CVE-2024-9062
📋 TL;DR
The Archify application on macOS contains a local privilege escalation vulnerability where any local process can connect to its privileged helper tool running as root. This allows unauthorized execution of privileged operations like arbitrary file deletion and permission changes. All macOS systems running vulnerable versions of Archify are affected.
💻 Affected Systems
- Archify
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via root-level arbitrary file operations, enabling persistence, data destruction, or installation of malware.
Likely Case
Local attackers escalate privileges to root, bypassing security controls to modify system files or access protected data.
If Mitigated
Limited impact if the helper tool is removed or proper client validation is implemented in the helper.
🎯 Exploit Status
Exploitation requires local access but is straightforward once the XPC interface is understood. No authentication or special privileges needed to connect to the helper.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://pentraze.com/vulnerability-reports/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. Update Archify to the latest version if a patch is available.
3. Remove the helper tool if updating is not possible.
🔧 Temporary Workarounds
Remove Archify Helper Tool
Uninstall the vulnerable privileged helper tool to prevent exploitation:
sudo rm -f /Library/PrivilegedHelperTools/com.oct4pie.archifyhelper
sudo launchctl unload /Library/LaunchDaemons/com.oct4pie.archifyhelper.plist 2>/dev/null || true
sudo rm -f /Library/LaunchDaemons/com.oct4pie.archifyhelper.plist
Uninstall Archify Application
Completely remove Archify and all associated components:
sudo rm -rf /Applications/Archify.app
sudo rm -f /Library/PrivilegedHelperTools/com.oct4pie.archifyhelper
sudo rm -f /Library/LaunchDaemons/com.oct4pie.archifyhelper.plist
🧯 If You Can't Patch
- Uninstall Archify completely from affected systems
- Implement strict access controls to limit local user access to systems running Archify
🔍 How to Verify
Check if Vulnerable:
Check if Archify helper tool exists: ls -la /Library/PrivilegedHelperTools/com.oct4pie.archifyhelper
Check Version:
Check Archify version in application info or via: mdls -name kMDItemVersion /Applications/Archify.app 2>/dev/null
Verify Fix Applied:
Verify helper tool is removed: ls -la /Library/PrivilegedHelperTools/com.oct4pie.archifyhelper 2>/dev/null || echo 'Not found'
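The three checks above combined into one script, as an added example that is not from the advisory or from Archify's authors. It takes an optional root prefix so it can be run against a mounted volume or a constructed test tree, and it assumes the launchd label equals the plist filename.

```shell
#!/bin/sh
# Added check for CVE-2024-9062 remediation state: reports whether the
# Archify privileged helper and its LaunchDaemon plist are still present.
# ROOT (default "/") lets the check run against a mounted volume or a
# constructed test tree; the launchd label is assumed to match the plist name.

HELPER_REL="Library/PrivilegedHelperTools/com.oct4pie.archifyhelper"
PLIST_REL="Library/LaunchDaemons/com.oct4pie.archifyhelper.plist"
LABEL="com.oct4pie.archifyhelper"

# archify_helper_state ROOT -> prints one of:
#   present   helper binary still installed (vulnerable)
#   stale     plist remains but binary gone (finish removing the plist)
#   removed   neither artifact found (workaround applied)
archify_helper_state() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash; "" means filesystem root
    helper="$root/$HELPER_REL"
    plist="$root/$PLIST_REL"
    if [ -e "$helper" ]; then
        echo present
    elif [ -e "$plist" ]; then
        echo stale
    else
        echo removed
    fi
}

# daemon_loaded -> exit 0 if launchd still lists the helper label.
# On systems without launchctl (non-macOS) it reports "not loaded".
daemon_loaded() {
    command -v launchctl >/dev/null 2>&1 || return 1
    launchctl list 2>/dev/null | grep -q "$LABEL"
}

# Script entry point: exits 1 while the helper binary is present so the
# check can gate a fleet-wide compliance job.
main() {
    state=$(archify_helper_state "${1:-/}")
    echo "helper state: $state"
    if daemon_loaded; then
        echo "launchd: $LABEL is still loaded; run the unload step"
    fi
    [ "$state" != present ] || return 1
}

main "$@"
```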
📡 Detection & Monitoring
Log Indicators:
- Connections to com.oct4pie.archifyhelper in system logs
- Unexpected privilege escalation events
- File deletion or permission change operations from Archify helper
Network Indicators:
- Local XPC connections to privileged helper
SIEM Query:
process_name:"com.oct4pie.archifyhelper" OR (parent_process_name:"Archify" AND event_type:"privilege_escalation")