MacOS bug bounty


255 bookmarks
New macOS vulnerability, “HM Surf”, could lead to unauthorized data access | Microsoft Security Blog
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a […]
·microsoft.com·
Race condition in 9p file system.
From the commit message: there is a use-after-free on the dentry's d_fsdata fid list when one thread looks up a fid through the dentry while another thread unlinks it.
·r00tkitsmm.github.io·
Breaking SIP with Apple-signed Packages
The original topic of my first blog post, posted approximately a year ago, was to discuss how command injection vulnerabilities are present in PackageKit on macOS. While writing the article, I found some Apple-signed packages which had command injection vulnerabilities which could be used to bypass SIP.
·l3harris.com·
AppleAVD
https://github.com/R00tkitSMM/CVE-2024-27804
·r00tkitsmm.github.io·
macOS AUHelperService Full TCC Bypass
Last year, I discovered a full user TCC bypass issue in the macOS Sonoma beta version. There was a CVE number assigned at the beginning, but removed by Apple in the release of macOS 14.0. Instead, I got the credit in their Additional Recognitions.
·jhftss.github.io·
Bringing process injection into view(s): exploiting all macOS apps using nib files
In a previous blog post we described a process injection vulnerability affecting all AppKit-based macOS applications. This research was presented at Black Hat USA 2022, DEF CON 30 and Objective by the Sea v5. This vulnerability was actually the second universal process injection vulnerability we reported to Apple, but it was fixed earlier than the first. Because it shared some parts of the exploit chain with the first one, there were a few steps we had to skip in the earlier post and the presentations.
·sector7.computest.nl·
CVE-2023-42942: xpcroleaccountd Root Privilege Escalation
About two weeks ago, Apple published CVE-2023-42942 in its security advisory. It was a race condition issue that existed in the system service xpcroleaccountd, and it could be exploited for root privilege escalation. Today, I am going to share the details.
·jhftss.github.io·
CVE-2023-23504: XNU Heap Underwrite in dlil.c - Adam Doupé
This post describes the second vulnerability that I found in the XNU kernel, (first of which is here). XNU is the Operating System used for a number …
·adamdoupe.com·
Shifting boundaries: Exploiting an Integer Overflow in Apple Safari - Exodus Intelligence
By Vignesh Rao. Overview: In this blog post, we describe a method to exploit an integer overflow in Apple WebKit due to a vulnerability resulting from incorrect range computations when optimizing JavaScript code. This research was conducted along with Martin Saar in 2020. We show how to convert this integer overflow into a stable out-of-bounds ...
·blog.exodusintel.com·
DER Entitlements: The (Brief) Return of the Psychic Paper
Posted by Ivan Fratric, Project Zero Note: The vulnerability discussed here, CVE-2022-42855, was fixed in iOS 15.7.2 and macOS Monte...
·googleprojectzero.blogspot.com·
sqlol (CVE-2023-32422) - a macOS TCC bypass
Wow, two blogposts in two days! Is this a new writeup schedule? No, it's not. But, since I'm presently just ill enough to not be productive, yet well enough to write, I figured I'd chip away at my horrendous (writeup) debt while I wait for the immune fairy to arrive …
·gergelykalman.com·
lateralus (CVE-2023-32407) - a macOS TCC bypass
Since I owe you guys a bunch of writeups from my talk ( Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS), I decided that I'll tackle lateralus today. It's a simple, clean bug with a quick and satisfying resolution. I have been bitching about Apple in the past blogpost (and on twitter …
·gergelykalman.com·
Don’t Talk All at Once! Elevating Privileges on macOS by Audit Token Spoofing
In this blog post, we’ll describe a design issue in the way XPC connections are authorised in Apple’s operating systems. This will start by describing how XPC works and is implemented on top of mach messages (based on our reverse engineering). Then, we’ll describe the vulnerability we found, which stems from implementing a (presumed to be) one-to-one communication channel on top of a communication channel that allows multiple concurrent senders. Next, we’ll describe this issue using an example for smd and diagnosticd on macOS.
·sector7.computest.nl·
Technical Advisory: Insufficient Proxyman HelperTool XPC Validation
Vendor: Proxyman LLC Vendor URL: Versions affected: com.proxyman.NSProxy.HelperTool version 1.4.0 (distributed with Proxyman.app up to and including versions 4.11.0) Systems Affected: macOS Author:…
·research.nccgroup.com·
batsignal (no CVE) - a macOS LPE
This post is a writeup of batsignal, a macOS local privilege escalation bug from my talk: Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS. Background: This is a blogpost I'm dreading to write. It's about my first ever report in the ASB (Apple Security Bounty) and it was by far the …
·gergelykalman.com·
Zero Day Initiative — CVE-2023-38600: Story of an innocent Apple Safari copyWithin gone (way) outside
In May 2023, we received a vulnerability report from an anonymous researcher regarding a vulnerability in Apple Safari. It turned out to be an interesting classic integer underflow vulnerability. Apple assigned CVE-2023-38600 to this issue and fixed it in the following security advisories: — iOS 1
·zerodayinitiative.com·