Exploiting Directory Permissions on macOS

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

Explore the intricacies of exploiting directory permissions on macOS in this 56-minute Hack In The Box Security Conference talk. Delve into the non-intuitive nature of macOS directory and file permissions, uncovering vulnerabilities ranging from arbitrary overwrites to file disclosures and privilege escalation. Learn techniques for controlling file contents without direct write access, applicable to Unix-based systems but focusing on macOS-specific bugs. Examine real-world examples, including CVE-2020-3830, CVE-2020-3763, and CVE-2019-8802, while gaining insights into POSIX models, Access Control Lists, and sandbox environments. Presented by Csaba Fitzl, an experienced computer engineer and red team professional, this talk offers valuable knowledge for both blue and red team security practitioners.

Syllabus

Intro
whoami
agenda
POSIX model - scenarios
flag modifiers
sticky bit
Access Control Lists
sandbox example (mds)
static method
dynamic method
general idea
problems
controlling content
Install History.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830)
Adobe Reader macOS installer - arbitrary file overwrite vulnerability (CVE-2020-3763)
Grant group write access to plist files via Diagnostic Messages History.plist (CVE-2020-3835)
macOS fontmover - file disclosure vulnerability (CVE-2019-8837)
exploitation
fix
macOS Diagnostic Messages arbitrary file overwrite vulnerability (CVE-2020-3855)
Adobe Reader macOS installer - LPE (CVE-2020-3762)
macOS periodic scripts - 320.whatis script LPE (CVE-2019-8802)
makewhatis
whatis database
OverSight
Installers
move operation
Objective-C


Taught by

Hack In The Box Security Conference
