Abusing and Securing XPC in macOS Apps

Presented at Objective by the Sea version 3.0 (2020), Oct. 16, 2020, midnight (25 minutes)

XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more. In this talk, I will: Explain how XPC/NSXPC work Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t) Abuse an interesting feature on Catalina allowing to inject an unsigned dylib Show you how to fix that vulnz finally!

Presenters:

• Wojciech Reguła - IT Senior Security Specialist at SecuRing
  Wojciech is an IT Senior Security Specialist employed at SecuRing. Professionally responsible for web and mobile security testing with particular emphasis on iOS. He is also a creator of iOS Security Suite, an open source anti-tampering Swift framework. Recently interested also in macOS app security. In free time he runs an infosec blog, <https://wojciechregula.blog>.

Links:

• https://objectivebythesea.org/v3/content.html#wReguła
• https://objectivebythesea.org/v3/talks/OBTS_v3_wReguła.pdf

Similar Presentations:

• DEF CON 23 (2015) / Stick That In Your (root)Pipe & Smoke It
• Black Hat Europe 2018 / Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit
• May Contain Hackers (MCH2022) / macOS local security: escaping the sandbox and bypassing TCC