Zhongquan Li

Design-Based Vulnerabilities on macOS: Oops, Not a One-Shot Fix

Abstract

In this presentation, the speaker will disclose several macOS design-based vulnerabilities. Compared with code-level bugs, design-based vulnerabilities are often hard to fix in a single shot. A piece of vulnerable code might only be exploitable on macOS, but the same code can exist across Apple platforms (macOS, iOS, watchOS, etc.). That means Apple may need to refactor an entire framework to fully address the root cause, which is obviously time-consuming. In practice, they’re more likely to ship a temporary mitigation that blocks a specific exploit gadget, but as long as we can find a new exploitation path, we can reach the target again. This makes these attack surfaces highly valuable to real-world attackers: they don’t have to worry that “the vendor patched one of my findings, and now I need to find a new bug to chain with other 0-days.”

For example, protecting non-atomic operations has always been a challenge in modern operating systems. Apple introduced a security protection mechanism for this attack surface, and it helps defend many non-atomic operations. In this talk, the speaker will disclose 3 related vulnerabilities. With them, we can achieve local privilege escalation (LPE) against arbitrary apps, including Apple-signed apps, which lets us obtain the target's entitlements.
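As an added illustration of the non-atomic check-then-use pattern the abstract refers to (example code written for this page, not code from the talk; it does not model Apple's mitigation or any of the disclosed bugs): a racy lstat-then-open beside an open-with-O_NOFOLLOW-then-fstat version, with a hook standing in for the attacker's race window. The temp-directory paths, file contents and function names are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the attacker's race window: it runs between the check and the
 * use in the racy version, and before the open in the atomic one. */
typedef void (*race_hook_t)(void);

/* Racy (TOCTOU): a separate check on the path, then a use of the same path.
 * Nothing ties the object that was checked to the object that gets opened. */
int open_regular_racy(const char *path, race_hook_t race)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                               /* check: path is a regular file */
    if (race) race();                            /* attacker swaps the path here */
    return open(path, O_RDONLY | O_CLOEXEC);     /* use: follows whatever is there now */
}

/* Hardened: refuse to follow a symlink at open time and validate the opened
 * descriptor itself, so the check and the use refer to the same object. */
int open_regular_atomic(const char *path, race_hook_t race)
{
    if (race) race();                            /* same window; the swap no longer helps */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                               /* ELOOP if the path became a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo fixture: constructed paths inside a throwaway temp directory. */
static char g_target[PATH_MAX];
static char g_victim[PATH_MAX];

/* The attacker's move: replace the already-checked target with a symlink to
 * the file the attacker wants the privileged code to open on its behalf. */
static void swap_target_for_symlink(void)
{
    unlink(g_target);
    symlink(g_victim, g_target);
}

static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Returns 2 if the victim file's contents were read through the swapped link
 * (the race was won), 1 if the legitimate target was read, 0 if the open was
 * refused, and -1 if the fixture could not be set up. */
int run_toctou_demo(int hardened, int attacker_races)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(g_target, sizeof g_target, "%s/target", dir);
    snprintf(g_victim, sizeof g_victim, "%s/victim", dir);
    int result = -1;
    if (write_file(g_victim, "SECRET\n") == 0 && write_file(g_target, "public\n") == 0) {
        race_hook_t race = attacker_races ? swap_target_for_symlink : NULL;
        int fd = hardened ? open_regular_atomic(g_target, race)
                          : open_regular_racy(g_target, race);
        result = 0;
        if (fd >= 0) {
            char buf[16] = {0};
            ssize_t n = read(fd, buf, sizeof buf - 1);
            result = (n > 0 && strncmp(buf, "SECRET", 6) == 0) ? 2 : 1;
            close(fd);
        }
    }
    unlink(g_target);   /* removes the symlink or the original file */
    unlink(g_victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("racy, attacker races:     %d (2 = victim file leaked)\n", run_toctou_demo(0, 1));
    printf("hardened, attacker races: %d (0 = open refused)\n", run_toctou_demo(1, 1));
    printf("hardened, no race:        %d (1 = legitimate target read)\n", run_toctou_demo(1, 0));
    return 0;
}
```

The hook makes the race deterministic so the two versions can be compared side by side; in a real attack the window is won by timing or by stalling the victim between the check and the use. The hardened version works because the only check it trusts is one made on the descriptor it already holds.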

Design-based vulnerabilities often chain with other attack surfaces as well. The speaker will also introduce 5 additional (derived) vulnerabilities. They are design-based issues too, and they can likewise be used to achieve LPE on arbitrary apps.

In addition, the speaker will share several practical exploitation tricks that help keep the exploitation of some of these vulnerabilities quiet and low-noise.

BIO

Independent security researcher. Focused on Apple, Android, IoT and Web3 security. Speaker at Black Hat USA 2024, KCon 2024, and Kanxue 2023.