Two zero-day Safari exploits found, one allowing complete takeover of Mac

By Ben Lovejoy

White-hat hackers at a security conference in Vancouver have found two zero-day Safari exploits, one of which allowed them to escalate their privileges to the point that they were able to completely take over the Mac …

The first exploit managed to escape the sandbox, a protection macOS uses to ensure that apps only have access to their own data, and any system data permitted by Apple.

The contest started with the team of Fluoroacetate (Amat Cama and Richard Zhu) targeting the Apple Safari web browser. They successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape. The code would fail then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.

The second exploit went rather further, gaining both root and kernel access on the Mac.

The final entry in Day One saw the phoenhex & qwerty team (@_niklasb @qwertyoruiopz and @bkth_) targeting Apple Safari with a kernel elevation. They demonstrated a complete system compromise. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.

Safari is a frequent entry point for attackers. Last year’s conference saw one zero-day Safari exploit used to take control of the Touch Bar on the MacBook Pro, with three more Safari-based exploits demonstrated the following day.

The event was hosted by Trend Micro under the branding of its Zero Day Initiative (ZDI). The program was created to encourage hackers to privately report vulnerabilities to the companies concerned rather than sell them to bad actors. ZDI does this by offering financial rewards and kudos.

Interested researchers provide us with exclusive information about previously un-patched vulnerabilities they have discovered. The ZDI then collects background information in order to validate the identity of the researcher strictly for ethical and financial oversight. Our internal researchers and analysts validate the issue in our security labs and make a monetary offer to the researcher. If the researcher accepts the offer, a payment will be promptly made. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through a loyalty program similar to a frequent flier program.

Trend Micro uses the vulnerability information to create protection for its customers, while simultaneously notifying the vendor – in this case Apple – so that they can fix the problem.

ZDI paid out a total of $240k on the first day.

As per its usual practice, ZDI will not release detailed information on the exploits until Apple has confirmed that it has fixed them in a macOS update.
