Hasty Briefs

Root Persistence via macOS Recovery Mode Safari

3 hours ago
  • #Recovery Mode Vulnerabilities
  • #macOS Security
  • #Physical Access Exploits
  • Two vulnerabilities were discovered in macOS Recovery Mode's Safari: one allows arbitrary writes to system partitions and root persistence (CVSS 8.5), while the other allows unrestricted file reads (CVSS 4.6).
  • The first vulnerability, affecting macOS Sequoia and older, exploited Safari's download location setting in Recovery Mode to save malicious files (e.g., .plist launch daemons) to the system disk without authentication, enabling root persistence.
  • The second vulnerability, present in macOS Tahoe's 'Web Browser' in Recovery Mode, allowed reading arbitrary files via the 'Open File' dialog (Cmd+O) to preview documents and images, though modifications were not possible.
  • Both vulnerabilities required physical access (AV:P) but no user interaction or prior privileges. Apple closed the reports after minimal engagement, citing FileVault as a mitigation, though fixes were later silently implemented in Tahoe 26.3.
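A defender-side check for the persistence mechanism in the second bullet, added here as an example (it is not code from the summary or from the original research): it parses LaunchDaemon plists the way launchd resolves them and flags third-party jobs whose executable sits where a Recovery Mode download could have written it. The sample plists, labels and paths are constructed, and the "trusted" prefixes are an assumption of this check, not an Apple rule.

```python
"""Audit LaunchDaemon plists for jobs that could have been dropped from Recovery Mode."""
import plistlib
from typing import Optional

# Constructed sample plists standing in for files under /Library/LaunchDaemons.
SAMPLE_DAEMONS = {
    "com.apple.example.plist": {          # hypothetical Apple-style daemon
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"],
        "RunAtLoad": True,
    },
    "com.example.updater.plist": {        # hypothetical third-party daemon
        "Label": "com.example.updater",
        "Program": "/Library/Application Support/Updater/run.sh",
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}

# Assumption for this check: executables under these prefixes live on the sealed
# system volume and cannot be replaced by a file saved from Recovery Mode Safari.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable launchd runs: Program wins over ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_daemon(plist: dict) -> list:
    """List the reasons a single launchd job deserves a closer look."""
    findings = []
    exe = program_path(plist)
    if exe is None:
        return ["no executable declared"]
    if not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside trusted paths: {exe}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at boot and restarts if killed")
    return findings


def audit_all(plist_blobs: dict) -> dict:
    """Map plist file name -> findings, keeping only jobs that have findings."""
    return {name: f for name, blob in plist_blobs.items()
            if (f := audit_daemon(plistlib.loads(blob)))}


def sample_blobs() -> dict:
    """Serialize the constructed samples as the bytes a real plist file would hold."""
    return {name: plistlib.dumps(d) for name, d in SAMPLE_DAEMONS.items()}
```

On a live system, feed `audit_all` the bytes of each file in /Library/LaunchDaemons; a daemon written from Recovery Mode looks like any other third-party job on disk, so compare the flagged entries against known software installs.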