{"uuid": "3d63c120-2ef9-49d7-8411-43c31d77c63d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-27822", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/packagekit_zshenv_privesc.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Mykola Grymalyuk\", \"h00die\"], \"autofilter_ports\": [], \"autofilter_services\": [], \"check\": true, \"default_credential\": false, \"description\": \"This module exploits CVE-2024-27822, a vulnerability in macOS\\n          PackageKit.framework where PKG installer scripts using a ZSH shebang\\n          (#!/bin/zsh) are executed as root while inheriting the installing user's\\n          environment. This causes ZSH to load the user's ~/.zshenv with root\\n          privileges before the installer script body runs.\\n\\n          The module injects a payload into ~/.zshenv that only fires when EUID is 0,\\n          uploads a minimal PKG (from data/exploits/CVE-2024-27822/template.pkg) whose\\n          install script uses a #!/bin/zsh shebang, and opens it with Installer.app.\\n          When the user approves the installation dialog and authenticates, PackageKit\\n          runs the install script as root. ZSH sources ~/.zshenv before the script body\\n          executes, so the payload fires with root privileges. The original ~/.zshenv\\n          content is restored immediately after the payload runs.\\n\\n          Affected: macOS 14.4 and earlier, 13.6.6 and earlier, 12.7.4 and earlier,\\n          and all macOS 11 and older releases.\\n          Fixed in: macOS 14.5, 13.6.7, 12.7.5.\", \"disclosure_date\": \"2024-06-03\", \"fullname\": \"exploit/osx/local/packagekit_zshenv_privesc\", \"is_install_path\": true, \"mod_time\": \"2026-07-03 18:58:13 +0000\", \"name\": \"macOS PackageKit ZSH Environment Privilege Escalation\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"event-dependent\"], \"SideEffects\": [\"artifacts-on-disk\", \"config-changes\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/osx/local/packagekit_zshenv_privesc.rb\", \"platform\": \"OSX,Unix\", \"post_auth\": false, \"rank\": 0, \"ref_name\": \"osx/local/packagekit_zshenv_privesc\", \"references\": [\"CVE-2024-27822\", \"URL-https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html\", \"ATT&amp;CK-T1068\", \"ATT&amp;CK-T1546.004\"], \"rport\": null, \"session_types\": [\"shell\", \"meterpreter\"], \"targets\": [\"macOS\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-07-07T06:54:55.838358Z"}