Getting root with benign AppStore apps
If you prefer to watch this as a talk, you can see it here: Csaba Fitzl – macOS: Gaining root with Harmless AppStore Apps – SecurityFest 2019 – YouTube
Slides are here: Getting root with benign app store apps
This entire story started with me trying to find a dylib hijacking vulnerability in a specific application, which I can’t name here. Let’s say I want to drop the App’s main mach-o file in a folder where only root has access, e.g.: (folders protected by SIP, like won’t work, as even root doesn’t have access there).

-rw-r--r--  csaby  staff  Sep :16 a
lrwxr-xr-x  csaby  staff  Sep :16 b -> a
$ cat b
aaa
$ bbb >> b
$ cat b
aaa
bbb
$ touch c
$ ls -l
total
-rw-r--r--  csaby  staff  Sep :16 a
lrwxr-xr-x  csaby  staff  Sep :16 b -> a
-rw-r--r--  csaby  staff  Sep :25 c
$ mv c b
$ ls -la
total
drwxr-xr-x  csaby  staff  Sep :25 .
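The terminal session above shows two different symlink behaviours: appending with `>>` opens the link and follows it to its target, while `mv` renames the directory entry and therefore replaces the link itself without touching the target. The script below is an added example, not code from the original post; it reproduces both steps in a scratch directory created with `mktemp` and reports the observable state, so the difference between "follows the link" and "replaces the link" can be checked on any POSIX system before relying on it in a threat model for privileged file operations.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the symlink semantics
# from the terminal session in a throwaway directory and report what happened.
# Output format (single line): "<lines in a after append> <type of b after mv> <lines in a after mv>"
symlink_demo() {
  dir=$(mktemp -d) || return 1
  cd "$dir" || return 1

  # Regular file 'a' with one line, and a symlink 'b' pointing at it.
  printf 'aaa\n' > a
  ln -s a b

  # Appending through the symlink follows it: open(2) with O_APPEND resolves
  # the link, so the second line lands in 'a', not in a new file called 'b'.
  printf 'bbb\n' >> b
  lines_after_append=$(wc -l < a | tr -d ' ')

  # Moving a regular file onto the symlink does NOT follow it: mv uses
  # rename(2), which swaps the directory entry, so 'b' becomes a regular
  # (empty) file and 'a' is left exactly as it was.
  touch c
  mv c b
  if [ -L b ]; then b_type=symlink; else b_type=regular; fi
  lines_after_mv=$(wc -l < a | tr -d ' ')

  # Clean up the scratch directory and leave the caller's cwd untouched.
  cd / && rm -rf "$dir"
  printf '%s %s %s\n' "$lines_after_append" "$b_type" "$lines_after_mv"
}

# Usage: run in a subshell so the cd inside the function cannot affect the caller.
( symlink_demo )   # prints: 2 regular 2
```

The single-line output makes the point directly: `a` grows to two lines because the append followed the link, `b` turns from a symlink into a regular file because `mv` replaced the entry, and `a` still has two lines afterwards because the rename never reached the target.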
Source: theevilbit.github.io