Feb 25, 2026 • Mathieu Farrell
Intego X9: Why your macOS antivirus should not trust PIDs
Summary
This blog post dives into the most common classes of macOS Local Privilege Escalation vulnerabilities, from time-of-check to time-of-use (TOCTOU) Race Conditions and insecure XPC communications to a range of implementation and configuration oversights. We will explore how attackers can exploit these weaknesses to escalate privileges, and highlight real-world examples to illustrate recurring patterns.
Published Analysis
Introduction
Today's post dives into a practical reverse engineering exercise focused on Intego (for macOS). We will first use static analysis with Ghidra to inspect how a privileged process exposes Mach services via XPC, so we know where to look before moving on to observing real runtime behavior. In the second part we will switch to dynamic analysis with Frida to observe how those Mach services behave under execution and to illustrate a class of Race Condition attacks (a PID reuse attack using posix_spawn() semantics). The goal of this article is not to provide exploit recipes, but to demonstrate, from a research perspective, how seemingly small implementation details can expand an attacker's ability to interact with privileged processes over XPC.
Target identification
We will start by enumerating the privileged services configured under /Library/LaunchDaemons/, a system directory where system-wide launchd job property lists (.plist files) register daemons and background services that run with elevated privileges on macOS. Apple's official documentation describes how launchd and /Library/LaunchDaemons/ are used to install and manage system-wide jobs.
Daemons identification from looking at /Library/LaunchDaemons/
After analyzing the configured daemons we will compare that list against the processes actually running as root on the machine using ps.
Figure 1 - List of binaries supposed to run as root.
Command: plutil -extract ProgramArguments.0 raw *.plist
Output:
  /Library/Intego/integod
  /Library/Intego/TaskManager/TaskManagerDaemon
  /Library/Intego/ContentBarrier.bundle/Contents/MacOS/ContentBarrier Daemon.app/Contents/MacOS/ContentBarrier Daemon
  /Library/Intego/netbarrier.bundle/Contents/MacOS/netbarrierl
  /Library/Intego/netbarrier.bundle/Contents/MacOS/netbarrierm
  /Library/Intego/netbarrier.bundle/Contents/MacOS/netbarrierd
  /Library/Intego/netupdated.bundle/Contents/MacOS/com.intego.netupdated
  /Library/Intego/netupdated.bundle/Contents/MacOS/NetUpdate Installer.app/Contents/MacOS/NetUpdate Installer
  /Library/Intego/Personal Backup.bundle/Contents/MacOS/Personal Backup Script Scheduler
  /Library/Intego/virusbarrier.bundle/Contents/MacOS/VirusBarrier.app/Contents/MacOS/virusbarrierl
  /Library/Intego/virusbarrier.bundle/Contents/MacOS/VirusBarrier.app/Contents/MacOS/virusbarrierd
  /Library/Intego/virusbarrier.bundle/Contents/MacOS/VirusBarrier.app/Contents/MacOS/virusbarriers
  /Library/PrivilegedHelperTools/com.intego.WashingMachine.service.app/Contents/MacOS/com.intego.WashingMachine.service
From the command output, we can extract the paths and represent them in the form of a tree:
- /Library/ (dir)
  - Intego/ (dir)
    - integod (binary)
    - TaskManager/ (dir)
      - TaskManagerDaemon (binary)
    - ContentBarrier.bundle/Contents/MacOS/ContentBarrier Daemon.app/Contents/MacOS/ (dir)
      - ContentBarrier Daemon (binary)
    - netbarrier.bundle/Contents/MacOS/ (dir)
      - netbarrierl (binary)
      - netbarrierm (binary)
      - netbarrierd (binary)
    - netupdated.bundle/Contents/MacOS/ (dir)
      - com.intego.netupdated (binary)
      - NetUpdate Installer.app/Contents/MacOS/ (dir)
        - NetUpdate Installer (binary)
    - Personal Backup.bundle/Contents/MacOS/ (dir)
      - Personal Backup Script Scheduler (binary)
    - virusbarrier.bundle/Contents/MacOS/VirusBarrier.app/Contents/MacOS/ (dir)
      - virusbarrierl (binary)
      - virusbarrierd (binary)
      - virusbarriers (binary)
  - PrivilegedHelperTools/com.intego.WashingMachine.service.app/Contents/MacOS/ (dir)
    - com.intego.WashingMachine.service (binary)
Analyzing ps output
The command ps -u root | grep -i intego lists all processes owned by root and pipes the output to grep for the string intego, which quickly shows any Intego-related processes running with root privileges. It is a simple way to verify whether Intego services or daemons are active as root (note that grep itself does not appear in the results, since it runs as a normal user).
Command: ps -u root | grep -i intego
Output:
  0 257 ?? 0:01.83 /Library/Intego/ContentBarrier.bundle/Contents/MacOS/ContentBarrier Daemon.app/Contents/MacOS/ContentBarrier Daemon
  0 258 ?? 0:00.40 /Library/Intego/netupdated.bundle/Contents/MacOS/com.intego.netupdated
  0 259 ?? 0:00.01 /Library/PrivilegedHelperTools/com.intego.WashingMachine.service.app/Contents/MacOS/com.intego.WashingMachine.service
  0 260 ?? 0:00.36 /Library/Intego/virusbarrier.bundle/Contents/MacOS/VirusBarrier.app/Contents/MacOS/virusbarrierd
  0 261 ?? 0:01.25 /Library/Intego/netbarrier.bundle/Contents/MacOS/netbarrierd
  0 262 ?? 0:01.37 /Library/Intego/netbarrier.bundle/Contents/MacOS/netbarrierm
  0 263 ?? 0:00.41 /Library/Intego/Personal...
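The comparison the two commands above perform by hand (plists declaring daemons versus processes actually running as root) can be scripted so it is repeatable on any machine being audited. This is an added example, not code from the original post or from Intego; it assumes only the plutil invocation and ps output format shown on this page, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): cross-reference the
# binaries the launchd plists declare as ProgramArguments.0 against the
# commands `ps -u root` reports, so declared daemons that are not running
# as root (or that run with unexpected arguments) stand out.
# Only declared_daemons() needs macOS plutil; the other two functions are
# plain text processing and run on any POSIX shell with awk.

# Print ProgramArguments.0 of every plist in a directory, one path per line.
# Defaults to /Library/LaunchDaemons, the directory examined in the post.
declared_daemons() {
    dir="${1:-/Library/LaunchDaemons}"
    for p in "$dir"/*.plist; do
        [ -f "$p" ] && plutil -extract ProgramArguments.0 raw "$p"
    done
}

# Read `ps -u root` output (UID PID TT TIME CMD) on stdin and print only the
# CMD column. The header line is skipped because its first field is not
# numeric; fields 5..end are rejoined so paths containing spaces such as
# "ContentBarrier Daemon" survive intact.
root_commands() {
    awk '$1 ~ /^[0-9]+$/ { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }'
}

# $1: file listing declared daemon paths (e.g. saved from declared_daemons);
# stdin: `ps -u root` output. Prints every declared path that matches no
# running root command, either exactly or as the command followed by
# arguments, i.e. a daemon launchd is configured to start that is not up.
not_running_as_root() {
    root_commands | awk -v declared="$1" '
        { running[NR] = $0 }
        END {
            while ((getline d < declared) > 0) {
                found = 0
                for (i in running)
                    if (running[i] == d || index(running[i], d " ") == 1)
                        found = 1
                if (!found) print d
            }
        }'
}

# Typical use on a live Mac (not executed when this file is sourced):
#   declared_daemons > /tmp/declared.txt
#   ps -u root | not_running_as_root /tmp/declared.txt
```

Paths that appear in the ps output but in no plist are the other half of the audit; running root_commands alone and diffing against the declared list covers that direction.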
Linked Entities
- CVE-2020-14977