Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between processes, such as between the XPC service daemon and a third-party application's privileged helper tool. Applications can send messages to the XPC service daemon, which runs as root, using the low-level XPC C API or the high-level `NSXPCConnection` API to handle tasks that require elevated privileges (such as network connections). The application is responsible for providing the protocol definition, which serves as the blueprint for the XPC service. Developers typically use XPC services to give applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct Exploitation for Privilege Escalation.
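The two weaknesses named above, missing client validation and unsanitised parameters, are both addressed on the daemon side. The following is an added example, not code from the original page or from Apple: a privileged helper whose `NSXPCListener` delegate accepts only clients satisfying a code-signing requirement, and whose single exported method confines the path it receives. The Mach service name, bundle identifier, `TEAMID` placeholder, staging directory and protocol are all assumptions.

```objective-c
#import <Foundation/Foundation.h>

@protocol HelperProtocol
// The only operation the helper exposes over XPC (assumed protocol).
- (void)installBundleAtPath:(NSString *)path reply:(void (^)(NSError *error))reply;
@end

// Placeholders: substitute your own client bundle identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
     "and certificate leaf[subject.OU] = \"TEAMID\"";
// Trailing slash matters: it stops "staging-evil/" from matching as a prefix.
static NSString *const kAllowedRoot = @"/Library/Application Support/com.example.helper/staging/";

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Enforced against the peer's kernel-held audit token on every message,
        // so it is not defeated by PID reuse the way a pid-based check is.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else {
        return NO;  // no audit-token based check available: refuse rather than trust the client
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)installBundleAtPath:(NSString *)path reply:(void (^)(NSError *))reply {
    // A validated client does not make its arguments trustworthy: canonicalise
    // the path (symlinks, "..") and confine it to a directory the helper owns.
    NSString *real = [[[NSURL fileURLWithPath:path] URLByResolvingSymlinksInPath] path];
    if (![real hasPrefix:kAllowedRoot]) {
        reply([NSError errorWithDomain:NSCocoaErrorDomain code:NSFileReadNoPermissionError userInfo:nil]);
        return;
    }
    // ... perform the privileged install of `real` here ...
    reply(nil);
}
@end

int main(void) {
    Helper *helper = [Helper new];
    NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
    listener.delegate = helper;
    [listener resume];
    [[NSRunLoop currentRunLoop] run];
}
```

The helper must be installed as a launchd daemon with a `MachServices` entry for `com.example.helper` for the listener to receive connections; the requirement string can be checked ahead of time with `codesign -v -R` against a built client.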
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1559.003 | XPC Services | This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications. |
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1559.003 | XPC Services | This diagnostic statement protects against abuse of XPC Services through the use of DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1559.003 | XPC Services | |
| CM-05 | Access Restrictions for Change | mitigates | T1559.003 | XPC Services | |
| SA-10 | Developer Configuration Management | mitigates | T1559.003 | XPC Services | |
| SA-11 | Developer Testing and Evaluation | mitigates | T1559.003 | XPC Services | |
| SA-08 | Security and Privacy Engineering Principles | mitigates | T1559.003 | XPC Services | |
| CM-07 | Least Functionality | mitigates | T1559.003 | XPC Services | |
| SI-04 | System Monitoring | mitigates | T1559.003 | XPC Services | |