CVE-2024-44133 PoC — Apple macOS Security Vulnerability

Source
Associated Vulnerability
Title: Apple macOS Security Vulnerability (CVE-2024-44133)
Description: This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15. On MDM managed devices, an app may be able to bypass certain Privacy preferences.
Description
macOS CVE-2024-44133 evaluator of popular browsers
Readme
# HM-Surf evaluator
Evaluates susceptibility to [CVE-2024-44133](https://nvd.nist.gov/vuln/detail/CVE-2024-44133) of common macOS browsers.  
Also contains the HTML that takes a screenshot and downloads it along with location extraction.
![Screenshot](screenshot.png)

## Usage - evaluator
To run the evaluator, which evaluates [CVE-2024-44133](https://nvd.nist.gov/vuln/detail/CVE-2024-44133) on all common macOS browsers, run:

```shell
python3 -m pip install -r ./requirements.txt
./hm-surf-eval.py
```

Upon execution, the tool evaluates TCC bypassing capabilities of all common macOS browsers.

## Usage - HTML
The file [hm-surf.html](hm-surf.html) is an example HTML page that demonstrates [CVE-2024-44133](https://nvd.nist.gov/vuln/detail/CVE-2024-44133).  
All it does is access the camera and location, present the location (with low accuracy, on purpose) and download the camera screenshot (but it could just as easily save it on a server).  
This file is *not* an exploit by itself, and requires Camera, Microphone and Location access to be enabled for the browser, e.g. by a local attacker overriding the per-browser preferences.  
That capability can be assessed with the evaluator.  
To view the HTML page easily, you could use any tool, e.g. [htmlpreview](http://htmlpreview.github.io/?https://github.com/yo-yo-yo-jbo/hm-surf/blob/main/hm-surf.html).

## Coding
Coding an evaluator is quite easy - you inherit from `BrowserEvaluatorBase` and implement two methods:
- `get_browser_name` - retrieves a human-readable browser name.
- `evaluate` - gets the `username` and its `home_dir` and evaluates susceptibility. Returning `None` means the browser is not susceptible, while returning a `BrowserResults` instance reports susceptible results.

Note there's also a `ChromiumEvaluatorBase` base class for Chromium-based browsers. For those you implement the usual `get_browser_name` and also a `get_preference_filepath` method that returns a preference file path for the given home directory. You do not have to implement `evaluate` for Chromium-based browsers; that is implemented by the base class.
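
The contract described above, as an added sketch that is not the project's own code: the three classes are stand-ins, and the `BrowserResults` fields, the susceptibility criterion (a parseable preference file the process can write) and the `ExampleBrowser` name and path are all assumptions made for illustration.

```python
import json
import os
import tempfile
from abc import ABC, abstractmethod
from dataclasses import dataclass

# Stand-ins for the project's classes: the fields and the check are assumptions.
@dataclass
class BrowserResults:
    browser: str
    detail: str

class BrowserEvaluatorBase(ABC):
    @abstractmethod
    def get_browser_name(self): ...
    @abstractmethod
    def evaluate(self, username, home_dir): ...

class ChromiumEvaluatorBase(BrowserEvaluatorBase):
    @abstractmethod
    def get_preference_filepath(self, home_dir): ...
    def evaluate(self, username, home_dir):
        # Assumed criterion: a parseable preference file this process can write.
        path = self.get_preference_filepath(home_dir)
        try:
            with open(path, encoding="utf-8") as f:
                json.load(f)
        except (OSError, ValueError):
            return None  # missing or unreadable: reported as not susceptible
        if not os.access(path, os.W_OK):
            return None
        return BrowserResults(self.get_browser_name(), f"{username}: {path} is writable")

# All a new Chromium-based browser needs (browser name and path are hypothetical).
class ExampleBrowserEvaluator(ChromiumEvaluatorBase):
    def get_browser_name(self):
        return "ExampleBrowser"
    def get_preference_filepath(self, home_dir):
        return os.path.join(home_dir, "Library/Application Support/ExampleBrowser/Default/Preferences")

def demo():
    ev = ExampleBrowserEvaluator()
    with tempfile.TemporaryDirectory() as home:  # constructed home directory
        before = ev.evaluate("alice", home)
        path = ev.get_preference_filepath(home)
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as f:
            json.dump({"profile": {}}, f)
        return before, ev.evaluate("alice", home)
```
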
File Snapshot

```
[4.0K] /data/pocs/1cae042dbf916d7417dd4d0b8112a9a66f1aea9f
├── [4.0K] core
│   ├── [2.1K] lib.py
│   ├── [7.2K] printing.py
│   ├── [ 562] singleton.py
│   ├── [2.5K] sqlite_aux.py
│   └── [5.3K] utils.py
├── [4.0K] evaluators
│   ├── [3.3K] apple_safari.py
│   ├── [ 594] brave.py
│   ├── [2.1K] chromium_base.py
│   ├── [ 603] google_chrome.py
│   ├── [ 608] microsoft_edge.py
│   ├── [2.7K] mozilla_firefox.py
│   ├── [ 591] opera.py
│   └── [ 577] vivaldi.py
├── [2.4K] hm-surf-eval.py
├── [2.8K] hm-surf.html
├── [2.1K] README.md
├── [ 16] requirements.txt
└── [511K] screenshot.png

2 directories, 18 files
```