Crash One - A StarBucks Story (CVE-2025-24277)
Csaba Fitzl, Gergely Kalman
Hexacon 2025 · Day 1 · Main Stage
This talk, "Crash One - A Starbucks Story," presented by Csaba Fitzl and Gergely Kalman, details a critical vulnerability (CVE-2025-24277) they uncovered in macOS. The presentation walks through a chained exploit that leverages a flaw in the `osanalyticshelperd` process, a root-running daemon responsible for writing crash logs, to achieve an arbitrary file write and, ultimately, full privilege escalation and a macOS sandbox escape. What began as an initially dismissed bug, which both researchers had deemed "unexploitable" because of perceived sandbox limitations, evolved into an attack chain capable of compromising system integrity.
AI review
Fitzl and Kalman walk through a genuinely well-constructed exploit chain against macOS — a root-privileged daemon that can be coerced into consuming attacker-supplied sandbox extension tokens, a POSIX rename race condition, ACL inheritance abuse, and a clean sandbox escape via unquarantined DMG. The research required real depth across multiple macOS subsystems, the chaining is elegant, and the defensive implications are concrete. Not quite a five because the individual primitives (rename races, sandbox extension mechanics, ACL inheritance) are known concepts to anyone who's spent real time…