
Root Persistence via macOS Recovery Mode Safari

Why This Matters

The discovery of vulnerabilities in macOS Recovery Mode's Safari highlights critical security flaws that could allow persistent root access and unauthorized data reads, posing significant risks to user data and system integrity. Addressing these issues is vital for safeguarding Apple devices and maintaining consumer trust in macOS security features.

Key Takeaways

TL;DR: I accidentally discovered 2 vulnerabilities in macOS Recovery Mode's Safari: one allowing arbitrary writes to system partitions and root persistence (CVSS 8.5), the other allowing unrestricted file reads (CVSS 4.6). Technical write-ups HERE and HERE.

It started like any other day with my M1 MacBook Air dying due to the hundreds if not thousands of Chrome tabs I had open, so I did what every normal human does and long-pressed the Touch ID button to force a restart (which I personally find to be more effective than normal shutdown). However, I wasn't really paying attention and ended up holding the button for too long, which led me to discover this screen.

NOTE: This first vulnerability is for macOS Sequoia and older while the second vulnerability is for macOS Tahoe.

generic photo of Sequoia recovery screen

This got me very interested because why is there a Safari on Mac Recovery? So, being the very curious person I am, I decided to press on it, which takes you to something that looks like this:

this photo is taken post vulnerability fix but gets the point across

I then realized that you could connect to the Wi-Fi, so I did, and then attempted to look up google.com, which worked fine. I think they allow connecting to the Wi-Fi and searching up arbitrary websites so you can fix issues on your laptop that the built-in help guide doesn't have.

this photo is also taken on the latest Tahoe version where this vulnerability doesn't exist, however up till now everything is fine

Afterwards I tried searching up an image on Google and tried to save it (just for fun)

However, clicking Download Image would fail with something along the lines of "insufficient permissions: failed to write to disk". However, I then remembered this funny Safari setting where you can choose where to save any file.
