CrashOne - A Starbucks Story - CVE-2025-24277
On a cold autumn day in Budapest in 2024, I met independent security researcher Gergely Kalman at a local Starbucks to swap ideas, dead ends, and updates on our research. Over coffee, we started talking about crash logs, and that’s when we stumbled onto something big.
This article explains how that thread led to CVE-2025-24277: a sandbox escape and local privilege escalation in the osanalyticshelperd process that allows a standard user to gain root on macOS. We worked through several technical obstacles to build a reliable exploit, and we presented the results at Hexacon and Objective By The Sea.
osanalyticshelperd
The osanalyticshelperd process generates crash reports when a process crashes. It is invoked by ReportCrash, runs as root, and is heavily sandboxed. Even so, we were able to abuse its report-writing behavior to escalate from a standard user to root.
The Wall
The osanalyticshelperd process is responsible for generating crash logs when an application crashes. It runs as root and produces logs for all processes, including those running at the user level. Crash reports for system processes are written to /Library/Logs/DiagnosticReports/