- Vulnerability and Patches: Discusses CVE-2024-54471, patched in macOS Sequoia 15.1, Sonoma 14.7.1, and Ventura 13.7.1. Urges users to update if they are not yet on one of these versions.
- Kernel and Mach: Explains that the macOS kernel is XNU, a hybrid kernel built around Mach. Mach started as an operating-system research project at Carnegie Mellon University and was later used in NeXTSTEP, which became Darwin and the basis for macOS. Mach's design differed from classic Unix in making inter-process communication a core kernel primitive: tasks exchange messages over ports rather than relying on the traditional Unix IPC mechanisms.
- Mach Architecture: Describes the four Mach abstractions (task, thread, port, message). Ports carry send and receive rights; a message consists of a header, optional descriptors (for complex messages that carry port rights or out-of-line memory), an inline payload, and a trailer that the kernel appends on receive. The bootstrap server (launchd) and how Mach services are registered and looked up are also explained.
- Mach Interface Generator (MIG): MIG generates client stubs and server dispatch code from interface definitions, wrapping raw Mach message sending and receiving in ordinary function calls; it is used heavily by the kernel. The XPC APIs, themselves built on Mach messages, have superseded MIG for user-space communication.
- Exploiting MIG Servers: MIG has no native security measures: generated server code dispatches any well-formed request to the matching routine without checking who sent it. The `ipsw` CLI tool can be used to find MIG servers by searching binaries for the `NDR_record` symbol, which MIG-generated code references.
- Exploiting NetAuthAgent: NetAuthAgent is the daemon responsible for handling file server credentials. It exposes a MIG server that a local process holding a send right to its service port can use to leak those credentials. The credentials are stored in the macOS keychain, and NetAuthAgent proxies keychain queries on the caller's behalf, so the missing sender check effectively turns it into a keychain-access oracle.
- Exploit Chain: The same weakness supports an exploit chain that reaches iCloud account information and API tokens. With those tokens an attacker can leak various data and perform operations through Find My.
- What Should Apple Have Done: Apple should have verified the sender of each Mach message, for example by checking the sender's entitlements against the audit token the kernel attaches to received messages. NetAuthAgent now does this, checking the caller's entitlements before responding.
- Conclusion: Highlights the importance of security and of keeping macOS updated. Encourages users to enable Advanced Data Protection or to disable web access to iCloud, and to change passwords if they are concerned their credentials were exposed. Closes by asking how many other MIG servers have the same flaw.
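The Mach message layout from the Mach Architecture section, the `NDR_record` every MIG request carries, and the sender check the "What Should Apple Have Done" section calls for, as one added C example (not code from the original post or from Apple). It builds the receive buffer a MIG server would get back from mach_msg() for a hypothetical routine, including the audit trailer the kernel appends when the receiver asks for MACH_RCV_TRAILER_AUDIT, then dispatches it twice: once the way stock MIG-generated code does (no sender check) and once gated on the sender's entitlement, looked up from the pid in the audit token. The struct layouts and constants are copied from <mach/message.h> so the file builds and runs off macOS; the message id 1000, the entitlement name com.example.netauth.client, the pid table standing in for SecTaskCopyValueForEntitlement(), and the port names are assumptions.

```c
/* Added example (not from the original post or Apple): a Mach request as a MIG
 * server sees it, with the audit trailer the kernel appends on receive for
 * MACH_RCV_TRAILER_AUDIT, plus the sender check MIG itself omits. Layouts are
 * copied from <mach/message.h> so this builds off macOS; the routine, message
 * id, entitlement name and pid table are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t msgh_bits;           /* dispositions of remote/local ports */
    uint32_t msgh_size;           /* header + body; the trailer is not counted */
    uint32_t msgh_remote_port, msgh_local_port, msgh_voucher_port;
    int32_t  msgh_id;             /* MIG: subsystem base + routine index */
} mach_msg_header_t;              /* 24 bytes */

typedef struct { uint32_t val[8]; } audit_token_t;  /* val[1] = euid, val[5] = pid */

typedef struct {
    uint32_t msgh_trailer_type;   /* MACH_MSG_TRAILER_FORMAT_0 */
    uint32_t msgh_trailer_size;   /* 52 for this trailer */
    uint32_t msgh_seqno;
    uint32_t msgh_sender[2];      /* security_token_t: uid, gid */
    audit_token_t msgh_audit;     /* kernel-filled; the sender cannot forge it */
} mach_msg_audit_trailer_t;

#define MACH_MSG_TRAILER_FORMAT_0     0u
#define MACH_MSG_TYPE_COPY_SEND       19u
#define MACH_MSG_TYPE_MAKE_SEND_ONCE  21u
#define MACH_MSGH_BITS(remote, local) ((remote) | ((local) << 8))

/* Hypothetical routine 0 of a MIG subsystem based at id 1000, one int argument.
 * Every MIG request carries the 8-byte NDR_record after the header; that is the
 * symbol a search for MIG servers keys on. */
#define EXAMPLE_MSG_ID 1000
typedef struct { mach_msg_header_t Head; uint8_t NDR[8]; int32_t item; } example_request_t; /* 36 bytes */
static const uint8_t NDR_record[8] = {0, 0, 0, 0, 1, 0, 0, 0};  /* int_rep = little endian */

/* Constructed sample of a receive buffer: request body, then the kernel-written
 * trailer at offset msgh_size. Returns the total length. */
size_t build_request(uint8_t *out, uint32_t pid, uint32_t euid, int32_t item) {
    example_request_t req;
    mach_msg_audit_trailer_t tr;
    memset(&req, 0, sizeof req); memset(&tr, 0, sizeof tr);
    req.Head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
    req.Head.msgh_size = sizeof req;
    req.Head.msgh_remote_port = 0x1103; req.Head.msgh_local_port = 0x1203;  /* arbitrary names */
    req.Head.msgh_id = EXAMPLE_MSG_ID;
    memcpy(req.NDR, NDR_record, sizeof req.NDR);
    req.item = item;
    tr.msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
    tr.msgh_trailer_size = sizeof tr;
    tr.msgh_sender[0] = tr.msgh_audit.val[1] = euid;
    tr.msgh_audit.val[5] = pid;
    memcpy(out, &req, sizeof req);
    memcpy(out + sizeof req, &tr, sizeof tr);
    return sizeof req + sizeof tr;
}

/* Copy out the audit trailer; 0 if the buffer is truncated or carries another trailer. */
int audit_trailer(const uint8_t *buf, size_t len, mach_msg_audit_trailer_t *out) {
    mach_msg_header_t hdr;
    if (len < sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.msgh_size < sizeof hdr || hdr.msgh_size % 4 != 0) return 0;
    if (len < (size_t)hdr.msgh_size + sizeof *out) return 0;
    memcpy(out, buf + hdr.msgh_size, sizeof *out);
    return out->msgh_trailer_type == MACH_MSG_TRAILER_FORMAT_0 && out->msgh_trailer_size == sizeof *out;
}

/* Stand-in for SecTaskCopyValueForEntitlement() on the task behind the audit
 * token: a constructed table of which pids hold the hypothetical entitlement. */
#define CLIENT_ENTITLEMENT "com.example.netauth.client"
static const struct { uint32_t pid; const char *ent; } entitled[] = {{501, CLIENT_ENTITLEMENT}};
int sender_has_entitlement(const audit_token_t *tok, const char *ent) {
    for (size_t i = 0; i < sizeof entitled / sizeof entitled[0]; i++)
        if (entitled[i].pid == tok->val[5] && strcmp(entitled[i].ent, ent) == 0) return 1;
    return 0;
}

/* 1 = routine would run, 0 = denied, -1 = malformed. check_sender == 0 is stock
 * MIG behaviour: any process holding a send right gets the routine. */
int dispatch(const uint8_t *buf, size_t len, int check_sender) {
    mach_msg_header_t hdr;
    mach_msg_audit_trailer_t tr;
    if (len < sizeof(example_request_t)) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.msgh_id != EXAMPLE_MSG_ID || hdr.msgh_size != sizeof(example_request_t)) return -1;
    if (check_sender) {
        if (!audit_trailer(buf, len, &tr)) return -1;   /* no kernel trailer: refuse */
        if (!sender_has_entitlement(&tr.msgh_audit, CLIENT_ENTITLEMENT)) return 0;
    }
    return 1;   /* a real server would run routine 0 here and send the reply */
}

/* Build the sample for `pid`, truncate it to `len` if shorter, and dispatch. */
int verdict(uint32_t pid, size_t len, int check_sender) {
    uint8_t buf[128];
    size_t n = build_request(buf, pid, 501, 7);
    return dispatch(buf, len < n ? len : n, check_sender);
}

int main(void) {
    printf("pid 777: stock MIG %d, with sender check %d\n", verdict(777, (size_t)-1, 0), verdict(777, (size_t)-1, 1));
    printf("pid 501 (entitled), with sender check %d\n", verdict(501, (size_t)-1, 1));
    return 0;
}
```

Two points a practitioner should take from this. First, the sender identity is only trustworthy because the kernel writes the trailer: a server must request it explicitly (MACH_RCV_TRAILER_TYPE and MACH_RCV_TRAILER_ELEMENTS options to mach_msg()) and must refuse requests where it is absent, because the default trailer carries no identity at all, which is what the `return -1` branch models. Second, the real check would create a SecTask from the audit token (SecTaskCreateWithAuditToken) and query the entitlement; the pid table here only keeps the example self-contained.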