When talking about kernel exploits, most known attack techniques target memory safety or object lifecycle bugs. They require detailed knowledge of kernel structures and internals to exploit, and often work with a limited success rate.
In this session, however, we demonstrate a chain of pure userspace logic bugs that escalates from a normal user to kernel privilege and loads a completely unsigned kernel extension on macOS High Sierra 10.13.6. Secure Kernel Extension Loading (SKEL) and System Integrity Protection (rootless) are both bypassed. What is even more interesting is that the exploit abuses the sandbox, a mechanism that is itself intended as a security measure.