An introduction to exploiting userspace race conditions on iOS
https://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/ [bazad.github.io]
2018-11-14 22:22
Let’s walk through the discovery and exploitation of CVE-2018-4331, a race condition in the com.apple.GSSCred XPC service that could be used to execute arbitrary code inside the GSSCred process, which runs as root on macOS and iOS. The exploit, gsscred-race, targets iOS 11.2, although versions up through iOS 11.4.1 are vulnerable. This post will show how I discovered the bug, how I analyzed its exploitability, and how I developed a JOP program that allowed me to take control of the process.
Although in practice it’s maybe more interesting on macOS?
On macOS, GSSCred runs outside of any sandbox, meaning once we get the task port we have unsandboxed arbitrary code execution as root.
source: grugq