Successfully reported this slideshow.
Your SlideShare is downloading. ×

20+ Ways to Bypass Your macOS Privacy Mechanisms

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 58 Ad

20+ Ways to Bypass Your macOS Privacy Mechanisms

Download to read offline

"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.

In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.

In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.

Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.

The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.

"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.

In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.

In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.

Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.

The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Similar to 20+ Ways to Bypass Your macOS Privacy Mechanisms (20)

Advertisement

More from SecuRing (20)

Recently uploaded (20)

Advertisement

20+ Ways to Bypass Your macOS Privacy Mechanisms

  1. 1. 20+ Ways to Bypass Your macOS Privacy Mechanisms Wojciech Reguła & Csaba Fitzl #BHUSA @BlackHatEvents
  2. 2. #BHUSA @BlackHatEvents Whoami - Csaba • Author of “macOS Control Bypasses” training @ Offensive Security • Developer of Shield.app – exploit protection for macOS • Ex red and blue teamer • Husband, father • Hiking
  3. 3. #BHUSA @BlackHatEvents Whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger – https://wojciechregula.blog • iOS Security Suite Creator • macOS environments security
  4. 4. #BHUSA @BlackHatEvents Agenda 1. Introduction to macOS Privacy 2. TCC bypasses through: • plugins • process injection • mounting • app behavior • /usr/bin/grep 3. Our thoughts on the Apple Security Bounty 4. Conclusion
  5. 5. #BHUSA @BlackHatEvents Intro – macOS Security Mechanisms System Integrity Protection (SIP): • Based on Sandbox kernel extension • Restricts access to many directories on macOS • Denies debugger attachments to processes signed directly by Apple • Also known as rootless, because even root cannot do the above-mentioned operations when the SIP is turned on
  6. 6. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
  7. 7. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
  8. 8. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • SQLite3 Database • /Library/Application Support/com.apple.TCC • ~/Library/Application Support/com.apple.TCC
  9. 9. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • User Intent • Extended attribute: com.apple.macl • Managed by the Sandbox • Can’t be added/deleted
  10. 10. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
  11. 11. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • com.apple.macl • Header • UUID
  12. 12. #BHUSA @BlackHatEvents TCC bypasses through plugins • TCCd validates entitlements held by the main executable • Plugins execute code in the context of the main application • So, plugins inherit the private tcc entitlements
  13. 13. System app with plugin TCC daemon Kernel
  14. 14. System app with plugin TCC daemon Kernel I want to access files from Desktop
  15. 15. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app
  16. 16. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement
  17. 17. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted
  18. 18. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  19. 19. System app with malicious plugin
  20. 20. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  21. 21. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
  22. 22. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
  23. 23. #BHUSA @BlackHatEvents TCC bypasses through plugins Changing NFSHomeDirectory aka CVE-2020-27937 1. Copy Directory Utility to location not protected by the SIP 2. Inject a malicious plugin that will be executed with the Directory Utility’s private TCC entitlements 3. Prepare a fake TCC SQLite3 database with fake permissions 4. Modify the NFSHomeDirectory 5. Restart TCCd, so it will load our fake database basing on the NFSHomeDirectory 6. Full user TCC bypass achieved 😎
  24. 24. https://vimeo.com/594616491 Demo #1
  25. 25. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
  26. 26. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 1. Create a malicious macOS bundle with “.driver” extension 2. Plant it in /Library/Audio/Plug-Ins/HAL/ 3. Restart the coreaudiod 4. We can now fully control TCCd 😎 TCC bypasses through plugins
