macOS Big Sur 11.2.1 (Also affect the latest 11.2.2) root privilege escalation demo on M1 MacBook. #M1 #ARM64 #BugBounty #Hacking
Some security highlights about M1 and macOS 11:
1. It's difficult to achieve kernel code execution with Kernel PAC that comes with the M1 chip.
2. Important kernel variables such as csr_config that directly affect CSR/SIP policies are now stored in the read-only segment.
Just as kernel code, they are protected by KTRR/CTRR from being modified even after the attacker gain kernel R/W ability. Intel-based Macs do not have this security feature. Read pmap.c and arm_vm_init.c to learn more.
3. AuxKC prevents attackers from loading custom kexts immediately after the kernel is exploited. The custom kext gives attackers the ability to deploy an advanced and undetectable payload.
According to Apple Platform Security PDF. Starting with macOS 11, kext can't be loaded into the kernel on demand without an occurrence of a system reboot. which was not needed in the past.
4. APFS snapshot, more steps are needed to modify the root file system.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
