This talk covers how we can exploit applications on macOS (including macOS itself), where some of the directory / file permissions are incorrectly set. The incorrectness of these settings is not trivial at first sight because understanding these permissions are not intuitive. We will see bugs from simple arbitrary overwrites, to file disclosures and privilege escalation. The concepts applicable to *nix based system as well, however this talk focuses on macOS bugs only. We will also cover different techniques about how to control contents of files, to what we don’t have direct write access.
We will do a deep dive overview of the various r / w / x permissions, what do they mean in case of files, and more importantly in case of directories. We will also take a look at the additional settings, like ownership and the ‘lock’ flag and how do they affect the previous permissions. As part of this we will see how to find such bugs.
We will see a file information disclosure bug affecting macOS Mojave, where we can get read access to files which would normally be accessible only for root users. We will also cover 4 vulnerabilities that are caused due to our ability to control the location of certain files. As we have direct control over only the file location, but not the contents, we will explore tricky techniques how we can influence the contents of some of these files to our benefit.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
The slides of my ObjectiveByTheSea v4 conference talk.
Abstract
---------
In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities impacted the system.
In the first half we will introduce how mounting is happening, how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is also responsible some of the mounting which can be done by the user.
Next we will detail different bugs impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses.
Lastly we will review how we can use the mount command for our own advantage when exploiting third party applications.
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
The slides of my ObjectiveByTheSea v4 conference talk.
Abstract
---------
In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities impacted the system.
In the first half we will introduce how mounting is happening, how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is also responsible some of the mounting which can be done by the user.
Next we will detail different bugs impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses.
Lastly we will review how we can use the mount command for our own advantage when exploiting third party applications.
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organisations can end up creating security vulnerabilities using the tools and products meant to protect them. What happens when these tools are used insecurely or - even worse - they are just insecure? Technologies discussed will encompass AWS, Puppet, Hudson/Jenkins, Vagrant, Docker and much, much more. Everything from common misconfigurations to remote code execution.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
A presentation covering some of the interesting things going on with Powershell in the Infosec community. I give a brief overview of what powershell is, then go over some interesting aspects of three different offensive powershell frameworks and finally give a demo of how a local user can escalate to domain admin privileges using just these frameworks.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
This talk serves as a follow up to my Introducing PS>Attack talk and covers some new features that have been added to the tool as well as how to defend an environment against PowerShell based attacks.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organisations can end up creating security vulnerabilities using the tools and products meant to protect them. What happens when these tools are used insecurely or - even worse - they are just insecure? Technologies discussed will encompass AWS, Puppet, Hudson/Jenkins, Vagrant, Docker and much, much more. Everything from common misconfigurations to remote code execution.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
A presentation covering some of the interesting things going on with Powershell in the Infosec community. I give a brief overview of what powershell is, then go over some interesting aspects of three different offensive powershell frameworks and finally give a demo of how a local user can escalate to domain admin privileges using just these frameworks.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
This talk serves as a follow up to my Introducing PS>Attack talk and covers some new features that have been added to the tool as well as how to defend an environment against PowerShell based attacks.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
DevOoops (Increase awareness around DevOps infra security)
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organisations can end up creating security vulnerabilities using the tools and products meant to protect them. What happens when these tools are used insecurely or - even worse - they are just insecure? Technologies discussed will encompass AWS, Puppet, Hudson/Jenkins, Vagrant, Docker and much, much more. Everything from common misconfigurations to remote code execution.
Linux Privilege Escalation
You will learn how to do privilege escalation on Linux systems by which an attacker gains initial access to a limited or full interactive shell of a primary user or system account with limited privileges.
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Launch and Environment Constraints OverviewCsaba Fitzl
In this talk I will talk about two mitigations which Apple introduced in order to protect against many types of logic vulnerabilities. Launch Constraints was introduced in macOS Ventura, and they can control who can launch a built-in system application and how. Environment Constraints were introduced in Sonoma, and it's basically the extension of Launch Constraints for third party apps. These two features are probably the most impactful when it comes to exploitation. I will review them in detail, how they are set up, what they do exactly, and what kind of vulnerability classes they mitigate. I will also go through a couple of past vulnerabilities, which could not have been exploited with these constraints present. Finally I will walk through how various third party apps should be set up in order to be secure.
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don’t notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems.
In this talk I will cover three macOS vulnerabilities that I found while reading the writeup of other vulnerabilities, where some of them were public for over four years. I also only spotted them after multiple reads, and once found I realized that it was right there in front of us every single time.
In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability is the disk arbitration service. What I found that the same logic flaw was present in another part of he code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape.
In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors and after reading through the patch for the ~20st time, I spotted a new privilege escalation possibility.
