20+ Ways To Bypass Your Macos Privacy Mechanisms

In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.

  1. #BHUSA @BlackHatEvents – 20+ WAYS TO BYPASS YOUR MACOS SECURITY MECHANISMS
  2. WHOAMI - CSABA
     • Lead content developer of “macOS Control Bypasses” (EXP-312) training @ Offensive Security
     • Developer of Shield.app – exploit protection for macOS
     • Ex red and blue teamer
     • Husband, father
     • Hiking, trail running
  3. WHOAMI - WOJCIECH
     • Principal IT Security Consultant @ SecuRing
     • Focused on iOS/macOS #appsec
     • Blogger – https://wojciechregula.blog
     • iOS Security Suite Creator
     • macOS environments security
  4. AGENDA
     1. Introduction to macOS Privacy
     2. TCC bypasses through:
        • plugins
        • privileged helpers
        • process injection
        • mounting
        • app behavior
        • /usr/bin/grep
     3. Our thoughts on the Apple Security Bounty
     4. Conclusion
  5. INTRO – MACOS SECURITY MECHANISMS
     System Integrity Protection (SIP):
     • Based on the Sandbox kernel extension
     • Restricts access to many directories on macOS
     • Denies debugger attachment to processes signed directly by Apple
     • Also known as rootless, because even root cannot perform the above-mentioned operations when SIP is turned on
  6. TRANSPARENCY, CONSENT, AND CONTROL (TCC)
  8. TRANSPARENCY, CONSENT, AND CONTROL (TCC)
     • SQLite3 Database
     • /Library/Application Support/com.apple.TCC
     • ~/Library/Application Support/com.apple.TCC
  9. TRANSPARENCY, CONSENT, AND CONTROL (TCC)
     • User Intent
     • Extended attribute: com.apple.macl
     • Managed by the Sandbox
     • Can’t be added/deleted
  11. TRANSPARENCY, CONSENT, AND CONTROL (TCC)
     • com.apple.macl
     • Header
     • UUID
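Slides 8–11 name the two places TCC persists its state: the SQLite database (the `access` table of TCC.db) and the `com.apple.macl` extended attribute. The script below is an added defender's example, not code from the talk: it audits a TCC.db `access` table for grants that deserve a second look (high-value services, grants with no code signing requirement bound to them, clients identified by path rather than bundle id) and splits a macl value into its records. The column names used (`service`, `client`, `client_type`, `auth_value`, `auth_reason`, `csreq`, `last_modified`) are those of the macOS 11+ schema; the database is constructed in memory so it runs anywhere. The macl record layout (18-byte records of a 2-byte header plus a 16-byte UUID, zero padded) is an assumption taken from public reverse engineering, not something the slides state.

```python
# Added example: audit TCC state (TCC.db access table + com.apple.macl value).
# Not from the presentation; sample data is constructed.
import sqlite3
import uuid

# Services whose grant is Full Disk Access or close to it.
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",        # Full Disk Access
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDownloadsFolder",
    "kTCCServiceAccessibility",
}
AUTH_ALLOWED = 2   # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for ~/Library/Application Support/com.apple.TCC/TCC.db."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER,
        auth_reason INTEGER, csreq BLOB, last_modified INTEGER)""")
    rows = [
        # user-approved grant, bound to a code signing requirement blob
        ("kTCCServiceSystemPolicyDesktopFolder", "com.example.editor", 0, 2, 2, b"\xfa\xde\x0c\x00", 1700000000),
        # Full Disk Access with NO csreq: anything carrying that bundle id qualifies
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2, 2, None, 1700000100),
        # denied entry, nothing to report
        ("kTCCServiceCamera", "com.example.chat", 0, 0, 2, b"\xfa\xde\x0c\x00", 1700000200),
        # path-identified client (client_type 1) holding Accessibility
        ("kTCCServiceAccessibility", "/Users/alice/bin/helper.sh", 1, 2, 2, None, 1700000300),
    ]
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", rows)
    return con


def audit_access_table(con: sqlite3.Connection) -> list:
    """Return (client, service, reasons) for every allowed row worth reviewing."""
    findings = []
    query = ("SELECT service, client, client_type, auth_value, auth_reason, csreq, last_modified "
             "FROM access ORDER BY rowid")
    for service, client, client_type, auth_value, _reason, csreq, _ts in con.execute(query):
        if auth_value != AUTH_ALLOWED:
            continue
        reasons = []
        if service in HIGH_VALUE_SERVICES:
            reasons.append("high-value service")
        if csreq is None:
            reasons.append("no code signing requirement bound to the grant")
        if client_type == 1:
            reasons.append("client identified by path, not bundle id")
        if reasons:
            findings.append((client, service, reasons))
    return findings


MACL_RECORD = 18   # assumed layout: 2-byte header + 16-byte UUID per record


def parse_macl(value: bytes) -> list:
    """Split a com.apple.macl value into (header_hex, uuid) records, skipping zero padding."""
    records = []
    for off in range(0, len(value) - len(value) % MACL_RECORD, MACL_RECORD):
        rec = value[off:off + MACL_RECORD]
        if not any(rec):
            continue
        records.append((rec[:2].hex(), str(uuid.UUID(bytes=rec[2:]))))
    return records


# Constructed xattr value: one record for an app UUID, then zero padding to 72 bytes.
SAMPLE_APP_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_MACL = b"\x03\x00" + SAMPLE_APP_UUID.bytes + b"\x00" * (72 - MACL_RECORD)

if __name__ == "__main__":
    for client, service, reasons in audit_access_table(build_sample_db()):
        print(f"{client:30} {service:40} {'; '.join(reasons)}")
    print(parse_macl(SAMPLE_MACL))
```

On a real system the user database needs Full Disk Access to open at all, which is itself the point of slides 37–40: anything that reaches the file without that grant has bypassed the mechanism. Rows without a `csreq` are the ones the privileged-helper and plugin tricks later on this page exploit, since only a bundle identifier is being matched.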
  12. TCC BYPASSES THROUGH PLUGINS
     • TCCd validates entitlements held by the main executable
     • Plugins execute code in the context of the main application
     • So, plugins inherit the private TCC entitlements
  13.–20. Sequence diagram (actors: System app with plugin, TCC daemon, Kernel), built up over slides 13–18 and repeated on slide 20 for a system app with a malicious plugin (slide 19):
     1. System app -> Kernel: I want to access files from Desktop
     2. Kernel -> TCC daemon: Hey TCC, check the permissions of the requesting app
     3. TCC daemon: Validate Code Signing requirement
     4. TCC daemon -> Kernel: Access Granted
     5. Kernel -> System app: Access Granted
     The flow is identical when the plugin is malicious, because only the host app’s code signing requirement is validated.
  21. TCC BYPASSES THROUGH PLUGINS – Changing NFSHomeDirectory aka CVE-2020-27937
  23. Changing NFSHomeDirectory aka CVE-2020-27937
     1. Copy Directory Utility to a location not protected by SIP
     2. Inject a malicious plugin that will be executed with Directory Utility’s private TCC entitlements
     3. Prepare a fake TCC SQLite3 database with fake permissions
     4. Modify the NFSHomeDirectory
     5. Restart TCCd, so it will load our fake database based on the NFSHomeDirectory
     6. Full user TCC bypass achieved 😎
  24. https://vimeo.com/653698755
  25. TCC BYPASSES THROUGH PRIVILEGED HELPERS
     Privileged Helper tools TCC bypass aka CVE-2020-10008:
     • Applications can use the SMJobBless() API to register privileged helpers
     • These helpers are stored in /Library/PrivilegedHelperTools
     • The helpers have launchd plists embedded that point to their main apps’ csreqs
     • When a helper tries to access protected resources, TCC validates the permissions of the main application
  26. Wait what? A security mechanism guesses the responsible process? 😂
  33. TCC BYPASSES THROUGH PRIVILEGED HELPERS – CVE-2020-10008 attack scenario:
     1. Find an application (Donor) that has a suitable TCC permission already granted
     2. Create a malicious Privileged Helper and embed the Donor’s codesigning requirement
     3. Manually copy the Privileged Helper to /Library/PrivilegedHelperTools
     4. TCC privileges of the Donor’s app taken over 😎
  34. https://vimeo.com/653703584
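Both the plugin slides (12–23) and the privileged-helper slides (25–33) come down to TCC attributing a request to the wrong code. Two checks a defender can run follow, as an added example that is not the presenters' code. The first uses a property of `SMJobBless` installs: a legitimate helper is declared twice, by `SMAuthorizedClients` in the helper's embedded Info.plist and by `SMPrivilegedExecutables` in the app's Info.plist, so a helper copied into `/Library/PrivilegedHelperTools` by hand (step 3 on slide 33) has only the first half. The second flags an Apple bundle id executing from outside SIP-protected roots (step 1 on slide 23) and images loaded into such a host from outside its bundle. On macOS the plists would be read with `launchctl plist` / `otool` and the image list with `vmmap`; here the inputs are constructed so the script runs on any platform, and the set of SIP roots is a simplification with `/usr/local` as the carve-out.

```python
# Added example: mutual-declaration check for privileged helpers, plus a
# "foreign code in an entitled host" heuristic. Not from the talk; sample data constructed.
import plistlib
import re

# Simplified SIP root set; /usr/local is deliberately writable on real systems.
SIP_PROTECTED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def is_sip_protected(path: str) -> bool:
    if path.startswith("/usr/local/"):
        return False
    return path.startswith(SIP_PROTECTED_ROOTS)


def requirement_identifier(requirement: str):
    """Bundle identifier named by a code signing requirement string, if any."""
    m = re.search(r'identifier\s+"([^"]+)"', requirement)
    return m.group(1) if m else None


def orphan_helpers(helper_plists: dict, app_plists: dict) -> list:
    """helper_plists: {helper label: Info.plist bytes}; app_plists: {bundle id: Info.plist bytes}.
    Returns (label, claimed client ids) for helpers that no claimed client declares back."""
    declared = {bid: plistlib.loads(data).get("SMPrivilegedExecutables", {})
                for bid, data in app_plists.items()}
    orphans = []
    for label, data in helper_plists.items():
        clients = plistlib.loads(data).get("SMAuthorizedClients", [])
        claimed = [requirement_identifier(c) for c in clients]
        if not any(label in declared.get(bid, {}) for bid in claimed if bid):
            orphans.append((label, claimed))
    return orphans


def relocated_system_app(main_executable: str, bundle_id: str) -> bool:
    """An Apple bundle id running from outside SIP-protected roots (step 1 of CVE-2020-27937)."""
    return bundle_id.startswith("com.apple.") and not is_sip_protected(main_executable)


def foreign_images(main_executable: str, images: list) -> list:
    """Loaded images that come from neither the host bundle nor SIP-protected roots."""
    bundle_root = main_executable.split("/Contents/", 1)[0] + "/"
    return [img for img in images
            if not img.startswith(bundle_root) and not is_sip_protected(img)]


# ---- constructed sample data ----
def sample_helper_plists() -> dict:
    legit = {"CFBundleIdentifier": "com.example.app.helper",
             "SMAuthorizedClients": ['identifier "com.example.app" and anchor apple generic']}
    # rogue helper pointing at the same Donor app, as on slide 33
    rogue = {"CFBundleIdentifier": "com.attacker.helper",
             "SMAuthorizedClients": ['identifier "com.example.app" and anchor apple generic']}
    return {"com.example.app.helper": plistlib.dumps(legit),
            "com.attacker.helper": plistlib.dumps(rogue)}


def sample_app_plists() -> dict:
    app = {"CFBundleIdentifier": "com.example.app",
           "SMPrivilegedExecutables": {
               "com.example.app.helper": 'identifier "com.example.app.helper" and anchor apple generic'}}
    return {"com.example.app": plistlib.dumps(app)}


SAMPLE_MAIN = "/Users/alice/Desktop/Directory Utility.app/Contents/MacOS/Directory Utility"
SAMPLE_IMAGES = [
    SAMPLE_MAIN,
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
    "/Users/alice/Library/Application Support/evil.bundle/Contents/MacOS/evil",
]

if __name__ == "__main__":
    print("orphan helpers:", orphan_helpers(sample_helper_plists(), sample_app_plists()))
    print("relocated system app:", relocated_system_app(SAMPLE_MAIN, "com.apple.DirectoryUtility"))
    print("foreign images:", foreign_images(SAMPLE_MAIN, SAMPLE_IMAGES))
```

The orphan check is the more robust of the two: it needs no signature verification to spot slide 33's scenario, only the observation that the Donor never asked for that helper. The image heuristic is path based and will also report legitimate third-party plugins, so treat it as a triage list rather than a verdict.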
  35. TCC BYPASSES THROUGH PROCESS INJECTION
     • We execute code again in the context of an entitled application
     • 3rd party apps are especially vulnerable to this kind of attack
     • If you manually give the vulnerable app TCC permissions, malware can abuse that app
     • Electron apps are vulnerable by default 😅
     • We have found such vulnerabilities in many apps including:
        o Firefox (0day / won’t fix)
        o StreamLabs OBS (0day / won’t fix)
        o Signal (CVE-2020-24259, fixed)
        o SnagIt (fixed)
  36. https://wojciechregula.blog/post/how-to-rob-a-firefox/
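Slide 35's point is that the damage from process injection is the product of two things the defender controls: whether the app lets foreign code in, and which TCC services the user has handed it. The following added example (not from the talk) cross-checks those two inputs. The entitlement keys are real hardened-runtime keys; the grading is this script's own heuristic, and the entitlements plist is constructed here where on macOS it would come from `codesign -d --entitlements - <app>`.

```python
# Added example: rate an app's exposure to the injection-based TCC bypass.
# Entitlement keys are real; sample plists and the scoring are constructed here.
import plistlib

# Hardened-runtime entitlements that let other code run inside the process.
INJECTION_ENABLERS = {
    "com.apple.security.cs.disable-library-validation": "unsigned / other-team dylibs may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_INSERT_LIBRARIES is honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable pages allowed",
    "com.apple.security.get-task-allow": "task port obtainable by same-user processes",
}

# TCC services an injected payload would inherit from the host.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles", "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder", "kTCCServiceSystemPolicyDownloadsFolder",
    "kTCCServiceAddressBook", "kTCCServiceCamera", "kTCCServiceMicrophone",
    "kTCCServiceAccessibility", "kTCCServiceScreenCapture",
}


def injection_risk(entitlements_plist: bytes, granted_services: set) -> dict:
    """Combine injection-enabling entitlements with the TCC grants the user has made."""
    ent = plistlib.loads(entitlements_plist)
    enablers = {key: why for key, why in INJECTION_ENABLERS.items() if ent.get(key) is True}
    exposed = sorted(granted_services & SENSITIVE_SERVICES)
    if enablers and exposed:
        level = "high"        # injectable AND holds something worth stealing
    elif enablers or exposed:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "enablers": enablers, "exposed_services": exposed}


# Constructed samples: an Electron-style entitlement set and a tightly signed app.
ELECTRON_LIKE = plistlib.dumps({
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-jit": True,
})
STRICT_APP = plistlib.dumps({"com.apple.security.cs.allow-jit": True})

if __name__ == "__main__":
    print(injection_risk(ELECTRON_LIKE, {"kTCCServiceSystemPolicyDesktopFolder", "kTCCServiceCamera"}))
    print(injection_risk(STRICT_APP, {"kTCCServiceCamera"}))
```

One caveat the plist cannot express: an app built without the hardened runtime at all has no library validation either, and shows up here as "clean". On macOS that is visible in the `flags` line of `codesign -dvv` output (the `runtime` flag), so that check belongs alongside this one.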
  37. TCC BYPASSES THROUGH MOUNTING
     CVE-2020-9771 - mount_apfs TCC bypass
     • APFS supports snapshots
     • Mount the snapshot in a custom location
     • Access all files (read-only)
     • Mount with “noowners” -> access every user’s files
     • FIX: requires Full Disk Access 😭
  38. TCC BYPASSES THROUGH MOUNTING
     CVE-2021-1784 - TCC bypass via disk mounting
     • User’s TCC DB file is protected
     • But! We can mount over the directory
     • Prepare a new TCC.db file, new disk image
     • Mount over “~/Library/Application Support/com.apple.TCC”
     • Profit 🤑
  39. https://vimeo.com/653701892
  40. TCC BYPASSES THROUGH MOUNTING V2
     CVE-2021-30808 - TCC bypass via disk mounting
     • The rebirth of CVE-2021-1784
     • Found in Monterey Beta1, Big Sur was not impacted
     • Can’t mount over “~/Library/Application Support/com.apple.TCC”
     • But! Can mount over “~/Library/”
  41. https://vimeo.com/653705598
  42. TCC BYPASSES THROUGH APP BEHAVIOR
     • Some apps can access private files
     • Some apps move files when they do something
     • Some apps can do both
  43.–45. Dialogue between a Malicious app and an App with access to private files:
     Malicious app: Hi app! I see you can access XYZ private files.
     App: Yes! Why?
     Malicious app: Could you move those files for me to location ABC?
     App: Of course! Here they are.
     Malicious app: Thank you!
     App: Anytime! It was my pleasure.
  46. TCC BYPASSES THROUGH APP BEHAVIOR – CVE-2021-30751 – Notes.app
     • Open files with Notes -> auto attach to notes
     • Notes are unprotected
  48. TCC BYPASSES THROUGH APP BEHAVIOR – CVE-2021-30782 – App translocation
     • Makes a NULLFS mount (not a copy) when a downloaded app is first run
     • Destination: $TMPDIR/AppTranslocation/d/d/Some.app
     • Open source as part of Security.
     • Library: libsecurity_translocate
     • Binary: /usr/libexec/lsd
  49. CVE-2021-30782 – App translocation
     • Add the Quarantine attribute to “Library”
     • Call the com.apple.security.translocation XPC service
     • (XPC client is also open source)
     • Map Library to $TMPDIR/AppTranslocation/d/d/Library
     • Access all files
  51. https://vimeo.com/653709886
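Every technique on slides 37–40 and 48–49 leaves a trace in the mount table: a snapshot mounted with `noowners`, a volume mounted over `~/Library` or the TCC directory, or a nullfs translocation of a path that is not an app bundle. The parser below is an added example (not from the talk) that triages `mount` output for exactly those three patterns. The line shape it expects, `<source> on <mountpoint> (<fstype>, <option>, ...)`, mirrors what macOS `mount` prints; the sample lines, device names and folder ids are constructed.

```python
# Added example: flag mount-table entries matching the TCC mounting bypass patterns.
# Not from the presentation; sample mount output is constructed.
import re

# "<source> on <mountpoint> (<fstype>, <opt>, <opt>, ...)"
MOUNT_RE = re.compile(r"^(?P<src>.+?) on (?P<mp>.+) \((?P<opts>[^()]*)\)$")
TCC_DIRS = ("/Library/Application Support/com.apple.TCC",)


def parse_mount_line(line: str):
    m = MOUNT_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group("opts").split(",")]
    return {"source": m.group("src"), "mountpoint": m.group("mp"),
            "fstype": fields[0], "options": set(fields[1:])}


def assess(entry: dict) -> list:
    """Reasons this mount resembles one of the bypass patterns (empty list if none)."""
    mp, reasons = entry["mountpoint"], []
    if "noowners" in entry["options"]:
        reasons.append("noowners: ownership ignored, every user's files readable (CVE-2020-9771 pattern)")
    if re.match(r"^/Users/[^/]+/Library(/|$)", mp) or mp.startswith(TCC_DIRS):
        reasons.append("mount over a TCC-protected directory (CVE-2021-1784 / CVE-2021-30808 pattern)")
    if entry["fstype"] == "nullfs" and "/AppTranslocation/" in mp and not entry["source"].endswith(".app"):
        reasons.append("translocation of something other than an app bundle (CVE-2021-30782 pattern)")
    return reasons


def triage(mount_output: str) -> list:
    """(mountpoint, reasons) for every flagged line of `mount` output."""
    flagged = []
    for line in mount_output.splitlines():
        entry = parse_mount_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append((entry["mountpoint"], reasons))
    return flagged


# Constructed sample: two ordinary system volumes, then one line per bypass pattern,
# plus a legitimate translocated app that must NOT be flagged.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s1s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk1s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s1 on /private/tmp/snap (apfs, local, read-only, noowners)
/dev/disk4s1 on /Users/alice/Library (hfs, local, nodev, nosuid, mounted by alice)
/Users/alice/Downloads/Foo.app on /private/var/folders/zz/T/AppTranslocation/1111-2222/d/Foo.app (nullfs, local, nodev, nosuid)
/Users/alice/Library on /private/var/folders/zz/T/AppTranslocation/d/d/Library (nullfs, local, nodev, nosuid)
"""

if __name__ == "__main__":
    for mountpoint, reasons in triage(SAMPLE_MOUNT_OUTPUT):
        print(mountpoint)
        for r in reasons:
            print("   -", r)
```

Run it periodically against `mount` (or feed it mount events from an endpoint agent) and the three post-fix states become visible: Apple's fix for the snapshot case requires Full Disk Access, the TCC directory itself can no longer be mounted over, and translocation of non-bundle paths was the Monterey-era gap.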
  52. TCC BYPASSES WITH /USR/BIN/GREP 😅
     • Private info is everywhere
     • Various DBs, caches, configuration files – keep / leak bits of info
     • How to find them? grep to the rescue 🤣
  53. TCC info leaks
     • CVE-2020-9963 - QuickLook thumbnails DB (filenames)
     • CVE-2021-1803 - CloudDocs DBs (filenames)
     • CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts)
     • CVE-2021-30803 - com.apple.identityservices.idstatuscache.plist (contacts)
     • CVE-2021-30750 - Recents database (contacts)
  54. TCC info leaks
     • CVE-2021-30817 - CircleCache.plist (family contacts, birth date)
     • CVE-2021-30804 - com.apple.findmy.fmipcore cache (family contacts)
     • CVE-2021-???? - knowledgeC.db (full iMessages, contacts, etc.)
     • WON’T FIX - Quarantine database (full download history)
     • And many more… (yet to be fixed)
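The practical question for a defender after slides 52–54 is which of these artifacts a non-entitled process on a given macOS build can still read. The scanner below is an added example, not the presenters' tooling: it walks a Library tree, picks out files whose names match the artifacts named on the slides, and records whether opening each one succeeds for the current process. The sample tree it builds is constructed (the subdirectory names are illustrative, not the real locations), with one file made unreadable to stand in for a TCC denial.

```python
# Added example: which known leaky artifacts can this process actually read?
# Not from the talk; the sample Library tree is constructed.
import os
import tempfile

# Artifact file names from slides 53-54, with the data they leak as stated there.
KNOWN_LEAKY_ARTIFACTS = {
    "knowledgeC.db": "full iMessages, contacts, etc.",
    "CircleCache.plist": "family contacts, birth date (CVE-2021-30817)",
    "UITextInputContextIdentifiers.plist": "contacts (CVE-2021-1781)",
    "com.apple.identityservices.idstatuscache.plist": "contacts (CVE-2021-30803)",
}


def scan(library_root: str) -> list:
    """Walk a Library tree; for every known artifact record whether this process can read it."""
    results = []
    for dirpath, _dirs, files in os.walk(library_root):
        for name in files:
            if name not in KNOWN_LEAKY_ARTIFACTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    fh.read(1)          # the open is the test: TCC denies it with EPERM
                readable = True
            except PermissionError:
                readable = False
            results.append({"name": name, "path": path,
                            "what": KNOWN_LEAKY_ARTIFACTS[name], "readable": readable})
    return sorted(results, key=lambda r: r["path"])


def leak_report(library_root: str) -> list:
    """Only the artifacts actually readable: what grep would reach from an unprivileged process."""
    return [r for r in scan(library_root) if r["readable"]]


def build_sample_tree() -> str:
    """Constructed stand-in for ~/Library; directory names are illustrative only."""
    root = tempfile.mkdtemp(prefix="tcc-leak-demo-")
    files = {
        "Application Support/Knowledge/knowledgeC.db": 0o600,
        "Caches/demo-cache/CircleCache.plist": 0o000,           # simulates an access denial
        "Preferences/UITextInputContextIdentifiers.plist": 0o600,
        "Preferences/com.apple.identityservices.idstatuscache.plist": 0o600,
        "Preferences/unrelated.plist": 0o600,                  # not an artifact of interest
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for r in scan(root):
        print(("READABLE " if r["readable"] else "denied   ") + r["path"] + "  # " + r["what"])
```

Point `scan()` at a real `~/Library` from a plain Terminal without Full Disk Access and the readable entries are the ones still open on that build; re-run after each update to see which of the slide 54 items have been fixed. The name list is the only macOS-specific knowledge in the script, so extending it is a one-line change.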
  55. APPLE SECURITY BOUNTY (ASB) – https://developer.apple.com/security-bounty/payouts/
  56. APPLE SECURITY BOUNTY (ASB)
     • Apple pays what it promised
     • Bug fixes are often slow – especially for design issues
     • Some reports were fixed in Monterey only, although they were reported in Catalina -> 2 major OS versions!! (architectural issues)
     • Lack of communication, often no updates for months
     • ASB eligibility decision timeline is long, but started to improve recently
  57. CONCLUSION
     • We appreciate the effort
     • Step in the right direction
     • Other vendors should do the same
     • Still lots of issues
        1. Apple’s binaries have too many exceptions
        2. Third parties are vulnerable to injection attacks
     • ASB has to improve
  58. Q&A
