Nullcon Berlin 2024 | Fuzzing At Mach Speed: Uncovering IPC Vulnerabilities On MacOS By Dillon


Abstract

This research presents an in-depth investigation of macOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of macOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness.

The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is described in detail. Several of the resulting crashes are discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and the custom fuzzing harness, contributing to the broader cybersecurity community and laying the groundwork for future exploration in this area.

#MacOS #IPC #SecurityResearch #PrivilegeEscalation

Know more - https://nullcon.net/berlin-2024/speak...

Download Presentation: https://berlin2024.nullcon.net/berlin...
Website: https://nullcon.net/
