
ed2root - how ancient IPC mechanisms can benefit you today - Connor du Plooy | BSides Cape Town 2023

BSides Cape Town | 10:34 | 89 views | Published 2023-12
About this talk
This talk will detail a vulnerability identified in a text editor on macOS that could be used to obtain root privileges; this specific vulnerability went unnoticed for roughly 8 years. The vulnerability was also identified in other packages, and the talk includes a short discussion on how it can be identified and exploited.

Description: This talk will go over how I found a vulnerability in a text editor on macOS. Other variants of this vulnerability have been identified in other packages as well, and even though the APIs used by these packages have been deprecated for a really long time, they are still around in some software.

Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
Transcript [en]

All right, hi everyone. I'm Connor from MWR Cyber Security and today I'm going to be talking to you about a privilege escalation vulnerability using interprocess communication, or the alternative name for this talk is how I cheesed my way to root on a Mac. So, just some history: we were doing an assessment on some Mac-specific software which obviously needed access to some sensitive functionality. However, when I clicked the button to use this functionality it just worked, no root prompt, nothing like that. So at that point you should be on, because something has happened in the background; the process didn't magically just get those permissions. And the first thing I thought of was maybe this is using some form of interprocess communication. This happened to be the case, and it was using what's known as Distributed Objects on macOS, which has been aggressively deprecated for about eight years now. So we did some research, found some other software, and today is essentially the culmination of that research.

So just for some context, if anyone doesn't know what IPC is, it's just a way for two different processes to communicate. A neat little party trick is you can take tcpdump and pipe the output into aplay, which will make some beeps and bops depending on what's going on on your network. There's many different ways to do that: you have files, sockets, signals, etc., but again we'll be talking specifically about Distributed Objects. So for whatever reason, the kind of thing they went for here is calling it vended classes. I have absolutely no idea; conceptually it doesn't actually match very well to what's happening, but the point is you have a server and that can take a class and then vend it to a client, and the client can use any method defined on this vended object. Again, don't know where the vending machine comes from. So the important bit is that the class executes in the context of the server and with the server's permissions, so that's where the privilege escalation comes from.

So now we're going to jump into some Objective-C, hide your kids. But this is very simple: we need two things to reproduce a malicious client, the name of the service as well as the definition of the function or the class that's being vended. So if we just look at a very simple example, we can see here at the top that would be the definition of one of the functions that are being vended. We can see it returns an NSString pointer and takes in an NSInteger, so that's already one thing that we need; we know the types now. And the second thing would be the name of the service. So here we can see the example main: we create an NSConnection object, pass it a service name (so you don't bind to an IP and a port, you bind to a service name), and we then pass it the service object itself. So those are the only two things you need to be able to reproduce a malicious client for one of these servers. If we look at the client example, we can see that we are importing the IPC service object at the top, then we use the NSConnection class to get a pointer to our service object. If we were able to connect to the vended object correctly we'll get a pointer back; if not, it's null.

So we've got a few different approaches we can take to find these values: you can do a static approach or a dynamic approach. The static approach involves using Hopper or radare2, and the dynamic approach uses something like Frida. So this is the lazy mode, where we can use grep or something like radare2 to just list the classes and give us some more information about what they do. Literally very easy: just strings and then pipe into grep. You can do this on the entire file system if you really wanted to; it's a bit of fun. And then we have the easy mode, which unfortunately I only found after my assessment: so if you open a binary in Hopper you can pick this option that just exports the entire thing as an Objective-C header file, which gives you this pretty verbose thing. The only thing that you'll note is we don't have the actual types of the methods, and without the types we don't really know what this thing is doing.

Then we move on to Frida. So what I'm doing here, I hope it's readable: we're using Frida to attach to the server and we're just dumping any method that belongs to the vended object, and doing that we can also interact with the arguments and kind of get an idea for what they are. So you'll see there's getInfoCommand 0x1141; that's obviously not a pointer, it's just a normal integer, so getInfoCommand must then take in an integer. And there we have it, we have that information from a dynamic perspective. The only other thing we need is the name of the service object. Same thing, we just use a frida-trace command and that will give us the service name, in the middle of the screen there somewhere. I did want to give a shout out to the SensePost team for some of the phenomenal tooling that they built; you can also use objection to get this and much more information, it's a really, really great tool.

So at this point the next step is just simply copy-pasting this into an editor. Unfortunately this doesn't work anymore, so you can't build a new Xcode project and use this; you have to clone an old project or target an older runtime. So at the time I put a lot of effort into getting this PoC working, I finally run it, and absolutely nothing happens. I was absolutely crushed, but luckily I tried just cloning an older project and that turns out to work. The reason this happens is what I mean by aggressively deprecated: if you try to use these interfaces targeting a newer runtime they just fail hard and fail fast, very deliberately, so you're not supposed to be building software with these anymore.

So then let's just very briefly chat about what's in the wild. We found two privilege escalation vulnerabilities for two separate sets of software, as well as then this third one where we were able to essentially change very sensitive configuration options using any process that's on the machine. Fairly interesting stuff. Now let's dive into the source code; I'm hoping this is also readable. Can anyone spot the method that is dangerous? If you weren't an Oxon... yeah, not you John. Want to take a stab at it? Which one? Yeah. So actually, bit of a disclaimer here: any of these methods can be dangerous. I explicitly focused on executing login shell because that's literally the lowest possible hanging fruit. So you can see there that takes an NSString and then an array of NSStrings, so program name, arguments; very easy, you don't even have to do any reverse engineering, you could have literally just guessed this.

So what does this proof of concept actually look like? I just want to clarify: you do need code execution to be able to do this. We're going to be executing what's known as a stager, because it's going to stage my stager, and then my stager will execute a reverse shell only if MacVim was being run as root. Okay, so just showing that there's no active sessions. I can't actually see what's going on on the screen here or there, so I'm just kind of guessing. We're building the process in Xcode; no active session, nothing is happening. Then I'll be invoking MacVim from the terminal. You can see at the bottom it says no connection, because there's nothing there yet. We'll see a "yay" because there's one connection, and then we can go back, but we get no shell back because it's not running as root, so we don't particularly care about that shell. Go back, run an alias to just invoke MacVim with root, and you'll see one more "yay" followed by a reverse shell in a second or two. There we go. And just to prove that the shell is running as root we can just do a quick whoami and you'll see that we are in fact root.

Something interesting about this that the MacVim maintainer pointed out is yes, if you happen to be running this as root you get privilege escalation straight to root, but also on Mac, processes don't have access to all of your directories. So your Documents directory, for example: if you have a random piece of software that tries to read it, you'll get a prompt that says do you want to allow this program access to read it. However, in this case, if you're using MacVim, presumably you're a developer, you would have granted permission to some of those directories anyway. So in this way we can not only, you know, privesc to root, we can also get access to sensitive directories that you'd otherwise not have access to. And cool guys, that's the demo.

Just for the closing remark: I really thought this would not work. I didn't think there would be any software that uses this; eight years is a fairly long time. But yeah, turns out it was worth looking at. I didn't look into iOS or any proprietary software; I think there's some space for more research to be done there as well. And then if you're interested in IPC mechanisms on Mac in general, go have a look at Ian Beer from Project Zero's research, really phenomenal stuff; it's miles above what just happened here. And then yeah, thanks to everyone who supported me during the research and thanks for the opportunity. Any questions? [Applause]

Yeah, I wanted to ask, when you said there, you had that list of functions that were exposed... yeah, sorry, when you had that list of functions that were exposed, you mentioned that any of them could be vulnerable, right? Yeah. And we zoomed in on the one in particular. What did you mean by that?

So at the end of the day it depends on what the function is doing, because when I was talking to the MacVim maintainer his thought was why would you be able to have multiple clients connecting to the service. So his assumption was you couldn't have multiple clients, but you can have multiple clients. The other assumption was that only processes signed by the same developer certificate would be able to connect to that service, which isn't true either. But at the end of the day all those interfaces have some kind of functionality associated with them, and if the assumption from the developer side was that only trusted things can use that, then there's the potential for a vulnerability to exist because they weren't creating it with a defense in mind, is what I was getting at. Right.

Just a following question: can you give us like an example, like something... I know you wouldn't necessarily have looked at the other functions, but can you just give us some sort of example?

Hold on, let me process that. So the only other one is also just a run-as-root function, and then the last example that I saw was just you've got a service running on the machine and you can just stop that service. Okay, thanks. Cool, any other questions? All right, thank you guys. [Applause]
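Both sides of the Distributed Objects exchange the talk describes (server vends an object under a registered name; client needs only that name plus the interface and gets nil on failure), as an added example that is neither the speaker's code nor MacVim's. The service name, the DemoService protocol and the DemoServiceImpl class are made up, and the build assumes an older deployment target, since the talk notes these APIs fail on newer runtimes; the server wraps its root object in NSProtocolChecker so only the protocol's methods are reachable, which is the least a vended interface should do given the talk's point that any local process can connect.

```objective-c
// Added example, not the talk's or MacVim's code. Assumes an older deployment target:
// NSConnection / Distributed Objects are deprecated and fail on newer runtimes.
#import <Foundation/Foundation.h>
#include <string.h>

// The vended interface. This protocol plus the registered name are the only two
// things a client needs to reach the server (the talk's point).
@protocol DemoService
- (NSString *)infoForCommand:(NSInteger)command;
@end

@interface DemoServiceImpl : NSObject <DemoService>   // hypothetical root object
@end
@implementation DemoServiceImpl
- (NSString *)infoForCommand:(NSInteger)command {
    return [NSString stringWithFormat:@"info for 0x%lx", (long)command];
}
// Any other method implemented on this class would also be callable over the
// connection by whoever knows its selector, unless the checker below hides it.
@end

static NSString *const kServiceName = @"com.example.demo-service";  // constructed name

static int runServer(void) {
    DemoServiceImpl *impl = [[DemoServiceImpl alloc] init];
    // Expose exactly the protocol, nothing more. Nothing here authenticates the
    // caller, so every vended method is reachable by any local process.
    NSProtocolChecker *checker =
        [NSProtocolChecker protocolCheckerWithTarget:impl protocol:@protocol(DemoService)];
    NSConnection *conn = [NSConnection serviceConnectionWithName:kServiceName rootObject:checker];
    if (conn == nil) { fprintf(stderr, "could not register service name\n"); return 1; }
    [[NSRunLoop currentRunLoop] run];  // serve until killed
    return 0;
}

static int runClient(void) {
    // No IP or port: the client binds to the registered name alone.
    id proxy = [NSConnection rootProxyForConnectionWithRegisteredName:kServiceName host:nil];
    if (proxy == nil) { fprintf(stderr, "no such service\n"); return 1; }  // nil on failure
    [proxy setProtocolForProxy:@protocol(DemoService)];
    NSString *reply = [(id<DemoService>)proxy infoForCommand:0x1141];
    printf("%s\n", reply.UTF8String);
    return 0;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        return (argc > 1 && strcmp(argv[1], "server") == 0) ? runServer() : runClient();
    }
}
```

Run one copy with the `server` argument and a second copy with no argument; the proxy the client receives is an NSDistantObject, so the call executes inside the server process with the server's privileges, exactly the property the talk relies on.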