CVE-2023-42929: Why do we need the App Container Protection
Starting with macOS Sonoma 14.0, Apple has introduced a new TCC category kTCCServiceSystemPolicyAppData to protect the App Container Data. This is designed to address one of my reports (aka CVE-2023-42929):
CVE-2023-42942: xpcroleaccountd Root Privilege Escalation
About two weeks ago, Apple published the CVE-2023-42942 in the security advisory. It was a race condition issue existed in the system service xpcroleaccountd, and it could be exploited for root privilege escalation. Today, I am going to share the details.
macOS AUHelperService Full TCC Bypass
Last year, I discovered a full user TCC bypass issue in the macOS Sonoma beta version. There was a CVE number assigned at the beginning, but removed by Apple in the release of macOS 14.0. Instead, I got the credit in their Additional Recognitions.
The Nightmare of Apple's OTA Update: Bypassing the Signature Verification and Pwning the Kernel
This blog post is written for my talk at OBTS v6.0.
CVE-2022-32902: Patch One Issue and Introduce Two
A year ago, I discovered a TCC-bypass issue in the system daemon service named com.apple.fontmover. Three months later, Apple addressed it as CVE-2022-32902. After checking how Apple addressed the issue, I found two new issues introduced by patching the issue. I reported them to Apple immediately and waited for about 9 months.
CVE-2023-23525: Get Root via A Fake Installer
A few weeks ago, Rich Trouton noticed a new change in the latest macOS release: macOS Ventura 13.3 alters expected behavior for Finder’s Open With functionality for macOS installer packages. In this post, I want to share a simple LPE vulnerability associated with it and why Apple made the change.
CVE-2022-26712: The POC for SIP-Bypass Is Even Tweetable
I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVE assigned so far. There are still some reports in the Apple’s processing queue. All of them are interesting logic issues, and of course each has a successful exploit demonstration.
CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years
In this writeup, I will introduce a very simple method to bypass GateKeeper , and uncover the root cause through reversing and debugging. Apple had already addressed it as CVE-2022-22616 in macOS Monterey 12.3, and credited the bug to two Jamf researchers (@malwarezoo, @jbradley89) and me. So, make sure you have updated your Mac devices to the latest version.
iOS14.8: Patch CVE-2021-1740 again silently
As well known, iOS14.8 patched two 0 days in the wild, one of which is the pegasus 0-click vulnerability. You can get the root cause and more interesting findings by reading my analysis from here.
CVE-2021-22545: A CVE from BinDiff & IDA Pro
Last year, I used the BinDiff plugin normally inside the IDA Pro, but I got a crash due to the plugin issue. Then a dialog prompted and I choosed to Let IDA Continue, then I got another weird crash. Yes, 2 different issues from BinDiff plugin & IDA Pro, just triggered by a bindiff file. Driven by my curiosity, I tried to find the root cause and got this CVE here :
IDA2Obj: HITB2021Sin Talk
现在许多高效的 fuzz 引擎(AFL,honggfuzz,syzkaller等)都会收集语料执行时的代码覆盖率,并以此为反馈来指导变异和 fuzz 策略。对于开源的项目,通过设置编译选项,编译器就会自动帮忙插桩了。但是对于闭源的二进制文件,问题就显得比较棘手了。当前主流的做法大多还是 DBI (运行时动态插桩,如 Dynamorio,frida stalker 等)。而与此相对的就是SBI (静态插桩)了。毫无疑问,静态插桩几乎可以获得和编译器插桩一样的执行效率,可以把编译器插桩看成是 SBI 的一个特例。但是目前已有的一些 SBI 方案没有大量运用普及,大都有各自的局限性。
CVE-2021-30798: TCC Bypass Again, Inspired By XCSSET
My team and I posted the details of the brand new Mac Malware XCSSET
last year [1] [2], and disclosed the interesting 0 day tricks used inside. All the XCSSET
payload modules were reviewed carefully. However, I was a newbie for hunting macOS vulnerability and I didn’t realize the TCC bypass is a vulnerability at that time until Jamf posted their new blog and detailed the 3rd 0 day used by XCSSET
.
Install decrypted IPA on M1 Mac
As mentioned in my last blog, I can launch any decrypted iOS App on M1 Mac with free developer certificate. Here, I will try to install the decrypted IPA dircectly without re-signing.
Run any iOS Apps in the Xcode Simulator
Besides the method in my last blog, I keep trying other methods to run the decrypted iOS App. Then I thought of the Xcode Simulator, which had no possibility to run the real iOS Apps before, due to the x86_64
platform restriction. But now, the Simulator from M1 Mac is also the arm64
architecture. Is it possible to run the decrypted iOS App in the simulator now ?
Debug any iOS Apps on M1 Mac
We have no permission to attach the lldb
to any other iOS Apps on the M1 Mac, when SIP
is enabled. But we couldn’t launch the iOS Apps if SIP
is disabled. It seems that fairplayd
has a check for the system boot policy security mode and refuses to decrypt the iOS App macho when SIP
is disabled.