X Site eScape (Part II): Look Up a Shell in the Dictionary

This post is the last part of this silly series, but I think it’s the only noteworthy one. The exploit chain triggers two XSS bugs across two privileged WebViews and bypasses Gatekeeper to execute arbitrary native code outside the sandbox. It works on both High Sierra and Mojave.

X Site eScape (Part III): CVE-2020-9860, A Copycat

Parental Advisory: this is a pure sh**post that has explicit language and the content may disappoint you

X Site eScape (Part I): Exploitation of An Old CoreFoundation Sandbox Bug

What is your impression of XSS? Stealing credentials from websites? Struggling for CSP and SameSite cookies?

Revisiting An Old MediaRemote Bug (CVE-2018-4340)

This post is the first part of a series of Safari sandbox escapes I found on macOS. This bug was found on High Sierra (10.13.x) two years ago.

Two macOS Persistence Tricks Abusing Plugins

This blog does not involve any vulnerability, but I hope the readers can find these tricks useful for red teaming and malware defense.

Rootpipe Reborn (Part II): CVE-2019-8565 Feedback Assistant Race Condition

There’s a general bug type on macOS. When a privileged (or loosely sandboxed) user space process accepts an IPC message from an unprivileged or sandboxed client, it decides whether the operation is allowed by checking the client’s code signature (bundle id, signing authority or entitlements). If that check identifies the client by its process id alone, it can be bypassed via a pid reuse attack: the client sends the request and then arranges for its pid to be occupied by a legitimately signed image before the server resolves the pid to a code identity. The identity a server should key such a check on is the kernel-supplied audit token of the message, not a bare pid.
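As an added example (not code from the post or from Feedback Assistant), the race described above replayed in a constructed model. Nothing here calls Security.framework; the "process table" and the `model_audit_token_t` struct are stand-ins for the kernel state, and the bundle id `com.apple.trusted-client` is hypothetical. The one real-world property the model reproduces is that a macOS audit token carries the sender's pid together with a pidversion counter assigned when the process is created, so a recycled pid does not match the token stamped on an earlier message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the situation in the text: each pid may be
 * reassigned to a new image over time. A real macOS audit token carries
 * the pid plus a pidversion that changes when the pid is recycled; only
 * that property is modelled here. */

#define MAX_PROCS 8
#define TRUSTED_ID "com.apple.trusted-client"   /* hypothetical bundle id */

typedef struct {
    int pid;
    unsigned pidversion;
    const char *bundle_id;   /* what a code-signature check of the image yields */
} proc_t;

/* Kernel-captured sender identity as it would arrive with an IPC message. */
typedef struct {
    int pid;
    unsigned pidversion;
} model_audit_token_t;

static proc_t procs[MAX_PROCS];
static unsigned next_pidversion = 1;

static proc_t *lookup_pid(int pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (procs[i].bundle_id && procs[i].pid == pid) return &procs[i];
    return NULL;
}

/* Start a process on the given pid, reusing a freed slot if there is one. */
static model_audit_token_t spawn(int pid, const char *bundle_id) {
    proc_t *slot = NULL;
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (!procs[i].bundle_id) { slot = &procs[i]; break; }
    if (!slot) return (model_audit_token_t){ -1, 0 };   /* table full */
    slot->pid = pid;
    slot->pidversion = next_pidversion++;
    slot->bundle_id = bundle_id;
    return (model_audit_token_t){ pid, slot->pidversion };
}

static void exit_proc(int pid) {
    proc_t *p = lookup_pid(pid);
    if (p) p->bundle_id = NULL;
}

/* Vulnerable server: resolves the sender's identity from its pid at check time. */
static bool check_by_pid(int sender_pid) {
    proc_t *p = lookup_pid(sender_pid);
    return p && strcmp(p->bundle_id, TRUSTED_ID) == 0;
}

/* Hardened server: the pidversion must still match the one stamped on the
 * message, so an image that took over the pid later does not pass. */
static bool check_by_audit_token(model_audit_token_t tok) {
    proc_t *p = lookup_pid(tok.pid);
    return p && p->pidversion == tok.pidversion
             && strcmp(p->bundle_id, TRUSTED_ID) == 0;
}

typedef struct { bool by_pid; bool by_token; } verdicts_t;

/* Replay the race: the attacker sends, then its pid is taken over by a
 * trusted image before the server's check runs. */
static verdicts_t run_pid_reuse_race(void) {
    memset(procs, 0, sizeof procs);
    next_pidversion = 1;

    /* 1. sandboxed attacker on pid 4242 sends the privileged request */
    model_audit_token_t sender = spawn(4242, "com.example.attacker");

    /* 2. attacker exits; a trusted client lands on the same pid */
    exit_proc(4242);
    spawn(4242, TRUSTED_ID);

    /* 3. server validates the queued message: pid says yes, token says no */
    verdicts_t v = { check_by_pid(sender.pid), check_by_audit_token(sender) };
    return v;
}

/* Sanity check that a genuine trusted client still passes both checks. */
static bool trusted_client_passes(void) {
    memset(procs, 0, sizeof procs);
    next_pidversion = 1;
    model_audit_token_t t = spawn(1000, TRUSTED_ID);
    return check_by_pid(t.pid) && check_by_audit_token(t);
}
```

The model deliberately leaves out how the attacker wins the race (exec into a trusted binary, or exit and respawn until the pid comes around again); whichever way the pid is recycled, the server that keys on the pid accepts the stale message while the one that keys on the audit token rejects it.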
