowdStrike and Kandji, exposing significant gaps in endpoint protection.
Overview of the Vulnerability
The flaw, identified by cybersecurity firm XM Cyber, was resolved after the company disclosed the issue to the affected vendors. The gap stemmed from how trust was established over XPC, the inter-process communication mechanism that macOS applications, helper tools and background daemons use to exchange messages.
Discovery and Disclosure
Researchers discovered that attackers could combine CDHash cache manipulation with NIB payload injection to compromise trusted processes. This let an unprivileged user impersonate a legitimate application and so pass the checks that privileged services used to decide whom to trust.
Technical Details of the Exploit
By injecting malicious interface (NIB) files into application bundles, adversaries got their own code running inside otherwise trusted apps; from there they used JavaScript for Automation (JXA) to circumvent scripting restrictions and reach low-level system memory. A hijacked, legitimately signed process could then pose as a high-privilege component, tricking background services into executing unauthorized commands on its behalf.
Specific Exploits
Specific exposed functions such as runProcessWithCommand and terminateAppsAndAgents were abused to disable security tools. CrowdStrike Falcon Sensor was targeted through an unprotected XPC interface: a standard user account (UID 502) was able to strip the sensor of its detection capabilities. Kandji's MDM Agent was compromised through a two-stage XPC chain that permanently deactivated its Endpoint Security Framework (ESF) extension. A third, unnamed enterprise endpoint detection and response (EDR) vendor fell to the same technique.
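What separates an "unprotected" XPC interface from one that checks its caller is the listener's decision about which connections to accept. The following is an added example written for this article, not code from XM Cyber, CrowdStrike or Kandji: a privileged helper's NSXPCListener delegate shown in three forms, accept-anyone, validate-by-PID, and a requirement bound to the connection itself. The service name, protocol, client bundle identifier and Team ID are hypothetical placeholders; the method name runProcessWithCommand mirrors the one named above but its body is invented.

```objective-c
// Added example (not vendor code). Server side of a privileged XPC helper:
// which clients may reach the interface. All names below are hypothetical.
// Build: clang -fobjc-arc -framework Foundation -framework Security helper.m -o helper
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <errno.h>

// Hypothetical privileged interface, modelled on the kind of method abused above.
@protocol HelperProtocol
- (void)runProcessWithCommand:(NSString *)command reply:(void (^)(int status))reply;
@end

// Hypothetical: the only client allowed to talk to this service, pinned by
// bundle identifier and Apple Developer Team ID (certificate leaf OU).
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.agent\" "
    @"and certificate leaf[subject.OU] = \"ABCDE12345\"";

@interface HelperListener : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperListener

// WEAK: an "unprotected" interface. Every local process, including one run by
// an ordinary account such as UID 502, is accepted and handed the interface.
- (BOOL)acceptAnyone:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// STILL WEAK: validate the peer's code signature by PID. The PID can be
// recycled between lookup and check, and a correctly signed client may already
// be hijacked, so this is only a fallback for systems without the API below.
- (BOOL)peerSatisfiesRequirementByPID:(NSXPCConnection *)conn {
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(conn.processIdentifier) };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef req = NULL;
    OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                                     kSecCSDefaultFlags, &req);
    if (status == errSecSuccess) {
        status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
        CFRelease(req);
    }
    CFRelease(code);
    return status == errSecSuccess;
}

// HARDENED: bind a code-signing requirement to the connection. On macOS 13+
// -setCodeSigningRequirement: evaluates it against the peer's kernel-supplied
// identity and invalidates the connection on failure: no PID race, and nothing
// the caller sends is trusted for the decision.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (![self peerSatisfiesRequirementByPID:conn]) {
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// Even an authenticated caller gets an allow-list, not a shell: the service
// chooses the executable and arguments; the caller only picks a key.
- (void)runProcessWithCommand:(NSString *)command reply:(void (^)(int))reply {
    NSDictionary<NSString *, NSArray<NSString *> *> *allowed = @{
        @"status": @[@"/bin/launchctl", @"print", @"system/com.example.agent"],
    };
    NSArray<NSString *> *argv = allowed[command];
    if (!argv) { reply(EPERM); return; }
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:argv[0]];
    task.arguments = [argv subarrayWithRange:NSMakeRange(1, argv.count - 1)];
    NSError *error = nil;
    if (![task launchAndReturnError:&error]) { reply(EIO); return; }
    [task waitUntilExit];
    reply(task.terminationStatus);
}
@end

int main(void) {
    @autoreleasepool {
        HelperListener *delegate = [HelperListener new];   // must outlive the listener (weak delegate)
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

One caveat follows directly from the attack described above: a code-signing requirement authenticates the signing identity of the peer, not its integrity. If an attacker has code running inside the legitimately signed client, the service still sees a valid peer. That is why the client process itself has to be hardened (hardened runtime, library validation) and why the interface should expose as little as possible, so that even a trusted caller cannot turn the service into a way to terminate or unload the endpoint agent.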
Attack Method and Evasion Techniques
Because the attack relied on legitimate system behaviors, signed applications talking to services over XPC, it evaded traditional security alerts and left minimal forensic evidence. Researchers emphasized the implications for insider threats and post-compromise scenarios, highlighting the need for updated endpoint security strategies.
Patches and Mitigation Efforts
Patches followed swiftly after disclosure. CrowdStrike fixed the issue immediately, rewarded the report and enhanced its detection mechanisms. XM Cyber also released an open-source tool, XPC Hunter, for identifying and mitigating similar weaknesses across macOS environments; the tool is to be presented at the Black Hat USA security conference.
Implications and Recommendations
The flaw underscored the risk of trust-based validation in inter-process communication: a privileged service that accepts any caller, or identifies its caller by something an unprivileged user can forge, effectively hands its privileges to that user. Organizations were advised to review their endpoint security configurations and to adopt proactive measures for detecting anomalous behavior, such as a security agent or its ESF extension being terminated or unloaded outside a scheduled update. The incident also reinforced the importance of continuous monitoring and rapid response to emerging threats.
