Created attachment 183146 [details]
POC-OBJC-Krita-Injection

SUMMARY

STEPS TO REPRODUCE
1. Run Krita (/Applications/Krita.app).
2. Save the following Objective-C code as inject_krita.m. It locates the Krita process, acquires its task port, maps memory, writes ARM64 shellcode, and creates a remote thread in the Krita process. The shellcode writes a file to /tmp/hi_krita.
3. Compile the payload:
   clang -framework Foundation -framework AppKit inject_krita.m -o inject_krita
4. Create an entitlements file named entitlements.plist with the following contents:
'''
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
'''
5. Sign the binary with the entitlement:
   codesign -s - --entitlements entitlements.plist --options runtime --force inject_krita
6. Run inject_krita
7. If successful, Krita will exit and the payload will create /tmp/hi_krita with the contents pwn\n, confirming code execution inside the Krita process.
8. cat /tmp/hi_krita

OBSERVED RESULT
task_for_pid() returns KERN_SUCCESS for the Krita process. Remote memory mapping, shellcode injection, and thread creation succeed. The Krita process executes attacker-controlled code.

EXPECTED RESULT
Krita release builds should not include com.apple.security.get-task-allow. This entitlement is intended only for development/debugging builds. In production, it should be removed to prevent task port abuse and unauthorized code injection by local processes.

SOFTWARE/OS VERSIONS
macOS: 15.5 (Sequoia), Apple Silicon
Linux/KDE Plasma: N/A
KDE Plasma Version: N/A
KDE Frameworks Version: N/A

ADDITIONAL INFORMATION
To verify the entitlement in the Krita binary, run:
   codesign -dvvvv --entitlements - /Applications/krita.app
To disable it, just uncheck the options in the hardened runtime in Xcode.
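As an added example (not part of the report above, and not Krita project code), here is a small POSIX shell check that answers the question the report raises: is a given app bundle signed with com.apple.security.get-task-allow set to true? It reads the XML entitlements as printed by `codesign -d --entitlements :- <app>` (the `:-` form, which strips the binary blob header, is assumed to be available; it is on macOS 11 and later) and matches the key only when its value is `<true/>`, so an explicit `<false/>` or an unrelated entitlement does not trip it. The plist samples at the bottom are constructed for the demonstration and are not taken from any real Krita build.

```sh
#!/bin/sh
# Audit helper: does an entitlements plist grant com.apple.security.get-task-allow?
# Added example; assumes macOS `codesign` for the live check, but the parser itself
# runs anywhere because it works on plist text supplied on stdin.

# has_get_task_allow: read an XML entitlements plist on stdin.
# Exit 0 if the get-task-allow key is present with value <true/>, 1 otherwise.
has_get_task_allow() {
    # Join the document into one line and drop whitespace between tags, so the
    # <key> and its <true/> value are adjacent regardless of how plutil/codesign
    # indented them. Then look for the exact key/value pair as a fixed string.
    tr -d '\n\r' \
        | sed 's/>[[:space:]]*</></g' \
        | grep -qF '<key>com.apple.security.get-task-allow</key><true/>'
}

# audit_app <path-to.app>: live check against the signature of an installed bundle.
# Prints a verdict; exit 0 = entitlement present (finding), 1 = absent, 2 = cannot check.
audit_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "SKIP: codesign not available; this check only runs on macOS" >&2
        return 2
    fi
    # `--entitlements :-` prints the embedded entitlements as raw XML (macOS 11+).
    if codesign -d --entitlements :- "$app" 2>/dev/null | has_get_task_allow; then
        echo "FINDING: $app is signed with com.apple.security.get-task-allow=true"
        return 0
    fi
    echo "OK: $app does not grant get-task-allow"
    return 1
}

# Constructed sample plists (not real Krita output) used for the offline demo.
DEBUG_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'

RELEASE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>'

# Key present but explicitly false: must NOT be reported as a finding.
FALSE_PLIST='<plist version="1.0"><dict>
<key>com.apple.security.get-task-allow</key>
<false/>
</dict></plist>'

# Offline demonstration on the constructed samples.
if printf '%s' "$DEBUG_PLIST" | has_get_task_allow; then
    echo "debug-style sample: get-task-allow present (would be a finding in a release build)"
fi
if ! printf '%s' "$RELEASE_PLIST" | has_get_task_allow; then
    echo "release-style sample: get-task-allow absent"
fi
if ! printf '%s' "$FALSE_PLIST" | has_get_task_allow; then
    echo "explicit false sample: not reported"
fi
```

On a Mac, run `audit_app /Applications/krita.app` to check the installed bundle directly; on any other system only the offline parser portion executes.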
We don't use Xcode to develop Krita, of course... This entitlement was added to make it possible for users to generate backtraces for bug reports. I'm really not sure why this should be a "vulnerability" given that you're already executing code at the same privilege level as Krita, too, on the same system?
(In reply to Halla Rempt from comment #1)
> We don't use xcode to developer Krita, of course... This entitlement was
> added to make it possible for users to generate backtraces for bug reports.
> I'm really not sure why this should be a "vulnerability" given that you're
> already executing code at the same privilege level as Krita, too, on the
> same system?

Hi Halla,

I totally understand what you mean. It turns out that on macOS, by default, it's common for an application to only run what's in its sandbox. Even if the attacker already has local privileges, using this entitlement significantly lowers the barrier to escalating the attack to other trusted processes (like Krita), and can be combined with other techniques to exploit user data, abuse UI spoofing, keylogging, etc.

I think it's important because it's not just theoretical; the BlueNoroff APT recently used this same technique, which can be read about in the Huntress article:
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
Does this vulnerability work on Krita from the Mac App Store, or does it only work (or was it only tested) on Krita downloaded from krita.org?
OK, I ran the test using the sandboxed krita.app (from the store); these are the results:

daedalus@dinamus:krita/test_files/task_allow $ ./inject_krita
2025-07-11 14:10:47.248 inject_krita[38057:3650901] [*] Searching for Krita process...
2025-07-11 14:10:47.258 inject_krita[38057:3650901] [+] Found Krita with PID: 37960
2025-07-11 14:10:47.258 inject_krita[38057:3650901] [+] Attempting to get task port...
2025-07-11 14:10:47.258 inject_krita[38057:3650901] [-] Failed to get task for pid 37960: 5 (0x5)

The entitlement does not break the sandbox. However, it also does not work running Krita installed from our website, nor running any dev build. I followed the exact steps from this report. What could be missing?
🐛🧹 ⚠️ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!
🐛🧹 This bug has been in NEEDSINFO status with no change for at least 30 days. Closing as RESOLVED WORKSFORME.