macOS - Gaining root with Harmless AppStore Apps

This talk is about my journey from trying to find dylib hijacking vulnerability in a particular application to finding a privilege escalation vulnerability in macOS. During the talk I will try to show the research process, how did I moved from one finding to the next and I will also show many of the failures / dead ends I had during the exploit development. First I will briefly cover what is a dylib hijacking, and what is the current state of various application regarding this type of vulnerability. We will see how hard is to exploit these in many cases due to the fact that root access is required. Second I will cover 2 seemingly harmless bugs affecting the installation process of AppStore apps, and we will see how can we chain these together in order to gain root privileges - for this we will utilise a completely benign app from the macOS App Store. Part of this I will cover how can we submit apps to the store, and what are the difficulties with that process. In the last part I will cover how we can infect and include our malicious file in an App installer without breaking the App’s signature.

Presented at Security Fest 2019.

Speaker: Csaba Fitzl

About Csaba Fitzl

Csaba Fitzl

Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Currently, he is working as a content developer at Offensive Security. He gave talks/workshops at various international IT security conferences, including Hacktivity,, Troopers, SecurityFest, DEFCON, BlackHat and Objective By The Sea. Csaba spends his free time with his family, and runs or hikes in the mountains

Get all relevant information and news regarding Security Fest, when we release recordings of talks, etc.