macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache

Tested on macOS Mojave 10.14.6, 18G87 and Catalina Beta 10.15 Beta 19A536g. On macOS, the dyld shared cache in /private/var/db/dyld/ is generated locally on the system and therefore doesn't have a real code signature; instead, SIP seems to be the only mechanism that prevents modifications of the...

macOS iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances

macOS iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances When deserializing NSObjects with the NSArchiver API 1, one can supply a whitelist of classes that are allowed to be unarchived. In that case, any object in the archive whose class is not...