Entitlements are privileged capabilities granted to an application on macOS. They are stored as key-value pairs embedded in the application's code signature.
On macOS, apps have their UI defined in a NIB file. For whatever reason, Gatekeeper doesn't invalidate access to an app if the NIB file has been swapped.
Why is this a big deal? Getting code execution from a modified NIB file is trivial. In particular, the code gets to use the entitlements of the application that is running. By design this creates a pretty horrible privilege escalation. The author demonstrates how to do this using Xcode.
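A defender can check for a swapped NIB independently of Gatekeeper by comparing each NIB on disk with the hash sealed in the bundle's code signature. The sketch below is an added example, not code from the original research; it assumes the usual `_CodeSignature/CodeResources` layout (a plist whose `files2` dictionary maps paths relative to `Contents/` to a SHA-256 `hash2` value), and the `Demo.app` bundle and the function names are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def audit_nibs(app_path):
    """Compare every .nib under <app>/Contents with the SHA-256 sealed in
    _CodeSignature/CodeResources. Returns {relative_path: status}."""
    contents = Path(app_path) / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})  # assumed layout
    results = {}
    # NIBs listed in the seal: missing, modified or intact
    for rel, entry in sealed.items():
        if not rel.endswith(".nib") or not isinstance(entry, dict) or "hash2" not in entry:
            continue
        target = contents / rel
        if not target.is_file():
            results[rel] = "missing"
        else:
            digest = hashlib.sha256(target.read_bytes()).digest()
            results[rel] = "ok" if digest == entry["hash2"] else "modified"
    # NIBs on disk that have no SHA-256 entry in the seal
    for path in contents.rglob("*.nib"):
        rel = path.relative_to(contents).as_posix()
        if path.is_file() and rel not in results:
            results[rel] = "unsealed"
    return results

def build_sample_bundle(root):
    """Constructed sample input: a minimal fake bundle with one sealed NIB."""
    contents = Path(root) / "Demo.app" / "Contents"
    nib = contents / "Resources" / "Base.lproj" / "MainMenu.nib"
    nib.parent.mkdir(parents=True)
    nib.write_bytes(b"original nib bytes")
    (contents / "_CodeSignature").mkdir()
    seal = {"files2": {"Resources/Base.lproj/MainMenu.nib":
                       {"hash2": hashlib.sha256(nib.read_bytes()).digest()}}}
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return contents.parent, nib

def demo():
    """Audit the sample bundle before and after its NIB is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        app, nib = build_sample_bundle(tmp)
        before = audit_nibs(app)
        nib.write_bytes(b"replaced nib bytes")  # stands in for a swapped NIB
        return before, audit_nibs(app)

if __name__ == "__main__":
    print(demo())
```

This only compares files against the seal; it does not verify the signature over `CodeResources` itself, which `codesign --verify --deep --strict` does on a real bundle.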
With macOS Ventura, a new mitigation called Launch Constraints made this much, much harder. An application can have constraints placed on what can be done to it, such as copying with the same permissions as before. The previous POC didn't work because of the launch constraints on the binary.
They found a new candidate binary that was vulnerable to the same attack as before, and then another bypass on a later version. Apparently, they tried reporting this to Apple in 2021, but things just never got fixed. This seems like such a simple vulnerability; it's crazy this hasn't been fixed yet.