People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Inter-app communication is extremely powerful but dangerous. If XPC calls are not handled properly, major security issues can occur.
The XPC daemon needs to verify a multitude of things in order to confirm that the correct client is sending the data.
To start with, the requests made to the XPC daemon are cryptographically signed. However, there are GOOD and BAD ways to perform this check, and many of them are bypassable.
Secondly, verifying a request based on the PID is NOT secure. The PID space is really small; by forking the same process a huge number of times, it may be possible to swap which process sits behind the PID that the daemon is checking.
The final XPC bypass is injecting code into processes where it is NOT expected to be. This can be done by loading libraries through the DYLD_INSERT_LIBRARIES environment variable.
Ian Beer also has an article on XPC exploitation which discusses the improper checking of types in XPC messages. As in JavaScript exploitation, there are quite a few type confusion bugs.
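The points above map onto a few concrete checks in the daemon. The following is an added example, not code from the original page or from any of the articles it references: an XPC listener that identifies the peer by audit token rather than PID, validates the peer's running code against a full code-signing requirement, refuses clients that are not built with the hardened runtime (which is what stops DYLD_INSERT_LIBRARIES from being honoured), and type-checks every field of a message before using it. The service name "com.example.daemon", the client identifier "com.example.client" and the Team ID "ABCDE12345" are assumed placeholders. Note that `xpc_connection_get_audit_token` is not in Apple's public headers; it is exported by libxpc and declared here by hand.

```objective-c
// Added example (not from the original page). Assumed: built with
// clang -fobjc-arc -framework Foundation -framework Security, and the only
// legitimate client is the hypothetical app "com.example.client" signed
// by the hypothetical Team ID "ABCDE12345".
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <xpc/xpc.h>
#include <bsm/libbsm.h>

// Not in the public headers, but exported by libxpc and widely used.
// The audit token, unlike a PID, cannot be recycled by the peer.
extern void xpc_connection_get_audit_token(xpc_connection_t conn,
                                           audit_token_t *token);

static const char *kMachServiceName = "com.example.daemon";   // assumed
static NSString *const kClientRequirement =                   // assumed
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"ABCDE12345\"";

// GOOD check: find the peer's code object through its audit token and
// validate the *running* code against a full requirement. A BAD check
// would trust the PID, or a path/bundle id the client reports about itself.
static BOOL PeerIsTrusted(xpc_connection_t peer) {
    audit_token_t token;
    xpc_connection_get_audit_token(peer, &token);

    NSDictionary *attrs = @{
        (__bridge NSString *)kSecGuestAttributeAudit :
            [NSData dataWithBytes:&token length:sizeof(token)]
    };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }

    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString(
        (__bridge CFStringRef)kClientRequirement, kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) {
        st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    }

    // A valid signature is not enough if the client can be injected into:
    // require the hardened runtime (which ignores DYLD_INSERT_LIBRARIES and
    // rejects foreign dylibs) and refuse clients that opted out of it.
    BOOL hardened = NO;
    CFDictionaryRef info = NULL;
    if (st == errSecSuccess &&
        SecCodeCopySigningInformation((SecStaticCodeRef)code,
                                      kSecCSDynamicInformation, &info) == errSecSuccess) {
        NSDictionary *d = (__bridge NSDictionary *)info;
        uint32_t flags = [d[(__bridge NSString *)kSecCodeInfoFlags] unsignedIntValue];
        NSDictionary *ent = d[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
        hardened = (flags & kSecCodeSignatureRuntime) != 0 &&
                   ![ent[@"com.apple.security.cs.allow-dyld-environment-variables"] boolValue] &&
                   ![ent[@"com.apple.security.cs.disable-library-validation"] boolValue];
        CFRelease(info);
    }
    if (req) CFRelease(req);
    CFRelease(code);
    return st == errSecSuccess && hardened;
}

// Type-check every field before use. xpc_dictionary_get_string() already
// returns NULL for a non-string value, but an explicit xpc_get_type() check
// keeps "missing" and "wrong type" distinct and makes the contract visible.
static void HandleMessage(xpc_connection_t peer, xpc_object_t msg) {
    xpc_object_t reply = xpc_dictionary_create_reply(msg);
    if (reply == NULL) return;                  // one-way message, nothing to answer

    xpc_object_t path = xpc_dictionary_get_value(msg, "path");
    if (path == NULL || xpc_get_type(path) != XPC_TYPE_STRING) {
        xpc_dictionary_set_string(reply, "error", "path must be a string");
    } else {
        xpc_dictionary_set_string(reply, "ok", xpc_string_get_string_ptr(path));
    }
    xpc_connection_send_message(peer, reply);
}

int main(void) {
    @autoreleasepool {
        xpc_connection_t listener = xpc_connection_create_mach_service(
            kMachServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
        xpc_connection_set_event_handler(listener, ^(xpc_object_t event) {
            if (xpc_get_type(event) != XPC_TYPE_CONNECTION) return;
            xpc_connection_t peer = (xpc_connection_t)event;
            // Authorize once, at accept time, before any message is handled.
            if (!PeerIsTrusted(peer)) {
                NSLog(@"rejecting untrusted peer (pid %d)", xpc_connection_get_pid(peer));
                xpc_connection_cancel(peer);
                return;
            }
            xpc_connection_set_event_handler(peer, ^(xpc_object_t msg) {
                // XPC_TYPE_ERROR (peer went away) is deliberately ignored.
                if (xpc_get_type(msg) == XPC_TYPE_DICTIONARY) HandleMessage(peer, msg);
            });
            xpc_connection_resume(peer);
        });
        xpc_connection_resume(listener);
        dispatch_main();
    }
}
```

The audit token is bound to the connection, so the check is done once at accept time; re-reading the PID per message would reintroduce the reuse race described above. On macOS 12 and later the first half of `PeerIsTrusted` can be delegated to libxpc with `xpc_connection_set_peer_code_signing_requirement(peer, requirement)`, which drops messages from any peer that fails the requirement string, but the hardened-runtime and entitlement checks still have to be done by hand.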