Abusing & Securing XPC in macOS apps

XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple’s components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere – Anti Viruses, Messengers, Privacy tools, Firewalls, and more.

This presentation:

  • explains how XPC/NSXPC work,
  • presents you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t),
  • abuses an interesting feature on Catalina allowing to inject an unsigned dylib,
  • shows you how to fix that vulnz finally!
Wojciech Reguła
Wojciech Reguła Senior IT Security Consultant