In the last post of the series we will see another typical issue, where XPC services use the connecting process's ID (PID) to verify the client instead of the audit token. We will use F-Secure SAFE again for our case study; the vulnerability was fixed in 17.8 and was assigned CVE-2020-14977. The root cause: the XPC services of F-Secure SAFE use the process ID (PID) to verify the client's signature, as can be seen in the code below. | theevilbit.github.io
This is the first part of a blog post series I plan about PrivilegedHelperTools that exist on macOS systems. I recently took a look at a couple of these tools, and found that it's very easy to make the code insecure, as there are many small pieces to it, and if one is done wrong, the helper tool will be open to abuse by anyone having a foothold on the system. | theevilbit.github.io