macOS Sandbox Fails: Data Protection at Risk

Security researcher Mickey Jin (a pseudonym) presented a new class of attacks that bypass macOS protections. Speaking at the POC2024 conference, Jin described recently discovered vulnerabilities that let code escape the macOS sandbox and access files without its restrictions.

The attacks stem from weaknesses in XPC services, the mechanism macOS uses for inter-process communication. Jin showed that some of these services were not adequately protected, so a sandboxed application can abuse the XPC services of other programs to execute operations the sandbox would otherwise forbid. Vulnerabilities such as CVE-2023-27944 and CVE-2023-42977 let an app bypass these protection measures, reach files it is not supposed to see, and circumvent file quarantine.

macOS currently has two kinds of sandbox: the App Sandbox for applications and the sandbox profiles applied to system services. The App Sandbox tightly restricts access to user data and system resources, while the profiles for system services are less stringent, which is what gives attackers room. Jin identified vulnerabilities in XPC services registered in the PID domain: a service bundled inside a framework is launched in the domain of the process that connects to it, so any sandboxed app that loads the framework can reach it, and such services are exploitable from inside the sandbox.

Particular attention went to the XPC services shipped inside system frameworks, because an attacker can use them to act outside the sandbox. For example, connecting to the ShoveService service takes a single line of code and gives the attacker the ability to execute commands at the system level.

Apple has already patched many of the identified vulnerabilities, and work on the remaining ones is ongoing. In particular, services that do not verify the capabilities of the client that connects to them (whether it is sandboxed, and which entitlements it holds) still let an attacker impersonate legitimate system commands and manipulate files without the authorization those operations normally require.
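The weak pattern described above, and one way to close it, as an added example written for this article (it is not code from Jin's talk, from Apple, or from any affected service). It shows a framework-bundled XPC service whose listener delegate accepts every connection and performs file operations on the caller's behalf, beside a hardened listener that pins a code-signing requirement so only the intended client can connect. The protocol name `FileHelperProtocol`, the bundle identifier `com.example.HostApp` and the team ID `ABCDE12345` are placeholders chosen for the example.

```objective-c
// Added example, not from the original article or from Apple.
// Build: clang -fobjc-arc -framework Foundation service.m -o service
#import <Foundation/Foundation.h>

// Hypothetical interface the service exports. Name and method are assumptions.
@protocol FileHelperProtocol
- (void)removeItemAtPath:(NSString *)path withReply:(void (^)(BOOL ok))reply;
@end

@interface FileHelper : NSObject <FileHelperProtocol>
@end

@implementation FileHelper
// Executes under the service's own (looser) sandbox profile, not the caller's.
// Whoever can connect gets file deletion with the service's privileges.
- (void)removeItemAtPath:(NSString *)path withReply:(void (^)(BOOL))reply {
    reply([[NSFileManager defaultManager] removeItemAtPath:path error:NULL]);
}
@end

// WEAK: the pattern the article describes. Every connecting process is
// served; nothing about the peer (sandbox state, entitlements, identity)
// is ever inspected before it can drive the privileged operation.
@interface WeakDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation WeakDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(FileHelperProtocol)];
    conn.exportedObject = [FileHelper new];
    [conn resume];
    return YES;  // no check on the client at all
}
@end

// HARDENED: a code-signing requirement is attached to the listener (public
// API since macOS 13). Connections whose peer does not satisfy it are refused
// before the delegate ever sees them, so the delegate only wires up peers
// that are the intended host app signed by the expected team.
static NSString *const kAllowedClientRequirement =
    @"anchor apple generic and identifier \"com.example.HostApp\" "
    @"and certificate leaf[subject.OU] = \"ABCDE12345\"";  // placeholder team ID

@interface HardenedDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HardenedDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Only peers matching kAllowedClientRequirement reach this point.
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(FileHelperProtocol)];
    conn.exportedObject = [FileHelper new];
    [conn resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        NSXPCListener *listener = [NSXPCListener serviceListener];
        HardenedDelegate *delegate = [HardenedDelegate new];  // delegate is weak
        NSError *err = nil;
        // Fail closed: if the requirement string is malformed, do not start.
        if (![listener setConnectionCodeSigningRequirement:kAllowedClientRequirement
                                                      error:&err]) {
            NSLog(@"refusing to start, invalid requirement: %@", err);
            return 1;
        }
        listener.delegate = delegate;
        [listener resume];  // does not return for a service listener
    }
    return 0;
}
```

Pinning the peer to one team ID only fits a service that exists for a single host app. A system framework service that must serve arbitrary apps cannot use this shortcut; there the check has to be on what the connecting peer is (sandboxed or not, which entitlements it carries) before each privileged operation, which is the kind of client-privilege check the article says Apple added. Replacing `HardenedDelegate` with `WeakDelegate` and dropping the `setConnectionCodeSigningRequirement:error:` call reproduces the unverified-client behaviour.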

In response to this research, Apple has strengthened the relevant mechanisms in recent macOS releases, adding checks on the privileges of connecting XPC clients and restricting access to the affected services. macOS Ventura and macOS Sonoma ship these new safeguards against unauthorized commands, while Jin continues to look for ways around them.
