Explore a groundbreaking kernel exploit technique for macOS High Sierra 10.13.6 in this 56-minute conference talk from the Hack In The Box Security Conference. Discover how a pure userspace logic bug chain can escalate privileges from a normal user to kernel level, bypassing both Secure Kernel Extension Loading (SKEL) and System Integrity Protection (rootless). Learn how this exploit abuses the sandbox, a security measure, to load an unsigned kernel extension. Examine the module hijacking method on a trusted binary, similar to UAC bypass techniques on Windows, and understand why this exploit's stability is exceptional due to the absence of memory corruption. Delve into the failures of mitigations like Library Validation, SKEL, and SIP against this exploit, and learn about Apple's response and subsequent mitigation in AppleMobileFileIntegrity (AMFI) on Mojave. Additionally, gain insights into a simple yet effective binary analysis tool that aided in discovering this and other logic privilege escalation bugs.
Overview
Syllabus
#HITB2019AMS D2T2 - ModJack: Hijacking The MacOS Kernel - Zhi Zhou
Taught by
Hack In The Box Security Conference