KeySteal is a macOS <= 10.14.3 Keychain exploit that allows you to access passwords inside the Keychain without a user prompt.
KeySteal consists of two parts:
- KeySteal Daemon: This is a daemon that exploits securityd to get a session that is allowed to access the Keychain without a password prompt.
- KeySteal Client: This is a library that can be injected into Apps. It will automatically apply a patch that forces the Security Framework to use the session of our keysteal daemon.
- Open the KeySteal Xcode Project
- Build the keystealDaemon and keystealClient
- Open the directory which contains the built daemon and client (right cick on keystealDaemon -> Open in Finder)
- Run dump-keychain.sh
Add a link to my talk about this vulnerability at Objective by the Sea
For most files, see LICENSE.txt.
The following files were taken (or generated) from Security-58286.220.15 and are under the Apple Public Source License:
- handletypes.h
- ss_types.h
- ucsp_types.h
- ucsp.hpp
- ucspUser.cpp
A copy of the Apple Public Source License can be found here.