Exploiting XPC in AntiVirus Software

Offered By: nullcon via YouTube

Tags

nullcon Courses, Vulnerability Assessment Courses, macOS Security Courses, Secure Coding Practices Courses

Course Description

Overview

Explore a comprehensive conference talk from Nullcon 2021 on exploiting XPC vulnerabilities in macOS antivirus software. Delve into the research conducted on 29 different antivirus products, focusing on exposed XPC services and their security implications. Learn about typical issues, witness demonstrations of vulnerabilities leading to full product control or local privilege escalation, and gain valuable insights on developing secure XPC services. Presented by security experts Csaba Fitzl and Wojciech Reguła, this 46-minute session covers topics such as client validation, runtime protections, and specific case studies involving popular antivirus solutions.

Syllabus

Intro
whoami - Wojciech
whoami - Csaba
Intro to XPC
statistics
typical issues
No client validation in XPC server
Lack of / broken runtime protections in XPC client
Improper runtime protections verification in XPC server
MacKeeper
Intego Mac Security
Avast & AVG
ClamXAV (CVE-2020-26893)
Acronis
the client
the XPC service
secure sample
Shield.app
the future
Further resources


Taught by

nullcon
