SlideShare a Scribd company logo

Exploiting Directory Permissions on macOS

C
Csaba Fitzl

This talk covers how we can exploit applications on macOS (including macOS itself), where some of the directory / file permissions are incorrectly set. The incorrectness of these settings is not trivial at first sight because understanding these permissions are not intuitive. We will see bugs from simple arbitrary overwrites, to file disclosures and privilege escalation. The concepts applicable to *nix based system as well, however this talk focuses on macOS bugs only. We will also cover different techniques about how to control contents of files, to what we don’t have direct write access. We will do a deep dive overview of the various r / w / x permissions, what do they mean in case of files, and more importantly in case of directories. We will also take a look at the additional settings, like ownership and the ‘lock’ flag and how do they affect the previous permissions. As part of this we will see how to find such bugs. We will see a file information disclosure bug affecting macOS Mojave, where we can get read access to files which would normally be accessible only for root users. We will also cover 4 vulnerabilities that are caused due to our ability to control the location of certain files. As we have direct control over only the file location, but not the contents, we will explore tricky techniques how we can influence the contents of some of these files to our benefit.

Technology
1 of 69
Download to read offline
Exploiting directory permissions on macOS Csaba Fitzl Twitter: @theevilbit
whoami • content developer at Offensive Security • ex red/blue teamer • recent macOS research • husband, father • hiking • yoga
agenda • macOS filesystem permissions • finding bugs • bugs • preventing attacks
macOS filesystem permissions
POSIX model • every file and directory • owner (user) permissions • group permissions • everyone (world) permissions • each of them • read • write • execute
POSIX model • files • r/w/x permissions are straightforward • directories • read - you can enumerate the directory entries • write - you can delete/write files to the directory • execute - you are allowed to traverse the directory - if you don't have this right, you can't access any files inside it, or in any subdirectories.
POSIX model - scenarios • directory: r - - (only read) • can’t access any files (no execute permissions) • directory: - - x (only execute) • can’t list files (no read permissions) • can access files if name is known
experiment
POSIX model - scenarios • in case you don’t have `x` permissions on a directory but have permissions on the file -> maybe find a way to leak • have `rwx` on a directory - can delete / create files regardless of file’s permissions • e.g.: file is owned by root -> you can still delete it (!!!)
flag modifiers • there are many flag modifiers • from exploitation point of view, the important ones: • uchg, uchange, uimmutable (same, different names) - no one can change the file until the flag is removed • restricted - protected by SIP (= not even root can modify it, special entitlement is needed)
experiment
sticky bit > When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so only the file's owner, the directory's owner, or root user can rename or delete the file* >Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files* * Wikipedia
Access Control Lists • more granular then the POSIX model • Access Control Entries • can be applied for multiple users, groups • directory rights: list, search, add_file, add_subdirectory, delete_child • file rights: read, write, append, execute
sandbox • SIP is also enforced by the sandbox • can further restrict file access - typically through sandbox profiles • profiles are in: • `/usr/share/sandbox/` • `/System/Library/Sandbox/Profiles/
sandbox example (mds)
finding bugs
static method • file owner is root, but the directory owner is different • file owner is not root, but directory owner is root • file owner is root, and one of the user's group has write access to the directory • file owner is not root, but the group is wheel, and the parent folder also not root owned • python script is available the blog post
dynamic method • monitor for similar relationships • tools: fs_usage, Objective-See's FileMonitor • benefit: find cases where root process changes file owner in a controllable location
BUGs
general idea • goal: redirect file operation to a location we want • process: delete file, place a symlink or hardlink, wait and see
problems 1. the process might run as root, however because of sandboxing it might not be able to write to any interesting location 2. the process might not follow symlinks / hardlinks, but instead it will overwrite our link, and create a new file 3. if we can successfully redirect the file operation, the file will still be owned by root, and we can't modify it after. We need to find a way to affect the file contents for our benefits. • 1 || 2 = no bug
controlling content • need to find a way to inject data into files owned by root • or if given file is controlling access, we can just make a new file
InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830)
InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830) • whenever someone installs an app on macOS, the system will log it to a file called `InstallHistory.plist`, which is located at `/Library/Receipts` • admins have write access to this location ==> delete file ==> place symlink ==> overwrite arbitrary files
InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830) • can't really control contents - only limited, the metadata of the application • trigger: install something
Adobe Reader macOS installer - arbitrary file overwrite vulnerability (CVE-2020-3763)
Adobe Reader macOS installer - arbitrary file overwrite vulnerability (CVE-2020-3763) • at the end of installing Adobe Acrobat Reader for macOS a file is placed in the `/tmp/` directory, named `com.adobe.reader.pdfviewer.tmp.plist` • prior the installation we can create a symlink, which will be followed • content is fixed ==> only arbitrary overwrite
Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835)
Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • someone can add `rw-rw-r` permissions to any `plist` file by abusing the file `DiagnosticMessagesHistory.plist` in the `/Library/Application Support/CrashReporter/` directory • the directory `/Library/Application Support/CrashReporter/` allows write access to users in the admin group. • the permissions for the file: • -rw-rw-r-- 1 root admin 258 Oct 12 20:28 DiagnosticMessagesHistory.plist
Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • we can create a symlink as normal • no file overwrite will happen • but! if the target is a PLIST file, permissions will set to -rw-rw-r-- • we can grant world read access to any PLIST file • we can grant group write access to any PLIST file
Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • trigger: Analytics & Improvements settings • find interesting files
macOS fontmover - file disclosure vulnerability (CVE-2019-8837)
macOS fontmover - file disclosure vulnerability (CVE-2019-8837) • `/Library/Fonts` has group write permissions set • as admin users are in the `admin` group, someone can drop here any file • this is the folder containing the system wide fonts, and I think this privilege unnecessary and I will come back to this why
exploitation • download a font, and double click
exploitation • set the install location to `Computer` • user location (default): `~/Library/Fonts` • computer location: `/Library/Fonts`
exploitation • press `Install Font` • press `Install Ticked` • authentication prompt to root • file is being copied
exploitation • symlinks or hardlinks don't work • will be removed • can't win race condition • even if worked, fontmover is sandboxed
exploitation • the file disclosure vulnerability happens with regards of the source file • between the steps `Install Font` and `Install Ticked` the file is not locked by the application • replace original file with symlink • what do we gain? • root process moves a file with its original permissions to a place where we already have write access • not interesting at first sight, but remember POSIX permissions!
exploitation • remember: in case you don’t have `x` permissions on a directory but have permissions on the file -> maybe find a way to leak • example: -rw-r--r-- 1 root wheel 1043 Aug 30 16:10 /private/var/run/ mds/uuid-tokenID.plist
exploitation
fix • file replacement will be verified, link is not followed
macOS DiagnosticMessages arbitrary file overwrite vulnerability (CVE-2020-3855)
macOS DiagnosticMessages arbitrary file overwrite vulnerability (CVE-2020-3855) • usual story • `/private/var/log/DiagnosticMessages` is writeable for the `admin` group • bunch of *.asl log files owned by root • exploit via hardlinks (might need to reboot)
content • this is a log file - can we control content? - partially • ASL logs - old API, few documentation • multiple destination file, how do I end up in `/private/var/log/ DiagnosticMessages`? • Most logs looked like, pre-defined fields
• Hope: found custom text from CalendarAgent • from: /System/Library/PrivateFrameworks/CalendarPersistence.framework/ Versions/Current/CalendarPersistence content
content • CalMessageTracer leads to `/System/Library/PrivateFrameworks// CalendarFoundation.framework/Versions/Current/CalendarFoundation`
content • CalMessageTracer • we see the ASL API
content • custom messages lead to further functions • I stopped • we can use this function to create a log entry for us
content • we need to create a header file • load the private framework • call the function • we can insert custom string
content • not enough for code execution :( • but can be useful trick :)
Adobe Reader macOS installer - local privilege escalation (CVE-2020-3762)
Adobe Reader macOS installer - LPE (CVE-2020-3762) • installer's `Acrobat Update Helper.app` component • `com.adobe.AcrobatRefreshManager` dir is created in /tmp/ during install • 2 PLIST files that will be copied into `/Library/LaunchDaemons/` • fixed location • installer deletes existing `com.adobe.AcrobatRefreshManager`
Adobe Reader macOS installer - LPE (CVE-2020-3762) • `/tmp/com.adobe.AcrobatRefreshManager/Adobe Acrobat Updater.app/ Contents/Library/LaunchServices` - where the plist files are stored • race condition - we recreate the dir structure after deletion, before creation • installers places the original PLIST • we delete (we own the dir), and put our own • installer puts our PLIST into LaunchDameons
macOS periodic scripts - 320.whatis script privilege escalation to root (CVE-2019-8802)
macOS periodic scripts - 320.whatis script LPE (CVE-2019-8802) • macOS's periodic maintenance scripts • weekly: /etc/periodic/weekly/320.whatis • rebuilds the man database • runs as root • will get the man paths • /usr/local/share/man • owned by the user, typically via brew install
makewhatis • makewhatis • creates `whatis.tmp` • we can redirect it via symlink • target: LaunchDaemons • PLIST file has to be proper XML
whatis database • database format: • 1st column: derived from the filename • 2nd column: the name from the NAME section of the man file • How do we get a proper XML?
exploit • STEP 1 • we put our PLIST file into the NAME section • need to end it with `<!--` to comment out any following text
exploit • STEP 2 • our man page has to be the first • if any other starts with a number (e.g.: 7zip) -> rename
exploit • STEP 3 • the filename has to make sense in XML • be it: <!--7z.1 This is a valid filename!!!
exploit • STEP 4 • need to close the XML comment that comes from the filename • The new NAME section:
exploit • STEP 5 • create symlink, run weekly scripts (or wait a week ;)) • the file we got: filename NAME section
demo - makewhatis exploit
Avoiding the attack
Installers • Use random directory name in /tmp/ • if not random: • create the directory, set permissions: owned by root, no one else has rights • cleanup the directory • can start using it
move operation • move (mv) operation doesn't follow symlinks/hardlinks for files • both will be overwritten
Objective-C • `writeToFile` doesn't follow links, overwrites them
?
Icons • Icons made by Darius Dan • Icons made by Eucalyp • Icons made by phatplus • Icons made by Freepik • Icons made by Flat Icons • Icons made by Kiranshastry • https://www.flaticon.com/

