SlideShare a Scribd company logo

macOS Vulnerabilities Hiding in Plain Sight

C
Csaba Fitzl

Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don’t notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems. In this talk I will cover three macOS vulnerabilities that I found while reading the writeup of other vulnerabilities, where some of them were public for over four years. I also only spotted them after multiple reads, and once found I realized that it was right there in front of us every single time. In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability is the disk arbitration service. What I found that the same logic flaw was present in another part of he code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape. In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors and after reading through the patch for the ~20st time, I spotted a new privilege escalation possibility. In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me, that not only possible to bypass the new patch but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.

Technology
1 of 43
Download to read offline
macOS Vulnerabilities Hiding in Plain Sight Csaba Fitzl Twitter: @theevilbit
whoami • lead content developer of "macOS Control Bypasses" @ Offensive Security • macOS bug hunter • ex red/blue teamer • husband, father • hiking, trail running 🥾 🏔 🏃
Agenda • Intro • CVE-2021-1815 - macOS local privilege escalation via Preferences • CVE-2021-30972 - TCC bypass • CVE-2022-32780 - Sandbox escape via disk arbitration • for each CVE: • technical background • original vulnerability and exploit • new vulnerability and exploit
INTRO • "can't see the forest for the trees" • we are so focused on something, that we can easily miss some details • rush in reading stuff online
INTRO • I tend to read the same articles again and again • I found three vulnerabilities in published writeups • not for the fi rst read, but probably 10th, 20th or even 30th
CVE-2021-1815 - macOS local privilege escalation via Preferences
cfprefsd • core foundation preferences daemon • sets/stores and retrieves preferences for apps • 2 instances: user, system • interact: Preferences API or direct XPC ()
original vulnerability • pwn2own 2020 - 6 step exploit chain to pwn macOS (Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim) • LPE via cfprefsd • allowed change ownership of arbitrary folder
original exploit • race with symlink • change ownership of /etc/pam.d • update sudo pam con fi g • get root without password
Apple's fi x • reversed by the pwn2own team • ensures symlinks are no longer followed (O_NOFOLLOW)
the issue • although the symlink issue is solved • a directory is still created • and ownership set • ==> we can create a directory anywhere and set the user as the owner
exploit method #1 • periodic scripts: executed daily/weekly/ monthly • con fi g: /etc/defaults/periodic.conf • the "local" directory is empty by default • won't work beyond 11.5 (see: https:// theevilbit.github.io/beyond/ beyond_0019/) • slow :( getting root can take up to a day
demo
exploit method #2 • sysdiagnose runs as root • it executes binaries from /usr/local/bin (doesn't exists by default) • some of these have been remediated because of homebrew • not perfect - depends on user trigger: • Feedback Assistant • manually invoke • keyboard shortcut: Command + Option + Shift+ Control + Period (.)
CVE-2021-30972 - TCC bypass
TCC • security feature to control access to privacy related resources • sqlite3 database (except: private entitlements, macl extended attribute) - (~)/Library/Application Support/com.apple.TCC/TCC.db • for more: talk (20+ Ways to Bypass Your macOS Privacy Mechanisms), posts by Wojciech Regula and myself
CVE-2021-30713 - TCC bypass by XCSSET Source: JAMF • XCSSET malware TCC bypass 0day • discovered by JAMF • malicious app is hosted inside a bundle, which has TCC permissions • macOS wrongly identi fi es the bundle (hint!!!)
CVE-2021-30798 - TCC Bypass Again, Inspired By XCSSET • found by Mickey Jin • TCC db contains only bundle ID • simply fake the bundle ID in the app • system performs code sign check on the real bundle (hint!!!)
problem? • the TCC.db does store the csreq info • none of the fake processes had proper code signature • the bypass in both cases was possible because: binaries on disk were veri fi ed • WUT???? • on macOS: you can modify app binaries on disk even when they run (unlike in Windows)
elsewhere? • in every other case*, code signature is veri fi ed in memory • *except GateKeeper/am fi d when the app is launched, because there is no process yet • XPC / Mach connections • should use audit token • even PID is insecure • on-disk? not even an option 🤣 • in-memory integrity check by AMFI
CVE-2021-30972 - TCC bypass again 1. Make a fake app with the same bundle ID and name as the one we want to impersonate, and place it in an arbitrary location 2. Start the app 3. Copy the original app over the fake app 4. Initiate an action which requires privacy permissions 5. TCC is bypassed, with inheriting the original app's rights
CVE-2021-30972 - Wojciech's version 1. Make a fake app, and embed in a "donor" app (use the same team ID) 2. Start the app 3. Copy the donor app over the embedded app 4. Initiate an action which requires privacy permissions 5. TCC is bypassed, with inheriting the donor's rights
demo
fi x • fi nally dynamic code signature is veri fi ed
CVE-2022-32780 - Sandbox escape via Disk Arbitration
diskarbitration - the basics • system wide service, de fi ned in: • /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist • XPC: com.apple.DiskArbitration.diskarbitrationd • manage disk mounting, unmounting • calls mount/unmount system calls under the hood
diskarbitration - why we like it? • runs as root • unsandboxed • XPC service accessible from application sandbox • opensource
CVE-2017-2533 - LPE via diskarbitrationd • used by phoenhex team in pwn2own 2017 • DA: • resolves path -> checks if the user has rights to mount over directory • no more checks later • resolves path -> mounting • TOCTOU bug, race condition • exploit: mount the EFI (admin writeable) partition over crontabs
CVE-2022-32780 • not exactly hidden • Apple moved the check into DAServer.c - "_DAServerSessionQueueRequest" • extra check for the sandbox
CVE-2022-32780 - old vs new
CVE-2022-32780 - Testing
CVE-2022-32780 - Testing
CVE-2022-32780 - exploitation • what to mount? • EFI won't work (can't mount + not reachable from sandbox) • custom dmg! • how? DA works on /dev, diskmanagementd (can map dmg into / dev/) is not reachable from sandbox • 💡use "open" • we can unmount, /dev/ remains
CVE-2022-32780 - exploitation • where to mount? • Terminal Preferences • ~/Library/Preferences/ com.apple.Terminal.plist • "CommandString" executed upon launch
CVE-2022-32780 - full exploit 1. Drops a `dmg` fi le 2. It will call `open` to open a `dmg` fi le 3. Then it will use the diskarbitration service to unmount it --> at this point we have a custom disk device we can mount somewhere 4. It will start a thread to alternate the symlink and the directory 5. Then it will start a loop to call the mount operation of the DA service - due to the racer it will eventually succeed • we also always unmount the local directory, as we don't need that 6. It will check if we mounted over `Preferences`, and if yes stop 7. Open Terminal
demo
conclusion
conclusion • it's worth to read write-ups carefully • it's worth revisiting old docs, notes, code • it's worth to slow down
Csaba Fitzl Twitter: @theevilbit
Icons • fl aticon.com • xnimrodx • Freepik

