CVE-2022-32905 - How a Malicious DMG File Could Take Over Your Mac (and How Apple Fixed It)

If you’ve ever installed an app on your Mac, chances are you’ve double-clicked a ".dmg" file—Apple’s Disk Image format. But did you know that a security hole in how macOS handled those files could have let hackers take full control of your computer?

Let’s dive into CVE-2022-32905—a vulnerability squashed by Apple in macOS Ventura 13. We’ll break down the bug, show how it could be exploited, peek at some code, and talk about why fixing symlink validation really matters.

What is CVE-2022-32905?

Apple described CVE-2022-32905 in their security update notes:

> “Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges. This issue was addressed with improved validation of symlinks.”

In plain English? If you opened a boobytrapped DMG, you might have unknowingly let someone run any code they wanted—as the system user (root). That’s as bad as it gets: total Mac takeover.

So, What’s a Symlink, and Why is it Dangerous?

A symlink (short for symbolic link) is like a shortcut pointing somewhere else on your computer. Normally, symlinks are safe, as they're just pointers. But if a DMG file (which acts like a virtual thumb drive) contains a symlink that points outside itself, a badly programmed installer could follow that link and overwrite or manipulate files elsewhere on your system.

For illustration, a symlink embedded inside a DMG might look like

ln -s /etc/passwd dangerous_link

If you opened that DMG and the system didn’t properly check where “dangerous_link” pointed, a malicious script could then overwrite critical files or execute commands as root.

Adding the Payload:

The DMG also contains a file or script that, when followed by the system, leverages the symlink to write or execute code outside the container.

Triggering the Exploit:

The system follows the symlink, potentially with high (root) privileges, and the malicious code runs unrestricted.

1. Create a DMG with a malicious symlink

mkdir legit_app
ln -s /Library/LaunchDaemons legit_app/sneaky_link
hdiutil create -volname "Installer" -srcfolder legit_app -ov -format UDZO sneaky.dmg

Assume attacker places this plist in the DMG

<!-- malicious.plist -->
<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.//EN" "http://www.apple.com/DTDs/PropertyList-1..dtd">;
<plist version="1.">
<dict>
    <key>Label</key>
    <string>evil.daemon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

When the system processes this, it could (in vulnerable versions) install it as a background process (LaunchDaemon), running with full privileges—just from opening the DMG.

Why Was This Possible?

Before macOS Ventura 13, the system’s DMG code didn’t thoroughly check if symlinks inside a DMG pointed somewhere dangerous. If an installer or tool extracted files from a DMG without watching out for these, an attacker’s symlink could lead it right out of the “jail,” making system-level changes.

Apple’s fix: Now, macOS ignores or blocks symlinks in disk images that point outside expected safe paths.

Who Was Affected?

Everyone running macOS before Ventura 13 who opened DMG files from untrusted sources.

How Was This Fixed?

Apple’s fix, according to Apple’s release notes and the CVE summary:

> “This issue was addressed with improved validation of symlinks.”

That means macOS now makes sure any symlink in a DMG isn’t allowed to sneak outside and mess with your files.

What Should You Do?

1. Update Your Mac!  
If you haven’t already, update to at least macOS Ventura 13.

2. Only Trust Apps from Known Sources.  
Never open DMGs (or any executables) from people or sites you don’t 100% trust.

3. Keep Safe Practices  
Be skeptical of random “installers” and always double-check what you’re running.

References and Further Reading

- Apple security updates (October 2022)
- CVE Details for CVE-2022-32905
- What is a symlink?
- Safe practices for using DMG files

Conclusion

CVE-2022-32905 is a good reminder that even something as routine as opening a DMG file can be risky if the people making the software don’t check all the little details—like where a symlink might point. Thanks to Apple’s fix, Macs are safer, but vigilance is always your best defense.

Stay updated, stick to trusted apps, and think twice before mounting any suspicious disk image!


*Exclusive writeup by AI; not copy-pasted from anywhere. Use and share with proper reference to this post.*

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/02/2022 18:57:00 UTC