In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me, that not only possible to bypass the new patch but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
5. POSIX model
• every file and directory
• owner (user) permissions
• group permissions
• everyone (world) permissions
• each of them
• read
• write
• execute
6. POSIX model
• files
• r/w/x permissions are straightforward
• directories
• read - you can enumerate the directory entries
• write - you can delete/write files to the directory
• execute - you are allowed to traverse the directory - if you don't have this
right, you can't access any files inside it, or in any subdirectories.
7. POSIX model - scenarios
• directory: r - - (only read)
• can’t access any files (no execute permissions)
• directory: - - x (only execute)
• can’t list files (no read permissions)
• can access files if name is known
9. POSIX model - scenarios
• in case you don’t have `x` permissions on a directory but have
permissions on the file -> maybe find a way to leak
• have `rwx` on a directory - can delete / create files regardless of file’s
permissions
• e.g.: file is owned by root -> you can still delete it (!!!)
10. flag modifiers
• there are many flag modifiers
• from exploitation point of view, the important ones:
• uchg, uchange, uimmutable (same, different names) - no one can change the
file until the flag is removed
• restricted - protected by SIP (= not even root can modify it, special
entitlement is needed)
12. sticky bit
> When a directory's sticky bit is set, the filesystem treats the files in such
directories in a special way so only the file's owner, the directory's owner, or
root user can rename or delete the file*
>Typically this is set on the /tmp directory to prevent ordinary users from
deleting or moving other users' files*
* Wikipedia
13. Access Control Lists
• more granular then the POSIX model
• Access Control Entries
• can be applied for multiple users, groups
• directory rights: list, search, add_file, add_subdirectory, delete_child
• file rights: read, write, append, execute
14. sandbox
• SIP is also enforced by the sandbox
• can further restrict file access - typically through sandbox profiles
• profiles are in:
• `/usr/share/sandbox/`
• `/System/Library/Sandbox/Profiles/
17. static method
• file owner is root, but the directory owner is different
• file owner is not root, but directory owner is root
• file owner is root, and one of the user's group has write access to the
directory
• file owner is not root, but the group is wheel, and the parent folder also
not root owned
• python script is available the blog post
18. dynamic method
• monitor for similar relationships
• tools: fs_usage, Objective-See's FileMonitor
• benefit: find cases where root process changes file owner in a
controllable location
20. general idea
• goal: redirect file operation to a location we want
• process: delete file, place a symlink or hardlink, wait and see
21. problems
1. the process might run as root, however because of sandboxing it might
not be able to write to any interesting location
2. the process might not follow symlinks / hardlinks, but instead it will
overwrite our link, and create a new file
3. if we can successfully redirect the file operation, the file will still be
owned by root, and we can't modify it after. We need to find a way to
affect the file contents for our benefits.
• 1 || 2 = no bug
22. controlling content
• need to find a way to inject data into files owned by root
• or if given file is controlling access, we can just make a new file
24. InstallHistory.plist file - Arbitrary file overwrite
vulnerability (CVE-2020-3830)
• whenever someone installs an app on macOS, the system will log it to a
file called `InstallHistory.plist`, which is located at `/Library/Receipts`
• admins have write access to this location ==> delete file ==> place
symlink ==> overwrite arbitrary files
25. InstallHistory.plist file - Arbitrary file overwrite
vulnerability (CVE-2020-3830)
• can't really control contents -
only limited, the metadata of
the application
• trigger: install something
27. Adobe Reader macOS installer - arbitrary file overwrite
vulnerability (CVE-2020-3763)
• at the end of installing Adobe Acrobat Reader for macOS a file is placed
in the `/tmp/` directory, named `com.adobe.reader.pdfviewer.tmp.plist`
• prior the installation we can create a symlink, which will be followed
• content is fixed ==> only arbitrary overwrite
28. Grant group write access to plist files
via DiagnosticMessagesHistory.plist
(CVE-2020-3835)
29. Grant group write access to plist files via
DiagnosticMessagesHistory.plist (CVE-2020-3835)
• someone can add `rw-rw-r` permissions to any `plist` file by abusing the
file `DiagnosticMessagesHistory.plist` in the `/Library/Application
Support/CrashReporter/` directory
• the directory `/Library/Application Support/CrashReporter/` allows write
access to users in the admin group.
• the permissions for the file:
• -rw-rw-r-- 1 root admin 258 Oct 12 20:28
DiagnosticMessagesHistory.plist
30. Grant group write access to plist files via
DiagnosticMessagesHistory.plist (CVE-2020-3835)
• we can create a symlink as normal
• no file overwrite will happen
• but! if the target is a PLIST file, permissions will set to -rw-rw-r--
• we can grant world read access to any PLIST file
• we can grant group write access to any PLIST file
31. Grant group write access to plist files via
DiagnosticMessagesHistory.plist (CVE-2020-3835)
• trigger: Analytics &
Improvements settings
• find interesting files
33. macOS fontmover - file disclosure vulnerability
(CVE-2019-8837)
• `/Library/Fonts` has group write permissions set
• as admin users are in the `admin` group, someone can drop here any file
• this is the folder containing the system wide fonts, and I think this
privilege unnecessary and I will come back to this why
37. exploitation
• symlinks or hardlinks don't work
• will be removed
• can't win race condition
• even if worked, fontmover is sandboxed
38. exploitation
• the file disclosure vulnerability happens with regards of the source file
• between the steps `Install Font` and `Install Ticked` the file is not locked
by the application
• replace original file with symlink
• what do we gain?
• root process moves a file with its original permissions to a place where we
already have write access
• not interesting at first sight, but remember POSIX permissions!
39. exploitation
• remember: in case you don’t have `x` permissions on a directory but have
permissions on the file -> maybe find a way to leak
• example:
-rw-r--r-- 1 root wheel 1043 Aug 30 16:10 /private/var/run/
mds/uuid-tokenID.plist
43. macOS DiagnosticMessages arbitrary file overwrite
vulnerability (CVE-2020-3855)
• usual story
• `/private/var/log/DiagnosticMessages` is writeable for the `admin` group
• bunch of *.asl log files owned by root
• exploit via hardlinks (might need to reboot)
44. content
• this is a log file - can we control content? - partially
• ASL logs - old API, few documentation
• multiple destination file, how do I end up in `/private/var/log/
DiagnosticMessages`?
• Most logs looked like, pre-defined fields
45. • Hope: found custom text from CalendarAgent
• from: /System/Library/PrivateFrameworks/CalendarPersistence.framework/
Versions/Current/CalendarPersistence
content
46. content
• CalMessageTracer leads to `/System/Library/PrivateFrameworks//
CalendarFoundation.framework/Versions/Current/CalendarFoundation`
51. Adobe Reader macOS installer - local
privilege escalation (CVE-2020-3762)
52. Adobe Reader macOS installer - LPE (CVE-2020-3762)
• installer's `Acrobat Update Helper.app` component
• `com.adobe.AcrobatRefreshManager` dir is created in /tmp/ during
install
• 2 PLIST files that will be copied into `/Library/LaunchDaemons/`
• fixed location
• installer deletes existing `com.adobe.AcrobatRefreshManager`
53. Adobe Reader macOS installer - LPE (CVE-2020-3762)
• `/tmp/com.adobe.AcrobatRefreshManager/Adobe Acrobat Updater.app/
Contents/Library/LaunchServices` - where the plist files are stored
• race condition - we recreate the dir structure after deletion, before
creation
• installers places the original PLIST
• we delete (we own the dir), and put our own
• installer puts our PLIST into LaunchDameons
55. macOS periodic scripts - 320.whatis script LPE
(CVE-2019-8802)
• macOS's periodic maintenance scripts
• weekly: /etc/periodic/weekly/320.whatis
• rebuilds the man database
• runs as root
• will get the man paths
• /usr/local/share/man
• owned by the user, typically via brew install
56. makewhatis
• makewhatis
• creates `whatis.tmp`
• we can redirect it via symlink
• target: LaunchDaemons
• PLIST file has to be proper XML
57. whatis database
• database format:
• 1st column: derived from the filename
• 2nd column: the name from the NAME section of the man file
• How do we get a proper XML?
58. exploit
• STEP 1
• we put our PLIST file into the NAME section
• need to end it with `<!--` to comment out any following text
59. exploit
• STEP 2
• our man page has to be the first
• if any other starts with a number (e.g.: 7zip) -> rename
60. exploit
• STEP 3
• the filename has to make sense in XML
• be it: <!--7z.1 This is a valid filename!!!
61. exploit
• STEP 4
• need to close the XML comment that comes from the filename
• The new NAME section:
62. exploit
• STEP 5
• create symlink, run weekly scripts (or wait a week ;))
• the file we got: filename
NAME
section
65. Installers
• Use random directory name in /tmp/
• if not random:
• create the directory, set permissions: owned by root, no one else has rights
• cleanup the directory
• can start using it
66. move operation
• move (mv) operation doesn't
follow symlinks/hardlinks for
files
• both will be overwritten
69. Icons
• Icons made by Darius Dan
• Icons made by Eucalyp
• Icons made by phatplus
• Icons made by Freepik
• Icons made by Flat Icons
• Icons made by Kiranshastry
• https://www.flaticon.com/