Crashing to Root

Presented at Objective by the Sea version 1.0 (2018), Nov. 4, 2018, 1:50 p.m. (50 minutes).

Apple has greatly improved macOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented and whether it poses a viable attack vector. What began as a seemingly absurd question ended with full userspace control and a SIP bypass.

In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability and how to exploit the bug to execute code with full system privileges, including the task_for_pid-allow entitlement which grants control over any userspace process. Using this technique, we can then spawn a "rootless shell" in which SIP's filesystem protections are disabled.

The talk will assume basic familiarity with macOS but I'll cover the concepts we'll need (Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation is available online.


Presenters:

  • Brandon Azad - Security Researcher   as Bradon Azad
    Brandon Azad is an independent macOS/iOS security researcher who enjoys finding 0-days, developing elegant exploits, and writing articles about security. His significant projects include a macOS/iOS kernel inspection tool called memctl as well as an IDA Pro toolkit for analyzing Apple kernelcache files called ida_kernelcache.

Links:

Similar Presentations: