Successfully reported this slideshow.

Exploiting XPC in AntiVirus

2

Share

Loading in …3
×
1 of 58
1 of 58

Exploiting XPC in AntiVirus

2

Share

Download to read offline

In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.

In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Exploiting XPC in AntiVirus

  1. 1. Exploiting XPC in AntiVirus Csaba Fitzl Twitter: @theevilbit Wojciech Reguła Twitter: @_r3ggi
  2. 2. whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger - https://wojciechregula.blog • iOS Security Suite Creator
  3. 3. whoami - Csaba • content developer at Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  4. 4. agenda 1. intro 2. statistics 3. typical issues 4. demos, bugs 5. recommendations for developers 6. the future
  5. 5. intro
  6. 6. Intro • Our XPC background • a lot of XPC bugs in the past • 2 separate talks • it’s time to team up
  7. 7. Intro to XPC Source: „Auditing and Exploiting Apple IPC”, Ian Beer
  8. 8. Intro to XPC • Mach Messages: • Fundamental IPC mechanism for macOS • You can send a message with data, memory or even another port • One receiver and possible multiple senders • Sent messages are placed in a message queue • Similar to POSIX pipes
  9. 9. Intro to XPC • XPC • Built on top of Mach messages • Dictionary based communication • Strongly typed - strings, int64s, uint64s, booleans, dates, UUIDs, data, doubles, arrays • NSXPC • More convenient than Mach Ports and XPC • Objective-C/Swift API for XPC C functions • Send messages that conform your ObjC/Swift protocol • Send serialized Swift objects
  10. 10. statistics
  11. 11. statistics • Sample • 28 AntiVirus software • Tested only those we had access to • 14/28 used XPC for IPC • 14/28 used different IPC methods (mostly sockets or Mach messages) • We assessed only XPC AVs ( ͡ ° ͜ ʖ ͡ °)
  12. 12. typical issues
  13. 13. typical issues 1. No client validation in XPC server 2. Lack of / Broken runtime protections in XPC client 3. Improper runtime protections veri fi cation in XPC server 4. Using insecure process identi fi er (PID) to perform client validation
  14. 14. Privileged XPC server running as root Valid XPC client running as user Malicious application running as user typical issues
  15. 15. 1. No client validation in XPC server Perform privileged action Sure! 👍
  16. 16. 2. Lack of / Broken runtime protections in XPC client Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉
  17. 17. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 Nope, I’m hardened! 🛡
  18. 18. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 OK, In my times there were no runtime protections 👍
  19. 19. 3. Improper runtime protections veri fi cation in XPC server SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” ==
  20. 20. 3. Improper runtime protections veri fi cation in XPC server Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉 Hmm, code signature matches the right one 🤔
  21. 21. 4. Using insecure process identi fi er (PID) to perform client validation Perform privileged action No, your code signature doesn’t meet my requirements 😡
  22. 22. 4. Using insecure process identi fi er (PID) to perform client validation fork() fork() fork()
  23. 23. fork() perform action fork() perform action perform action 🤯 fork()
  24. 24. 🤯 I have to put that action requests on a queue perform action perform action perform action perform action perform action action perform action perform action perform action perform
  25. 25. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform 4. Using insecure process identi fi er (PID) to perform client validation
  26. 26. 4. Using insecure process identi fi er (PID) to perform client validation Change process’ image to the legit executable using posix_spawn()
  27. 27. 1. Get PID from the connection object 2. Create a code object based on that PID 3. Perform signature check 4. isValid() 5. Establish connection or not 4. Using insecure process identi fi er (PID) to perform client validation
  28. 28. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform
  29. 29. fork() perform action fork() perform action perform action fork()
  30. 30. shell time (bugz)
  31. 31. MacKeeper • multiple issues: • uses process ID • missing client "hardening" validation • attack: old MacKeeper client
  32. 32. MacKeeper • LPE - how? • Many exposed NSXPC methods • initializeWithOpenVPNPath: callback: • Exploit: inject to the old client and establish valid NSXPC connection
  33. 33. Intego Mac Security • Multiple issues: • uses process ID • missing client "hardening" validation • Attack: old Intego installer (2014)
  34. 34. Intego Mac Security • Over 10 XPC services • Full AV control • setGlobalProtectionState: authorization:completion Handler: • Attack: inject to the Intego installer and establish valid XPC connection
  35. 35. Avast & AVG • Those AVs share the same XPC codebase • Issue: • missing client "hardening" validation • Attack: Old Avast (2017)
  36. 36. Avast & AVG • Full AV control • sendAvRequest:withAuthorizationData:rights:replyBlock • Exploit: Again 😉 inject to the old Avast and establish valid XPC connection • Requires user to authenticate • … but it’s a legit popup
  37. 37. F-Secure (CVE-2020-14977 & CVE-2020-14978) • multiple issues: • missing client "hardening" validation • uses process ID • attack: pid reuse, old client • authorization limits exposure (client requires: system.privilege.admin) • but, is this popup legit?
  38. 38. ClamXAV (CVE-2020-26893) • multiple issues: • missing client "hardening" validation • uses process ID • attack: old client (ClamXAV2)
  39. 39. ClamXAV (CVE-2020-26893) • LPE - how? • Helper offers useful functions • trashFile, MoveFile 😎 • Control AV • writeSettings 😎 • Exploit: move plist to LaunchDaemons
  40. 40. demo
  41. 41. Acronis • issue: • missing client "hardening" validation • attack: old client (2020) • LPE • executeProcess 😎 • signature of process is veri fi ed, but we can use, old injectable process + DYLD_INSERT_LIBRARIES
  42. 42. demo
  43. 43. recommendations for developers
  44. 44. the client • signed with hardened runtime or library validation • doesn't have any of these entitlements • com.apple.security.cs.disable-library-validation • com.apple.security.get-task-allow • doesn't have script fi les (those are not veri fi ed for code signing on every run)
  45. 45. the XPC service • The client process veri fi cation in the shouldAcceptNewConnection call should verify the the following: 1. The connecting process is signed by valid cert from Apple 2. The connecting process is signed by your team ID 3. (The connecting process is identi fi ed by your bundle ID) 4. The connecting process has a minimum software version, where the fi x has been implemented or it’s hardened against injection attacks. • uses audit_token to identify the client
  46. 46. secure sample • https://github.com/securing/SimpleXPCApp • brought to you by Wojciech
  47. 47. recommendations for users
  48. 48. Shield.app • free and open source app to protect against injection attacks • developed by Csaba • https://github.com/theevilbit/Shield
  49. 49. the future
  50. 50. the future • no secure public API • Apple's sample code is insecure • many AVs used KEXT in the past -> won't work past Big Sur • SEXT - IPC recommendation and sample (not secure) is XPC • vendors have no XPC experience • => vulnerabilities 😎
  51. 51. Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps, Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS, Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws, OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X, Jailbreak Security Summit 2015 • Csaba Fitzl (@theevilbit): XPC exploitation on macOS, Hacktivity 2020
  52. 52. Thank you!

×