DEF CON 31 - Apple's Predicament - NSPredicate Exploitation on macOS and iOS - Austin Emmitt
Published 2023-09-15
After an overview of the classes involved, the talk explores the full syntax of NSPredicate and shows how it can be used to script the Objective-C runtime and even call any C function. It demonstrates that PAC can still be bypassed 100% reliably with NSPredicates in order to execute any function with arbitrary arguments. A new tool is unveiled to help craft complex NSPredicates that execute arbitrary code and to inject those predicates into any application. A demonstration follows in which arbitrary code is executed in the highly privileged Preferences app.
Finally, the talk covers a bypass of NSPredicateVisitor implementations which allows a malicious process to evaluate any NSPredicate within several system processes, including coreduetd, appstored, OSLogService, and SpringBoard. This is followed by a live demo of exploiting SpringBoard to steal a user's notifications and location data. The presentation ends with a discussion of what can still be done with NSPredicates now that these issues have been fixed, including bypassing App Store Review, and of what app developers should know to keep their own apps safe.
All Comments (5)
-
Amazing talk, and many intricate details!
-
Y'know, audio engineer here... I honestly could give af lol. Awesome presentation. Happy New Year everybody.
-
Absolutely fucking loved this talk. I also couldn't stop thinking about this attack surface after reading the Project Zero paper. Great job dude! What's your Twitter again bro?
-
all I hear is that ticking sound...