Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities

Conference: BlackHat USA 2020



The presentation discusses six vulnerabilities and their exploitation, used at Pwn2Own 2020 to compromise Safari with escalation of kernel privilege. The open-source exploit chain is shared to foster further research.
  • Six vulnerabilities were exploited to compromise Safari with escalation of kernel privilege
  • The exploit chain is open-sourced to encourage further research
  • The presentation includes a demo video of the exploit chain in action
  • The motive for the research was to participate in Pwn2Own
  • The move to ARM64 CPUs by Apple may make exploitation of this kind of chain more challenging
The presentation includes a demo video of the exploit chain in action, showing how the team was able to gain code execution and escape the sandbox by attacking Safari and then escalate privileges to root and kernel. The team also discusses their process for manual finding, which involved examining each demo to figure out how it related to reverse engineering in more detail.


Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser becomes extremely difficult, seemingly impossible.

In this talk, we will share our Safari exploit submitted to Pwn2Own 2020. Combining six different vulnerabilities, our exploit successfully compromises the macOS kernel starting from the Safari browser. It breaks every mitigation in macOS including ASLR, DEP, sandbox, and even System Integrity Protection (SIP). Inspecting every vulnerability used in this exploit, we will show not only state-of-the-art hacking techniques but also challenges in protecting complicated systems (i.e., browsers and operating systems) and in introducing their mitigations. Moreover, we will introduce a new technique that reliably exploits a TOCTOU vulnerability in macOS.