MacOS 10.12 - 'task_t' Privilege Escalation Exploit

Exploit for macOS platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very...

Apple OS XiOS - mach_ports_register Multiple Memory Safety s

Apple OS XiOS - machportsregister Multiple Memory Safety s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 machportsregister is a kernel task port MIG method. It's defined in MIG like this: routine machportsregister targettask : taskt; initportset : machportarrayt = ^array o...

Apple macOS 10.12 - task_t Local Privilege Escalation

Apple macOS 10.12 - taskt Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very...

Apple macOS 10.12 - 'task_t' Local Privilege Escalation

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very exploitable bugs as a result. taskt is just a typedef...