
We're about to kick off the next talk of the day. We have Marcio Almeida, and his talk today is "Unveiling the Apple CVE-2024-4834: A Shortcut to the Bypass Road". Big round of applause for Marcio.

[Applause]

Good morning everyone, I hope everyone is all right, not too hungover, I hope, after the party yesterday. Welcome to my talk. It's pretty exciting to be here, my first time presenting at BSides Canberra. I come every year, but decided to submit some talks this year after some discussions with my team. I'm going to talk about a really interesting bug that's pretty simple, please don't be disappointed, that I found while analysing the Shortcuts application, and explain to you where everything is. That's the title of the talk, "A Shortcut to the Bypass Road", but let's start with a better presentation showing what the talk is basically about.

Okay, for the people that don't know me, my name is Marcio, I'm the Technical Director at Tanto Security. I really enjoy playing CTFs, but I'm mostly a retired player today, I don't play too much; the only one I usually play every year is still the CTF here, which I recommend you play. If you don't, please try it out, it's pretty cool. I've been more than 15 years in the industry. I'm Brazilian, but have been here in Australia since, I don't know, 2015. If you want to connect with me, that's my X, my LinkedIn and my GitHub, where you can find some pieces of code or some exploits I wrote in the past. Have fun.

Cool, so that's the talk outline. We're going to explain what the Shortcuts application is, some built-in protections they have in place to avoid people doing nasty stuff, because it's a really powerful tool used for automation, and then show you some read, write and execute primitive actions that we can use. Then I jump straight to the CVE and explain how we bypass the "Allow Running Scripts" setting, which is one of the main protections to avoid people executing code, then how we can share malicious shortcuts with people, then the patch applied by Apple, and some final considerations.

Cool, so what is Shortcuts? It's basically an application that's the continuation of the Automator tool, pretty much. I think Apple still has Automator, but Shortcuts basically lets you automate tasks with actions. Tasks: let's say you want to transform a JPEG into a PNG. You can do that with actions: one action would be open the file, another action will be convert the file, and another action will be save that file to disk. After that you can share your shortcuts with people, and the cool thing is that those shortcuts are probably going to be signed by Apple itself. Just this fact already bypasses some protections they have in place, and allows you to run the shortcut smoothly. They also have a marketplace where you can put it and just wait for people to download your shortcut, or sometimes you can even put a shortcut there, let people get familiarised with it, and then update the code. So they have this marketplace, which is pretty cool, where people can go and download shortcuts to do some actions.

Let's talk now about the built-in protections. Here is the advanced configuration of Shortcuts, where you can see they have "Allow Running Scripts". To run a shell script, JavaScript or any kind of automation AppleScript using Shortcuts, you need to enable this checkbox and then you'll be able to run them; otherwise they'll be blocked by default. It also does not allow you to share a large amount of data, does not allow you to delete any file without confirmation, and also a large amount of files: let's say you have a folder that's full of files, you cannot delete that unless you enable this protection. It also has the privacy controls: when you run a shortcut for the first time, it asks for some permissions, like access to the home folder. The privacy pop-up will show and say "hey, shortcut X is asking for access to your home folder, do you want to allow it?" But that only runs the first time, and after you click OK that will never be asked again. It's also pretty common with normal shortcuts: let's say you use something to change everything inside your Documents folder or your Downloads folder or whatever, every time a common shortcut that does not do malicious stuff runs, that privacy consent pop-up will show up for you, and it's pretty common for users to click OK. "It's asking permission, okay, go for it," unless you're a little bit paranoid, of course. And then, only signed shortcuts can now be shared, because before you could basically write a shortcut and share it with everyone, and that was kind of a problem, so Apple started signing shortcuts. If you want to share a shortcut that you wrote with someone, you need to submit it to Apple, so they have a copy of it and they will sign it for you.

In this presentation we're going to tackle the first protection here, "Allow Running Scripts". We want to execute code, but we want to execute it on any machine, and we know that protection is enabled by default, and we want to bypass it.

So what are actions? This is a list of actions. That's not even a third of the options; it's just the ones related to files and opening applications. If you go to Shortcuts you'll see many, many actions, so because of the time constraint I'll just talk about the ones that are important for the talk. We have "Open App" and "Quit App": basically when you use this one you can point to an app that's installed in the system. The ones on the right are related to files: you have "File", which will generate a file handle for you; you can rename a file, save files to disk, delete of course, move, append text to a file, and open a file as well. The cool thing about Shortcuts is that every action is like a block, so you can intertwine blocks as well and use one as input of the other. And many, many more: if you open Shortcuts you'll see how many there are and how powerful this tool is. We're not even talking here about the ones that enable running JavaScript, for instance, which is used to execute code directly.

Okay, cool. So what have we learned so far? Execution of scripts is blocked by default; however, we can read, write, move, rename and open applications without any kind of special permission that we need to give to the application. So my first idea when I looked into that was: can we use these primitives maybe to execute code? With a CTFer mindset, the first thing that comes to mind, since you usually exploit this kind of primitive in CTF challenges, is: okay, can I maybe write a public key to authorized_keys, if it has SSH enabled? Maybe can I write a cron job and just wait for that cron job to run and execute my code? And another one is: maybe can I write to .bashrc or .zshrc? Those are special files in the system that, when we open the Terminal application, will automatically run the content of the file. It's pretty commonly used: when you need to set up environment variables in a new shell, you go to this file, put the environment variables that need to be mounted, and when you run Terminal everything will be ready and nice for you to use.

So of all those options, the one we're going to tackle is this idea. It's a pretty simple idea: can we bypass it using this idea? That's the shortcut I wrote to prove the concept. Here we have a curl, running the download of a .sh script and running it in bash. I didn't need to do that; I could just put "open Calculator" there. I just did it this way because it's just an example that you can download anything, it could be anything, and the cool stuff is that everything you download with curl is going to bypass Gatekeeper, so it's not going to ask you permission to run it saying that it was downloaded from the internet. So you could put, I don't know, a Cobalt Strike or any kind of C2 code here to run, or even install persistence; your mind will tell you what you want to do. But in this case, just for the sake of the PoC, we're just going to open the Calculator application. Then we use the append, where I'm going to put the content of this text, making a new line at the end of the .zshrc file, and then I open Terminal, and then close Terminal.

Okay, so that's just a short video showing that happening. But here first I need to actually create the .zshrc file, because it does not exist. Cool, that's it, and then I run the shortcut to show. Nice, this works, the idea was successful. Nice, so I got an exploit, I managed to bypass this, cool. But what if the file does not exist on disk? That could be a problem: not everyone is a dev, not everyone likes to create a .zshrc file inside the system to see if it will be working. So that's maybe going to potentially limit our attack. Let's see how that will work when the file does not exist on disk. Just showing the file does not exist, and I'm listing another type of file here with a .txt extension because it will be important in a minute, and run again, and the Calculator does not pop up, so our code did not run. Then, okay, just showing you what's going to happen: by default, when the file that you want to write with append does not exist, it actually always adds the .txt extension to it, and that's not cool, because for our attack to work we actually need the file to be a zsh script. So that's no bueno. So then I needed to find a way to bypass this, because it always adds .txt, and after, I don't know, multiple tries using different actions of Shortcuts, I ended up trying to find a better way. So, challenge accepted, let's do it.

This is the payload I came up with initially. What I needed to do here was save the text file to the temp directory. Another important thing here: when you see "marcio" it's because of my home user. By default, a cool thing is that Shortcuts treats the home user no matter the name; if I send that file to a different user, let's say the name of the user will be Peter, it automatically transfers that home folder inside /Users/marcio to /Users/peter, because it's just a pointer to the home directory. So it's pretty convenient, because you can basically share it with anyone and that idea is going to work. So what I do is I just save the text of my exploit inside the file xxx, and then I chain that with setting the name of the file, so I rename that to .zshrc, but since it will be saved in that temp path instead, I need to use the Move File action, and then I move that back inside my home folder. This trick is actually going to bypass the .txt extension that's always appended when you use text content to save to files. So here's the exploit working, showing that the file does not exist, I run it and it works nicely. Cool, thank you. And then just showing the contents: yep, the exploit's there, nice.

All right, so that's the final payload, the one I ended up submitting to Apple, showing "hey, that's a bypass that I got." The cool thing is that this exploit works in any scenario. This is just a skeleton, right? You could actually add to this anything that's useful to the user to convince them to install this shortcut, or even maybe publish some stuff inside the marketplace for shortcuts and wait for users to run it. So what I needed to do was save the payload to the temp directory, then rename it to .zshrc, then move the file back to the home directory, and profit.

Okay, so now comes the next part: how we can actually use that in phishing engagements. To share a shortcut, when you click the share button it's going to generate a link for you, and once you navigate to that link in the browser, basically this page from Apple comes up where you can just get the shortcut. When you click that "Get" button, it's basically a web request, and if you put that through Burp, it's probably a bit small for you to see, but the link to download the signed shortcut is there. So you can simply use that link, download the shortcut file and serve it in a different way, like emailing it to users and convincing them, or adding it to a different page and telling them they need to install it. Let's say you have a company that has a process to onboard people: if you go to LinkedIn, for instance, and investigate the people that work there, and then just the new hires, because people like to post when they join a company, you could for instance send a fake email to them saying they need to install this shortcut to automate some of the tasks, and if they install and run it, it's pretty much game over. The cool thing is that this payload is going to bypass Gatekeeper, and the only thing they're going to see, since the shortcut is signed by Apple, will be the privacy consent for them to click OK, and once they click OK you can get access to the machine. Here's a pretty shitty kind of phishing attempt, not even close to the ones that have been presented here, just to show how it would work. So when you click the link you can download it directly. Yep, and once you run it on an Apple system it just accepts it, because it's signed. If you add the shortcut and then run it, it's just going to pop the privacy consent, and if you click OK it runs and executes perfectly on a different system, even though everything in my system when I created it was saying the home directory was named marcio and whatever; everything is going to work.

Okay, so I submitted that to Apple, the vulnerability, in February, and it took them some time, almost a month, to triage the vulnerability. They started investigating the root cause, and I asked them about some updates regarding the patching progress, saying that I was planning to submit the content of the talk to some security conferences. Then Apple informed me they were planning to patch this vuln in summer 2024, which was inside the time frame of this talk, and that was cool. Then they released the patch at the end of July and assigned this CVE. And yesterday, when I was finishing up the last touches on the slides, I ended up sending a message to them to ask "hey, is there any kind of bug bounty related to that?", and they said, informally, that because it requires user interaction it's mostly the kind of bug that would be used for phishing attempts, and does not qualify for a bounty. So yeah, thanks Apple.

Okay, so let's have a look now at the patch that Apple applied. If you see here on the top right, they basically just added a new pop-up saying to the user "hey, do you really want to run this shortcut? It involves a shell configuration file, maybe it could be malicious." But if you click OK it can still run it, right? So they already have some blocks, like for instance where you need to enable it in the configuration, off by default. So I guess, in my view, if you want to avoid users clicking stuff, it's a pretty hard task. If you're working in a blue team you know how hard it is to teach users not to click stuff; they end up clicking OK again and it's still going to work. So will this be sufficient? I don't know, maybe yes, maybe no, but time will tell, I guess. I hadn't heard before of people using that as a payload to get first access in engagements, but definitely we will start using that.

So here is an example of how the patch works. If you click play it will say to you "hey, this changes something"; if you click OK it still runs. The difference is that it runs every time you click play. Another thing is that even if you click "Don't Allow", it does not block it definitively, so if you run it again it will just pop up and allow you to run it if you want. So it's not a hard block if you click "Don't Allow".

Yeah, so final considerations about this talk. I told you it was going to be a quick one. Shortcuts has a massive attack surface, guys. As you saw, it has a lot of potential, a lot of dangerous things that can be used, a lot of file manipulation, and we're not even touching the surface here. As an example, there are actions like "Get Contents of" or "Open X-Callback URL" that allow you to use the file handle, so one of the things you can do, for instance, is read files inside the system and leak them through SSRF. Other bugs reported in Shortcuts, leaking users' contents, were actually using those two action primitives. And they not only allow you to use files but anything that you can register, like any kind of callback. A cool thing in Apple is that if you download a plist file that has a specific URL handler, it automatically registers that URL handler for you, so you can maybe mix and match some different types of attacks and try it out. Easy bypasses like this definitely still exist in the Apple ecosystem, and you can find them too; you just need to start looking for them. And that's it, thank you for coming.

[Applause]

Yeah, do we have any questions for Marcio? Wave crazily if you do. Yep, up the back. We can't hear you, wait for the mic.

I was just talking anyway. Can you stop looking for bugs in Shortcuts, because Apple will just rip the whole feature out?

Sorry, what was it? Thanks for the talk. I think he said stop looking for bugs, otherwise Apple will rip the whole capability or feature out. Is that right? All right, another big round of applause for Marcio. Thank you guys.