macOS vulnerabilities hiding in plain sight

Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don’t notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems.

In this talk I will cover three macOS vulnerabilities that I found while reading the writeup of other vulnerabilities, where some of them were public for over four years. I also only spotted them after multiple reads, and once found I realized that it was right there in front of us every single time.

In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability is the disk arbitration service. What I found that the same logic flaw was present in another part of he code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape.

In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors and after reading through the patch for the ~20st time, I spotted a new privilege escalation possibility.

In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me, that not only possible to bypass the new patch but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.