CVE-2018-4407 Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code - GitHub Security Lab
The networking implementation in iOS and macOS contained an out-of-bounds write, which could be triggered by sending a malicious packet to the device. No user interaction was required. This post explains how it was found using CodeQL.
CVE-2019-6231 Detailed Analysis of macOS/iOS Vulnerability
On Jan 22, 2019, Apple released macOS Mojave 10.14.3 and iOS 12.1.3. These two updates fixed a number of security vulnerabilities, including CVE-2019-6231 found in QuartzCore (aka. CoreAnimation). …
CVE-2021-30869 Analyzing a watering hole campaign using macOS exploits
To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor. As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks. Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code. In this blog we analyze the technical details of the exploit chain and share IOCs to help teams defend against similar style attacks.
CVE-2021-30868 macOS smbfs Race Condition leading to Use-After-Free Vulnerability
Affected Software: macOS Big Sur 11.0 - 11.2.3. Severity of the bug: High. Description of the vulnerability: smbfs is a kext driver which handles the SMB connection between the user and the SMB server. The vulnerability occurs in smbfs and allows an attacker to escalate from user permissions to root privileges. Technical Details: the smbfs kext is implemented as a character device (chardev); user space interacts with the smbfs kext through the ioctl syscall to perform tasks.
SnatchBox (CVE-2020-27935) is a sandbox escape vulnerability and exploit affecting macOS up to version 10.15.x
GitHub repository: LIJI32/SnatchBox
CVE-2021-30688 Sandbox escape + privilege escalation in StorePrivilegedTaskService
CVE-2021-30688 is a vulnerability which was fixed in macOS 11.4 that allowed a malicious application to escape the Mac Application Sandbox and to escalate its privileges to root. This vulnerability required a strange exploitation path due to the sandbox profile of the affected service. Background: At rC3 in 2020 and HITB Amsterdam 2021, Daan Keuper and Thijs Alkemade gave a talk on macOS local security. One of the subjects of this talk was the use of privileged helper tools and the vulnerabilities commonly found in them.
CVE-2019-8507 Detailed Analysis of macOS Vulnerability
On March 25, 2019, Apple released macOS Mojave 10.14.4 and iOS 12.2. These two updates fixed a number of security vulnerabilities, including CVE-2019-8507 in QuartzCore (aka CoreAnimation), which w…
A Look into XPC Internals: Reverse Engineering the XPC Objects
We have recently been engaged in deep security research on macOS for FortiGuard Labs focused on the discovery and analysis of IPC vulnerabilities. In this blog, we uncover the XPC internals data ty…
A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions
Perception Point researchers have discovered a vulnerability in macOS which allows an attacker to bypass App Sandbox restrictions. The vulnerability was disclosed to Apple, and the fix was announced on the latest macOS Monterey 12.0.1 security update on October 25th, identified as CVE-2021-30864.
Sketch is a popular UI/UX design app for macOS. This post covers a vulnerability in Sketch that I discovered back in July — CVE-2021-40531. In its simplest form, it is a macOS quarantine bypass, but in context it can be used for remote code execution.
Introduction: This vulnerability was disclosed at @Hack in Saudi Arabia in the presentation "20+ Ways To Bypass Your macOS Privacy Mechanisms". In the end, it allowed impersonating the TCC entitlements of any application installed on the device. Overview: Applications may install privileged helpers in the /Library/PrivilegedHelpers directory. When such a helper tries to access a protected resource (e.g. Address Book), TCC tries to determine which app is responsible for the helper. If the main app is determined, TCC checks whether the app has the proper permissions and grants the helper access to the protected resources.
As is well known, iOS 14.8 patched two 0-days in the wild, one of which is the Pegasus 0-click vulnerability. You can get the root cause and more interesting findings by reading my analysis from here.