A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities – Mickey's Blogs – Exploring the world with my sword of debugger :)


On macOS, most processes run in a restricted sandbox environment, whether they are Apple's own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) in one of these processes, their capabilities are constrained. The attacker's next step is to circumvent the sandbox to gain broader execution capabilities and file access permissions.

But how does one discover sandbox escape vulnerabilities? Upon reviewing the existing sandbox escape issues, I unearthed a significant, overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-32414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, CVE-2024-27864, CVE-2023-42977, and more.

Nowadays, as required by the Mac App Store, most applications run under the App Sandbox restrictions. A sandboxed application must carry the entitlement “<key>com.apple.security.app-sandbox</key><true/>”. The sandbox restrictions are applied in the dyld initialization path, before the app's main function runs. Once the process enters the sandbox, it is containerized: its writable file access is confined to its data container (under ~/Library/Containers/<bundle identifier>/Data), and any access beyond that must come from additional entitlements or from user consent (for example, files the user picks in an open/save dialog).
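To make the entitlement check concrete, here is an added example (my own code, not from the post or from Apple): it parses the XML entitlements that `codesign -d --entitlements :- /path/to/Foo.app` prints on macOS, reports whether the App Sandbox switch is actually set to true (a present-but-false key, or a missing key, means no sandbox), lists the other `com.apple.security.*` entitlements that widen the sandbox, and derives the data container path the text describes. The two entitlement plists, the bundle identifier `com.example.SandboxedApp` and the home directory `/Users/alice` are constructed samples so the script runs offline.

```python
import plistlib
from pathlib import PurePosixPath

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample: the kind of XML `codesign -d --entitlements :- Foo.app`
# prints for a sandboxed Mac App Store app (hypothetical bundle, not from the post).
SANDBOXED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>TEAMID123.com.example.SandboxedApp</string>
</dict>
</plist>
"""

# Constructed sample for a non-sandboxed app: the key is present but false,
# which must be treated exactly like an absent key.
UNSANDBOXED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(xml: bytes) -> dict:
    """Parse an entitlements blob into a dict; an empty blob means no entitlements."""
    if not xml.strip():
        return {}
    data = plistlib.loads(xml)  # handles both XML and binary plists
    if not isinstance(data, dict):
        raise ValueError("entitlements plist root is not a dict")
    return data


def is_app_sandboxed(xml: bytes) -> bool:
    """True only when the sandbox key is present and is the boolean true."""
    return parse_entitlements(xml).get(SANDBOX_KEY) is True


def enabled_security_entitlements(xml: bytes) -> list:
    """Other com.apple.security.* entitlements set to true (sandbox exceptions such as
    network.client, or hardened-runtime options), excluding the sandbox switch itself."""
    ents = parse_entitlements(xml)
    return sorted(
        key for key, value in ents.items()
        if key.startswith("com.apple.security.") and key != SANDBOX_KEY and value is True
    )


def container_data_path(bundle_id: str, home: str = "/Users/alice") -> str:
    """Data container a sandboxed app is confined to (home is an assumed example path)."""
    return str(PurePosixPath(home) / "Library" / "Containers" / bundle_id / "Data")


if __name__ == "__main__":
    for label, blob in (("sandboxed", SANDBOXED_ENTITLEMENTS),
                        ("unsandboxed", UNSANDBOXED_ENTITLEMENTS)):
        print(label, "->", is_app_sandboxed(blob), enabled_security_entitlements(blob))
    print(container_data_path("com.example.SandboxedApp"))
```

On a real machine, feed the function the bytes of `codesign -d --entitlements :- <app>`; the `:-` form strips the 8-byte blob header so the output is plain XML. The `is True` comparison is deliberate: a stray string value such as `<string>true</string>` must not count as a sandbox opt-in.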
