AirBorne: Wormable zero-click remote code execution (RCE) in AirPlay protocol

130 points by throw0101a 14 days ago

9 comments

Roguelazer 14 days ago
Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.
Comment #43841987 not loaded
Comment #43843189 not loaded
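The comment above argues that a network-facing parser should never run as root. As an added example (not code from the thread, from Apple, or from any AirPlay implementation), here is the privilege-separation pattern it implies, written in C for a POSIX daemon: do whatever genuinely needs root first, then drop irreversibly to an unprivileged uid/gid, verify the drop, and only then touch bytes that came off the network. The uid/gid are assumed to be supplied by the caller; the "nobody" account used when started as root and the one-line request parser are stand-ins.

```c
#define _GNU_SOURCE 1   /* exposes setgroups() on glibc; harmless elsewhere */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Returns 0 on success, -1 on error.
 * Order matters: supplementary groups and the gid must be changed while we
 * are still root; setuid() comes last because afterwards the group calls
 * would no longer be permitted. setgid()/setuid() change the real, effective
 * and saved ids together, so no saved root id remains to climb back to. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Post-condition check: unprivileged now, and unable to become root again.
 * Returns 1 if both hold, 0 otherwise. */
int privileges_dropped(void) {
    if (getuid() == 0 || geteuid() == 0) return 0;
    /* Regaining root must fail with EPERM once the saved uid is gone too. */
    if (setuid(0) == 0) return 0;
    return errno == EPERM;
}

/* Handle one request read from the network. Untrusted bytes are parsed only
 * after the drop is verified: returns -1 while the process is still
 * privileged, otherwise the number of bytes consumed (up to and including the
 * first newline) by a deliberately trivial stand-in for the real parser. */
long serve_request(const unsigned char *req, size_t len) {
    if (req == NULL) return -1;
    if (!privileges_dropped()) return -1;
    const unsigned char *nl = memchr(req, '\n', len);
    return nl ? (long)(nl - req) + 1 : (long)len;
}

int main(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        /* Started as root (e.g. to bind a privileged port before this point):
         * switch to a service account. "nobody" is an assumed placeholder; a
         * real daemon would use its own dedicated account. */
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL) { perror("getpwnam"); return 1; }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }

    /* Constructed sample request; in a daemon this would arrive on a socket. */
    static const unsigned char request[] = "GET /info HTTP/1.1\r\nHost: example\r\n";
    long n = serve_request(request, sizeof request - 1);
    printf("privileges dropped: %s, bytes consumed: %ld\n",
           privileges_dropped() ? "yes" : "no", n);
    return 0;
}
```

Run as an ordinary user the drop is a no-op and the request is served; the point of `privileges_dropped()` is that it is checked, not assumed, so a daemon accidentally launched without the drop refuses to parse rather than parsing as root.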
throw0101a 14 days ago
CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,

* https://support.apple.com/en-ca/122374

Apple fixed their stuff, but third parties who used their SDK will have to issue updates as well.
Comment #43848864 not loaded
paulddraper 13 days ago
Zero-click local network RCE on macOS: 102 points

Article titled "Someone At YouTube Needs Glasses" about YouTube layout: 837 points and rising

Hacker News my a*s
m463 14 days ago
macOS is pretty promiscuous, and I've noticed random AirPlay displays (like the neighbors') showing up in the mirroring dropdown in the dock.

Wonder if this is a way to get into the stack.
Comment #43841368 not loaded
abhisek 14 days ago
Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on macOS. This is in spite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes.

https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/
Comment #43837578 not loaded
RainyDayTmrw 14 days ago
Oof. It's parsing and memory corruption again.
pjmlp 13 days ago
Basically a collection of use-after-free, stack-based buffer overflow, type confusion, memory exhaustion, integer overflow, NULL pointer dereference, for the most part.

However, we all know that the problem is that juniors and interns are the ones that get to write this code; a senior with proper education would never deliver these mistakes into production. /s
Comment #43904453 not loaded
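Most of the classes listed in the comment above (and RainyDayTmrw's "parsing and memory corruption again") arise at one place in a wire-format parser: a length or count read from the network is used before it is checked. As an added example that is not from the thread and not from any AirPlay or plist implementation, this C parser for a constructed `[type:1][len:2 big-endian][payload]` record format shows the check that closes each class; `MAX_RECORDS` and `MAX_PAYLOAD` are assumed policy limits, and the sample buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 16   /* cap on records per message: bounds memory use (assumed limit) */
#define MAX_PAYLOAD 64   /* fixed destination size: must be enforced before any copy */

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  data[MAX_PAYLOAD];
} record_t;

/* Parse a sequence of [type][len][payload] records from untrusted bytes into
 * out[]. Returns the number of records parsed, or -1 if the input is malformed
 * in any way. Every rejection below maps to one of the bug classes named in
 * the thread; the parser never reads or writes outside buf/out. */
int parse_records(const uint8_t *buf, size_t buf_len, record_t *out, size_t out_cap) {
    if (buf == NULL || out == NULL) return -1;            /* NULL pointer dereference */
    size_t off = 0, n = 0;
    while (off < buf_len) {
        if (n >= out_cap || n >= MAX_RECORDS) return -1;  /* memory exhaustion / out[] overflow */
        /* Written as buf_len - off rather than off + 3 so no intermediate sum
         * can wrap around: this is where integer overflow usually hides. */
        if (buf_len - off < 3) return -1;                 /* truncated header */
        uint8_t  type = buf[off];
        uint16_t len  = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        off += 3;
        if (len > MAX_PAYLOAD) return -1;                 /* stack/struct buffer overflow */
        if (buf_len - off < len) return -1;               /* over-read past the input */
        out[n].type = type;
        out[n].len  = len;
        memcpy(out[n].data, buf + off, len);              /* len is now proven <= MAX_PAYLOAD */
        off += len;
        n++;
    }
    return (int)n;
}

int main(void) {
    /* Constructed sample: type 1 with payload "abc", then type 2 with no payload. */
    static const uint8_t msg[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c', 0x02, 0x00, 0x00 };
    record_t recs[MAX_RECORDS];
    int n = parse_records(msg, sizeof msg, recs, MAX_RECORDS);
    printf("parsed %d records\n", n);
    for (int i = 0; i < n; i++)
        printf("  type=%u len=%u\n", recs[i].type, recs[i].len);

    /* Same message with its first length field claiming 5 bytes: rejected. */
    static const uint8_t truncated[] = { 0x01, 0x00, 0x05, 'a', 'b' };
    printf("truncated -> %d\n", parse_records(truncated, sizeof truncated, recs, MAX_RECORDS));
    return 0;
}
```

The design choice worth noting is that the parser validates against the sizes it actually owns (`out_cap`, `MAX_PAYLOAD`, `buf_len`) rather than against values the peer sent, and that it fails closed on the first inconsistency instead of trying to resynchronise.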
rubatuga 14 days ago
Good thing I'm still on macOS 12
Comment #43838352 not loaded
waterTanuki 13 days ago
The most important question remains unanswered: would Rust have prevented this?