Explore practical approaches to remotely gaining root access by subverting Apple graphics in this Black Hat conference talk. Delve into the vulnerabilities within Apple's graphics components, both in userland and kernel, that can be exploited from sandboxed applications. Learn about the WindowServer process, IOKit user clients, and hidden interfaces that expose attack surfaces. Discover "graphic-style" exploitation techniques for elevating privileges from inside the sandbox. Examine specific security flaws, including design-related logic issues, vulnerabilities in hidden interfaces, and memory corruption bugs. Gain insights into kernel attack surfaces within closed-source core graphics pipeline components. Understand new kernel heap spraying methods with improved control and reduced side effects. Watch live demonstrations of remote root access exploitation chains on OS X El Capitan, showcasing attacks on both userland and kernel graphics components.
Subverting Apple Graphics - Practical Approaches to Remotely Gaining Root
Overview
Syllabus
Introduction
Title
About us
Agenda
Apple Graphics
Land Attack
Mark Header Bits
Windows Server
Session Management
Bypass Sandbox
Window API
Why Windows
Safari sandbox
There is a message
Windows privilege escalation
Windows server privilege escalation
Set Global Force Configure API
Legacy Free Program
CF Message
Process
Heap Spray
Spray Criteria
Asar
Privilege Escalation
Demo
Service Family
External Master
Rectangle
Pleat
Normalize
Disassembly
Floating Instruction
Two Rectangles
Vector Structure
Exploitation
Kernel SRR
Info League
UNC Execute
Context Finish
Method Disassembly
Time constraint
Thank you
Taught by
Black Hat
