Process Injection: Breaking All macOS Security Layers With a Single Vulnerability

Conference:  Black Hat USA 2022

2022-08-11

Summary

  • macOS local security is shifting towards the iOS model with every application being codesigned, sandboxed, and requiring permission to access data and features
  • New security layers have been added to make it harder for malware to compromise sensitive data
  • Process injection vulnerabilities can be used to break security boundaries between processes
  • CVE-2021-30873 was a process injection vulnerability affecting all macOS applications
  • The vulnerability was addressed in the macOS Monterey update from October 2021, but fixing it requires changes to all third-party applications
  • The vulnerability was exploited to escape the macOS sandbox, elevate privileges to root, and bypass SIP
The speaker describes how they found a vulnerability in macOS and exploited it to escape the sandbox, elevate privileges, and bypass SIP. They explain the importance of understanding the current security model and the challenges of adding new security layers to an established system. They also mention the need for developers to update their applications to address the vulnerability.

Abstract

macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerabilities such as process injection.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update from October 2021, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.

In this talk, we'll explain what a process injection vulnerability is and why it can have a critical impact on macOS. Then, we'll explain the details of this vulnerability, including the techniques we developed to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.

Related work

Conference: Defcon 31
Authors: Jonathan Bar Or (Security Researcher at Microsoft), Anurag Bohra (Security Researcher at Microsoft), Michael Pearse (Security Researcher at Microsoft)
2023-08-01

Conference: Defcon 29
2021-08-01