TTPwire Vol. 1 · MITRE ATT&CK tagged


Quarkslab

Intego X9: Never trust my updates

Mathieu Farrell · 2026-03-19

ATT&CK techniques detected

15 predictions (technique · confidence score, followed by the excerpt from the article that supports it)
T1027 Obfuscated Files or Information · 99%
“/MacOS/NetUpdate Installer.app/Contents/MacOS/NetUpdate Installer/Library/Intego/netupdated.bundle/Contents/MacOS/NetUpdate Checker.app/Contents/MacOS/NetUpdate Checker Figure 9 - Method encryptDecryptData: from class NUPackage (XOR encryption/de…”
T1068 Exploitation for Privilege Escalation · 96%
“…attack Figure 14 - Stages of preparing the attack. Execution of the attack Figure 15 - Stages of the exploit execution. Detailed explanation of how the exploit works Figure 16 - Detailed explanation of how the exploit works. Figure 17 - Exploit running. Proof of concept file: ge…”
T1559.003 XPC Services · 95%
“Intego X9: Never trust my updates Introduction In this final chapter of our series on vulnerabilities in Intego's macOS products, we pick up where Part 2 left off. We previously showed how a TOCTOU PID reuse race condition could be used to bypass XPC authentication checks in a…”
T1559.003 XPC Services · 95%
“…intego.netupdate.daemon.agent</key><true/></dict><key>AssociatedBundleIdentifiers</key><array><string>com.intego.netupdate</string></array></dict></plist> As can be seen above, it exposes the following MachServices service: com.…”
T1068 Exploitation for Privilege Escalation · 92%
“…table settings and a check/use gap can be combined to obtain root. Taken together, these findings show that the problem is not one isolated bug, but a broader design weakness in how privileged services validate identity, files, and update artifacts. The defensive takeaway is …”
T1559.003 XPC Services · 86%
“…different structures to see what we can interact with. Figure 2 - Exploration of structures. Which leads us to identify some of the exposed methods. Figure 3 - List of methods exposed by the XPC service. To have a clearer view of what is exposed we can draw a graph of all exposed…”
T1543.001 Launch Agent · 84%
“….plist) can be observed below (real data used as an example). <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> …”
T1559.003 XPC Services · 69%
“// Author: Mathieu Farrell aka @coiffeur0x90 // Date: 2025-11-12 // Summary: Exploits a PID-reuse race condition to bypass XPC listener // client-signature verification, uses that bypass to modify the // updater's (NetUpdate) configuration, then leverages a s…”
T1027 Obfuscated Files or Information · 66%
“…data. Therefore, it is trivial for us to find out what the "encrypted" data contains. To decipher the data we used this small Python script (extract.py) File: extract.py import plistlib # Define the expected keys within the .plist to extract. keys = ["package", "produc…”
T1055.001 Dynamic-link Library Injection · 52%
“…log("[+] Method found: `" + method + "`"); console.log("[*] Hooking class `" + h.className + "` method `" + h.selector + "`..."); Interceptor.attach(method.implementation, { onEnter: h.onEnter, onLeave: h.onLeave }); }); After examining the v…”
T1068 Exploitation for Privilege Escalation · 45%
“…. Luckily for us there is a brief time window between the moment a package's signature is validated and the moment that same .pkg file is actually used for installation as root. This gap, a classic TOCTOU (time-of-check to time-of-use) vulnerability, allows us to swap…”
T1543.001 Launch Agent · 44%
“…intego.netupdate.daemon.plist. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key>…”
T1027 Obfuscated Files or Information · 37%
“…to extract and process its corresponding value. for key in keys: try: extracted_data = plist.get(key) # Apply XOR decryption for all but the version key, # which is expected to be plaintext and should remain unchanged. if key != keys[2]: data = xor(extracted_data …”
T1195.001 Compromise Software Dependencies and Development Tools · 36%
“…3xyqrtowjmxotjm34vyfpm+tq5gcf93nnrisu8crqahx6gdfy63f0wrxn1vsvj3//fshor330wgog0fbalyqo+bqfposn6yt4pbxs6mpfd6vk4k9miwof1nxjvwshe8lp2bth2gl60wcxirp9/mrsmgzrjktfmh6afzanxp6pr711ydw1dwe6dl2dzhzcsyghceulc7s7t5b/mxto5hcbylplrgwkzz5ae2ltfxaubjxs6lkqwzpz/0b6bmo9avsy5k84xca…”
T1543.001 Launch Agent · 31%
“…we would be able to craft a custom update package and watch the system install it with root privileges during the update process. To make this work, we had to dive deep into the update system itself, reverse engineering the format of the update packages and uncovering a way to sl…”

Summary

This blog post dives into the most common classes of macOS Local Privilege Escalation vulnerabilities, from insecure XPC communications and time-of-check to time-of-use (TOCTOU) race conditions to a range of implementation and configuration oversights. It explores how attackers exploit these weaknesses to escalate privileges, with real-world examples that illustrate recurring patterns. It ends the Quarkslab series on Intego products for macOS by revealing vulnerabilities that can lead to Local Privilege Escalation, as well as a surprise bonus.
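The T1068 excerpt describes the check/use gap at the heart of the update attack: the daemon validates the .pkg, then later reopens the same path to install it as root, and the file is swapped in between. The following added Python demo (not the article's exploit, not Intego's code) makes that window explicit and puts the vulnerable pattern beside a hardened one. The "signature" is a SHA-256 over the bytes, the package contents are constructed strings, and the attacker's swap is called synchronously from inside the window so the race is deterministic; all three are assumptions for the demo.

```python
"""Verify-then-install on a path (TOCTOU) versus verify-then-install on the bytes read.
Added demo; package contents, the digest-based "signature" and the swap hook are constructed."""
import hashlib
import os
import stat
import tempfile

GOOD_PKG = b"xar!good-package"          # constructed stand-in for a signed .pkg
EVIL_PKG = b"xar!attacker-package"      # constructed stand-in for the swapped-in .pkg
TRUSTED_DIGEST = hashlib.sha256(GOOD_PKG).hexdigest()


def signature_ok(data: bytes) -> bool:
    """Stand-in for the real signature check: accept only the trusted package bytes."""
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST


def vulnerable_install(path: str, attacker_swap) -> bytes:
    """The pattern from the excerpt: check the file at `path`, then reopen `path` to install.
    `attacker_swap` runs in the window between the two opens. Returns what gets installed."""
    with open(path, "rb") as f:
        if not signature_ok(f.read()):
            raise PermissionError("bad signature")
    attacker_swap()                      # the TOCTOU window
    with open(path, "rb") as f:          # second resolution of the same path
        return f.read()                  # installed as root in the real daemon


def hardened_install(path: str, attacker_swap) -> bytes:
    """Open once without following symlinks, verify the bytes that were read, and install
    exactly those bytes. The path is never resolved again after the check."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "rb") as f:       # fdopen takes ownership of fd
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        data = f.read()
    if not signature_ok(data):
        raise PermissionError("bad signature")
    attacker_swap()                      # same swap, now irrelevant
    return data


def swap_attack(path: str):
    """Return a callable that atomically replaces `path` with the attacker's package."""
    def _swap():
        tmp = path + ".evil"
        with open(tmp, "wb") as f:
            f.write(EVIL_PKG)
        os.replace(tmp, path)            # rename, as an attacker would do in the window
    return _swap


def demo() -> dict:
    """Run both installers against a freshly written good package; return what each installed."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.pkg")
        for name, install in (("vulnerable", vulnerable_install), ("hardened", hardened_install)):
            with open(path, "wb") as f:
                f.write(GOOD_PKG)
            results[name] = install(path, swap_attack(path))
    return results


if __name__ == "__main__":
    for name, installed in demo().items():
        print(f"{name}: installed {installed!r}")
```

One caveat for the real fix: an installer that must be handed a path (rather than bytes) should first copy the package into a root-owned, non-world-writable staging directory and validate and install it from there; holding a descriptor to a file in an attacker-writable location is not enough if the attacker can still write to that file in place.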