Privilege escalation with kill(-1, SIGKILL) in XNU kernel of macOS High Sierra

Michael Perez

We have found an issue in the XNU kernel of macOS High Sierra wherein an unprivileged user can terminate all running processes using the kill system call. In short, a completely unprivileged user can bring down the entire system with kill(-1, SIGKILL) (and, in a shell, kill SIGKILL -1), so long as there is at least one other process running owned by that user. In some cases we've seen it take a few tries in a loop to actually trigger the issue.

We have reported the issue to Apple, who do not see it as a security concern. On its own the ability to easily bring down a multi-user system is concerning, but the fact that we found this accidentally and that the behavior is exactly what you'd expect if there were no permissions check for the kill call at all leads us to believe that there is likely more that can be done to exploit this issue. Some reports include log messages showing services being killed prior to the system breaking, though this has been difficult to reproduce.

https://archive.fo/g8s04 ( https://groups.google.com/forum/#!topic/nix-devel/KV9eomIdxWE )

Lincoln Howard

hi I'm a mac :^)

Connor Carter

The mac userbase willingly give their data and agency to anyone who asks so what's the point of an exploit?

Austin Myers

that stance
"Hello, I'm CIA"

Cooper Williams

Eerie.

Ayden Cook

> We have reported the issue to Apple, who do not see it as a security concern.
Now to figure a way to do this on multiple systems at once over a network, preferably with making it autostart.

Brody Roberts

He looks even gayer than the Dell Dude.

Colton Hernandez

video
hey it's me steve, your fucking son!
This is such an old ritual of etiquette, to greet and formally introduce yourself before talking. It goes back to interactions of the upper classes, letters, telephone and even in video when it's fucking obvious there is no need. From video chats to youtube, fuck me humans are weird.

Kevin Wright

So with "kill SIGKILL -1 1" i can kill the init?

Leo Martinez

Why didn't they stick to naming it after cats instead of gay shit like El Captain or Sierra?

Tyler Sanchez

Eventually they'd run out of actual cat species and have to name it after Big the Cat.

Thomas Fisher

Jesus Christ what a fucking ripoff.

Juan Watson

I swear it is like they just do not give a fuck about their desktop os anymore.

> gay shit like El Captain or Sierra?
Just because. Starting with Mavericks, they decided on a Mountain range naming scheme.

Julian Collins

I'm pretty sure Dell dude came out before Mac guy.

Lucas Lee

your image says one thing but your post completely agrees with him

Mason Hernandez

If UNIX really was a "simplified MULTICS" we wouldn't have these kinds of problems.
https://www.acsac.org/2002/papers/classic-multics.pdf

Brayden Robinson

hey, it's me, autism

Gabriel Mitchell

I think this particular problem happens because Apple is trying to (re)design a multi-user system for a single user.

Aaron Sullivan

Oh they care... they just only care about making it shinier, and easier for high functioning retards to use the OS. They probably assume most mactards have never seen a shell prompt in their life, no real worry of the average user doing shit like this.
