AirBorne: Wormable zero-click remote code execution (RCE) in AirPlay protocol

https://www.oligo.security/blog/airborne

130•throw0101a•9mo ago

Comments

throw0101a•9mo ago

CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,

* https://support.apple.com/en-ca/122374

Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.

john_alan•9mo ago

Heya, is it possible to detect the worm on iOS / macOS? Does the fix in latest OS just remove the worm if unknowingly infected?

Reads like a zero click infection leading to arbitrary execution of long running code.

Seems fairly insidious?

abhisek•9mo ago

Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on MacOS. This is inspite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes

https://security.apple.com/blog/towards-the-next-generation-...

hammock•9mo ago

On ASLR: you might use the UAF to access memory regions you shouldn’t have access to. By reading the contents, they can potentially leak pointers to a critical library (e.g., libc), allowing them to calculate the offsets to bypass ASLR.

On heap protection: if you spray the heap with predictable data patterns you can improve your chance of landing a useful address, even with ASLR in place

RainyDayTmrw•9mo ago

I understand heap sprays in theory. In practice, how do they avoid clobbering something important and crashing the app? It seems like a typical app has a lot of state to clobber.

xyzzy123•9mo ago

The writes for a spray are pre exploit, you are going through an allocator to get the space you're writing to. Put another way, its the apps job to write the spray into "free space".

Sprays are pretty crashy but the heap setup is not usually the problem, its that the pointer you want to control "missed" the sprayed area.

rubatuga•9mo ago

Good thing I'm still on macOS 12

slama•9mo ago

macOS 12 is EOL and is no longer receiving security updates.

There’s a strong chance it’s vulnerable, too

m463•9mo ago

macos is pretty promiscuous, and I've noticed random airplay displays (like the neighbors) showing up in the mirroring dropdown in the dock.

wonder if this is a way to get into the stack.

greyadept•9mo ago

This behaviour always made me feel a bit suspicious about airplay but I reassured myself that Apple surely had it locked down. But these 17 CVEs show that my trust was misplaced.

Roguelazer•9mo ago

Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.

Mindwipe•9mo ago

Apple have reworked Airplay so many times at this point the entire thing is just a massive pile of technical debt piled on another massive pile of technical debt, piled on a bunch of weird hacks to try and keep all the devices built for previous versions afloat.

walterbell•9mo ago

At least it can be disabled via MDM/Configurator policy.

bigyabai•9mo ago

To the express benefit of all 3 Apple users that configure their devices with a PList editor.

walterbell•9mo ago

The breaches will continue until device policy improves.

bigyabai•9mo ago

Three cheers for smart defaults!

RainyDayTmrw•9mo ago

Oof. It's parsing and memory corruption again.

pjmlp•9mo ago

Basically a collection of use-after-free, stack-based buffer overflow, type confusion, memory exhaustion, integer overflow, NULL pointer dereference, for the most part.

However we all know that the problem is that juniors and interns are the ones that get to write this code, a senior with proper education would never deliver these mistakes into production. /s

hoseja•9mo ago

Thankfully, the borrow checker will protect you from delivering anything at all.

paulddraper•9mo ago

Zero-click local network RCE on macOS: 102 points

Article titled "Someone At YouTube Needs Glasses" about YouTube layout: 837 points and rising

Hacker News my a*s

waterTanuki•9mo ago

The most important question remains unanswered: would Rust have prevented this?

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton