Finding Vulnerabilities in Apple packages at Scale

In the past couple of years, exploiting Apple-signed installer packages has become a common theme: the Apple package installer runs with very powerful entitlements, which allows an attacker to bypass certain parts of System Integrity Protection (SIP). A handful of vulnerabilities have been found in the past, but with one known exception all of that research focused on individual packages. In early 2024 I decided to take a look at Apple's entire software catalog, which at that time contained about 10,000 different installer packages totalling about 1.3TB. Although there was one public piece of research on the subject, I decided to download all of the packages and systematically look for vulnerabilities in every one of them, in the hope that not everything had been discovered. Going through each package one by one is nearly impossible, so I turned to automation.

In this talk I will show how I automated the vulnerability research across the packages, and how I used ChatGPT to help me with that. I will show the process that allowed me to trim the research down from 10,000 to about 300 packages, which made it possible to go through each remaining package quickly. I will disclose five previously unpublished vulnerabilities that I found during my research. All of these vulnerabilities allowed me to bypass SIP's file system protection, which I could use to persist anything under SIP protection (so regular AVs can't clean up the files) or to bypass TCC. Fixing these vulnerabilities is not easy: because the packages are code signed, someone could still exploit an old version of the installer even after the package has been fixed. At the end I will talk about Apple's new mitigation strategy, which lets them protect against installer package vulnerabilities at the operating system level, finally closing the gap after many years.

Presented at Security Fest 2025.

Speaker: Csaba Fitzl

About Csaba Fitzl


Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing large networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. He then moved on to the macOS world and developed the 'macOS Exploitation and Penetration Testing' training at OffSec. Currently he works as a Principal macOS Security Researcher at Kandji. He has given talks and workshops at various international IT security conferences, including Hacktivity, BlackHat, Troopers, SecurityFest, DEFCON, and Objective By The Sea. Csaba spends his free time with his family, hiking and running in the mountains.
