Apple has greatly improved macOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented and whether it poses a viable attack vector. What began as a seemingly absurd question ended with full userspace control and a SIP bypass.
In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability and how to exploit the bug to execute code with full system privileges, including the task_for_pid-allow entitlement which grants control over any userspace process. Using this technique, we can then spawn a "rootless shell" in which SIP's filesystem protections are disabled.
The talk will assume basic familiarity with macOS but I'll cover the concepts we'll need (Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation is available online.