SlideShare a Scribd company logo
1 of 58
Download to read offline
Exploiting XPC in AntiVirus
Csaba Fitzl


Twitter: @theevilbit
Wojciech Reguła


Twitter: @_r3ggi
whoami - Wojciech
• Senior IT Security Consultant @ SecuRing


• Focused on iOS/macOS #appsec


• Blogger - https://wojciechregula.blog


• iOS Security Suite Creator
whoami - Csaba
• content developer at Offensive Security


• ex red/blue teamer


• macOS researcher


• husband, father


• hiking 🥾 🏔


• yoga 🧘
agenda
1. intro


2. statistics


3. typical issues


4. demos, bugs


5. recommendations for developers


6. the future
intro
Intro
• Our XPC background


• a lot of XPC bugs in the past


• 2 separate talks


• it’s time to team up
Intro to XPC
Source: „Auditing and Exploiting Apple IPC”, Ian Beer
Intro to XPC
• Mach Messages:


• Fundamental IPC mechanism for macOS


• You can send a message with data, memory or even another port


• One receiver and possible multiple senders


• Sent messages are placed in a message queue


• Similar to POSIX pipes
Intro to XPC
• XPC


• Built on top of Mach messages


• Dictionary based communication


• Strongly typed - strings, int64s, uint64s, booleans, dates, UUIDs, data, doubles, arrays


• NSXPC


• More convenient than Mach Ports and XPC


• Objective-C/Swift API for XPC C functions


• Send messages that conform your ObjC/Swift protocol


• Send serialized Swift objects
statistics
statistics
• Sample


• 28 AntiVirus software


• Tested only those we had access to


• 14/28 used XPC for IPC


• 14/28 used different IPC methods (mostly sockets or Mach messages)


• We assessed only XPC AVs ( ͡
° ͜
ʖ ͡
°)
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
typical issues
typical issues
1. No client validation in XPC server


2. Lack of / Broken runtime protections in XPC client


3. Improper runtime protections veri
fi
cation in XPC server


4. Using insecure process identi
fi
er (PID) to perform client validation
Privileged XPC server running as root
Valid XPC client running as user
Malicious application running as user
typical issues
1. No client validation in XPC server
Perform privileged action
Sure! 👍
2. Lack of / Broken runtime protections in XPC client
Perform privileged action
Sure, you are a trusted app 👍
Inject malicious code 💉
3. Improper runtime protections veri
fi
cation in XPC server
Inject malicious code 💉
Nope, I’m hardened! 🛡
3. Improper runtime protections veri
fi
cation in XPC server
Inject malicious code 💉
OK, In my times there
were no runtime protections 👍
3. Improper runtime protections veri
fi
cation in XPC server
SecRequirement = “anchor apple generic and identi
fi
er
‘com.yourcompany.app’ and certi
fi
cate leaf[subject.OU] =
‘ABCDEFG’”
SecRequirement = “anchor apple generic and identi
fi
er
‘com.yourcompany.app’ and certi
fi
cate leaf[subject.OU] =
‘ABCDEFG’”
==
3. Improper runtime protections veri
fi
cation in XPC server
Perform privileged action
Sure, you are a trusted app 👍
Inject malicious code 💉
Hmm, code
signature matches the
right one 🤔
4. Using insecure process identi
fi
er (PID) to perform client validation
Perform privileged action
No, your code signature doesn’t
meet my requirements 😡
4. Using insecure process identi
fi
er (PID) to perform client validation
fork()
fork()
fork()
fork()
perform action
fork()
perform
action
perform
action
🤯
fork()
🤯
I have to put that action
requests on a queue
perform action
perform action
perform action
perform
action
perform
action
action
perform action
perform action
perform action
perform
pop
Connection 1
PID
Action to perform
Connection 2
PID
Action to perform
…
PID
Action to perform
Connection n
PID
Action to perform
4. Using insecure process identi
fi
er (PID) to perform client validation
4. Using insecure process identi
fi
er (PID) to perform client validation
Change process’ image to the
legit executable using
posix_spawn()
1. Get PID from the connection object


2. Create a code object based on that PID


3. Perform signature check


4. isValid()


5. Establish connection or not
4. Using insecure process identi
fi
er (PID) to perform client validation
pop
Connection 1
PID
Action to perform
Connection 2
PID
Action to perform
…
PID
Action to perform
Connection n
PID
Action to perform
fork()
perform action
fork()
perform
action
perform
action
fork()
shell time (bugz)
MacKeeper
• multiple issues:


• uses process ID


• missing client "hardening"
validation


• attack: old MacKeeper client
MacKeeper
• LPE - how?


• Many exposed NSXPC
methods


• initializeWithOpenVPNPath:
callback:


• Exploit: inject to the old client
and establish valid NSXPC
connection
Exploiting XPC in AntiVirus
Intego Mac Security
• Multiple issues:


• uses process ID


• missing client "hardening"
validation


• Attack: old Intego installer
(2014)
Intego Mac Security
• Over 10 XPC services


• Full AV control


• setGlobalProtectionState:
authorization:completion
Handler:


• Attack: inject to the Intego
installer and establish valid
XPC connection
Exploiting XPC in AntiVirus
Avast & AVG
• Those AVs share the same XPC codebase


• Issue:


• missing client "hardening" validation


• Attack: Old Avast (2017)
Avast & AVG
• Full AV control


• sendAvRequest:withAuthorizationData:rights:replyBlock


• Exploit: Again 😉 inject to the old Avast and establish
valid XPC connection


• Requires user to authenticate


• … but it’s a legit popup
Exploiting XPC in AntiVirus
F-Secure (CVE-2020-14977 & CVE-2020-14978)
• multiple issues:


• missing client "hardening"
validation


• uses process ID


• attack: pid reuse, old client


• authorization limits exposure
(client requires:
system.privilege.admin)


• but, is this popup legit?
ClamXAV (CVE-2020-26893)
• multiple issues:


• missing client "hardening" validation


• uses process ID


• attack: old client (ClamXAV2)
ClamXAV (CVE-2020-26893)
• LPE - how?


• Helper offers useful functions


• trashFile, MoveFile 😎


• Control AV


• writeSettings 😎


• Exploit: move plist to LaunchDaemons
demo
Acronis
• issue:


• missing client "hardening" validation


• attack: old client (2020)


• LPE


• executeProcess 😎


• signature of process is veri
fi
ed, but we can use,
old injectable process +
DYLD_INSERT_LIBRARIES
demo
recommendations for
developers
the client
• signed with hardened runtime or library validation


• doesn't have any of these entitlements


• com.apple.security.cs.disable-library-validation


• com.apple.security.get-task-allow


• doesn't have script
fi
les (those are not veri
fi
ed for code signing on every
run)
the XPC service
• The client process veri
fi
cation in the shouldAcceptNewConnection
call should verify the the following:


1. The connecting process is signed by valid cert from Apple


2. The connecting process is signed by your team ID


3. (The connecting process is identi
fi
ed by your bundle ID)


4. The connecting process has a minimum software version, where the
fi
x has
been implemented or it’s hardened against injection attacks.


• uses audit_token to identify the client
secure sample
• https://github.com/securing/SimpleXPCApp


• brought to you by Wojciech
recommendations for users
Shield.app
• free and open source app to protect
against injection attacks


• developed by Csaba


• https://github.com/theevilbit/Shield
Exploiting XPC in AntiVirus
the future
the future
• no secure public API


• Apple's sample code is insecure


• many AVs used KEXT in the past -> won't work past Big Sur


• SEXT - IPC recommendation and sample (not secure) is XPC


• vendors have no XPC experience


• => vulnerabilities 😎
Further resources
• Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps, Objective
by the Sea v3


• Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS,
Objective by the Sea v3


• Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws,
OffensiveCon 19


• Ian Beer ( @i41nbeer ): A deep-dive into the many
fl
avors of IPC available on OS X,
Jailbreak Security Summit 2015


• Csaba Fitzl (@theevilbit): XPC exploitation on macOS, Hacktivity 2020
Thank you!

More Related Content

What's hot

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Mitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxMitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxwaizuq
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 

What's hot (20)

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Mitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxMitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptx
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 

Similar to Exploiting XPC in AntiVirus

How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfOrtus Solutions, Corp
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Security at Greenhouse
Security at GreenhouseSecurity at Greenhouse
Security at GreenhouseMichael O'Neil
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack ModelsSeniorStoryteller
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkAmmar WK
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 

Similar to Exploiting XPC in AntiVirus (20)

pentest
pentestpentest
pentest
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2   basic hacking tools ncc groupNtxissacsc5 red 1 & 2   basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Security at Greenhouse
Security at GreenhouseSecurity at Greenhouse
Security at Greenhouse
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Security testing
Security testingSecurity testing
Security testing
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 network
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 

More from Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints OverviewCsaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luCsaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 

More from Csaba Fitzl (10)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Recently uploaded

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 

Recently uploaded (20)

