Process Injection: Breaking all macOS Security Layers with a Single Vulnerability

Presented at Objective by the Sea version 5.0 (2022), Oct. 7, 2022, 10:40 a.m. (50 minutes)

macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access sensitive data. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.

In this talk, we'll explain what a process injection vulnerability is and why it can have critical impact on macOS. Then, we'll explain the details of this vulnerability, including how to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.
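The abstract names two things a practitioner will want to see side by side: the insecure-deserialization pattern that lets one process choose which classes get instantiated inside another, and the opt-in that Apple added to the Xcode application template. The example below is added here as an illustration and is not code from the talk or from Computest. It assumes the vulnerable pattern is an NSKeyedUnarchiver decode that does not enforce NSSecureCoding (the bug class the abstract names, not a claim about the exact code path of CVE-2021-30873), and the delegate method it shows is taken from Apple's NSApplicationDelegate documentation and current Xcode templates, not from this page. The sample archive in main() is constructed in place to stand in for data read from a file that another process of the same user could modify.

```objective-c
// Build: clang -framework Cocoa secure_restore.m -o secure_restore
#import <Cocoa/Cocoa.h>

// Insecure pattern: the archive itself names the classes to instantiate, so
// whoever controls the archive bytes chooses which -initWithCoder: runs inside
// this process, under this process's code signature and entitlements.
static id decodeInsecure(NSData *archive) {
    return [NSKeyedUnarchiver unarchiveObjectWithData:archive];  // deprecated, no class check
}

// Hardened pattern: only the listed NSSecureCoding classes may be instantiated;
// any other class name in the archive produces an error instead of an object.
static NSDictionary *decodeSecure(NSData *archive, NSError **error) {
    NSSet *allowed = [NSSet setWithObjects:[NSDictionary class], [NSString class],
                      [NSNumber class], nil];
    return [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed
                                               fromData:archive
                                                  error:error];
}

@interface AppDelegate : NSObject <NSApplicationDelegate, NSWindowDelegate>
@end

@implementation AppDelegate

// macOS 12+: when this returns YES, AppKit decodes saved window/application
// state with requiresSecureCoding = YES. Apple's Xcode app template returns YES
// for new projects; existing apps must add it themselves, and every custom
// class they store in restorable state must then adopt NSSecureCoding or the
// restore fails instead of instantiating an arbitrary class.
- (BOOL)applicationSupportsSecureRestorableState:(NSApplication *)app {
    return YES;
}

- (void)window:(NSWindow *)window willEncodeRestorableState:(NSCoder *)state {
    [state encodeObject:@{@"selectedTab": @2} forKey:@"ui"];
}

- (void)window:(NSWindow *)window didDecodeRestorableState:(NSCoder *)state {
    // Typed decode with an explicit allow-list for the container and its contents.
    NSSet *allowed = [NSSet setWithObjects:[NSDictionary class], [NSString class],
                      [NSNumber class], nil];
    NSDictionary *ui = [state decodeObjectOfClasses:allowed forKey:@"ui"];
    NSLog(@"restored ui state: %@", ui);
}
@end

int main(void) {
    @autoreleasepool {
        NSError *err = nil;
        // Constructed sample archive (hypothetical input, not data from the talk).
        NSData *archive = [NSKeyedArchiver archivedDataWithRootObject:@{@"selectedTab": @2}
                                                requiringSecureCoding:YES
                                                                error:&err];
        NSLog(@"insecure decode: %@", decodeInsecure(archive));
        NSLog(@"secure decode:   %@ (error: %@)", decodeSecure(archive, &err), err);
    }
    return 0;
}
```

The check to run on an existing app is whether its application delegate implements applicationSupportsSecureRestorableState: and returns YES, and whether every class it writes into restorable state declares supportsSecureCoding. Until both hold, the Monterey change in AppKit alone does not close the door the abstract describes.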


Presenters:

  • Thijs Alkemade - Security Researcher at Computest
    Thijs Alkemade (@xnyhps) works at the security research division of Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs has won Pwn2Own twice, by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021 and by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022.

    In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.
  • Daan Keuper - Head of Security Research at Computest
    Daan Keuper is the head of security research at Computest. This division is responsible for advanced security research on commonly used systems and environments. Daan participated three times in the internationally known Pwn2Own competition by demonstrating zero-day attacks against the iPhone, Zoom and multiple ICS applications.

    In addition, Daan did research on internet-connected cars, in which several vulnerabilities were found in cars from the Volkswagen Group.