Recommended

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfCsaba Fitzl
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To KerberosIshan A B Ambanwela
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Android Task Hijacking
Android Task HijackingAndroid Task Hijacking
Android Task HijackingPositive Hack Days
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdfBhashit Pandya
 

Recommended

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfCsaba Fitzl
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To KerberosIshan A B Ambanwela
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Android Task Hijacking
Android Task HijackingAndroid Task Hijacking
Android Task HijackingPositive Hack Days
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdfBhashit Pandya
 
Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsBinu Ramakrishnan
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Fallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWSFallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWSRaffaele Di Fazio
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDeep Shankar Yadav
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLuke Marsden
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 

More Related Content

What's hot

Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsBinu Ramakrishnan
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Fallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWSFallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWSRaffaele Di Fazio
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDeep Shankar Yadav
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLuke Marsden
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 

What's hot (20)

Securing application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environmentsSecuring application deployments in multi-tenant CI/CD environments
Securing application deployments in multi-tenant CI/CD environments
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Fallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWSFallacies of distributed computing with Kubernetes on AWS
Fallacies of distributed computing with Kubernetes on AWS
 
Secure code
Secure codeSecure code
Secure code
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker Containers
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service Mesh
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 

Similar to macOS Vulnerabilities Hiding in Plain Sight

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andAlisa Esage Шевченко
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionDefconRussia
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Operating Docker
Operating DockerOperating Docker
Operating DockerJen Andre
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxbriancrawford30935
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCFVMware Tanzu
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCFDustin Ruehle
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 

Similar to macOS Vulnerabilities Hiding in Plain Sight (20)

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 

More from Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints OverviewCsaba Fitzl
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luCsaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 

More from Csaba Fitzl (8)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Recently uploaded

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

macOS Vulnerabilities Hiding in Plain Sight

  • 1. macOS Vulnerabilities Hiding in Plain Sight Csaba Fitzl Twitter: @theevilbit
  • 2. whoami • lead content developer of "macOS Control Bypasses" @ Offensive Security • macOS bug hunter • ex red/blue teamer • husband, father • hiking, trail running 🥾 🏔 🏃
  • 3. Agenda • Intro • CVE-2021-1815 - macOS local privilege escalation via Preferences • CVE-2021-30972 - TCC bypass • CVE-2022-32780 - Sandbox escape via disk arbitration • for each CVE: • technical background • original vulnerability and exploit • new vulnerability and exploit
  • 4. INTRO • "can't see the forest for the trees" • we are so focused on something, that we can easily miss some details • rush in reading stuff online
  • 5. INTRO • I tend to read the same articles again and again • I found three vulnerabilities in published writeups • not for the fi rst read, but probably 10th, 20th or even 30th
  • 6. CVE-2021-1815 - macOS local privilege escalation via Preferences
  • 7. cfprefsd • core foundation preferences daemon • sets/stores and retrieves preferences for apps • 2 instances: user, system • interact: Preferences API or direct XPC ()
  • 8. original vulnerability • pwn2own 2020 - 6 step exploit chain to pwn macOS (Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim) • LPE via cfprefsd • allowed change ownership of arbitrary folder
  • 9. original exploit • race with symlink • change ownership of /etc/pam.d • update sudo pam con fi g • get root without password
  • 10. Apple's fi x • reversed by the pwn2own team • ensures symlinks are no longer followed (O_NOFOLLOW)
  • 11. the issue • although the symlink issue is solved • a directory is still created • and ownership set • ==> we can create a directory anywhere and set the user as the owner
  • 12. exploit method #1 • periodic scripts: executed daily/weekly/ monthly • con fi g: /etc/defaults/periodic.conf • the "local" directory is empty by default • won't work beyond 11.5 (see: https:// theevilbit.github.io/beyond/ beyond_0019/) • slow :( getting root can take up to a day
  • 13. demo
  • 14.
  • 15. exploit method #2 • sysdiagnose runs as root • it executes binaries from /usr/local/bin (doesn't exists by default) • some of these have been remediated because of homebrew • not perfect - depends on user trigger: • Feedback Assistant • manually invoke • keyboard shortcut: Command + Option + Shift+ Control + Period (.)
  • 17. TCC • security feature to control access to privacy related resources • sqlite3 database (except: private entitlements, macl extended attribute) - (~)/Library/Application Support/com.apple.TCC/TCC.db • for more: talk (20+ Ways to Bypass Your macOS Privacy Mechanisms), posts by Wojciech Regula and myself
  • 18. CVE-2021-30713 - TCC bypass by XCSSET Source: JAMF • XCSSET malware TCC bypass 0day • discovered by JAMF • malicious app is hosted inside a bundle, which has TCC permissions • macOS wrongly identi fi es the bundle (hint!!!)
  • 19. CVE-2021-30798 - TCC Bypass Again, Inspired By XCSSET • found by Mickey Jin • TCC db contains only bundle ID • simply fake the bundle ID in the app • system performs code sign check on the real bundle (hint!!!)
  • 20. problem? • the TCC.db does store the csreq info • none of the fake processes had proper code signature • the bypass in both cases was possible because: binaries on disk were veri fi ed • WUT???? • on macOS: you can modify app binaries on disk even when they run (unlike in Windows)
  • 21. elsewhere? • in every other case*, code signature is veri fi ed in memory • *except GateKeeper/am fi d when the app is launched, because there is no process yet • XPC / Mach connections • should use audit token • even PID is insecure • on-disk? not even an option 🤣 • in-memory integrity check by AMFI
  • 22. CVE-2021-30972 - TCC bypass again 1. Make a fake app with the same bundle ID and name as the one we want to impersonate, and place it in an arbitrary location 2. Start the app 3. Copy the original app over the fake app 4. Initiate an action which requires privacy permissions 5. TCC is bypassed, with inheriting the original app's rights
  • 23. CVE-2021-30972 - Wojciech's version 1. Make a fake app, and embed in a "donor" app (use the same team ID) 2. Start the app 3. Copy the donor app over the embedded app 4. Initiate an action which requires privacy permissions 5. TCC is bypassed, with inheriting the donor's rights
  • 24. demo
  • 25.
  • 26. fi x • fi nally dynamic code signature is veri fi ed
  • 27. CVE-2022-32780 - Sandbox escape via Disk Arbitration
  • 28. diskarbitration - the basics • system wide service, de fi ned in: • /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist • XPC: com.apple.DiskArbitration.diskarbitrationd • manage disk mounting, unmounting • calls mount/unmount system calls under the hood
  • 29. diskarbitration - why we like it? • runs as root • unsandboxed • XPC service accessible from application sandbox • opensource
  • 30. CVE-2017-2533 - LPE via diskarbitrationd • used by phoenhex team in pwn2own 2017 • DA: • resolves path -> checks if the user has rights to mount over directory • no more checks later • resolves path -> mounting • TOCTOU bug, race condition • exploit: mount the EFI (admin writeable) partition over crontabs
  • 31. CVE-2022-32780 • not exactly hidden • Apple moved the check into DAServer.c - "_DAServerSessionQueueRequest" • extra check for the sandbox
  • 35. CVE-2022-32780 - exploitation • what to mount? • EFI won't work (can't mount + not reachable from sandbox) • custom dmg! • how? DA works on /dev, diskmanagementd (can map dmg into / dev/) is not reachable from sandbox • 💡use "open" • we can unmount, /dev/ remains
  • 36. CVE-2022-32780 - exploitation • where to mount? • Terminal Preferences • ~/Library/Preferences/ com.apple.Terminal.plist • "CommandString" executed upon launch
  • 37. CVE-2022-32780 - full exploit 1. Drops a `dmg` fi le 2. It will call `open` to open a `dmg` fi le 3. Then it will use the diskarbitration service to unmount it --> at this point we have a custom disk device we can mount somewhere 4. It will start a thread to alternate the symlink and the directory 5. Then it will start a loop to call the mount operation of the DA service - due to the racer it will eventually succeed • we also always unmount the local directory, as we don't need that 6. It will check if we mounted over `Preferences`, and if yes stop 7. Open Terminal
  • 38. demo
  • 39.
  • 41. conclusion • it's worth to read write-ups carefully • it's worth revisiting old docs, notes, code • it's worth to slow down