Recommended

Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
 
Windows 8 fuzz
Windows 8 fuzzWindows 8 fuzz
Windows 8 fuzz
Olav Tvedt
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 

Recommended

Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
 
Windows 8 fuzz
Windows 8 fuzzWindows 8 fuzz
Windows 8 fuzz
Olav Tvedt
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
Alexander Polce Leary
 
How to deploy PHP projects with docker
How to deploy PHP projects with dockerHow to deploy PHP projects with docker
How to deploy PHP projects with docker
Ruoshi Ling
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
Will Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Hacking Wordpress Plugins
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress Plugins
Larry Cashdollar
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
Sam Bowne
 
Os6
Os6Os6
Os6gopal10scs185
 

More Related Content

What's hot

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
Alexander Polce Leary
 
How to deploy PHP projects with docker
How to deploy PHP projects with dockerHow to deploy PHP projects with docker
How to deploy PHP projects with docker
Ruoshi Ling
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
Will Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Hacking Wordpress Plugins
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress Plugins
Larry Cashdollar
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 

What's hot (20)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
How to deploy PHP projects with docker
How to deploy PHP projects with dockerHow to deploy PHP projects with docker
How to deploy PHP projects with docker
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Hacking Wordpress Plugins
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress Plugins
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 

Similar to Exploiting Directory Permissions on macOS

CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
Sam Bowne
 
Javase7 1641812
Javase7 1641812Javase7 1641812
Javase7 1641812Vinay H G
 
operating system File - System Interface
operating system File - System Interfaceoperating system File - System Interface
operating system File - System Interface
Chandrakant Divate
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
SouvikRoy114738
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X Systems
Sam Bowne
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
HelpWithAssignment.com
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
Sam Bowne
 
AHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
Infochimps, a CSC Big Data Business
 
File system
File systemFile system
File system
Navin Royal Achakkagari
 
File protection.59 to 60
File protection.59 to 60File protection.59 to 60
File protection.59 to 60myrajendra
 
Ch10 file system interface
Ch10 file system interfaceCh10 file system interface
Ch10 file system interface
Welly Dian Astika
 
LinuxForensicsForNon-LinuxFolks.pdf
LinuxForensicsForNon-LinuxFolks.pdfLinuxForensicsForNon-LinuxFolks.pdf
LinuxForensicsForNon-LinuxFolks.pdf
ssusere6dc9d
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
ssusera432ea1
 
File Management & Access Control
File Management & Access Control File Management & Access Control
File Management & Access Control
YuvrajWadavale
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig
 

Similar to Exploiting Directory Permissions on macOS (20)

CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
Os6
Os6Os6
Os6
 
Javase7 1641812
Javase7 1641812Javase7 1641812
Javase7 1641812
 
operating system File - System Interface
operating system File - System Interfaceoperating system File - System Interface
operating system File - System Interface
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X Systems
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
AHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
 
File system
File systemFile system
File system
 
File protection.59 to 60
File protection.59 to 60File protection.59 to 60
File protection.59 to 60
 
Ch10 file system interface
Ch10 file system interfaceCh10 file system interface
Ch10 file system interface
 
LinuxForensicsForNon-LinuxFolks.pdf
LinuxForensicsForNon-LinuxFolks.pdfLinuxForensicsForNon-LinuxFolks.pdf
LinuxForensicsForNon-LinuxFolks.pdf
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
File Management & Access Control
File Management & Access Control File Management & Access Control
File Management & Access Control
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 

More from Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
Csaba Fitzl
 

More from Csaba Fitzl (7)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Recently uploaded

