October 13, 2023

Don’t Talk All at Once! Elevating Privileges on macOS by Audit Token Spoofing

In this blog post, we’ll describe a design issue in the way XPC connections are authorised in Apple’s operating systems. This will start by describing how XPC works and is implemented on top of mach messages (based on our reverse engineering). Then, we’ll describe the vulnerability we found, which stems from implementing a (presumed to be) one-to-one communication channel on top of a communication channel that allows multiple concurrent senders. Next, we’ll describe this issue using an example for smd and diagnosticd on macOS.

November 10, 2016

Observium - unauthenticated remote code execution

During a recent penetration test we found and exploited various issues in Observium, a popular networking monitoring platform. The vulnerabilities lead us from unauthenticated user to full shell access as root.

Menu