Process Injection: Breaking All macOS Security Layers With a Single Vulnerability

Presented at Black Hat USA 2022, Aug. 11, 2022, 10:20 a.m. (40 minutes)

macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerabilities such as process injection.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update from October 2021, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.

In this talk, we'll explain what a process injection vulnerability is and why it can have a critical impact on macOS. Then, we'll explain the details of this vulnerability, including the techniques we developed to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.


Presenters:

  • Thijs Alkemade - Security Researcher, Computest
    Thijs Alkemade (@xnyhps) works at the security research division of Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs is a Pwn2Own winner by demonstrating a zero-day attack against Zoom. In previous research, he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.

Links:

Similar Presentations: