AirBorne: Wormable zero-click remote code execution (RCE) in AirPlay protocol

https://www.oligo.security/blog/airborne

70•throw0101a•14h ago

Comments

throw0101a•13h ago

CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,

* https://support.apple.com/en-ca/122374

Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.

abhisek•10h ago

Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on MacOS. This is inspite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes

https://security.apple.com/blog/towards-the-next-generation-...

hammock•6h ago

On ASLR: you might use the UAF to access memory regions you shouldn’t have access to. By reading the contents, they can potentially leak pointers to a critical library (e.g., libc), allowing them to calculate the offsets to bypass ASLR.

On heap protection: if you spray the heap with predictable data patterns you can improve your chance of landing a useful address, even with ASLR in place

rubatuga•7h ago

Good thing I'm still on macOS 12

slama•5h ago

macOS 12 is EOL and is no longer receiving security updates.

There’s a strong chance it’s vulnerable, too

m463•4h ago

macos is pretty promiscuous, and I've noticed random airplay displays (like the neighbors) showing up in the mirroring dropdown in the dock.

wonder if this is a way to get into the stack.

Roguelazer•2h ago

Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.

Jepsen: Amazon RDS for PostgreSQL 17.4

Chain of Recursive Thoughts: Make AI think harder by making it argue with itself

I use zip bombs to protect my server

Bamba: An open-source LLM that crosses a transformer with an SSM

An illustrated guide to automatic sparse differentiation

Path Isn't Real on Linux

Everything we announced at our first LlamaCon

Only Teslas exempt from new auto tariffs thanks to 85% domestic content rule

It's School time: Adventures in hacking an old Kindle

Performance optimization is hard because it's fundamentally a brute-force task

Show HN: Beatsync – perfect audio sync across multiple devices

WorldGen: Open-source 3D scene generator for Game/VR/XR

Programming languages should have a tree traversal primitive

ArkFlow: High-performance Rust stream processing engine

Show HN: A Chrome extension that will auto-reject non-essential cookies

Show HN: An MCP server for understanding AWS costs

Modern Realty (YC S24) Is Hiring

Show HN: I build a Fantasy NHL app in 3 days with Claude AI

Firefox tab groups are here

O3 beats a master-level GeoGuessr player, even with fake EXIF data

Finding paths of least action with gradient descent (2023)

China's Clinical Trial Boom

Waymo and Toyota outline partnership to advance autonomous driving deployment

Show HN: An interactive demo of QR codes' error correction

Show HN: AgenticSeek – Self-hosted alternative to cloud-based AI tools

Indian court orders blocking of Proton Mail

LibreLingo – FOSS Alternative to Duolingo

Show HN: Flowcode – Turing-complete visual programming platform

Princeton Engineering Anomalies Research (2010)

The last masters of Afro-Colombian machete fencing