#BHUSA @BlackHatEvents
20+ WAYS TO BYPASS YOUR MACOS SECURITY MECHANISMS
WHOAMI - CSABA
• Lead content developer of “macOS Control Bypasses” (EXP-312) training @ Offensive Security
• Developer of Shield.app – exploit protection for macOS
• Ex red and blue teamer
• Husband, father
• Hiking, trail running
WHOAMI - WOJCIECH
• Principal IT Security Consultant @ SecuRing
• Focused on iOS/macOS #appsec
• Blogger – https://wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security
AGENDA
1. Introduction to macOS Privacy
2. TCC bypasses through:
• plugins
• privileged helpers
• process injection
• mounting
• app behavior
• /usr/bin/grep
3. Our thoughts on the Apple Security Bounty
4. Conclusion
INTRO – MACOS SECURITY MECHANISMS
System Integrity Protection (SIP):
• Based on Sandbox kernel extension
• Restricts access to many directories on macOS
• Denies debugger attachments to processes signed directly by Apple
• Also known as rootless, because even root cannot perform the above-mentioned operations while SIP is turned on
TRANSPARENCY, CONSENT, AND CONTROL (TCC)
TRANSPARENCY, CONSENT, AND CONTROL (TCC)
• SQLite3 database
• /Library/Application Support/com.apple.TCC
• ~/Library/Application Support/com.apple.TCC
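The two TCC databases above hold the state a defender wants to audit. The Python script below is an added example, not code from the talk or its authors: it lists every grant in a TCC.db and flags holders of high-impact services (Full Disk Access, Accessibility, Screen Capture) that are missing from an allow-list. The column names (service, client, client_type, auth_value) and the auth_value meanings are my assumptions based on the macOS 11+ schema; the sample database is constructed in memory, because reading the real files requires Full Disk Access.

```python
# Added example (not from the talk): inventory the grants in a TCC.db.
# Assumptions (mine, not the slides'): the `access` table carries at least the
# columns service, client, client_type and auth_value, as on macOS 11+, where
# auth_value 2 = allowed, 3 = limited, 0 = denied and client_type 0 = bundle
# identifier, 1 = absolute path. The real files live in
# /Library/Application Support/com.apple.TCC/TCC.db (system) and
# ~/Library/Application Support/com.apple.TCC/TCC.db (user).
import sqlite3
from typing import Iterable
from urllib.parse import quote

# Services whose holders can reach other apps' protected data wholesale.
HIGH_IMPACT_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
}
AUTH_ALLOWED = 2


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a TCC database read-only so the audit can never change it."""
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)


def list_grants(conn: sqlite3.Connection) -> list[tuple[str, str, int, int]]:
    """Return (service, client, client_type, auth_value) for every row."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value FROM access "
        "ORDER BY service, client"
    )
    return [tuple(row) for row in rows]


def unexpected_high_impact_holders(grants, expected: Iterable[str]):
    """Clients allowed a high-impact service but absent from the allow-list."""
    expected = set(expected)
    return sorted(
        (service, client)
        for service, client, _client_type, auth_value in grants
        if service in HIGH_IMPACT_SERVICES
        and auth_value == AUTH_ALLOWED
        and client not in expected
    )


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample with only the columns the audit queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/mystery-tool", 1, 2),
        ("kTCCServiceSystemPolicyDesktopFolder", "com.example.editor", 0, 2),
        ("kTCCServiceAccessibility", "com.example.denied", 0, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Swap build_sample_db() for open_tcc_db(<path from the slide>) on a real Mac.
    grants = list_grants(build_sample_db())
    for service, client, client_type, auth_value in grants:
        print(f"{service:45} {client:35} type={client_type} auth={auth_value}")
    for service, client in unexpected_high_impact_holders(grants, ["com.example.backup"]):
        print(f"REVIEW: {client} holds {service}")
```

The read-only URI matters: an audit tool that opens TCC.db writable is one more process that could corrupt or alter the very database the later slides show being swapped out.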
TRANSPARENCY, CONSENT, AND CONTROL (TCC)
• User Intent
• Extended attribute: com.apple.macl
• Managed by the Sandbox
• Can’t be added/deleted
TRANSPARENCY, CONSENT, AND CONTROL (TCC)
• com.apple.macl
• Header
• UUID
TCC BYPASSES THROUGH PLUGINS
• TCCd validates the entitlements held by the main executable
• Plugins execute code in the context of the main application
• So plugins inherit the main application’s private TCC entitlements
[Diagram: System app with plugin → Kernel → TCC daemon, built up over several slides]
1. System app (with plugin) → Kernel: “I want to access files from Desktop”
2. Kernel → TCC daemon: “Hey TCC, check the permissions of the requesting app”
3. TCC daemon: Validate Code Signing requirement
4. TCC daemon → Kernel: Access Granted
5. Kernel → System app: Access Granted
[Final slide: the same flow with “System app with malicious plugin” – the request is attributed to the entitled main app, so the check passes]
TCC BYPASSES THROUGH PLUGINS
Changing NFSHomeDirectory aka CVE-2020-27937
1. Copy Directory Utility to a location not protected by SIP
2. Inject a malicious plugin that will be executed with Directory Utility’s private TCC entitlements
3. Prepare a fake TCC SQLite3 database with fake permissions
4. Modify NFSHomeDirectory
5. Restart TCCd, so that it loads the fake database based on the new NFSHomeDirectory
6. Full user TCC bypass achieved 😎
https://vimeo.com/653698755
TCC BYPASSES THROUGH PRIVILEGED HELPERS
Privileged Helper tools TCC bypass aka CVE-2020-10008:
• Applications can use the SMJobBless() API to register privileged helpers
• These helpers are stored in /Library/PrivilegedHelperTools
• The helpers have launchd plists embedded that point to their main apps’ csreqs
• When a helper tries to access protected resources, TCC validates the permissions of the main application
Wait what? A security mechanism guesses the responsible process? 😂
TCC BYPASSES THROUGH PRIVILEGED HELPERS
CVE-2020-10008 - attack scenario:
1. Find an application (Donor) that already has a suitable TCC permission granted
2. Create a malicious Privileged Helper and embed the Donor’s code signing requirement
3. Manually copy the Privileged Helper to /Library/PrivilegedHelperTools
4. TCC privileges of the Donor app taken over 😎
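Since TCC attributes a helper’s access to the app named by the embedded requirement, a defender wants an inventory of which app every helper in /Library/PrivilegedHelperTools binds itself to. The Python below is an added example, not code from the talk: it scans a helper binary for embedded XML plists (a heuristic, and my assumption: the launchd plist and the Info.plist are stored as XML inside the Mach-O), reads the SMAuthorizedClients requirement strings from the Info.plist, extracts the identifier each requirement pins, and flags requirements that pin neither an identifier nor the Apple anchor. SAMPLE_HELPER is a constructed stand-in for a real helper file.

```python
# Added example (not the talk's code): map each privileged helper to the apps
# whose code signing requirements it embeds. Assumptions (mine): helpers under
# /Library/PrivilegedHelperTools embed their Info.plist and launchd plist as
# XML, so a raw scan for "<?xml ... </plist>" finds both; SMAuthorizedClients
# (Info.plist) lists the requirement strings of the apps the helper serves and
# Label (launchd plist) names the job.
import os
import plistlib
import re

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
IDENTIFIER_RE = re.compile(r'identifier\s+"([^"]+)"')


def embedded_plists(data: bytes) -> list[dict]:
    """Every parseable XML plist found in the raw bytes of a binary (heuristic)."""
    found = []
    for match in PLIST_RE.finditer(data):
        try:
            found.append(plistlib.loads(match.group(0)))
        except Exception:  # malformed fragment: not a real embedded plist
            continue
    return found


def helper_summary(data: bytes) -> dict:
    """Label, pinned client identifiers and weak requirements of one helper."""
    summary = {"label": None, "clients": [], "weak": []}
    for plist in embedded_plists(data):
        if summary["label"] is None and "Label" in plist:
            summary["label"] = plist["Label"]
        for req in plist.get("SMAuthorizedClients", []):
            ids = IDENTIFIER_RE.findall(req)
            summary["clients"].extend(ids or ["<no identifier>"])
            # A requirement that pins neither an identifier nor the Apple
            # anchor can be satisfied by more than the intended app.
            if not ids or "anchor apple generic" not in req:
                summary["weak"].append(req)
    return summary


def inventory(directory: str = "/Library/PrivilegedHelperTools") -> dict:
    """helper file name -> summary, for every regular file in the directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = helper_summary(fh.read())
    return result


# Constructed stand-in for a helper binary: filler bytes around two XML plists.
SAMPLE_HELPER = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32
    + plistlib.dumps({"Label": "com.example.helper",
                      "MachServices": {"com.example.helper": True}})
    + b"\x00" * 16
    + plistlib.dumps({
        "CFBundleIdentifier": "com.example.helper",
        "SMAuthorizedClients": [
            'identifier "com.example.app" and anchor apple generic and '
            'certificate leaf[subject.OU] = "TEAMID0000"',
            "anchor apple generic",  # constructed weak requirement: no identifier
        ],
    })
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, info in {"sample-helper": helper_summary(SAMPLE_HELPER)}.items():
        print(name, info)
```

Comparing the pinned identifiers with the helpers you expect on the machine, and verifying each helper’s own signature with codesign -dv --verbose=4 (not done by this script), is the check that surfaces a helper that was simply copied into the directory as in the scenario above.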
https://vimeo.com/653703584
TCC BYPASSES THROUGH PROCESS INJECTION
• We again execute code in the context of an entitled application
• 3rd party apps are especially vulnerable to this kind of attack
• If you manually give the vulnerable app TCC permissions, malware can abuse that app
• Electron apps are vulnerable by default 😅
• We have found such vulnerabilities in many apps, including:
o Firefox (0day / won’t fix)
o StreamLabs OBS (0day / won’t fix)
o Signal (CVE-2020-24259, fixed)
o Snagit (fixed)
https://wojciechregula.blog/post/how-to-rob-a-firefox/
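Before manually granting an app TCC permissions, it is worth checking how exposed that app is to injection. The Python below is an added example, not code from the talk: parse_entitlements reads the plist that `codesign -d --entitlements - <App.app>` prints (skipping any binary header before the XML), has_hardened_runtime reads the `flags=...(runtime)` field of `codesign -dv` output, and injection_risks lists the entitlements that re-open injection vectors the hardened runtime otherwise closes. Both sample outputs are constructed; the entitlement keys are Apple’s documented hardened-runtime exceptions.

```python
# Added example (not the talk's code): decide whether an app you are about to
# grant TCC permissions to is an easy injection target. Assumptions (mine):
# entitlements come from `codesign -d --entitlements - <App.app>` and the
# hardened-runtime flag from the "CodeDirectory ... flags=0x10000(runtime)"
# line of `codesign -dv <App.app>`; both samples below are constructed.
import plistlib
import re

# Entitlements that re-open injection vectors the hardened runtime closes.
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "library validation disabled: unsigned or differently signed dylibs load",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory allowed",
    "com.apple.security.get-task-allow":
        "task port obtainable by same-uid processes (debug build)",
}
FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def parse_entitlements(raw: bytes) -> dict:
    """Entitlements dict from `codesign -d --entitlements -` output."""
    start = raw.find(b"<?xml")
    return plistlib.loads(raw[start:]) if start >= 0 else {}


def has_hardened_runtime(codesign_dv: str) -> bool:
    """True when the CodeDirectory flags of `codesign -dv` include 'runtime'."""
    m = FLAGS_RE.search(codesign_dv)
    return bool(m) and "runtime" in [f.strip() for f in m.group(1).split(",")]


def injection_risks(entitlements: dict, hardened: bool) -> list[str]:
    """Human-readable list of why code could be injected into this app."""
    risks = []
    if not hardened:
        risks.append("hardened runtime off: library validation and DYLD restrictions do not apply")
    for key, why in INJECTION_ENTITLEMENTS.items():
        if entitlements.get(key) is True:
            risks.append(f"{key}: {why}")
    return risks


# Constructed samples: an 8-byte blob header followed by an entitlements plist,
# and two abbreviated `codesign -dv` outputs (hardened and not).
SAMPLE_ENTITLEMENTS = b"\xfa\xde\x71\x71\x00\x00\x01\x00" + plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.get-task-allow": False,
})
SAMPLE_CODESIGN_HARDENED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
"""
SAMPLE_CODESIGN_PLAIN = SAMPLE_CODESIGN_HARDENED.replace(
    "flags=0x10000(runtime)", "flags=0x0(none)")

if __name__ == "__main__":
    ent = parse_entitlements(SAMPLE_ENTITLEMENTS)
    for risk in injection_risks(ent, has_hardened_runtime(SAMPLE_CODESIGN_HARDENED)):
        print("RISK:", risk)
```

An app with no hardened runtime, or with library validation disabled, fits the slide’s “vulnerable by default” description: any TCC permission you grant it is effectively granted to whatever can load code into it.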
TCC BYPASSES THROUGH MOUNTING
CVE-2020-9771 - mount_apfs TCC bypass
• APFS supports snapshots
• Mount the snapshot in a custom location
• Access all files (read-only)
• Mount with “noowners” → access every user’s files
• FIX: requires Full Disk Access 😭
TCC BYPASSES THROUGH MOUNTING
CVE-2021-1784 - TCC bypass via disk mounting
• User’s TCC DB file is protected
• But! We can mount over the directory
• Prepare a new TCC.db file on a new disk image
• Mount over “~/Library/Application Support/com.apple.TCC”
• Profit 🤑
https://vimeo.com/653701892
TCC BYPASSES THROUGH MOUNTING V2
CVE-2021-30808 - TCC bypass via disk mounting
• CVE-2021-1784 reborn
• Found in Monterey Beta 1; Big Sur was not impacted
• Can’t mount over “~/Library/Application Support/com.apple.TCC”
• But! Can mount over “~/Library/”
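The three mounting bugs on these slides share one observable: a filesystem mounted on top of the user’s TCC state, or a volume mounted noowners. The Python below is an added example, not code from the talk, that parses the output of mount (the line format `<device> on <mountpoint> (<options>)` is my assumption from macOS), reports any mount that covers ~/Library, the user TCC directory or the system TCC directory, and separately reports noowners mounts. The mount output is constructed; live_findings() runs the same check against the real mount table.

```python
# Added example (not the talk's code): detect a mount that covers the user's
# TCC state or disables ownership checks. Assumptions (mine): `mount` prints
# lines of the form "<device> on <mountpoint> (<opt>, <opt>, ...)"; the sample
# output below is constructed.
import os
import re
import subprocess

MOUNT_LINE = re.compile(r"^(?P<dev>\S+) on (?P<mp>.+) \((?P<opts>[^)]*)\)$")


def parse_mount_output(text: str) -> list[tuple[str, str, list[str]]]:
    """(device, mountpoint, options) for each well-formed line of `mount` output."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if m:
            opts = [o.strip() for o in m.group("opts").split(",")]
            entries.append((m.group("dev"), m.group("mp"), opts))
    return entries


def sensitive_paths(home: str) -> list[str]:
    """Directories nothing should be mounted on top of (user and system TCC state)."""
    return [
        os.path.join(home, "Library"),
        os.path.join(home, "Library", "Application Support", "com.apple.TCC"),
        "/Library/Application Support/com.apple.TCC",
    ]


def covers(mountpoint: str, path: str) -> bool:
    """True when `mountpoint` is `path` itself or an ancestor of it (root excluded)."""
    mp = os.path.normpath(mountpoint)
    if mp == os.sep:
        return False
    return path == mp or path.startswith(mp + os.sep)


def suspicious_mounts(entries, home: str) -> list[dict]:
    """One finding per mount that covers a sensitive path or is mounted noowners."""
    findings = []
    for dev, mp, opts in entries:
        reasons = []
        for path in sensitive_paths(home):
            if covers(mp, os.path.normpath(path)):
                reasons.append(f"covers {path}")
        if "noowners" in opts:
            reasons.append("mounted noowners: ownership checks disabled")
        if reasons:
            findings.append({"device": dev, "mountpoint": mp, "reasons": reasons})
    return findings


def live_findings() -> list[dict]:
    """Run the check against the real mount table (macOS only)."""
    text = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    return suspicious_mounts(parse_mount_output(text), os.path.expanduser("~"))


# Constructed `mount` output: a normal system plus two mounts worth a look.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk4s1 on /Users/alice/Library (apfs, local, nodev, nosuid, journaled, noowners)
/dev/disk5s1 on /Volumes/Snapshot (apfs, local, read-only, journaled, noowners)
"""

if __name__ == "__main__":
    for finding in suspicious_mounts(parse_mount_output(SAMPLE_MOUNT_OUTPUT), "/Users/alice"):
        print(finding["mountpoint"], "<-", finding["device"], "|", "; ".join(finding["reasons"]))
```

A home directory that legitimately lives on its own volume (for example under /Volumes) will also be reported by the ancestor check, so treat the output as a review list rather than an alert on its own; the noowners reason is the one that should be rare on a workstation.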
https://vimeo.com/653705598
TCC BYPASSES THROUGH APP BEHAVIOR
• Some apps can access private files
• Some apps move files when they do something
• Some apps can do both
[Diagram: a malicious app talking to an app with access to private files]
Malicious app: Hi app! I see you can access XYZ private files.
App with access to private files: Yes! Why?
Malicious app: Could you move those files for me to location ABC?
App with access to private files: Of course! Here they are.
Malicious app: Thank you!
App with access to private files: Anytime! It was my pleasure.
TCC BYPASSES THROUGH APP BEHAVIOR
CVE-2021-30751 – Notes.app
• Opening files with Notes → they are auto-attached to a note
• Notes are unprotected
TCC BYPASSES THROUGH APP BEHAVIOR
CVE-2021-30782 – App translocation
• Makes a NULLFS mount (not a copy) when a downloaded app is first run
• Destination: $TMPDIR/AppTranslocation/d/d/Some.app
• Open source, as part of Apple’s Security project
• Library: libsecurity_translocate
• Binary: /usr/libexec/lsd
TCC BYPASSES THROUGH APP BEHAVIOR
CVE-2021-30782 – App translocation
• Add the quarantine attribute to “Library”
• Call the com.apple.security.translocation XPC service
• (the XPC client is also open source)
• Library is mapped to $TMPDIR/AppTranslocation/d/d/Library
• Access all files
TCC BYPASSES THROUGH APP BEHAVIOR
CVE-2021-30782 – App translocation
https://vimeo.com/653709886
TCC BYPASSES WITH /USR/BIN/GREP 😅
• Private info is everywhere
• Various DBs, caches, configuration files – keep / leak bits of info
• How to find them? grep to the rescue 🤣
TCC info leaks
• CVE-2020-9963 - QuickLook thumbnails DB (filenames)
• CVE-2021-1803 - CloudDocs DBs (filenames)
• CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts)
• CVE-2021-30803 - com.apple.identityservices.idstatuscache.plist (contacts)
• CVE-2021-30750 - Recents database (contacts)
TCC info leaks
• CVE-2021-30817 - CircleCache.plist (family contacts, birth date)
• CVE-2021-30804 - com.apple.findmy.fmipcore cache (family contacts)
• CVE-2021-???? - knowledgeC.db (full iMessages, contacts, etc..)
• WON’T FIX - Quarantine database (full download history)
• And many more… (yet to be fixed)
APPLE SECURITY BOUNTY (ASB)
https://developer.apple.com/security-bounty/payouts/
APPLE SECURITY BOUNTY (ASB)
• Apple pays what it promised
• Bug fixes are often slow – especially for design issues
• Some reports were fixed only in Monterey, although they were reported in Catalina → 2 major OS versions! (architectural issues)
• Lack of communication, often no updates for months
• The ASB eligibility decision timeline is long, but has started to improve recently
CONCLUSION
• We appreciate the effort
• Step in the right direction
• Other vendors should do the same
• Still lots of issues
1. Apple’s binaries have too many exceptions
2. Third parties are vulnerable to injection attacks
• ASB has to improve
Q&A

More Related Content

What's hot

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

What's hot (20)

Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
 
Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power services
 
Grafana Dashboards as Code
Grafana Dashboards as CodeGrafana Dashboards as Code
Grafana Dashboards as Code
 
OpenStackで始めるクラウド環境構築入門
OpenStackで始めるクラウド環境構築入門OpenStackで始めるクラウド環境構築入門
OpenStackで始めるクラウド環境構築入門
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
AWSとReactで始めるShopifyアプリ開発
AWSとReactで始めるShopifyアプリ開発AWSとReactで始めるShopifyアプリ開発
AWSとReactで始めるShopifyアプリ開発
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Command injection
Command injectionCommand injection
Command injection
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 

Similar to 20+ Ways To Bypass Your Macos Privacy Mechanisms

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 

Similar to 20+ Ways To Bypass Your Macos Privacy Mechanisms (20)

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Common primitives in Docker environments
Common primitives in Docker environmentsCommon primitives in Docker environments
Common primitives in Docker environments
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
 
Securing Source Code on Endpoints
Securing Source Code on EndpointsSecuring Source Code on Endpoints
Securing Source Code on Endpoints
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
 

More from SecuRing

Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing
 

More from SecuRing (20)

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
Serverless security: attack & defense
 Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS apps
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 

20+ Ways To Bypass Your Macos Privacy Mechanisms

  • 1. #BHUSA @BlackHatEvents 20+ WAYS TO BYPASS YOUR MACOS SECURITY MECHANISMS
  • 2. #BHUSA @BlackHatEvents WHOAMI - CSABA • Lead content developer of “macOS Control Bypasses” (EXP- 312) training @ Offensive Security • Developer of Shield.app – exploit protection for macOS • Ex red and blue teamer • Husband, father • Hiking, trail running
  • 3. #BHUSA @BlackHatEvents WHOAMI - WOJCIECH • Principal IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger – https://wojciechregula.blog • iOS Security Suite Creator • macOS environments security
  • 4. #BHUSA @BlackHatEvents AGENDA 1. Introduction to macOS Privacy 2. TCC bypasses through: • plugins • privileged helpers • process injection • mounting • app behavior • /usr/bin/grep 3. Our thoughts on the Apple Security Bounty 4. Conclusion
  • 5. #BHUSA @BlackHatEvents INTRO – MACOS SECURITY MECHANISMS System Integrity Protection (SIP): • Based on Sandbox kernel extension • Restricts access to many directories on macOS • Denies debugger attachments to processes signed directly by Apple • Also known as rootless, because even root cannot do the above-mentioned operations when the SIP is turned on
  • 8. #BHUSA @BlackHatEvents • SQLite3 Database • /Library/Application Support/com.apple.TCC • ~/Library/Application Support/com.apple.TCC TRANSPARENCY, CONSENT, AND CONTROL (TCC)
  • 9.
  • 10.
  • 11. #BHUSA @BlackHatEvents • User Intent • Extended attribute: com.apple.macl • Managed by the Sandbox • Can’t be added/deleted TRANSPARENCY, CONSENT, AND CONTROL (TCC)
  • 13. #BHUSA @BlackHatEvents • com.apple.macl • Header • UUID TRANSPARENCY, CONSENT, AND CONTROL (TCC)
  • 14. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH PLUGINS • TCCd validates entitlements held by the main executable • Plugins execute code in the context of the main application • So, plugins inherit the private tcc entitlements
  • 15. System app with plugin TCC daemon Kernel
  • 16. System app with plugin TCC daemon Kernel I want to access files from Desktop
  • 17. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app
  • 18. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement
  • 19. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted
  • 20. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  • 22. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  • 23. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC BYPASSES THROUGH PLUGINS
  • 24. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC BYPASSES THROUGH PLUGINS
  • 25.
  • 26.
  • 27.
  • 28.
  • 29. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 1. Copy Directory Utility to location not protected by the SIP 2. Inject a malicious plugin that will be executed with the Directory Utility’s private TCC entitlements 3. Prepare a fake TCC SQLite3 database with fake permissions 4. Modify the NFSHomeDirectory 5. Restart TCCd, so it will load our fake database basing on the NFSHomeDirectory 6. Full user TCC bypass achieved 😎 TCC BYPASSES THROUGH PLUGINS
  • 31. #BHUSA @BlackHatEvents Privileged Helper tools TCC bypass aka CVE-2020-10008: • Applications can use SMJobBless() API to register privileged helpers • These helpers are stored in the /Library/PrivilegedHelperTools • The helpers have launchd plists embedded that point to their main apps’ csreqs • When helper tries accessing protected resources, TCC validates permissions of the main application TCC BYPASSES THROUGH PRIVILEGED HELPERS
  • 32. #BHUSA @BlackHatEvents Wait what? A security mechanism guesses the responsible process? 😂
  • 39. #BHUSA @BlackHatEvents CVE-2020-10008 - attack scenario: 1. Find application (Donor) that has suitable TCC permission already granted 2. Create a malicious Privileged Helper and embed the Donor’s codesigning requirement 3. Manually copy the Privileged Helper to the /Library/PrivilegedHelperTools 4. TCC privileges of the Donor’s app taken over 😎 TCC BYPASSES THROUGH PRIVILEGED HELPERS
  • 41. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH PROCESS INJECTION • We execute code again in the context of an entitled application • 3rd party apps are especially vulnerable to this kind of attack • If you manually give the vulnerable app TCC permissions, malware can abuse that app • Electron apps are vulnerable by default 😅 • We have found such vulnerabilities in many apps including: o Firefox (0day / won’t fix) o StreamLabs OBS (0day / won’t fix) o Signal (CVE-2020-24259, fixed) o SnagIt (fixed)
  • 43. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH MOUNTING CVE-2020-9771 - mount_apfs TCC bypass • APFS supports snapshots • Mount the snapshot in a custom location • Access all files (read-only) • Mount with “noowners” → access every user’s files • FIX: requires Full Disk Access 😭
  • 44. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH MOUNTING CVE-2021-1784 - TCC bypass via disk mounting • User’s TCC DB file is protected • But! We can mount over the directory • Prepare a new TCC.db file in a new disk image • Mount over “~/Library/Application Support/com.apple.TCC” • Profit 🤑
  • 46. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH MOUNTING V2 CVE-2021-30808 - TCC bypass via disk mounting • The rebirth of CVE-2021-1784 • Found in Monterey Beta 1, Big Sur was not impacted • Can’t mount over “~/Library/Application Support/com.apple.TCC” • But! Can mount over “~/Library/”
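A defender-side check for the three mounting cases above (the noowners snapshot mounts of CVE-2020-9771 and the mount-overs of ~/Library and com.apple.TCC in CVE-2021-1784 and CVE-2021-30808), added here and not part of the talk: it parses lines in the format of macOS `mount` output and flags both patterns. The sample lines are constructed, and the option names (`apfs`, `noowners`) are assumed to match what `mount` prints on macOS.

```python
import re

# "<device> on <mountpoint> (<opt>, <opt>, ...)" as printed by macOS mount(8)
MOUNT_LINE = re.compile(r"^(?P<device>.+?) on (?P<mountpoint>/.*?) \((?P<opts>[^)]*)\)$")
USER_LIBRARY = re.compile(r"^/Users/[^/]+/Library(/|$)")


def parse_mount_line(line: str):
    """Split one mount line into device, mountpoint and option list (None if unparseable)."""
    m = MOUNT_LINE.match(line.strip())
    if not m:
        return None
    return {"device": m["device"], "mountpoint": m["mountpoint"],
            "options": [o.strip() for o in m["opts"].split(",")]}


def suspicious_mounts(lines):
    """Heuristic findings as (mountpoint, reason) pairs.
    External volumes under /Volumes are the normal 'noowners' case and are skipped."""
    findings = []
    for line in lines:
        ent = parse_mount_line(line)
        if not ent:
            continue
        mp, opts = ent["mountpoint"], ent["options"]
        # CVE-2020-9771 pattern: APFS snapshot/volume mounted ignoring ownership
        if "apfs" in opts and "noowners" in opts and not mp.startswith("/Volumes/"):
            findings.append((mp, "apfs mount with noowners outside /Volumes"))
        # CVE-2021-1784 / CVE-2021-30808 pattern: something mounted over a user's Library
        if USER_LIBRARY.match(mp):
            findings.append((mp, "filesystem mounted over a user's ~/Library"))
    return findings


# Constructed sample of `mount` output (not captured from a real system).
SAMPLE = """
/dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk2s1 on /Volumes/USBSTICK (apfs, local, nodev, nosuid, noowners)
com.apple.TimeMachine.2021-08-01-120000.local@/dev/disk1s1 on /private/tmp/snap (apfs, local, read-only, noowners)
/dev/disk3s1 on /Users/alice/Library (hfs, local, nodev, nosuid, noowners)
""".strip().splitlines()

if __name__ == "__main__":
    for mountpoint, reason in suspicious_mounts(SAMPLE):
        print(f"{mountpoint}: {reason}")
```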
  • 48. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR • Some apps can access private files • Some apps move files when they do something • Some apps can do both
  • 49–51. Diagram: dialogue between a malicious app and an app with access to private files. Malicious app: “Hi app! I see you can access XYZ private files.” App: “Yes! Why?” Malicious app: “Could you move those files for me to location ABC?” App: “Of course! Here they are.” Malicious app: “Thank you!” App: “Anytime! It was my pleasure.”
  • 52. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR CVE-2021-30751 – Notes.app • Open files with Notes → they are auto-attached to notes • Notes are unprotected
  • 53. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR CVE-2021-30751 – Notes.app
  • 54. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR CVE-2021-30782 – App translocation • Makes a NULLFS mount (not a copy) when a downloaded app is first run • Destination: $TMPDIR/AppTranslocation/d/d/Some.app • Open source as part of Security. • Library: libsecurity_translocate • Binary: /usr/libexec/lsd
  • 55. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR CVE-2021-30782 – App translocation • Add the Quarantine attribute to “Library” • Call the com.apple.security.translocation XPC service • (the XPC client is also open source) • Map Library to $TMPDIR/AppTranslocation/d/d/Library • Access all files
  • 56. #BHUSA @BlackHatEvents TCC BYPASSES THROUGH APP BEHAVIOR CVE-2021-30782 – App translocation
  • 58. #BHUSA @BlackHatEvents TCC BYPASSES WITH /USR/BIN/GREP 😅 • Private info is everywhere • Various DBs, caches, configuration files – keep / leak bits of info • How to find them? grep to the rescue 🤣
  • 59. #BHUSA @BlackHatEvents TCC info leaks • CVE-2020-9963 - QuickLook thumbnails DB (filenames) • CVE-2021-1803 - CloudDocs DBs (filenames) • CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts) • CVE-2021-30803 - com.apple.identityservices.idstatuscache.plist (contacts) • CVE-2021-30750 - Recents database (contacts)
  • 60. #BHUSA @BlackHatEvents TCC info leaks • CVE-2021-30817 - CircleCache.plist (family contacts, birth date) • CVE-2021-30804 - com.apple.findmy.fmipcore cache (family contacts) • CVE-2021-???? - knowledgeC.db (full iMessages, contacts, etc.) • WON’T FIX - Quarantine database (full download history) • And many more… (yet to be fixed)
  • 61. #BHUSA @BlackHatEvents APPLE SECURITY BOUNTY (ASB) https://developer.apple.com/security-bounty/payouts/
  • 62. #BHUSA @BlackHatEvents APPLE SECURITY BOUNTY (ASB) • Apple pays what it promised • Bug fixes are often slow – especially for design issues • Some reports were fixed only in Monterey, although they were reported in Catalina → 2 major OS versions!! (architectural issues) • Lack of communication, often no updates for months • ASB eligibility decision timeline is long, but has started to improve recently
  • 63. #BHUSA @BlackHatEvents CONCLUSION • We appreciate the effort • Step in the right direction • Other vendors should do the same • Still lots of issues 1. Apple’s binaries have too many exceptions 2. Third parties are vulnerable to injection attacks • ASB has to improve