Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.
Mindwipe · 9h ago
Apple have reworked Airplay so many times at this point the entire thing is just a massive pile of technical debt piled on another massive pile of technical debt, piled on a bunch of weird hacks to try and keep all the devices built for previous versions afloat.
walterbell · 33m ago
At least it can be disabled via MDM/Configurator policy.
throw0101a · 1d ago
CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,
Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.
m463 · 17h ago
macos is pretty promiscuous, and I've noticed random airplay displays (like the neighbors) showing up in the mirroring dropdown in the dock.
wonder if this is a way to get into the stack.
greyadept · 11h ago
This behaviour always made me feel a bit suspicious about airplay but I reassured myself that Apple surely had it locked down. But these 17 CVEs show that my trust was misplaced.
abhisek · 1d ago
Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on MacOS. This is inspite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes
On ASLR: you might use the UAF to access memory regions you shouldn’t have access to. By reading the contents, they can potentially leak pointers to a critical library (e.g., libc), allowing them to calculate the offsets to bypass ASLR.
On heap protection: if you spray the heap with predictable data patterns you can improve your chance of landing a useful address, even with ASLR in place
RainyDayTmrw · 12h ago
I understand heap sprays in theory. In practice, how do they avoid clobbering something important and crashing the app? It seems like a typical app has a lot of state to clobber.
No comments yet
RainyDayTmrw · 13h ago
Oof. It's parsing and memory corruption again.
pjmlp · 3h ago
Basically a collection of use-after-free, stack-based buffer overflow, type confusion, memory exhaustion, integer overflow, NULL pointer dereference, for the most part.
However we all know that the problem is that juniors and interns are the ones that get to write this code, a senior with proper education would never deliver these mistakes into production. /s
rubatuga · 20h ago
Good thing I'm still on macOS 12
slama · 18h ago
macOS 12 is EOL and is no longer receiving security updates.
* https://support.apple.com/en-ca/122374
Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.
wonder if this is a way to get into the stack.
https://security.apple.com/blog/towards-the-next-generation-...
On heap protection: if you spray the heap with predictable data patterns you can improve your chance of landing a useful address, even with ASLR in place
No comments yet
However we all know that the problem is that juniors and interns are the ones that get to write this code, a senior with proper education would never deliver these mistakes into production. /s
There’s a strong chance it’s vulnerable, too