Presented at Objective by the Sea version 6.0 (2023), Oct. 13, 2023, 10:10 a.m. (40 minutes).
XPC is an important technology in all of Apple's operating systems. It is used for inter-process communication, often across security boundaries. For example, a low-privileged client can ask a higher-privileged process to perform an action. For such services, it is important that the service performs correct authorization checks. It is well known that process identifiers (PIDs) are not safe to use for this; audit tokens need to be used instead. XPC connections are designed to be one-to-one, but the technology is built on mach messages, which form a multiple-sender/single-receiver communication channel. This raises some questions: can we establish an XPC connection with more than two participants? And what happens to the authorization checks when multiple senders send messages on the same XPC connection?

As it turns out, this can, under specific circumstances, allow an authorization check to be bypassed because the audit token of the wrong process is used. In this talk, we'll explain how XPC works and how it is implemented on top of mach messages. Then, we'll explain the vulnerability we found and show how it could lead to privilege escalation in the smd service on macOS (CVE-2023-32405).
Presenters:
- Thijs Alkemade, Security Researcher at Computest
Thijs Alkemade (@xnyhps) works at the security research division of Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs has won Pwn2Own twice, by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021 and by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022.

In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.