XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication, is a framework for communication between processes on macOS and iOS. XPC provides a mechanism for making safe, asynchronous method calls between different processes on the system. It's a part of Apple's security paradigm, allowing for the creation of privilege-separated applications where each component runs with only the permissions it needs to do its job, thereby limiting the potential damage from a compromised process.
XPC uses a form of Inter-Process Communication (IPC), which is a set of methods for different programs running on the same system to send data back and forth.
The primary benefits of XPC include:
Security: By separating work into different processes, each process can be granted only the permissions it needs. This means that even if a process is compromised, it has limited ability to do harm.
Stability: XPC helps isolate crashes to the component where they occur. If a process crashes, it can be restarted without affecting the rest of the system.
Performance: XPC allows for easy concurrency, as different tasks can be run simultaneously in different processes.
The only drawback is that separating an application in several processes making them communicate via XPC is less efficient. But in todays systems this isn't almost noticeable and the benefits are better.
Application Specific XPC services
The XPC components of an application are inside the application itself. For example, in Safari you can find them in /Applications/Safari.app/Contents/XPCServices. They have extension .xpc (like com.apple.Safari.SandboxBroker.xpc) and are also bundles with the main binary inside of it: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker and an Info.plist: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/Info.plist
As you might be thinking a XPC component will have different entitlements and privileges than the other XPC components or the main app binary. EXCEPT if a XPC service is configured with JoinExistingSession set to “True” in its Info.plist file. In this case, the XPC service will run in the same security session as the application that called it.
XPC services are started by launchd when required and shut down once all tasks are complete to free system resources. Application-specific XPC components can only be utilized by the application, thereby reducing the risk associated with potential vulnerabilities.
System Wide XPC services
System-wide XPC services are accessible to all users. These services, either launchd or Mach-type, need to be defined in plist files located in specified directories such as /System/Library/LaunchDaemons, /Library/LaunchDaemons, /System/Library/LaunchAgents, or /Library/LaunchAgents.
These plists files will have a key called MachServices with the name of the service, and a key called Program with the path to the binary:
The ones in LaunchDameons are run by root. So if an unprivileged process can talk with one of these it could be able to escalate privileges.
XPC Event Messages
Applications can subscribe to different event messages, enabling them to be initiated on-demand when such events happen. The setup for these services is done in launchd plist files, located in the same directories as the previous ones and containing an extra LaunchEvent key.
XPC Connecting Process Check
When a process tries to call a method from via an XPC connection, the XPC service should check if that process is allowed to connect. Here are the common ways to check that and the common pitfalls:
Apple also allows apps to configure some rights and how to get them so if the calling process have them it would be allowed to call a method from the XPC service:
To sniff the XPC messages you could use xpcspy which uses Frida.
# Installpip3installxpcspypip3installxpcspy--no-deps# To not make xpcspy install Frida 15 and downgrade your Frida installation# Start sniffingxpcspy-U-r-W<bundle-id>## Using filters (i: for input, o: for output)xpcspy-U<prog-name>-t'i:com.apple.*'-t'o:com.apple.*'-r
# Compile the server & clientgccxpc_server.c-oxpc_servergccxpc_client.c-oxpc_client# Save server on it's locationcpxpc_server/tmp# Load daemonsudocpxyz.hacktricks.service.plist/Library/LaunchDaemonssudolaunchctlload/Library/LaunchDaemons/xyz.hacktricks.service.plist# Call client./xpc_client# Cleansudolaunchctlunload/Library/LaunchDaemons/xyz.hacktricks.service.plistsudorm/Library/LaunchDaemons/xyz.hacktricks.service.plist/tmp/xpc_server
# Compile the server & clientgcc-frameworkFoundationoc_xpc_server.m-ooc_xpc_servergcc-frameworkFoundationoc_xpc_client.m-ooc_xpc_client# Save server on it's locationcpoc_xpc_server/tmp# Load daemonsudocpxyz.hacktricks.svcoc.plist/Library/LaunchDaemonssudolaunchctlload/Library/LaunchDaemons/xyz.hacktricks.svcoc.plist# Call client./oc_xpc_client# Cleansudolaunchctlunload/Library/LaunchDaemons/xyz.hacktricks.svcoc.plistsudorm/Library/LaunchDaemons/xyz.hacktricks.svcoc.plist/tmp/oc_xpc_server