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

Exploiting Directory Permissions on macOS

  • 1. Exploiting directory permissions on macOS Csaba Fitzl Twitter: @theevilbit
  • 2. whoami • content developer at Offensive Security • ex red/blue teamer • recent macOS research • husband, father • hiking • yoga
  • 3. agenda • macOS filesystem permissions • finding bugs • bugs • preventing attacks
  • 5. POSIX model • every file and directory • owner (user) permissions • group permissions • everyone (world) permissions • each of them • read • write • execute
  • 6. POSIX model • files • r/w/x permissions are straightforward • directories • read - you can enumerate the directory entries • write - you can delete/write files to the directory • execute - you are allowed to traverse the directory - if you don't have this right, you can't access any files inside it, or in any subdirectories.
  • 7. POSIX model - scenarios • directory: r - - (only read) • can’t access any files (no execute permissions) • directory: - - x (only execute) • can’t list files (no read permissions) • can access files if name is known
  • 9. POSIX model - scenarios • in case you don’t have `x` permissions on a directory but have permissions on the file -> maybe find a way to leak • have `rwx` on a directory - can delete / create files regardless of file’s permissions • e.g.: file is owned by root -> you can still delete it (!!!)
  • 10. flag modifiers • there are many flag modifiers • from exploitation point of view, the important ones: • uchg, uchange, uimmutable (same, different names) - no one can change the file until the flag is removed • restricted - protected by SIP (= not even root can modify it, special entitlement is needed)
  • 12. sticky bit > When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so only the file's owner, the directory's owner, or root user can rename or delete the file* >Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files* * Wikipedia
  • 13. Access Control Lists • more granular then the POSIX model • Access Control Entries • can be applied for multiple users, groups • directory rights: list, search, add_file, add_subdirectory, delete_child • file rights: read, write, append, execute
  • 14. sandbox • SIP is also enforced by the sandbox • can further restrict file access - typically through sandbox profiles • profiles are in: • `/usr/share/sandbox/` • `/System/Library/Sandbox/Profiles/
  • 17. static method • file owner is root, but the directory owner is different • file owner is not root, but directory owner is root • file owner is root, and one of the user's group has write access to the directory • file owner is not root, but the group is wheel, and the parent folder also not root owned • python script is available the blog post
  • 18. dynamic method • monitor for similar relationships • tools: fs_usage, Objective-See's FileMonitor • benefit: find cases where root process changes file owner in a controllable location
  • 19. BUGs
  • 20. general idea • goal: redirect file operation to a location we want • process: delete file, place a symlink or hardlink, wait and see
  • 21. problems 1. the process might run as root, however because of sandboxing it might not be able to write to any interesting location 2. the process might not follow symlinks / hardlinks, but instead it will overwrite our link, and create a new file 3. if we can successfully redirect the file operation, the file will still be owned by root, and we can't modify it after. We need to find a way to affect the file contents for our benefits. • 1 || 2 = no bug
  • 22. controlling content • need to find a way to inject data into files owned by root • or if given file is controlling access, we can just make a new file
  • 23. InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830)
  • 24. InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830) • whenever someone installs an app on macOS, the system will log it to a file called `InstallHistory.plist`, which is located at `/Library/Receipts` • admins have write access to this location ==> delete file ==> place symlink ==> overwrite arbitrary files
  • 25. InstallHistory.plist file - Arbitrary file overwrite vulnerability (CVE-2020-3830) • can't really control contents - only limited, the metadata of the application • trigger: install something
  • 26. Adobe Reader macOS installer - arbitrary file overwrite vulnerability (CVE-2020-3763)
  • 27. Adobe Reader macOS installer - arbitrary file overwrite vulnerability (CVE-2020-3763) • at the end of installing Adobe Acrobat Reader for macOS a file is placed in the `/tmp/` directory, named `com.adobe.reader.pdfviewer.tmp.plist` • prior the installation we can create a symlink, which will be followed • content is fixed ==> only arbitrary overwrite
  • 28. Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835)
  • 29. Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • someone can add `rw-rw-r` permissions to any `plist` file by abusing the file `DiagnosticMessagesHistory.plist` in the `/Library/Application Support/CrashReporter/` directory • the directory `/Library/Application Support/CrashReporter/` allows write access to users in the admin group. • the permissions for the file: • -rw-rw-r-- 1 root admin 258 Oct 12 20:28 DiagnosticMessagesHistory.plist
  • 30. Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • we can create a symlink as normal • no file overwrite will happen • but! if the target is a PLIST file, permissions will set to -rw-rw-r-- • we can grant world read access to any PLIST file • we can grant group write access to any PLIST file
