Security analysts have recently revisited a historical class of macOS vulnerability, NULL pointer dereferences in the kernel, which once allowed attackers to execute arbitrary code with kernel privileges.
Despite modern systems having robust mitigations, understanding these historical attack vectors provides valuable insights into Apple’s security evolution.
NULL pointer dereferences occur when code dereferences a pointer whose value is zero and so accesses memory at address zero; normally nothing is mapped there, the access faults, and the program or kernel crashes.
In older macOS versions, however, attackers discovered they could map memory at this location and place malicious code there.
When the kernel accessed this location, instead of crashing, it would execute the attacker’s code with full system privileges.
A classic example of this type of vulnerability was demonstrated in a 2015 exploit called “tpwn” targeting OS X Yosemite, developed by researcher Luca Todesco.
The exploit combined a NULL pointer dereference in IOKit with an information leak to achieve root privileges, bypassing several security mechanisms of the time.
These vulnerabilities were particularly dangerous because they allowed a transition from ordinary user privileges to full kernel access.
The kernel would read a function pointer from the attacker-mapped NULL page and call it as if it were a valid kernel function, executing the attacker's code instead.
Cybersecurity researchers at Afine noted that the exploit process typically involved several specific steps, including first mapping the NULL page in memory.
This could be accomplished in 32-bit processes with special linker flags that disabled the page-zero reservation:
// clang -o poc poc.c -framework IOKit -m32 -pagezero_size 0x0
Modern Mitigations Render Exploits Nearly Impossible
On contemporary macOS systems, especially those running on Apple Silicon, multiple layers of defense prevent exploitation of NULL pointer dereferences.
The Mach-O executable format reserves the first 4GB of address space through the __PAGEZERO segment, making it impossible for applications to allocate memory at address zero.
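The __PAGEZERO reservation is something a defender can verify directly in a binary's load commands. The following C program is an added example, not code from the article or from the researchers it cites: it walks the load commands of a 64-bit Mach-O header and reports the vmsize of the __PAGEZERO segment, returning 0 when the segment is missing or empty (what a build without the reservation produces) and -1 on a malformed header. The Mach-O images it checks are constructed in memory by the hypothetical build_sample() helper, so it runs anywhere; the constants (MH_MAGIC_64, LC_SEGMENT_64, CPU_TYPE_ARM64, MH_EXECUTE) are the real Mach-O values. Fields are read in host byte order, which matches Mach-O on x86-64 and arm64.

```c
/* Report the __PAGEZERO reservation of a 64-bit Mach-O image.
 * Added example; not from the original article. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64    0xfeedfacfu
#define LC_SEGMENT_64  0x19u
#define MH64_HDR_SIZE  32u   /* sizeof(struct mach_header_64) */
#define SEG64_CMD_SIZE 72u   /* sizeof(struct segment_command_64) */

/* Unaligned little-endian reads (host order: x86-64/arm64 Mach-O is LE). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Returns __PAGEZERO vmsize, 0 if the segment is absent or zero-sized,
 * -1 if the header is not a sane 64-bit Mach-O. Every offset is bounds
 * checked so a truncated or hostile file cannot push reads past the buffer. */
long long pagezero_size(const uint8_t *buf, size_t len)
{
    if (len < MH64_HDR_SIZE || rd32(buf) != MH_MAGIC_64)
        return -1;
    uint32_t ncmds = rd32(buf + 16), sizeofcmds = rd32(buf + 20);
    if ((uint64_t)MH64_HDR_SIZE + sizeofcmds > len)
        return -1;
    size_t off = MH64_HDR_SIZE, end = MH64_HDR_SIZE + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (off + 8 > end) return -1;
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || off + cmdsize > end) return -1;
        if (cmd == LC_SEGMENT_64 && cmdsize >= SEG64_CMD_SIZE) {
            char segname[17] = {0};           /* segname is 16 bytes, not NUL-terminated */
            memcpy(segname, buf + off + 8, 16);
            if (strcmp(segname, "__PAGEZERO") == 0)
                return (long long)rd64(buf + off + 32);   /* vmsize field */
        }
        off += cmdsize;
    }
    return 0;
}

/* Constructed header-only Mach-O image for the demo (not a real binary):
 * an optional __PAGEZERO segment followed by a __TEXT segment.
 * Returns bytes written, 0 if the buffer is too small. */
size_t build_sample(uint8_t *out, size_t cap, int with_pagezero, uint64_t pz_size)
{
    uint32_t ncmds = with_pagezero ? 2u : 1u;
    size_t need = MH64_HDR_SIZE + ncmds * SEG64_CMD_SIZE;
    if (cap < need) return 0;
    memset(out, 0, need);
    uint32_t hdr[8] = { MH_MAGIC_64, 0x0100000cu /* CPU_TYPE_ARM64 */, 0,
                        2u /* MH_EXECUTE */, ncmds, ncmds * SEG64_CMD_SIZE, 0, 0 };
    memcpy(out, hdr, sizeof hdr);
    uint32_t seg[2] = { LC_SEGMENT_64, SEG64_CMD_SIZE };
    size_t off = MH64_HDR_SIZE;
    if (with_pagezero) {
        memcpy(out + off, seg, 8);
        memcpy(out + off + 8, "__PAGEZERO", 10);
        memcpy(out + off + 32, &pz_size, 8);   /* vmsize; vmaddr stays 0 */
        off += SEG64_CMD_SIZE;
    }
    memcpy(out + off, seg, 8);
    memcpy(out + off + 8, "__TEXT", 6);
    memcpy(out + off + 24, &pz_size, 8);       /* __TEXT vmaddr starts after page zero */
    return need;
}

/* Image linked normally: a 4 GiB __PAGEZERO, so address 0 can never be mapped. */
long long demo_protected(void)
{
    uint8_t img[256];
    size_t n = build_sample(img, sizeof img, 1, 0x100000000ULL);
    return pagezero_size(img, n);
}

/* Image built without the reservation, the layout the old exploit needed. */
long long demo_unprotected(void)
{
    uint8_t img[256];
    size_t n = build_sample(img, sizeof img, 0, 0);
    return pagezero_size(img, n);
}

int main(void)
{
    printf("normal build: __PAGEZERO vmsize = 0x%llx\n", demo_protected());
    printf("no reservation: __PAGEZERO vmsize = 0x%llx (page zero mappable!)\n",
           demo_unprotected());
    return 0;
}
```

On a real macOS system the same information is visible with `otool -l <binary>`, where the `__PAGEZERO` segment of a 64-bit executable should show a vmsize of 0x100000000; a binary whose `__PAGEZERO` is missing or zero-sized is worth a closer look.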
Hardware protections have also significantly evolved. ARM64 processors implement Privileged Execute Never (PXN) and Privileged Access Never (PAN) technologies that prevent the kernel from executing or accessing user-space memory without explicit intent.
Even if an attacker somehow redirected execution to address zero, the hardware would immediately detect and prevent this behavior.
Perhaps most importantly, Apple’s implementation of Pointer Authentication Codes (PAC) in modern ARM64e architecture adds cryptographic signatures to pointers that are verified upon use.
Any attempt to manipulate function pointers would fail authentication, causing the system to safely terminate rather than execute malicious code.
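The PAC check described above, and the earlier point about the kernel calling a function pointer read from the NULL page, can be illustrated with a small model. The C program below is an added example and is not Apple's implementation (real PAC uses a hardware cipher and keys held in system registers that software never reads): a keyed hash of the pointer and a context value is truncated into the unused top 16 bits of a 64-bit pointer, the way arm64e stores the signature. The pac_sign(), pac_auth() and dispatch() functions, the driver_ops structure and the constant PAC_KEY are all assumptions of the demo. It shows a legitimately signed handler being called, a raw zero in the handler field (the value the historical NULL-page trick relied on) being refused, and a signed pointer with a flipped signature bit being refused.

```c
/* Toy model of pointer authentication for kernel function pointers.
 * Added illustration, not Apple's PAC implementation. */
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Constant key so the demo is deterministic; a real key is per boot. */
static const uint64_t PAC_KEY = 0x0123456789abcdefULL;

#define PAC_SHIFT 48
#define PTR_MASK  ((1ULL << PAC_SHIFT) - 1)

/* Toy keyed MAC over (pointer, context): FNV-1a style mixing plus a
 * finalizer. Illustrative only, not a cryptographic MAC. */
static uint64_t pac_mac(uint64_t key, uint64_t ptr, uint64_t context)
{
    uint64_t h = key ^ 0xcbf29ce484222325ULL;
    uint64_t in[2] = { ptr, context };
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 8; b++) {
            h ^= (in[i] >> (8 * b)) & 0xff;
            h *= 0x100000001b3ULL;
        }
    h ^= h >> 33; h *= 0xff51afd7ed558ccdULL; h ^= h >> 33;
    return h;
}

/* 16-bit tag. Bit 15 is forced on so a raw, never-signed value (top bits
 * zero, e.g. NULL or a plain pointer written by an attacker) can never
 * authenticate; a simplification that keeps the demo deterministic. */
static uint64_t pac_tag(uint64_t ptr, uint64_t context)
{
    return (pac_mac(PAC_KEY, ptr, context) >> 48) | 0x8000ULL;
}

/* Sign a pointer under a context ("modifier"); here the address of the
 * field storing it, which binds the value to that location. */
uint64_t pac_sign(uint64_t ptr, uint64_t context)
{
    ptr &= PTR_MASK;
    return ptr | (pac_tag(ptr, context) << PAC_SHIFT);
}

/* Authenticate: recompute and compare. Returns 1 and the stripped pointer
 * on success, 0 on failure (where the hardware would trap instead). */
int pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out)
{
    uint64_t ptr = signed_ptr & PTR_MASK;
    if ((signed_ptr >> PAC_SHIFT) != pac_tag(ptr, context))
        return 0;
    *out = ptr;
    return 1;
}

/* Driver-style object whose dispatch handler is stored signed. */
struct driver_ops { uint64_t signed_handler; };

static int real_handler(int x) { return x * 2; }

/* Dispatch as a PAC-hardened kernel does: authenticate, then call.
 * Returns -1 when authentication fails, so no indirect call happens. */
int dispatch(struct driver_ops *ops, int arg)
{
    uint64_t fn;
    uint64_t ctx = (uint64_t)(uintptr_t)&ops->signed_handler;
    if (!pac_auth(ops->signed_handler, ctx, &fn))
        return -1;
    return ((handler_fn)(uintptr_t)fn)(arg);
}

/* Legitimately signed handler: authentication passes and it runs. */
int demo_legit(void)
{
    struct driver_ops ops;
    ops.signed_handler = pac_sign((uint64_t)(uintptr_t)real_handler,
                                  (uint64_t)(uintptr_t)&ops.signed_handler);
    return dispatch(&ops, 21);   /* 42 */
}

/* Raw zero in the field: no valid signature, so address 0 is never called. */
int demo_null(void)
{
    struct driver_ops ops = { 0 };
    return dispatch(&ops, 21);   /* -1 */
}

/* A valid signed pointer with one signature bit flipped also fails. */
int demo_tampered(void)
{
    struct driver_ops ops;
    ops.signed_handler = pac_sign((uint64_t)(uintptr_t)real_handler,
                                  (uint64_t)(uintptr_t)&ops.signed_handler);
    ops.signed_handler ^= 1ULL << 63;
    return dispatch(&ops, 21);   /* -1 */
}

int main(void)
{
    printf("legit=%d null=%d tampered=%d\n", demo_legit(), demo_null(), demo_tampered());
    return 0;
}
```

The point of the model is the order of operations in dispatch(): the signature is checked before any indirect call, so a pointer the kernel never signed, whether a zero left by a NULL-page mapping or a value planted by a memory-corruption write, is rejected without ever being executed, which is why such bugs degrade to a crash on arm64e.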
While historical examples demonstrate how NULL dereferences were once powerful attack vectors, Apple has effectively mitigated these vulnerabilities through comprehensive security controls.
Today, such bugs are classified merely as denial-of-service issues rather than code execution vulnerabilities, reflecting their significantly reduced threat level on modern macOS systems.