You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm still investigating this but right now I'm not sure there's actually a problem, MOLXPCConnection checks the signature in the listener:shouldAcceptNewConnection: method but requires the client to call connectWithReply: from the validation interface before anything else in the exported interface can be called. Due to this requirement exploiting the race would involve actually sending 2 messages before an exec, which I don't believe is possible but I'm not yet certain.
Unfortunately switching to auditToken is not ideal as NSXPCConnection doesn't actually provide access to the audit token and while there are simple methods to get access to it, we generally try to avoid private interfaces wherever possible. If we can establish whether doing so is necessary then this might have to be one of the few exceptions we make.
I forgot this was still open - we looked into this for a while and found no way that it could be exploited: you could connect to the 'server' and then exec another process but due to the validation mechanism there's no message you could queue to send before the exec.
See Project Zero's previous issue on macOS/iOS:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
This project's implementation has exact the same problem.
https://github.com/google/macops-MOLXPCConnection/blob/f59153565ed1/Source/MOLXPCConnection/MOLXPCConnection.m#L155
Code signature validation here is based on incoming pid, which is racy by replacing caller process with valid caller through
exec*
function.Should use
auditToken
instead.The text was updated successfully, but these errors were encountered: