CVE-2017-7004
Description
A race condition in Apple's Security component allows a crafted app to bypass entitlement checks and send XPC messages to privileged services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Security component's use of SecTaskCreateWithAuditToken, which only uses the PID (not the PID generation number) to build a SecTaskRef. This allows a race condition where an attacker can send an XPC message and then quickly exec a binary with the required entitlement, causing the service to check the new binary's entitlements. Affected versions: iOS before 10.3.2 and macOS before 10.12.5 [3].
Exploitation
An attacker needs to run a crafted app on the device. The app sends an XPC message to a service that checks entitlements, then immediately executes a binary that possesses the required entitlement (e.g., a system binary). Due to the race window, the service may see the PID of the new binary and grant access. Alternatively, if the app cannot exec, it can crash and be re-executed by launchd with a different binary [3].
Impact
Successful exploitation allows the attacker to bypass entitlement restrictions and send XPC messages to privileged services, potentially leading to privilege escalation or access to sensitive functionality. The attacker gains the entitlements of the binary that is exec'd or re-launched [3].
Mitigation
Apple addressed this in iOS 10.3.2 and macOS 10.12.5, released May 15, 2017. Users should update to these versions or later. No workaround is available [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- macOS, range: <10.12.5
- iOS, range: <10.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"SecTaskCreateWithAuditToken uses only the PID (ignoring the PID generation number) to look up entitlements, enabling a PID-reuse race condition."
Attack vector
An attacker crafts an app that sends an XPC message to a privileged Mach service (e.g., `com.apple.corecaptured`) which checks the sender's entitlement via `SecTaskCreateWithAuditToken`. Immediately after sending the message, the attacker's process execs a system binary that possesses the required entitlement (e.g., `cctool`), causing the same PID to now map to the entitled binary. The service's entitlement check, which only looks up the PID, resolves the attacker's original PID to the newly exec'd entitled binary, passing the check [ref_id=1]. The race window can be widened by flooding the target service's Mach port queue with many large messages before sending the exploit payload [ref_id=1].
Affected code
The vulnerability lies in the `SecTaskCreateWithAuditToken` function within Apple's Security framework. The researcher's write-up shows that this function calls `SecTaskCreateWithPID` using only the PID extracted from the audit token, ignoring the PID generation number (`p_idversion`) that the kernel appends to every Mach message's audit token [ref_id=1]. This means the entitlement lookup is bound to a PID that can be reused by a different process.
What the fix does
The advisory does not include a patch diff, but the fix is implied by the root cause: `SecTaskCreateWithAuditToken` must use both the PID and the PID generation number from the audit token when constructing the `SecTaskRef`, rather than calling `SecTaskCreateWithPID` which only uses the PID [ref_id=1]. By incorporating the generation number, the entitlement lookup becomes bound to a specific process instance, preventing a PID-reuse race where an attacker execs an entitled binary after sending the message. Apple addressed this in iOS 10.3.2 and macOS 10.12.5 [ref_id=1].
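The binding the fix description implies, as an added illustration that is not Apple's Security framework code and uses no Apple APIs: a constructed process table models each process as a pid plus a generation number, the pid-only check (the `SecTaskCreateWithPID` path) sits beside a check that refuses a sender whose recorded generation number no longer matches the process holding the pid, and two sequences replay the exec and relaunch paths the write-up describes. The table, the pids 4242 and 4243, the `next_pidversion` counter and the single-entitlement-per-process simplification are all constructed for the model; the generation number advancing on exec mirrors the behaviour the fix relies on.

```c
/* Added model (not Apple's Security framework code; no Apple APIs): a
 * constructed process table keyed by pid + generation number, with the
 * pid-only entitlement check beside the token-bound check the fix implies. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_PROCS 8
#define REQUIRED_ENTITLEMENT "com.apple.corecapture.manager-access"

/* Sender identity stamped on each queued message: pid + generation number (p_idversion). */
typedef struct { int32_t pid; uint32_t pidversion; } audit_token_model;
/* Constructed process-table entry; one entitlement string per process. */
typedef struct { bool alive; int32_t pid; uint32_t pidversion; char entitlement[64]; } proc_model;

static proc_model table[MAX_PROCS];
static uint32_t next_pidversion = 1;
static const audit_token_model NO_TOKEN = { -1, 0 };

void reset_table(void) { memset(table, 0, sizeof table); next_pidversion = 1; }

static proc_model *find_by_pid(int32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (table[i].alive && table[i].pid == pid) return &table[i];
    return NULL;
}

/* Start a process in a free slot; the pid may be one a dead process held. */
audit_token_model spawn(int32_t pid, const char *entitlement) {
    for (int i = 0; i < MAX_PROCS; i++) {
        if (table[i].alive) continue;
        table[i].alive = true;
        table[i].pid = pid;
        table[i].pidversion = next_pidversion++;
        snprintf(table[i].entitlement, sizeof table[i].entitlement, "%s", entitlement);
        return (audit_token_model){ pid, table[i].pidversion };
    }
    return NO_TOKEN;
}

/* exec(): the pid is kept, the image and its entitlements change, and the
 * kernel assigns a fresh generation number. */
audit_token_model exec_image(int32_t pid, const char *entitlement) {
    proc_model *p = find_by_pid(pid);
    if (p == NULL) return NO_TOKEN;
    p->pidversion = next_pidversion++;
    snprintf(p->entitlement, sizeof p->entitlement, "%s", entitlement);
    return (audit_token_model){ pid, p->pidversion };
}

void exit_process(int32_t pid) { proc_model *p = find_by_pid(pid); if (p != NULL) p->alive = false; }

/* Vulnerable check: resolves the sender by pid alone, so whichever process
 * holds that pid when the message is dequeued is the one inspected. */
bool check_by_pid(audit_token_model sender, const char *required) {
    proc_model *p = find_by_pid(sender.pid);
    return p != NULL && strcmp(p->entitlement, required) == 0;
}

/* Fixed check: the generation number recorded at send time must still match
 * the process holding the pid, so a reused pid fails closed. */
bool check_by_token(audit_token_model sender, const char *required) {
    proc_model *p = find_by_pid(sender.pid);
    if (p == NULL || p->pidversion != sender.pidversion) return false;
    return strcmp(p->entitlement, required) == 0;
}

static bool run_check(bool use_token, audit_token_model queued) {
    return use_token ? check_by_token(queued, REQUIRED_ENTITLEMENT)
                     : check_by_pid(queued, REQUIRED_ENTITLEMENT);
}

/* Exec race: the message is queued while the sender is unentitled, and the
 * sender execs an entitled image before the service dequeues and checks. */
bool exec_race_passes(bool use_token) {
    reset_table();
    audit_token_model queued = spawn(4242, "");
    exec_image(4242, REQUIRED_ENTITLEMENT);
    return run_check(use_token, queued);
}

/* Relaunch variant: the sender exits and an entitled process comes up under
 * the same pid before the check runs. */
bool relaunch_race_passes(bool use_token) {
    reset_table();
    audit_token_model queued = spawn(4242, "");
    exit_process(4242);
    spawn(4242, REQUIRED_ENTITLEMENT);
    return run_check(use_token, queued);
}

/* Control: an entitled client that never changes passes under both checks. */
bool legitimate_client_passes(bool use_token) { reset_table(); return run_check(use_token, spawn(4243, REQUIRED_ENTITLEMENT)); }

int main(void) {
    printf("exec race: pid-only %d, token-bound %d\n", exec_race_passes(false), exec_race_passes(true));
    printf("relaunch:  pid-only %d, token-bound %d\n", relaunch_race_passes(false), relaunch_race_passes(true));
    return 0;
}
```

Both race sequences pass the pid-only check and are refused by the token-bound check, while the unchanged entitled client passes either way; the service-side lesson is that an identity captured at send time has to be compared against the process instance, not the reusable pid.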
Preconditions
- input: Attacker must be able to run a crafted app on the affected system
- input: Attacker must be able to exec a binary that possesses the target entitlement (or force PID reuse via process crashing/wrapping)
- config: Target Mach service must use SecTaskCreateWithAuditToken for entitlement checking
Reproduction
The public PoC [ref_id=1] demonstrates the attack against `com.apple.corecaptured`, which expects clients to have the `com.apple.corecapture.manager-access` entitlement. The PoC sends an XPC message to that service, then immediately execs `/System/Library/PrivateFrameworks/CoreCaptureControl.framework/Versions/A/Resources/cctool` (a binary with the required entitlement) while blocking its stdout/stderr with a full pipe to prevent it from exiting. The researcher notes that attaching lldb to `corecaptured` artificially widens the race window, and that sending many large bogus messages beforehand can make the race more winnable [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/42145/ (EXPLOIT-DB, via MITRE)
- support.apple.com/HT207797 (CONFIRM, via MITRE)
- support.apple.com/HT207798 (CONFIRM, via MITRE)
News mentions
No linked articles in our index yet.