This is a story about my journey to find logic bugs in macOS. During 2020 - 2022 I found a bunch of them and reported three major vulnerabilities in macOS. I will explain my methodology to find them and walk you through an exploit chain that compromises users' sensitive data with zero click.
This chain starts with a zero-click vulnerability that I found in macOS Calendar. It allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This will lead to arbitrary code execution. I will demonstrate how the vulnerability can be combined with Gatekeeper evasion and TCC evasion to compromise users’ sensitive data.
Edit: Some of the patches are still coming, so unfortunately I cannot disclose the full vulnerability chain yet. Instead, I will concentrate more on the first part of the vulnerability.
Mikko Kenttälä (Turmio)
For as long as I can remember, I have hacked, built and broken stuff, and that landed me a career in cybersecurity over 10 years ago. I have done technical security audits, hunted bug bounties, and now also built security products as CEO of SensorFu. Hacking still makes me happy; I enjoy blue and red teaming in exercises, and I am interested in defending electronic freedoms and privacy in our digital society.
Nick: Turmio