macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerabilities such as process injection.
CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update from October 2021, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.
In this talk, we'll explain what a process injection vulnerability is and why it can have a critical impact on macOS. Then, we'll explain the details of this vulnerability, including the techniques we developed to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.