The Price of Compatibility: Defeating macOS Kernel Using Extended File Attributes

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 12:30 p.m. (40 minutes).

Filesystem is one of the infrastructures of OS, and any flaws in it may cause serious impacts.

When I studied filesystem's implementation on macOS, I found that the old msdos FAT filesystem supports advanced features such as symbolic link and extended file attributes, which surprised me. Perhaps for compatibility and security considerations, Apple has done the simulation work of these FAT features for macOS. In the digital world, it's very difficult to make everything right. So when I dug deeper, I found that there are some flaws in the FAT feature implementation, giving me the opportunity to break its security boundary and launch an attack on the macOS through filesystem.

In this talk, I will give an overview of the techniques behind Apple's filesystem implementation, then detail the vulnerabilities (CVE-2020-27904, CVE-2019-8852) I have found. Additionally, I will show how to exploit them to achieve arbitrary kernel code execution. The above facts prove that a little flaw in filesystem can lead to a serious impact. At last, I will discuss some other possible attack surfaces from the perspective of filesystem.


Presenters:

  • Zuozhi Fan - Security Researcher, Ant Group
    Zuozhi Fan is a security researcher at Tianqiong Lab of Ant Group. He mainly focuses on macOS/iOS security.

Links:

Similar Presentations: