Today, I am disclosing a 0-day vulnerability that bypasses the patch for CVE-2024-34331. I have identified two distinct methods to circumvent the fix. Both bypasses were reported separately to the Zero Day Initiative (ZDI) and the affected vendor Parallels. Unfortunately, their responses have been deeply unsatisfactory.| jhftss.github.io
This is a blog post for my presentation at the conference OBTS v7.0. The slides are uploaded here.| jhftss.github.io
Happy New Year!| jhftss.github.io
Article URL: https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/ Comments URL: https://news.ycombinator.com/item?id=42084588 Points: 44 # Comments: 3| Hacker News: Newest
Starting with macOS Sonoma 14.0, Apple has introduced a new TCC category kTCCServiceSystemPolicyAppData to protect the App Container Data. This is designed to address one of my reports (aka CVE-2023-42929):| jhftss.github.io
About two weeks ago, Apple published CVE-2023-42942 in its security advisory. It was a race condition issue that existed in the system service xpcroleaccountd, and it could be exploited for root privilege escalation. Today, I am going to share the details.| jhftss.github.io
Last year, I discovered a full user TCC bypass issue in the macOS Sonoma beta version. There was a CVE number assigned at the beginning, but it was removed by Apple in the release of macOS 14.0. Instead, I got the credit in their Additional Recognitions.| jhftss.github.io
This blog post is written for my talk at OBTS v6.0.| jhftss.github.io
A year ago, I discovered a TCC-bypass issue in the system daemon service named com.apple.fontmover. Three months later, Apple addressed it as CVE-2022-32902. After checking how Apple addressed the issue, I found two new issues introduced by patching the issue. I reported them to Apple immediately and waited for about 9 months.| jhftss.github.io
A few weeks ago, Rich Trouton noticed a new change in the latest macOS release: macOS Ventura 13.3 alters expected behavior for Finder’s Open With functionality for macOS installer packages. In this post, I want to share a simple LPE vulnerability associated with it and why Apple made the change.| jhftss.github.io
I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVEs assigned so far. There are still some reports in Apple's processing queue. All of them are interesting logic issues, and of course each has a successful exploit demonstration.| jhftss.github.io
In this writeup, I will introduce a very simple method to bypass GateKeeper, and uncover the root cause through reversing and debugging. Apple had already addressed it as CVE-2022-22616 in macOS Monterey 12.3, and credited the bug to two Jamf researchers (@malwarezoo, @jbradley89) and me. So, make sure you have updated your Mac devices to the latest version.| jhftss.github.io