Ever get an uneasy feeling when an installer asks for your password? Well, your gut was right! The majority of macOS installers & updaters are vulnerable to a wide range of priv-esc attacks.
It began with the discovery that Apple's OS updater could be abused to bypass SIP (CVE-2017-6974). Next, turns out Apple's core installer app may be subverted to load unsigned dylibs which may elevate privileges to root.
And what about 3rd-party installers? I looked at what's installed on my Mac, and ahhh, so many bugs!
Firewall, Little Snitch: EoP via race condition of insecure plist Anti-Virus, Sophos: EoP via hijack of binary component Browser, Google Chrome: EoP via script hijack Virtualization, VMWare Fusion: EoP via race condition of insecure script IoT, DropCam: EoP via hijack of binary component and more!
...and 3rd-party auto-update frameworks like Sparkle -yup vulnerable too!
Though root is great, we can't bypass SIP nor load unsigned kexts. However with root, I discovered one could now trigger a ring-0 heap-overflow that provides complete system control.
Though the talk will discuss a variety of discovery mechanisms, 0days, and macOS exploitation techniques, it won't be all doom & gloom. We'll end by discussing ways to perform authorized installs/upgrades that don't undermine system security.