Presented at Disobey 2023, Feb. 17, 2023, 6 p.m. (30 minutes).
This is a story about my journey to find logic bugs in macOS. During 2020-2022 I found a bunch of them and reported three major vulnerabilities in macOS. I will explain my methodology to find them and walk you through an exploit chain that compromises users' sensitive data with zero click.
This chain starts with a zero-click vulnerability that I found in macOS Calendar. It allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This will lead to arbitrary code execution. I will demonstrate how the vulnerability can be combined with Gatekeeper evasion and TCC evasion to compromise users' sensitive data.
Edit: Some of the patches are still coming, so unfortunately I cannot disclose the full vulnerability chain yet. Instead, I will concentrate more on the first part of the vulnerability.