Skeletons in the App Sandbox: 5+ Ways to Escape

Presented at Black Hat Europe 2021, Nov. 11, 2021, 2:30 p.m. (30 minutes)

The safety and trust promised by the App Store rest in large part on its mandatory sandboxing requirements. The required App Sandbox lets users install apps with abandon and without worry, keeping malicious ones contained. This talk will deep dive into a string of logic vulnerabilities in LaunchServices (CVE-2021-30677, CVE-2021-30783, and more) that allowed an attacker to escape the App Sandbox and bypass privacy protections despite the many new security mechanisms introduced in Catalina and Big Sur.

You'll learn how one deceptively simple issue can be exploited in multiple different ways and surely have a laugh at the same time. We'll release a tool to help reverse the latest versions of macOS and extend an already great tool to help find and detect vulnerabilities like this one. Finally, we'll lay the groundwork for bugs to come and highlight a forgotten attack surface.


Presenters:

  • Ron Waisberg - Senior Security Engineer, Okta
    Ron Waisberg does product security at Okta during the day and tinkers with platform security at night. In his previous role at Trend Micro, you could find him tearing apart patches and writing n-day exploits. To forget about computers he likes to climb, hike, and enjoy a nice beer.
