Eloi Benoist-Vanderbeken

macOS: How to gain root with CVE-2018-4193 in < 10s

Abstract

To escape the Safari sandbox at Pwn2Own 2018, Ret2 discovered and exploited CVE-2018-4193. They detailed their exploit, which takes 90s to pop a shell, in a blog post series and challenged their readers to do better... This presentation is Synacktiv's answer.

The presentation will first briefly describe CVE-2018-4193 and how Ret2 used it to exploit the macOS Window Server. The new way to exploit it will then be detailed step by step, and multiple tricks will be disclosed. These will range from CoreFoundation internals to the Mach IPC implementation and include bypass details and the default-heap feng-shui.
The code will be released just after the presentation and a (hopefully successful) demo.

BIO

Eloi (@elvanderb) is Synacktiv's reverse-engineering team coordinator.