Full Report
In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability. I’ll explain the technical details of turning a potentially exploitable crash into a working exploit: a journey filled with dead ends, creative problem solving, and ultimately, success. The Vulnerability: A Quick Recap If you haven’t already, I highly recommend reading my detailed writeup on this vulnerability before proceeding. As a refresher, CVE-2024-54529 is a type confusion vulnerability within the com.apple.audio.audiohald Mach service in the CoreAudio framework used by the coreaudiod process. Several Mach message handlers, such as _XIOContext_Fetch_Workgroup_Port, would fetch a HALS_Object from the Object Map based on an ID from the Mach message, and then perform operations on it, assuming it was of a specific type (ioct) without proper validation.
Analysis Summary
# Vulnerability: Type Confusion in macOS CoreAudio Daemon
## CVE Details
- CVE ID: CVE-2024-54529
- CVSS Score: *Score not provided in text*
- CWE: Type Confusion
## Affected Systems
- Products: macOS, `coreaudiod` system daemon, CoreAudio framework (`com.apple.audio.audiohald` Mach service).
- Versions: *Specific vulnerable versions not explicitly listed in this summary section, but the exploit demo ran on macOS Sequoia 15.0.1.*
- Configurations: Systems running the affected CoreAudio components processing Mach messages.
## Vulnerability Description
CVE-2024-54529 is a **Type Confusion vulnerability** within the `com.apple.audio.audiohald` Mach service handled by the `coreaudiod` process. Specifically, Mach message handlers (like `_XIOContext_Fetch_Workgroup_Port`) retrieve a `HALS_Object` from the Object Map using an ID from the incoming message. The handler then improperly assumes this object is of a specific expected type (`ioct`) and performs operations (leading to a virtual function call) on it without proper type validation. This results in an `EXC_BAD_ACCESS` crash when a virtual call is attempted on an object pointer stored within the flawed `HALS_Object`.
## Exploitation
- Status: **Exploited (Proof-of-Concept detailed/demonstrated)**
- Complexity: **High** (Requires establishing a precise pointer chain involving heap spraying, controlling offsets within the `HALS_Object` (0x68 to point to controlled memory, which in turn points to a fake vtable), and setting the target address at offset 0x168 of the fake vtable).
- Attack Vector: *Implied Local or Sandbox Escape, as the vulnerability resides in a system daemon.*
## Impact
- Confidentiality: *High (Implied by ROP chain activity, potentially leading to arbitrary code execution)*
- Integrity: *High (Arbitrary code execution grants full control over the compromised process)*
- Availability: *High (Process termination/crash)*
## Remediation
### Patches
- *Specific patch version information is not detailed in this section of the article.* (The vulnerability was found via Project Zero research, implying Apple likely issued a patch concurrently or subsequently.)
### Workarounds
- No specific workarounds are detailed in the provided excerpt, outside of the steps needed for the successful exploit chain.
## Detection
- Detection methods are implied to involve monitoring for suspicious activity within the `coreaudiod` process memory or unusual Mach message interactions targeting the `com.apple.audio.audiohald` service.
- The exploit detailed here was written for **Intel CPUs**. Exploitation on Apple Silicon would require overcoming pointer signing mitigations.
## References
- Vendor Advisories: *Not explicitly detailed in the provided text snippet.*
- Relevant Links:
- Part I (Fuzzing process): hxxps://projectzero[.]google/2025/05/breaking-sound-barrier-part-i-fuzzing[.]html
- CVE-2024-54529 Issue Tracker: hxxps://project-zero[.]issues[.]chromium[.]org/issues/372511888
- Fuzzing Harness/Tools: hxxps://github[.]com/googleprojectzero/p0tools/tree/master/CoreAudioFuzz
- PoC Exploit: hxxps://github[.]com/googleprojectzero/p0tools/tree/master/CoreAudioFuzz/exploit