XProtectRemediatorDubRobber infoleak on macOS (CVE-2024-40842)
Posted on 2026-07-11 in blog
JBO reached out to me, and as it turns out we have collided on the bug I was about to publish, so I won't be doing that until this is cleared up.
Instead of that, I will post about a few other things that were already fixed
by Apple. The first one of these is an info-leak in XProtectRemediatorDubRobber.
This is a fairly trivial (and lame) bug, but it's ideal for a quick blogpost so here it is.
Background
XProtectRemediatorDubRobber as the name suggests is the remediator binary for
the DubRobber malware family. Basically this binary is invoked when a DubRobber
infection is detected. I think. The details don't matter all that much, what we
need to know is this: It has the entitlement com.apple.private.tcc.allow with
kTCCServiceSystemPolicyAllFiles. In case you're unfamiliar, this is the coveted
Full Disk Access (FDA) entitlement that is equivalent to a TCC bypass.
The bug
The bug is dead simple. This privileged binary relies on libmagic and
Launch Constraints allow us to run it. Since libmagic uses an environment
variable (if present) to locate its database, now the attacker can point
it to any malicious database file.
Obviously this is bad, since an attacker can attack libmagic itself with
a malicious file, but since libmagic has been around for a long time it
has been heavily audited and fuzzed. Because of that I didn't want to
invest a large amount of time into that, and unsurprisingly I got no
quick results while fuzzing it myself.
However, there's a funny thing libmagic does when it encounters a file that
is invalid: it will print out the lines that failed to parse in error messages :)
This is a quite nice info leak, with the limitation that binary files will
not be leaked fully. This is not as powerful as I'd like it to be, but
it is what it is. At least it could leak full text files, which is valuable.
Since this is an old bug - and an unimportant one - I did not go through the effort to retest and rerecord the video, so here's the original one I submitted to Apple:
XProtectRemediatorDubRobber info leak demo
The fix
Apple fixed the bug by removing the MAGIC environment variable when
XProtectRemediatorDubRobber is invoked. MAGIC works fine when you run
file, which also relies on libmagic, but the getenv("MAGIC") call
is missing from dtrace when XProtectRemediatorDubRobber is ran.
I suspect libmagic now checks if it's running in a privileged process
and if it is it won't honor MAGIC.
Ignoring MAGIC is the correct way to fix, well done Apple.
The bounty
Apple paid $6.5k for this bug, which is nice. In the previous post
I talked about the fact that partial TCC bugs were overpriced, and
even in this case I'd have gone lower. Sure, it can leak arbitrary
text files, but that's too weak in my opinion: it can't
leak sqlite dbs, binary plists, images, etc... and that's where a lot
of important stuff lives.
If it could leak
arbitrary binary files as well, this would be worth 10k in my
opinion, easily, since that would get you every private file that is
TCC-protected. Without that though, I still think this bug was a
little overpriced.
Apple took ~134 days for the fix which could be better, but it's fine, the bug is not super serious. Luckily it was an easy things to fix.