XProtectRemediatorDubRobber infoleak on macOS (CVE-2024-40842)

Posted on 2026-07-11 in blog

JBO reached out to me, and as it turns out we have collided on the bug I was about to publish, so I won't be doing that until this is cleared up.

Instead of that, I will post about a few other things that were already fixed by Apple. The first one of these is an info-leak in XProtectRemediatorDubRobber.

This is a fairly trivial (and lame) bug, but it's ideal for a quick blogpost so here it is.

Background

XProtectRemediatorDubRobber as the name suggests is the remediator binary for the DubRobber malware family. Basically this binary is invoked when a DubRobber infection is detected. I think. The details don't matter all that much, what we need to know is this: It has the entitlement com.apple.private.tcc.allow with kTCCServiceSystemPolicyAllFiles. In case you're unfamiliar, this is the coveted Full Disk Access (FDA) entitlement that is equivalent to a TCC bypass.

The bug

The bug is dead simple. This privileged binary relies on libmagic and Launch Constraints allow us to run it. Since libmagic uses an environment variable (if present) to locate its database, now the attacker can point it to any malicious database file.

Obviously this is bad, since an attacker can attack libmagic itself with a malicious file, but since libmagic has been around for a long time it has been heavily audited and fuzzed. Because of that I didn't want to invest a large amount of time into that, and unsurprisingly I got no quick results while fuzzing it myself.

However, there's a funny thing libmagic does when it encounters a file that is invalid: it will print out the lines that failed to parse in error messages :) This is a quite nice info leak, with the limitation that binary files will not be leaked fully. This is not as powerful as I'd like it to be, but it is what it is. At least it could leak full text files, which is valuable.

Since this is an old bug - and an unimportant one - I did not go through the effort to retest and rerecord the video, so here's the original one I submitted to Apple:

XProtectRemediatorDubRobber info leak demo

The fix

Apple fixed the bug by removing the MAGIC environment variable when XProtectRemediatorDubRobber is invoked. MAGIC works fine when you run file, which also relies on libmagic, but the getenv("MAGIC") call is missing from dtrace when XProtectRemediatorDubRobber is ran.

I suspect libmagic now checks if it's running in a privileged process and if it is it won't honor MAGIC.

Ignoring MAGIC is the correct way to fix, well done Apple.

The bounty

Apple paid $6.5k for this bug, which is nice. In the previous post I talked about the fact that partial TCC bugs were overpriced, and even in this case I'd have gone lower. Sure, it can leak arbitrary text files, but that's too weak in my opinion: it can't leak sqlite dbs, binary plists, images, etc... and that's where a lot of important stuff lives.

If it could leak arbitrary binary files as well, this would be worth 10k in my opinion, easily, since that would get you every private file that is TCC-protected. Without that though, I still think this bug was a little overpriced.

Apple took ~134 days for the fix which could be better, but it's fine, the bug is not super serious. Luckily it was an easy things to fix.