macOS - Gaining root with Harmless AppStore Apps

This talk is about my journey from trying to find a dylib hijacking vulnerability in a particular application to finding a privilege escalation vulnerability in macOS. During the talk I will try to show the research process and how I moved from one finding to the next, and I will also show many of the failures / dead ends I had during the exploit development.

First I will briefly cover what dylib hijacking is, and what the current state of various applications is regarding this type of vulnerability. We will see how hard it is to exploit these in many cases due to the fact that root access is required.

Second I will cover 2 seemingly harmless bugs affecting the installation process of AppStore apps, and we will see how we can chain these together in order to gain root privileges - for this we will utilise a completely benign app from the macOS App Store. As part of this I will cover how we can submit apps to the store, and what the difficulties with that process are.

In the last part I will cover how we can infect and include our malicious file in an App installer without breaking the App’s signature.

This was presented at Security Fest 2019.

Speakers: Csaba Fitzl

About Csaba Fitzl

Csaba graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big Cisco networks. After that he started to work as a blue teamer, focusing on network forensics, malware analysis and kernel exploitation. Currently he works in a red team, where he spends most of his time simulating adversary techniques and doing pentests. He has given talks / workshops at various international IT security conferences, including Hacktivity, SecurityFest, DEFCON and BSidesBUD. He currently holds OSWP / OSCP / OSCE / OSEE certifications. He is the author of the 'kex' kernel exploitation Python toolkit.