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

Exploiting XPC in AntiVirus

  • 1. Exploiting XPC in AntiVirus Csaba Fitzl Twitter: @theevilbit Wojciech Reguła Twitter: @_r3ggi
  • 2. whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger - https://wojciechregula.blog • iOS Security Suite Creator
  • 3. whoami - Csaba • content developer at Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  • 4. agenda 1. intro 2. statistics 3. typical issues 4. demos, bugs 5. recommendations for developers 6. the future
  • 6. Intro • Our XPC background • a lot of XPC bugs in the past • 2 separate talks • it’s time to team up
  • 7. Intro to XPC Source: „Auditing and Exploiting Apple IPC”, Ian Beer
  • 8. Intro to XPC • Mach Messages: • Fundamental IPC mechanism for macOS • You can send a message with data, memory or even another port • One receiver and possible multiple senders • Sent messages are placed in a message queue • Similar to POSIX pipes
  • 9. Intro to XPC • XPC • Built on top of Mach messages • Dictionary based communication • Strongly typed - strings, int64s, uint64s, booleans, dates, UUIDs, data, doubles, arrays • NSXPC • More convenient than Mach Ports and XPC • Objective-C/Swift API for XPC C functions • Send messages that conform your ObjC/Swift protocol • Send serialized Swift objects
  • 11. statistics • Sample • 28 AntiVirus software • Tested only those we had access to • 14/28 used XPC for IPC • 14/28 used different IPC methods (mostly sockets or Mach messages) • We assessed only XPC AVs ( ͡ ° ͜ ʖ ͡ °)
  • 15. typical issues 1. No client validation in XPC server 2. Lack of / Broken runtime protections in XPC client 3. Improper runtime protections veri fi cation in XPC server 4. Using insecure process identi fi er (PID) to perform client validation
  • 16. Privileged XPC server running as root Valid XPC client running as user Malicious application running as user typical issues
  • 17. 1. No client validation in XPC server Perform privileged action Sure! 👍
  • 18. 2. Lack of / Broken runtime protections in XPC client Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉
  • 19. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 Nope, I’m hardened! 🛡
  • 20. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 OK, In my times there were no runtime protections 👍
  • 21. 3. Improper runtime protections veri fi cation in XPC server SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” ==
  • 22. 3. Improper runtime protections veri fi cation in XPC server Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉 Hmm, code signature matches the right one 🤔
  • 23. 4. Using insecure process identi fi er (PID) to perform client validation Perform privileged action No, your code signature doesn’t meet my requirements 😡
  • 24. 4. Using insecure process identi fi er (PID) to perform client validation fork() fork() fork()
  • 26. 🤯 I have to put that action requests on a queue perform action perform action perform action perform action perform action action perform action perform action perform action perform
  • 27. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform 4. Using insecure process identi fi er (PID) to perform client validation
  • 28. 4. Using insecure process identi fi er (PID) to perform client validation Change process’ image to the legit executable using posix_spawn()
  • 29. 1. Get PID from the connection object 2. Create a code object based on that PID 3. Perform signature check 4. isValid() 5. Establish connection or not 4. Using insecure process identi fi er (PID) to perform client validation
  • 30. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform
  • 33. MacKeeper • multiple issues: • uses process ID • missing client "hardening" validation • attack: old MacKeeper client
  • 34. MacKeeper • LPE - how? • Many exposed NSXPC methods • initializeWithOpenVPNPath: callback: • Exploit: inject to the old client and establish valid NSXPC connection
  • 36. Intego Mac Security • Multiple issues: • uses process ID • missing client "hardening" validation • Attack: old Intego installer (2014)
  • 37. Intego Mac Security • Over 10 XPC services • Full AV control • setGlobalProtectionState: authorization:completion Handler: • Attack: inject to the Intego installer and establish valid XPC connection
  • 39. Avast & AVG • Those AVs share the same XPC codebase • Issue: • missing client "hardening" validation • Attack: Old Avast (2017)
  • 40. Avast & AVG • Full AV control • sendAvRequest:withAuthorizationData:rights:replyBlock • Exploit: Again 😉 inject to the old Avast and establish valid XPC connection • Requires user to authenticate • … but it’s a legit popup
  • 42. F-Secure (CVE-2020-14977 & CVE-2020-14978) • multiple issues: • missing client "hardening" validation • uses process ID • attack: pid reuse, old client • authorization limits exposure (client requires: system.privilege.admin) • but, is this popup legit?
  • 43. ClamXAV (CVE-2020-26893) • multiple issues: • missing client "hardening" validation • uses process ID • attack: old client (ClamXAV2)
  • 44. ClamXAV (CVE-2020-26893) • LPE - how? • Helper offers useful functions • trashFile, MoveFile 😎 • Control AV • writeSettings 😎 • Exploit: move plist to LaunchDaemons
  • 45. demo
  • 46. Acronis • issue: • missing client "hardening" validation • attack: old client (2020) • LPE • executeProcess 😎 • signature of process is veri fi ed, but we can use, old injectable process + DYLD_INSERT_LIBRARIES
  • 47. demo
  • 49. the client • signed with hardened runtime or library validation • doesn't have any of these entitlements • com.apple.security.cs.disable-library-validation • com.apple.security.get-task-allow • doesn't have script fi les (those are not veri fi ed for code signing on every run)
  • 50. the XPC service • The client process veri fi cation in the shouldAcceptNewConnection call should verify the the following: 1. The connecting process is signed by valid cert from Apple 2. The connecting process is signed by your team ID 3. (The connecting process is identi fi ed by your bundle ID) 4. The connecting process has a minimum software version, where the fi x has been implemented or it’s hardened against injection attacks. • uses audit_token to identify the client
  • 53. Shield.app • free and open source app to protect against injection attacks • developed by Csaba • https://github.com/theevilbit/Shield
  • 56. the future • no secure public API • Apple's sample code is insecure • many AVs used KEXT in the past -> won't work past Big Sur • SEXT - IPC recommendation and sample (not secure) is XPC • vendors have no XPC experience • => vulnerabilities 😎
  • 57. Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps, Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS, Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws, OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X, Jailbreak Security Summit 2015 • Csaba Fitzl (@theevilbit): XPC exploitation on macOS, Hacktivity 2020