XPC LPE Vulnerabilities

  1. Find daemons in /Library/LaunchDaemons.
  2. Find a privileged helper tool in /Library/PrivilegedHelperTools/.
  3. Use codesign -dv --entitlements :- /Applications/someapp.app/Contents/MacOS/someapp to check for injection opportunities in the XPC client (no hardened runtime, or the get-task-allow entitlement present).
  4. Open the helper tool in a disassembler (Hopper, Ghidra), look for the shouldAcceptNewConnection method and check what validation it performs.
  5. If there is no signature validation, or there is signature validation but the PID check uses processIdentifier instead of connection.auditToken, you may be able to send data as an arbitrary client, or use a PID reuse attack.
  6. Use class-dump -C <PROTOCOL NAME> <PATH TO HELPER> to view the available methods. If any appear to be capable of code execution, file creation, or file copy/move, there may be an LPE. Open the associated function in the disassembler and determine how it is used.
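
For comparison with step 4 and 5, the following is an added example (not code from the original page or from any particular helper tool) of a hardened shouldAcceptNewConnection that binds the client's identity to the connection's audit token, which cannot be reused by another binary the way a PID can. The protocol name, client identifier and Team ID are placeholders, and reading auditToken through key-value coding is an assumption, since NSXPCConnection does not expose it in public headers.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <mach/mach.h>

@protocol HelperProtocol <NSObject>   // hypothetical helper protocol
- (void)doPrivilegedWorkWithReply:(void (^)(BOOL))reply;
@end

// Placeholder requirement: pin to the expected client identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

static BOOL ConnectionMatchesRequirement(NSXPCConnection *connection) {
    // Assumption: the private "auditToken" property is readable via KVC.
    NSData *tokenData = [connection valueForKey:@"auditToken"];
    if (tokenData.length != sizeof(audit_token_t)) return NO;

    // Resolve the code object from the audit token, not from the PID, so a
    // process that later inherits the same PID cannot pass the check.
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        // Validates the running client's signature against the requirement.
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    CFRelease(code);
    return ok;
}

@interface HelperDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (!ConnectionMatchesRequirement(conn)) {
        [conn invalidate];   // reject before exporting any object
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
@end
```

When auditing a helper, the absence of a SecCodeCheckValidity call (or its use with a PID-derived SecCodeRef) is the pattern step 5 describes.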

Additional Resources