  • 31. Grant group write access to plist files via DiagnosticMessagesHistory.plist (CVE-2020-3835) • trigger: Analytics & Improvements settings • find interesting files
  • 32. macOS fontmover - file disclosure vulnerability (CVE-2019-8837)
  • 33. macOS fontmover - file disclosure vulnerability (CVE-2019-8837) • `/Library/Fonts` has group write permissions set • as admin users are in the `admin` group, someone can drop here any file • this is the folder containing the system wide fonts, and I think this privilege unnecessary and I will come back to this why
  • 34. exploitation • download a font, and double click
  • 35. exploitation • set the install location to `Computer` • user location (default): `~/Library/Fonts` • computer location: `/Library/Fonts`
  • 36. exploitation • press `Install Font` • press `Install Ticked` • authentication prompt to root • file is being copied
  • 37. exploitation • symlinks or hardlinks don't work • will be removed • can't win race condition • even if worked, fontmover is sandboxed
  • 38. exploitation • the file disclosure vulnerability happens with regards of the source file • between the steps `Install Font` and `Install Ticked` the file is not locked by the application • replace original file with symlink • what do we gain? • root process moves a file with its original permissions to a place where we already have write access • not interesting at first sight, but remember POSIX permissions!
  • 39. exploitation • remember: in case you don’t have `x` permissions on a directory but have permissions on the file -> maybe find a way to leak • example: -rw-r--r-- 1 root wheel 1043 Aug 30 16:10 /private/var/run/ mds/uuid-tokenID.plist
  • 41. fix • file replacement will be verified, link is not followed
  • 42. macOS DiagnosticMessages arbitrary file overwrite vulnerability (CVE-2020-3855)
  • 43. macOS DiagnosticMessages arbitrary file overwrite vulnerability (CVE-2020-3855) • usual story • `/private/var/log/DiagnosticMessages` is writeable for the `admin` group • bunch of *.asl log files owned by root • exploit via hardlinks (might need to reboot)
  • 44. content • this is a log file - can we control content? - partially • ASL logs - old API, few documentation • multiple destination file, how do I end up in `/private/var/log/ DiagnosticMessages`? • Most logs looked like, pre-defined fields
  • 45. • Hope: found custom text from CalendarAgent • from: /System/Library/PrivateFrameworks/CalendarPersistence.framework/ Versions/Current/CalendarPersistence content
  • 46. content • CalMessageTracer leads to `/System/Library/PrivateFrameworks// CalendarFoundation.framework/Versions/Current/CalendarFoundation`
  • 48. content • custom messages lead to further functions • I stopped • we can use this function to create a log entry for us
  • 49. content • we need to create a header file • load the private framework • call the function • we can insert custom string
  • 50. content • not enough for code execution :( • but can be useful trick :)
  • 51. Adobe Reader macOS installer - local privilege escalation (CVE-2020-3762)
  • 52. Adobe Reader macOS installer - LPE (CVE-2020-3762) • installer's `Acrobat Update Helper.app` component • `com.adobe.AcrobatRefreshManager` dir is created in /tmp/ during install • 2 PLIST files that will be copied into `/Library/LaunchDaemons/` • fixed location • installer deletes existing `com.adobe.AcrobatRefreshManager`
  • 53. Adobe Reader macOS installer - LPE (CVE-2020-3762) • `/tmp/com.adobe.AcrobatRefreshManager/Adobe Acrobat Updater.app/ Contents/Library/LaunchServices` - where the plist files are stored • race condition - we recreate the dir structure after deletion, before creation • installers places the original PLIST • we delete (we own the dir), and put our own • installer puts our PLIST into LaunchDameons
  • 54. macOS periodic scripts - 320.whatis script privilege escalation to root (CVE-2019-8802)
  • 55. macOS periodic scripts - 320.whatis script LPE (CVE-2019-8802) • macOS's periodic maintenance scripts • weekly: /etc/periodic/weekly/320.whatis • rebuilds the man database • runs as root • will get the man paths • /usr/local/share/man • owned by the user, typically via brew install
  • 56. makewhatis • makewhatis • creates `whatis.tmp` • we can redirect it via symlink • target: LaunchDaemons • PLIST file has to be proper XML
  • 57. whatis database • database format: • 1st column: derived from the filename • 2nd column: the name from the NAME section of the man file • How do we get a proper XML?
  • 58. exploit • STEP 1 • we put our PLIST file into the NAME section • need to end it with `<!--` to comment out any following text
  • 59. exploit • STEP 2 • our man page has to be the first • if any other starts with a number (e.g.: 7zip) -> rename
  • 60. exploit • STEP 3 • the filename has to make sense in XML • be it: <!--7z.1 This is a valid filename!!!
  • 61. exploit • STEP 4 • need to close the XML comment that comes from the filename • The new NAME section:
  • 62. exploit • STEP 5 • create symlink, run weekly scripts (or wait a week ;)) • the file we got: filename NAME section
  • 63. demo - makewhatis exploit
  • 65. Installers • Use random directory name in /tmp/ • if not random: • create the directory, set permissions: owned by root, no one else has rights • cleanup the directory • can start using it
  • 66. move operation • move (mv) operation doesn't follow symlinks/hardlinks for files • both will be overwritten
  • 67. Objective-C • `writeToFile` doesn't follow links, overwrites them
  • 68. ?
  • 69. Icons • Icons made by Darius Dan • Icons made by Eucalyp • Icons made by phatplus • Icons made by Freepik • Icons made by Flat Icons • Icons made by Kiranshastry • https://www.flaticon.com/