Mac Attacks Along the Kill Chain: Part 2 — Privilege Escalation [VIDEO]


This blog is the second in a series from CrowdStrike’s RSA 2019 keynote, “Hacking Exposed: Hacking Macs,” where I joined CrowdStrike co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, as we demonstrated real-world attacks against MacOS machines and networks. In this video, I demonstrate the second stage of an attack, “Privilege Escalation.” In my previous blog, I focused on the first attack stage, “Delivery.”

Becoming a Root on a System

Once the delivery stage has been successful and the attackers have gained access to the machine, they must escalate their privileges — this means becoming the root user on the system for the purpose of performing privileged actions, such as accessing password data and other restricted files and folders.

To conduct this demonstration, I leveraged a vulnerability commonly found in applications with insecure update practices. In this case, we are working with the vendors to fix these vulnerabilities, so I won’t name the applications. For demo purposes, we’ve written our own application that shares the same update vulnerabilities as the ones we’ve found in the wild.

Root Access Aided by Poor Update Practices

Often, applications running with basic user permissions require a user to enter his or her password when it’s time to install an update. This leaves a small time gap for the attackers to replace the update with their own code. This is a relatively “old school” technique that is still proving successful today on all platforms.

Using the demo application we’ve built, here is how this privilege escalation unfolds, as demonstrated in the video:

  • First, the demo shows you how the attacker gains root access by taking advantage of a file race condition in the vulnerable app’s update process.
  • The race condition is performed by placing the update file where the application expects it. The immutable flag is used to keep the attacker update from being overwritten by the vulnerable application’s legitimate update.
  • Then the attacker simply waits for the app to ask for an update — this step can be time-consuming, though depending on permissions, some apps can be manipulated into thinking they are ready for an update.
  • In the final stage, the vulnerable app goes to update and the user enters his or her password. At this point, privileges are escalated and the attacker’s update is executed.


The video concludes by discussing countermeasures that can help keep attackers from escalating privileges.

First, it’s important to note that Apple has a number of enforced requirements for applications they offer in the App Store — one of them is the sandbox. Apps that are sandboxed are considered safer, in general, because if the attacker manages to exploit them, he must then find a way to escape the sandbox to access the rest of the system. The sandbox also provides developers with a number of ways to perform privilege separation, which can lead to a far more secure update process.

While Apple provides proactive updates, it is also incumbent on the user to be cautious about popups and prompts. For many years, there has been a strong focus on warning users about phishing attacks and the dangers of clicking on links in emails. However, there has been less focus on the prompts that crop up asking for your password. Users need to practice vigilance and question these prompts when they occur to determine whether they are legitimate or not.

Additional Resources

CrowdStrike Falcon Free Trial

Jaron Bradley

Jaron Bradley has a background in Host-Based Incident Response and has focused mainly on detected targeted attacks. Bradley is currently the youngest member of CrowdStrike’s Falcon Overwatch where he serves as one of the company’s top intrusion analysts, concentrates on OSX-based analysis, and plays a vital role in finding anomalous activity on customer networks.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial