SlideShare ist ein Scribd-Unternehmen logo

Mitigating Exploits Using Apple's Endpoint Security

C
Csaba Fitzl

I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links. When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source. In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it. Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.

Technologie
1 von 44
Downloaden Sie, um offline zu lesen
Mitigating exploits using Apple's Endpoint Security Csaba Fitzl Twitter: @theevilbit
whoami • author of "macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
agenda 1. process injection attacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
process injection attacks
why important? • process injection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
DYLD_INSERT_LIBRARIES • classic • SIP kills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
DYLIB hijacking and proxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
task for pid • inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
Electron • so much broken • env vars • debug ports
vulnerabilities • CVE-2020-26893 - ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
symlink attacks
the approach • process running as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
vulnerabilities • CVE-2020-9900 - Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
MACF - Mandatory Access Control Framework
MACF • origin: TrustedBSD MAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
MACF • very - very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
MACF • typical callout from xnu: mac_......
MACF
MACF • MAC_CHECK • iterates over all policy frameworks • mpo_... (mac_policy.h)
Endpoint Security
ES • KEXT - MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
ES • MACF policy (EndpointSecurity) • ~60 hooks
ES • user mode events are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
ES • very powerful!!! • extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
Shield.app development
requirements • entitlement: com.apple.developer.endpoint-security.client • Apple's good will
getting entitled • 2020 March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
sources • used Patrick Wardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
es_client
the logic
ES_EVENT_TYPE_AUTH_EXEC • checks: • argument • --inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
ES_EVENT_TYPE_AUTH_GET_TASK
ES_EVENT_TYPE_AUTH_MMAP • dylib injection protection • "enforce" library validation • slow - disk I/O
ES_EVENT_TYPE_AUTH_LINK • event for hardlinks • low privilege process isn't allowed to point to high privilege location
ES_EVENT_TYPE_NOTIFY_CREATE • track symbolic links • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
demo - w/o Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
demo
demo - w/ Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
wrap up • injection and fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
Csaba Fitzl Twitter: @theevilbit
Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ • https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield
Icons • fl aticon.com • xnimrodx • Freepik

Empfohlen

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 

Empfohlen

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
Exposé hackers
Exposé hackersExposé hackers
Exposé hackersPaulineBouveau
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Red + Blue, How Purple Are You
Red + Blue, How Purple Are YouRed + Blue, How Purple Are You
Red + Blue, How Purple Are YouJared Atkinson
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kalin|u - The Open Security Community
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 

Weitere ähnliche Inhalte

Was ist angesagt?

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Red + Blue, How Purple Are You
Red + Blue, How Purple Are YouRed + Blue, How Purple Are You
Red + Blue, How Purple Are YouJared Atkinson
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 

Was ist angesagt? (20)

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
Exposé hackers
Exposé hackersExposé hackers
Exposé hackers
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Red + Blue, How Purple Are You
Red + Blue, How Purple Are YouRed + Blue, How Purple Are You
Red + Blue, How Purple Are You
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
Metasploit
MetasploitMetasploit
Metasploit
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 

Ähnlich wie Mitigating Exploits Using Apple's Endpoint Security

Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfOrtus Solutions, Corp
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 

Ähnlich wie Mitigating Exploits Using Apple's Endpoint Security (20)

Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 

Mehr von Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints OverviewCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfCsaba Fitzl
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luCsaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 

Mehr von Csaba Fitzl (9)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Kürzlich hochgeladen

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Kürzlich hochgeladen (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Mitigating Exploits Using Apple's Endpoint Security

  • 1. Mitigating exploits using Apple's Endpoint Security Csaba Fitzl Twitter: @theevilbit
  • 2. whoami • author of "macOS Control Bypasses" @ Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  • 3. agenda 1. process injection attacks 2. symlink attacks 3. Endpoint Security framework 4. developing the app 5. the app's logic 6. demos
  • 5. why important? • process injection is a big ⛔ on macOS • access to process's privileges • TCC • keychain • impersonate XPC client (XPC LPEs) • impersonate KEXT client
  • 6. DYLD_INSERT_LIBRARIES • classic • SIP kills it (hardened runtime, platform binaries) • still can enable it with entitlement -> if possible don't 🙏
  • 7. DYLIB hijacking and proxying • discussed in detail by Patrick Wardle in 2015 • plant a dylib the app looks for, or replace one with your own • SIP / library validation kills it • still can enable it with entitlement -> NOOOO!!!! • problem: app needs to support 3rd party plugins => bypass TCC (Apple & 3rd parties)
  • 8. task for pid • inject by getting the task port • ⚠ debug builds with bad entitlement ⚠ • SIP kills this • notarization checks for `com.apple.security.get-task-allow`
  • 9. Electron • so much broken • env vars • debug ports
  • 10. vulnerabilities • CVE-2020-26893 - ClamXAV AntiVirus XPC LPE • CVE-2020-29621 - coreaudiod TCC bypass • CVE-2020-25736 - Acronis True Image 2021 XPC LPE • CVE-2020-24259 - Signal macOS TCC bypass • CVE-2020-14978 - F-Secure XPC • ...
  • 12. the approach • process running as root writes or modi fi es fi les at a user controllable location • place a symlink or hardlink, pointing to a root accessible location
  • 13. vulnerabilities • CVE-2020-9900 - Crash Reporter LPE • CVE-2021-1786 - Crash Reporter arbitrary fi le deletion • CVE-2020-3855 - macOS DiagnosticMessages arbitrary fi le overwrite • CVE-2020-3762 - Adobe installer LPE • ...
  • 15. MACF • origin: TrustedBSD MAC • implemented in kernel • policy modules extend the kernel • can place hooks in supported location • very powerful
  • 16. MACF • very - very powerful • was part of KDK till OS X 10.12 (never of fi cially supported) • mac.h header was removed • available in xnu: `security/mac.h`, `security/mac_framework.h` • examples: AppleMobileFileIntegrity, Sandbox, EndpointSecurity, Quarantine (=Gatekeeper)
  • 17. MACF • typical callout from xnu: mac_......
  • 18. MACF
  • 19. MACF • MAC_CHECK • iterates over all policy frameworks • mpo_... (mac_policy.h)
  • 21. ES • KEXT - MACF, kauth • dylib - C API for clients • endpointsecurityd - loading SEXT via launchd • sysextd - validation and copy • SystemExtension.framework - activation and deactivation of the extension • systemextensionsctl - basic control of sysxextd • more: Scott Knight's OBTS talk 1: Scott Knight, https://knight.sc/reverse%20engineering/2019/10/31/macos-catalina-privilege-escalation.html
  • 22. ES • MACF policy (EndpointSecurity) • ~60 hooks
  • 23. ES • user mode events are mapped to kernel MACF hooks • examples: • ES_EVENT_TYPE_NOTIFY_CHROOT - es_vnode_check_chroot • ES_EVENT_TYPE_NOTIFY_MOUNT - es_mount_check_mount_late • ES_EVENT_TYPE_NOTIFY_MMAP - es_ fi le_check_mmap • ES_EVENT_TYPE_AUTH_GET_TASK - es_proc_check_get_task
  • 24. ES • very powerful!!! • extending MACF to user mode • MACF was never of fi cially supported • now we have in user mode ❤
  • 27. getting entitled • 2020 March - requested ES entitlement • 2020 April - got developer version • 2020 - emails going to "black hole" at Apple • ... • 2021 January - got the entitlement • frustration, demotivation, annoyed, extremely bad experience - luckily I don't do this for living
  • 28. sources • used Patrick Wardle's ProcessMonitor and FileMonitor • also reviewed Stephen Davis’s Crescendo
  • 31. ES_EVENT_TYPE_AUTH_EXEC • checks: • argument • --inspect, --inspect-brk, --remote-debugging-port • environment variables • DYLD_INSERT_LIBRARIES • CFNETWORK_LIBRARY_PATH • RAWCAMERA_BUNDLE_PATH • ELECTRON_RUN_AS_NODE
  • 33. ES_EVENT_TYPE_AUTH_MMAP • dylib injection protection • "enforce" library validation • slow - disk I/O
  • 34. ES_EVENT_TYPE_AUTH_LINK • event for hardlinks • low privilege process isn't allowed to point to high privilege location
  • 35. ES_EVENT_TYPE_NOTIFY_CREATE • track symbolic links • low privilege process isn't allowed to point to high privilege location • detect only - don't know the target before creation
  • 36. demo - w/o Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 37. demo
  • 38. demo - w/ Shield CVE-2020-26893 - ClamXAV AntiVirus XPC LPE
  • 39.
  • 40. wrap up • injection and fi le link attacks responsible for many logic bugs • ES framework is based on MACF • ES extends MACF to user mode, very powerful • can be used to detect and block logic attacks • it's a pain to get the ES entitlement
  • 42. Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X Jailbreak Security Summit 2015
  • 43. Links • http://www.trustedbsd.org/mac.html • https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ • https://www.offensive-security.com/offsec/am fi -syscall/ • https://www.semanticscholar.org/paper/New-approaches-to-operating-system-security-Watson/ f89682c6cf943ce349031270e685ee2dddee9376 • https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html • http://newosxbook.com/articles/eps.html • https://github.com/xorrior/goesf/blob/master/appmon.m • https://github.com/theevilbit/Shield