Abusing & Securing XPC in macOS apps

XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC has led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are getting harder and harder to exploit, has anyone looked at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere: antivirus software, messengers, privacy tools, firewalls, and more.

This presentation will:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to finally fix those vulnz!

Abusing & Securing XPC in macOS apps

  1. www.securing.biz Wojciech Reguła: Abusing & Securing XPC in macOS apps
  2. WHOAMI
     - Senior IT Security Consultant @ SecuRing
     - Focused on iOS app security
     - Blogger: https://wojciechregula.blog/
     - iOS Security Suite creator
     - @_r3ggi, wojciech.regula@securing.pl
  3. XPC VULNERABILITIES ARE EVERYWHERE
  4. AGENDA
     1. Introduction to XPC
     2. Building a secure helper
     3. Exploiting the previous step
     4. Hardening
     5. IF bypass_available() { GOTO 2. }
     6. Summary
  5. (NS)XPC
     - Fundamental IPC mechanism in the Apple environment
     - Built on top of Mach messages
     - Dictionary-based communication
     - Multiple clients possible, one server
     - You can serialize and send ObjC/Swift objects
  6. Server
  7. Client
  8. INTER-PROCESS COMMUNICATION: Application <-> Privileged XPC server
  9. uid=501 (user) <-> uid=0 (root)
  10. LOCATIONS OF THE XPC SERVERS
     - /Library/PrivilegedHelperTools
     - /Library/LaunchDaemons
     - /Library/LaunchAgents
  11. TIME FOR EXPLOITATION
  12. BUG #1 – NO CLIENT VALIDATION
  13. Malicious Application (uid=501, user) 😈 -> Privileged XPC server (uid=0, root): "Perform privileged action for me" / "OK, I don't even verify you"
  14. BUG #1 – NO CLIENT VALIDATION (Keybase.io). Bug found by Adam Chester (@_xpn_). Methods exposed:
     - remove
     - move
     - createDirectory
     - addToPath
     - kextInstall
  15. BUG #1 – NO CLIENT VALIDATION
  16. BUG #1 – FIX
  17. BUG #2 – POOR SIGNATURE CHECK
  18. BUG #2 – POOR SIGNATURE CHECK
     - Checking only the bundle ID
     - Verifying only static code
     - Using the kSecCSBasicValidateOnly flag
     - Too loose a SecRequirement string
     - and more…
  19. (image-only slide)
  20. Exposed methods:
     - uninstallDaemon
     - terminateDaemonWithOptions
     - deleteQuarantineItemsWithInfo
     - quarantineItemsWithInfo
     - cancelScan
     - startScanWithPaths
     - getDaemonInfoWithOptions
  21. BUG #2 – FIX
  22. BUG #3 – USING PID TO GET CODE OBJECT. Kudos to Samuel Groß (@5aelo) and Ian Beer (@I41nbeer) 👍
  23. pid: 1337 😈 -> "Perform privileged action"
  24. pid: 1337 😈
     1. Get the process identifier of the client
     2. Create a code object based on that PID
     3. Perform the signature check
     4. isValid() -> false
     5. Invalidate the XPC connection -> INVALIDATED
  25. pid: 1337 😈 -> fork(), fork(), fork(), fork() -> pid: 1338 😈, pid: 1339 😈, pid: 1340 😈, pid: 1341 😈
  26. pid: 1337 😈 -> fork() x4 -> pids 1338, 1339, 1340, 1341 😈 😈 😈 😈, each: "Perform privileged action"
  27. Server side, for each connection in the XPC connections queue (connection1, connection2, connection3, connection4):
     1. Get the process identifier of the client
     2. Create a code object based on that PID 😇
     3. Perform the signature check
     4. isValid() -> true
     5. Establish a valid connection
  28. Change the process' image to the legitimate executable using posix_spawn() (😈 -> 😇)
  29. pid: 1337 😈 -> fork() x4 -> pids 1338, 1339, 1340, 1341 (😈 😈 😈 😇): "Perform privileged action" 😇; INVALIDATED, INVALIDATED, INVALIDATED
  30. Exposed methods (Avast Cleanup):
     - removeWithFile
     - copyWithSource
  31. Exposed methods (Malwarebytes):
     - startDatabaseUpdate
     - restoreApplicationLauncherWithCompletion
     - uninstallProduct
     - installProductUpdate
     - startProductUpdateWith
     - buildPurchaseSiteURLWithCompletion
     - triggerLicenseRelatedChecks
     - buildRenewalLinkWith
     - cancelTrialWith
     - startTrialWith
     - applyLicenseWith
     - controlProtectionWithRawFeatures
     - confirmScanJobWith
     - resumeScanJob
     - pauseScanJob
     - stopScanJob
     - startScanJob
     - disposeOperationBy
     - pingWithTag
  32. (image-only slide)
  33. BUG #3 – FIX
  34. BUG #3 – FIX
  35. BUG #4 – NO CODE INJECTION PREVENTION
  36. BUG #4 – NO CODE INJECTION PREVENTION
     1. Get the audit token of the client
     2. Create a code object based on that token
     3. Perform the signature check
     4. isValid() -> false
     5. Invalidate the XPC connection
  37. BUG #4 – NO CODE INJECTION PREVENTION
     - Apple's signature-checking API doesn't detect:
       • code injected with DYLD_INSERT_LIBRARIES
       • nor code injected via task_for_pid()…
  38. LuLu. Exposed methods:
     - loadKext
     - getPreferences
     - updatePreferences
     - getRules
     - addRule
     - updateRule
     - deleteRule
     - importRules
     - alertReply
  39. (image-only slide)
  40. (image-only slide)
  41. (image-only slide)
  42. BYPASSING APPS WITH HARDENED RUNTIME
     - SecRequirement(Certificate[teamID]) -> inject into another app from the same company
     - SecRequirement(Certificate[teamID] + bundleID) -> inject into an older version of the app without the hardened runtime 😉
     - Also, look for the following problematic entitlements:
       - com.apple.security.get-task-allow
       - com.apple.security.disable-library-validation
  43. DEMO 🎦 https://vimeo.com/397568495
  44. BUG #4 – FIX …
  45. SUMMARY
  46. SECURING XPC SERVICES – GUIDELINE
     1. [Client] Turn on the hardened runtime and notarize your clients
     2. [Server] Verify that the clients have been properly signed, using a restrictive SecRequirement string
     3. [Server] Create Sec(Static)Code objects from audit tokens
     4. [Server] Check that the clients have the hardened runtime capability turned on
     5. [Server] Make sure the clients are not signed with entitlements that may allow bypassing the hardened runtime
     (@_r3ggi, wojciech.regula@securing.pl)
  47. OPEN SOURCING SECURE PRIVILEGED HELPER EXAMPLE – @_r3ggi, wojciech.regula@securing.pl, https://github.com/securing
  48. OPEN SOURCING THE SECURE HELPER
  49. REFERENCES
     - https://hackerone.com/reports/397478
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
     - https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf
     - https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/
     - https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
     - https://github.com/erikberglund/SwiftPrivilegedHelper
     - https://developer.apple.com/videos/play/wwdc2019/701/
  50. Contact: SecuRing, Kalwaryjska 65/6, 30-504 Kraków, Poland, info@securing.pl, tel. +48 124252575, http://www.securing.biz/ – Wojciech Reguła, wojciech.regula@securing.pl, @_r3ggi, wojciech-regula
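As an added example (not code from the deck or from the open-sourced helper it mentions), this is how an NSXPC listener delegate on the server side could apply server steps 2 to 5 of the guideline on slide 46 in Objective-C: build the code object from the peer's audit token rather than its PID, check it dynamically against a restrictive requirement, require the hardened runtime flag, and refuse the two entitlements listed on slide 42. Assumptions: the `HelperProtocol` name, the placeholder bundle ID and Team ID in the requirement string, and the use of NSXPCConnection's private `auditToken` property, which is not in Apple's public headers.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
@protocol HelperProtocol <NSObject> - (void)doPrivilegedWork:(NSString *)path reply:(void (^)(BOOL))reply; @end   // hypothetical
// Assumption: NSXPCConnection carries the peer's audit token in this private, undocumented property.
@interface NSXPCConnection (AuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end
// Placeholder identity: replace with the real client bundle ID and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";
// Guideline steps 2-5: returns YES only if the peer passes every check.
static BOOL ClientIsTrusted(NSXPCConnection *conn) {
    audit_token_t token = conn.auditToken;               // step 3: identify by audit token, not PID
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) return NO;
    BOOL ok = NO; SecRequirementRef req = NULL; CFDictionaryRef infoRef = NULL;
    // step 2: dynamic validity against a restrictive requirement (not kSecCSBasicValidateOnly)
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess &&
        SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess &&
        SecCodeCopySigningInformation((SecStaticCodeRef)code,
            kSecCSRequirementInformation | kSecCSDynamicInformation, &infoRef) == errSecSuccess) {
        NSDictionary *info = (__bridge NSDictionary *)infoRef;
        // step 4: the hardened runtime flag must be set in the signature flags
        uint32_t flags = [info[(__bridge NSString *)kSecCodeInfoFlags] unsignedIntValue];
        BOOL hardened = (flags & kSecCodeSignatureRuntime) != 0;
        // step 5: entitlements that weaken the hardened runtime must be absent
        NSDictionary *ent = info[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
        BOOL weakened = [ent[@"com.apple.security.get-task-allow"] boolValue] ||
                        [ent[@"com.apple.security.disable-library-validation"] boolValue];
        ok = hardened && !weakened;
    }
    if (infoRef) CFRelease(infoRef); if (req) CFRelease(req); CFRelease(code);
    return ok;
}
@interface HelperDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol> @end
@implementation HelperDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (!ClientIsTrusted(conn)) return NO;   // rejected before any exported method is reachable
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
- (void)doPrivilegedWork:(NSString *)path reply:(void (^)(BOOL))reply { reply(YES); }
@end
```

Because the check runs in `listener:shouldAcceptNewConnection:`, a peer that fails any step never gets a resumed connection, so none of the exported methods is reachable by it.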

