Abusing & Securing XPC in macOS apps
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC has led to many severe bugs, including ones used in jailbreaks. While XPC bugs in Apple's own components are getting harder and harder to exploit, has anyone looked at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere: antivirus products, messengers, privacy tools, firewalls, and more.

This presentation will:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to finally fix that vulnz!


Slide 1: Abusing & Securing XPC in macOS apps (Wojciech Reguła, www.securing.biz)

Slide 2: WHOAMI
- Senior IT Security Consultant @ SecuRing
- Focused on iOS apps security
- Blogger: https://wojciechregula.blog/
- iOS Security Suite creator
- @_r3ggi, wojciech.regula@securing.pl

Slide 3: XPC VULNERABILITIES ARE EVERYWHERE

Slide 4: AGENDA
1. Introduction to XPC
2. Building secure Helper
3. Exploiting previous step
4. Hardening
5. IF bypass_available() { GOTO 2. }
6. Summary

Slide 5: (NS)XPC
- Fundamental IPC mechanism in Apple environment
- Built on top of Mach messages
- Dictionary based communication
- Possible multiple clients and one server
- You can send and serialize ObjC/Swift objects

Slide 6: Server

Slide 7: Client

Slide 8: INTER-PROCESS COMMUNICATION: Application <-> Privileged XPC server

Slide 9: uid=501 (user) / uid=0 (root)
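The server/client pair that slides 6 to 9 describe, written out as an added example (this is not the deck's own listing and not SecuRing's helper code). The Mach service name `com.example.helper`, the `HelperProtocol` protocol and its single `getVersionWithReply:` method are assumptions chosen for illustration; the service name has to match the `MachServices` key of the helper's launchd plist. The listener delegate accepts every connection, which is exactly the state the deck's Bug #1 describes: the point of showing it is that `listener:shouldAcceptNewConnection:` is the one place where client validation belongs.

```objective-c
#import <Foundation/Foundation.h>
#import <stdlib.h>
#import <string.h>

// Added example, not the deck's code. Service name, protocol and method are
// assumptions; the name must match the MachServices key of the launchd plist.
static NSString *const kHelperServiceName = @"com.example.helper";

@protocol HelperProtocol
// Every method listed here is callable by any client the delegate accepts.
- (void)getVersionWithReply:(void (^)(NSString *version))reply;
@end

// ---- Server side: the helper launchd starts as uid 0 ----
@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper

- (void)getVersionWithReply:(void (^)(NSString *))reply {
    reply(@"1.0");
}

// Called once per incoming connection. Returning YES unconditionally is the
// deck's Bug #1: any local process, not only the vendor's app, can then call
// every exported method as root. Client validation belongs here, before resume.
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

@end

static void RunServer(void) {
    NSXPCListener *listener =
        [[NSXPCListener alloc] initWithMachServiceName:kHelperServiceName];
    Helper *helper = [Helper new];
    listener.delegate = helper;   // delegate is weak; helper stays alive here
    [listener resume];
    [[NSRunLoop currentRunLoop] run];
}

// ---- Client side: the app running as uid 501 ----
static void RunClient(void) {
    NSXPCConnection *conn =
        [[NSXPCConnection alloc] initWithMachServiceName:kHelperServiceName
                                                 options:NSXPCConnectionPrivileged];
    conn.remoteObjectInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    [conn resume];

    id<HelperProtocol> proxy = [conn remoteObjectProxyWithErrorHandler:^(NSError *error) {
        NSLog(@"XPC error: %@", error);
        exit(1);
    }];
    [proxy getVersionWithReply:^(NSString *version) {
        NSLog(@"helper reports version %@", version);
        exit(0);
    }];
    [[NSRunLoop currentRunLoop] run];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc > 1 && strcmp(argv[1], "client") == 0) {
            RunClient();
        } else {
            RunServer();
        }
    }
    return 0;
}
```

Build with `clang -framework Foundation -fobjc-arc` and run with no argument for the server role (normally started by launchd from /Library/LaunchDaemons) or with `client` for the app role. Both sides agree on the protocol through `NSXPCInterface`; nothing in this version asks who the peer is.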
Slide 10: LOCATIONS OF THE XPC SERVERS
- /Library/PrivilegedHelperTools
- /Library/LaunchDaemons
- /Library/LaunchAgents

Slide 11: TIME FOR EXPLOITATION

Slide 12: BUG #1 – NO CLIENT VALIDATION

Slide 13: Malicious Application (uid=501, user) -> Privileged XPC server (uid=0, root)
- Malicious application: "Perform privileged action for me"
- XPC server: "OK, I don't even verify you"

Slide 14: BUG #1 – NO CLIENT VALIDATION (Keybase.io)
Bug found by Adam Chester (@_xpn_). Methods exposed:
- remove
- move
- createDirectory
- addToPath
- kextInstall

Slide 15: BUG #1 – NO CLIENT VALIDATION

Slide 16: BUG #1 – FIX

Slide 17: BUG #2 – POOR SIGNATURE CHECK

Slide 18: BUG #2 – POOR SIGNATURE CHECK
- Checking only bundle ID
- Verifying only static code
- Using kSecCSBasicValidateOnly flag
- Too loose SecRequirement string
- and more...

Slide 19: (no text)

Slide 20: Exposed methods:
- uninstallDaemon
- terminateDaemonWithOptions
- deleteQuarantineItemsWithInfo
- quarantineItemsWithInfo
- cancelScan
- startScanWithPaths
- getDaemonInfoWithOptions

Slide 21: BUG #2 – FIX

Slide 22: BUG #3 – USING PID TO GET CODE OBJECT
Kudos to Samuel Groß (@5aelo) and Ian Beer (@I41nbeer)

Slide 23: Malicious process (pid: 1337): "Perform privileged action"

Slide 24: Server side, for the client with pid 1337:
1. Get process identifier of the client
2. Create code object based on that PID
3. Perform signature check
4. isValid() -> false
5. Invalidate the XPC connection (INVALIDATED)

Slide 25: The malicious process (pid: 1337) calls fork() four times, producing children with pid 1338, 1339, 1340 and 1341.

Slide 26: Each child (pid 1338, 1339, 1340, 1341) sends "Perform privileged action".

Slide 27: Server side, connections queued (connection1, connection2, connection3, connection4 in the XPC connections queue):
1. Get process identifier of the client
2. Create code object based on that PID (now pointing at a legitimate process)
3. Perform signature check
4. isValid() -> true
5. Establish valid connection

Slide 28: Change the process' image to the legit executable using posix_spawn() (the malicious process becomes the legitimate one under the same PID).

Slide 29: pid 1337 with children 1338-1341: the "Perform privileged action" request from the process that now carries the legitimate image goes through; the other connections are INVALIDATED.

Slide 30: Avast Cleanup. Exposed methods:
- removeWithFile
- copyWithSource

Slide 31: Malwarebytes. Exposed methods:
- startDatabaseUpdate
- restoreApplicationLauncherWithCompletion
- uninstallProduct
- installProductUpdate
- startProductUpdateWith
- buildPurchaseSiteURLWithCompletion
- triggerLicenseRelatedChecks
- buildRenewalLinkWith
- cancelTrialWith
- startTrialWith
- applyLicenseWith
- controlProtectionWithRawFeatures
- confirmScanJobWith
- resumeScanJob
- pauseScanJob
- stopScanJob
- startScanJob
- disposeOperationBy
- pingWithTag

Slide 32: (no text)

Slide 33: BUG #3 – FIX

Slide 34: BUG #3 – FIX

Slide 35: BUG #4 – NO CODE INJECTION PREVENTION

Slide 36: BUG #4 – NO CODE INJECTION PREVENTION
1. Get audit token of the client
2. Create code object based on that token
3. Perform signature check
4. isValid() -> false
5. Invalidate the XPC connection

Slide 37: BUG #4 – NO CODE INJECTION PREVENTION
- Apple's signature checking API doesn't detect:
  - code injected with DYLD_INSERT_LIBRARIES
  - nor code injected via task_for_pid()

Slide 38: LuLu. Exposed methods:
- loadKext
- getPreferences
- updatePreferences
- getRules
- addRule
- updateRule
- deleteRule
- importRules
- alertReply

Slides 39-41: (no text)

Slide 42: BYPASSING APPS WITH HARDENED RUNTIME
- SecRequirement(Certificate[teamID]) -> inject into another app from the same company
- SecRequirement(Certificate[teamID] + bundleID) -> inject into an older version of the app without hardened runtime 😉
- Also, look for the following problematic entitlements:
  - com.apple.security.get-task-allow
  - com.apple.security.disable-library-validation

Slide 43: DEMO 🎦 HTTPS://VIMEO.COM/397568495

Slide 44: BUG #4 – FIX ...

Slide 45: SUMMARY

Slide 46: SECURING XPC SERVICES - GUIDELINE
1. [Client] Turn on hardened runtime and notarize your clients
2. [Server] Verify that the clients are properly signed, using a restrictive SecRequirement string
3. [Server] Create Sec(Static)Code objects from audit tokens
4. [Server] Check that the clients have the hardened runtime capability turned on
5. [Server] Make sure the clients are not signed with entitlements that may allow bypassing the hardened runtime
(@_r3ggi, wojciech.regula@securing.pl)
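The five guideline points above, together with the fixes for Bug #2 (restrictive requirement, dynamic validation), Bug #3 (code object from the audit token, not the PID) and Bug #4 (hardened runtime and entitlement checks), as one listener delegate. This is an added example, not the deck's fix slides and not SecuRing's open-sourced helper. Assumptions: the bundle identifier `com.example.app`, Team ID `TEAMID0000` and minimum version `2.0` in the requirement string are placeholders; the `auditToken` accessor on `NSXPCConnection` is not in the public headers, so the category below declares it on the assumption that the private getter exists on the target macOS release; the `com.apple.security.cs.*` entitlement keys are the names Xcode writes for the capabilities the deck lists, and `cs.allow-dyld-environment-variables` is added alongside them because it re-enables the `DYLD_INSERT_LIBRARIES` path that hardened runtime otherwise blocks.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>

// Added example; not the deck's or SecuRing's code. Identifiers are placeholders.
// Assumption: the private auditToken getter on NSXPCConnection is present.
@interface NSXPCConnection (PrivateAuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Restrictive requirement: Developer ID chain, exact Team ID, exact bundle ID
// and a minimum version, so an older build without hardened runtime from the
// same vendor cannot act as the client (slide 42). Checking only the bundle
// ID or only the Team ID is the deck's Bug #2.
static NSString *const kClientRequirement =
    @"anchor apple generic "
     "and certificate 1[field.1.2.840.113635.100.6.2.6] "
     "and certificate leaf[field.1.2.840.113635.100.6.1.13] "
     "and certificate leaf[subject.OU] = \"TEAMID0000\" "
     "and identifier \"com.example.app\" "
     "and info [CFBundleShortVersionString] >= \"2.0\"";

// Entitlements that let foreign or unsigned code into a hardened process.
static NSArray<NSString *> *DangerousEntitlements(void) {
    return @[ @"com.apple.security.get-task-allow",
              @"com.apple.security.cs.disable-library-validation",
              @"com.apple.security.cs.allow-dyld-environment-variables" ];
}

// Bug #3 fix: the audit token identifies the exact process instance that sent
// the message. A PID can be reused by a fork()ed child that posix_spawn()s the
// legitimate binary after the check, which is the race on slides 25 to 29.
static SecCodeRef CopyClientCode(NSXPCConnection *connection) {
    audit_token_t token = connection.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef code = NULL;
    OSStatus status = SecCodeCopyGuestWithAttributes(
        NULL, (__bridge CFDictionaryRef)attrs, kSecCSDefaultFlags, &code);
    return status == errSecSuccess ? code : NULL;
}

// Bug #2 fix: dynamic validity of the running code against the full
// requirement; kSecCSBasicValidateOnly is deliberately not passed.
static BOOL ClientSatisfiesRequirement(SecCodeRef code) {
    SecRequirementRef requirement = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &requirement) != errSecSuccess) {
        return NO;
    }
    OSStatus status = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement);
    CFRelease(requirement);
    return status == errSecSuccess;
}

// Bug #4 fix: a valid signature says nothing about a dylib injected through
// DYLD_INSERT_LIBRARIES or task_for_pid(), so require the runtime flag and
// refuse clients whose entitlements switch those protections off.
static BOOL ClientIsHardened(SecCodeRef code) {
    CFDictionaryRef infoRef = NULL;
    SecCSFlags flags = kSecCSSigningInformation | kSecCSRequirementInformation
                     | kSecCSDynamicInformation;
    if (SecCodeCopySigningInformation(code, flags, &infoRef) != errSecSuccess) return NO;
    NSDictionary *info = CFBridgingRelease(infoRef);

    uint32_t csFlags = [info[(__bridge NSString *)kSecCodeInfoFlags] unsignedIntValue];
    if ((csFlags & kSecCodeSignatureRuntime) == 0) return NO;   // no hardened runtime

    NSDictionary *entitlements = info[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
    for (NSString *key in DangerousEntitlements()) {
        if ([entitlements[key] boolValue]) return NO;
    }
    return YES;
}

@protocol HelperProtocol
- (void)getVersionWithReply:(void (^)(NSString *version))reply;
@end

@interface SecureHelper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation SecureHelper
- (void)getVersionWithReply:(void (^)(NSString *))reply { reply(@"1.0"); }

// Bug #1 fix: every check runs before the connection is resumed; returning
// NO invalidates the connection without exposing any method.
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    SecCodeRef code = CopyClientCode(newConnection);
    if (code == NULL) return NO;
    BOOL accepted = ClientSatisfiesRequirement(code) && ClientIsHardened(code);
    CFRelease(code);
    if (!accepted) return NO;
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        SecureHelper *helper = [SecureHelper new];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two design points worth noting. First, `SecCodeCheckValidity` on a `SecCodeRef` built from the audit token validates the process that actually sent the message, so the check is not racing against a PID that may already belong to a different image. Second, the hardened-runtime and entitlement checks are separate from the requirement string on purpose: the requirement proves who signed the client, the runtime flag and entitlements prove the client cannot be turned into a host for someone else's code after it passed that proof.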
Slide 47: OPEN SOURCING SECURE PRIVILEGED HELPER EXAMPLE
@_r3ggi, wojciech.regula@securing.pl, https://github.com/securing

Slide 48: OPEN SOURCING THE SECURE HELPER

Slide 49: REFERENCES
- https://hackerone.com/reports/397478
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
- https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf
- https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/
- https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
- https://github.com/erikberglund/SwiftPrivilegedHelper
- https://developer.apple.com/videos/play/wwdc2019/701/

Slide 50: Contact
SecuRing, Kalwaryjska 65/6, 30-504 Kraków, Poland
info@securing.pl, tel. +48 124252575, http://www.securing.biz/
Wojciech Reguła: wojciech.regula@securing.pl, @_r3ggi, wojciech-regula