  27. 27. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
  28. 28. https://vimeo.com/594616357 Demo #2
  29. 29. #BHUSA @BlackHatEvents TCC bypasses through process injection Injecting to xsanctl aka CVE-2020-10006: • We execute code again in the context of an entitled application • However you cannot inject to Apple’s signed apps • But there are exceptions… com.apple.security.get-task-allow 😎
  30. 30. #BHUSA @BlackHatEvents TCC bypasses through process injection • 3rd party apps are especially vulnerable to this kind of attacks • If you manually give the vulnerable app TCC permissions, malware can abuse that app • Electron apps are vulnerable by default 😅 • We have found such vulnerabilities in many apps including: o Firefox (0day / won’t fix) o StreamLabs OBS (0day / won’t fix) o Signal (CVE-2020-24259, fixed) o Snaglt (fixed)
  31. 31. https://wojciechregula.blog/post/how-to-rob-a-firefox/
  32. 32. #BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2020-9771 - mount_apfs TCC bypass • APFS supports snapshots • Mount the snapshot in custom location • Access all files (read-only) • Mount with ”noowners” à access every user’s files • FIX: requires Full Disk Access 😭
  33. 33. #BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2021-1784 - TCC bypass via disk mounting • User’s TCC DB file is protected • But! We can mount over the directory • Prepare a new TCC.db file, new disk image • Mount over “~/Library/Application Support/com.apple.TCC” • Profit 🤑
  34. 34. https://vimeo.com/594616408 Demo #3
  35. 35. #BHUSA @BlackHatEvents TCC bypasses through app behavior • Some apps can access private files • Some apps move files when they do something • Some apps can do both
  36. 36. Malicious app App with access to private files
  37. 37. Hi app! I see you can access XYZ private files. Yes! Why? Could you move those files for me to location ABC?
  38. 38. Of course! Here they are. Thank you! Anytime! It was my pleasure.
  39. 39. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app • Open files with notes -> auto attach to notes • Notes are unprotected
  40. 40. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app
  41. 41. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Makes NULLFS mount (not copy) when downloaded app first run • Destination: $TMPDIR/AppTranslocation/d/d/Some.app • Open source as part of Security. • Library: libsecurity_translocate • Binary: /usr/libexec/lsd
  42. 42. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Add Quarantine attribute to “Library” • Call the com.apple.security.translocation XPC service • (XPC client is also open source) • Map Library to $TMPDIR/AppTranslocation/d/d/Library • Access all files
  43. 43. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation
  44. 44. https://vimeo.com/594616522 Demo #4
  45. 45. #BHUSA @BlackHatEvents TCC bypasses with /usr/bin/grep 😅 • Private info is everywhere • Various DBs, caches, configuration files – keep / leak bits of info • How to find them? grep to the rescue 🤣
  46. 46. #BHUSA @BlackHatEvents TCC info leaks • CVE-2020-9963 - QuickLook thumbnails DB (filenames) • CVE-2021-1803 - CloudDocs DBs (filenames) • CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts) • CVE-2021-XXXX - com.apple.identityservices.idstatuscache.plist (contacts) • CVE-2021-30750 - Recents database (contacts)
  47. 47. #BHUSA @BlackHatEvents TCC info leaks • CVE-2021-XXXX - CircleCache.plist (family contacts, birth date) • CVE-2021-XXXX - knowledgeC.db (full iMessages, contacts, etc..) • WON’T FIX - Quarantine database (full download history) • And many more… (yet to be fixed)
  48. 48. #BHUSA @BlackHatEvents Apple Security Bounty (ASB) https://developer.apple.com/security-bounty/payouts/
  49. 49. #BHUSA @BlackHatEvents Apple Security Bounty (ASB) • Apple pays what promised • Bug fixes are often slow – especially design issues • Some reports will be fixed in Monterey only, although they were reported in Catalina à 2 major OS versions!! • Lack of communication, often no updates for months • ASB eligibility decision timeline is unacceptable, often more than 6-7 months!!!
  50. 50. #BHUSA @BlackHatEvents Conclusion • We appreciate the effort • Step in the right direction • Other vendors should do the same • Still lots of issues 1. Apple’s binaries have too many exceptions 2. Third parties are vulnerable to injection attacks • ASB has to improve
  51. 51. #BHUSA @BlackHatEvents Q&A

×