On day one we kick things off by introducing macOS’s architecture, and briefly discuss Objective-C. We will explain how apps work on macOS, what bundles and cryptexes are and why are they important. We will introduce and explain Apple’s unique protections. You will get to know GateKeeper, Launch Constraints, the application Sandbox, TCC, AMFI and last but most importantly the system that underpins these protections: SIP.
With a good idea about the general organization and protection schemes in mind we will turn to introducing some tooling which you will be expected to get hands-on with during the course. These are static and dynamic analyzers, tools for debugging filesystem operations, and if time permits we will talk a bit about advanced topics like dtrace.
Next we will dive into process injection on macOS, a now largely mitigated, but still crucial aspect that every researcher must be familiar with. We will learn the basic process injection techniques.
Next we will deep dive into the platform Sandbox profile, learn how we can extract and decompile it, and then use that knowledge to analyze and exploit CVE-2025-43328, which allowed someone to gain access to all private data on the system.
To close the day off we will learn about CVE-2024-27883, a PackageKit exploit. We will review the vulnerability, the exploit and discuss any further questions that you might have.
The second day we’ll focus on filesystems, a fertile ground for serious vulnerabilities. We will learn about filesystem history and the POSIX standard. You will be introduced to core filesystem concepts, like inodes, file object types and the path resolution process. We will take some time to dive into the arguably most important aspect of file handling: the permission model. All of this is crucial to understanding the myriad of traps a developer can fall into while writing software for macOS.
We will study CVE-2023-32428 (badmalloc), and explain the techniques that allowed this seemingly innocuous bug to be exploited after being in the codebase for ~20 years. You will see how a cascade of failing preventions eventually lead to a user to root LPE.
After lunch we will review another bug, CVE-2025-43268 (cryptexctl), that is a simpler vulnerability but nevertheless powerful in not only turning user access into root, but also to explain some library injections in current, present-day code.
Finally we will talk about attacking Electron applications, and see how 3rd party software on macOS is particularly ill-equipped to leverage the mitigations that Apple’s own software has. Multiple tricks will be showcased that were used to bypass TCC via Discord.
On the final day we take a look at some theory about exploitation challenges, tips and tricks. We will do so by analyzing all three of batsignal’s versions (CVE-2022-32801, CVE-2022-26704 and CVE-2023-40443). This vulnerability perfectly showcases what can go wrong if a wrong approach is taken to fix a vulnerability, as the patch was bypassed two times.
After this, we’ll take a look at CVE-2023-38571 (librarian), which is a relatively simple bug and exploit, but it touches on a particularly interesting topic: filesystem race conditions. Through this bug and the accompanying exercises we will understand and learn to exploit such race conditions.
After lunch we come back to learning about XPC, a crucial aspect of macOS and macOS VR. We will learn what XPC is, how it is implemented, why it’s necessary and the most common ways we can attack it. We will analyse a simple XPC exploit affecting Zoom do demonstrate.
As we near the end of the training we will discuss another Zoom XPC exploit, and demonstrate how we can overcome XPC client validation and racy package verifications.
Student will learn about:
Module 1: Intro to macOS
Module 2: Using Tools
Module 3: Intro to Process Injection on macOS
Module 4: CVE-2024-27883 case study
Module 5: CVE-2025-43328 case study
Module 6: FS Theory
Module 7: CVE-2023-32428 case study badmalloc
Module 8: CVE-2025-43268 cryptexctl
Module 9: Attacking Electron Applications - exploiting Discord left and right
Module 10: batsignal case study
Module 11: CVE-2023-38571 librarian case study
Module 12: XPC madness
Module 13: Easy Zoom XPC exploit
Module 14: Advanced Zoom XPC exploit