My Journey to find vulnerabilities in macOS

so we are still on the line of having Legends on stage people who have been doing uh cybering for long and long time next presenter comes to us from uh Finland who's going to talk about finding vulnerabilities in Mac OS we do know that Macos OS is completely not vulnerable to anything it sees the very secure thing so how is it possible to find something there that's what we are going here during the next 45 minutes wait wait [Music] [Music] these signs Legacy hello hello fellow hackers it's good to be over here I'm uh really honored to see that there's so many of you over here uh I want to give a round of applause for all the organizations and also the sponsors May sponsors to make this event happen so let's do that [Applause] all right so I'm going to talk about uh Mac OS some Mac OS vulnerabilities and walk you through uh what was happening under the hood uh when I found a couple of interesting vulnerabilities but before that a little bit about me so my name is Mikko cantala I'm a founder and CEO of sensorflow uh we do a product which continuously monitors at how well the network isolation is working but I'm not going to talk about that today I'm more going to talk about the my happy hacker hobby project which which is related to the vulnerable one vulnerability research I have multiple hats in other organizations but the and you can find me from the Twitter previously I did done research I started to do some research related to the Mac OS when I got a little bit more time during the 2020 because of obvious reasons so I had more I didn't travel so much and had a bit more time to do and check out some of the things what I used myself so I've been doing this since the well forever that the whatever software or operating system or applications I am using I tend to check out that the uh what is actually going on under the hood and what might be maybe there's some security challenges and I want to really know that how the things work I've done uh secure technical security audits as a profession over 10 years so maybe I'm not doing those that much anymore but the maybe that has something to do with it so previously I found on uh zero click vulnerability from the Mac OS mail and you get mail application uh and you can find the right I've wrote about it you can find the block from there but basically what that vulnerability was about was that I was able to craft an email as an attacker and send it to the victim and after immediately after the victim received the email the email his his mail application configuration changed in a way that after that all the emails were also forwarded to me so that was arbitrary file right issue in the Mac OS mail so but uh this time I'm going to talk about a little bit different case it is actually a bit more complicated in the sense that it includes vulnerability chain what I needed to explore exploit to gain the uh access to all the sensitive data that the user might have I also walk you through about the different security methods what actually is implemented in Mac OS and and I needed to circulate those to actually achieve the goal goal so I saw you on video This is actually the same video where I sent to the Apple uh so it's the original uh version of the video to prove that there's some challenges and I'm going to walk you through that what's what's happening on this video so during that time Pixar was out there or it's in the beta phase uh I just saw you that I have all the security mechanics implemented in a way that it is enabled so uh even there if even if you open a terminal you cannot access the files on that on your desktop or in the other folders because there's a restrictions for that so however in this case when user downloads a specific file from the internet it may be uh fishing or something like that but in this case it's like a raw demo it's downloading a zip file and now zip file is downloaded and you saw the pop-ups that do you really want to download it and that's the one click which is needed from the user input and next time when the user launches a terminal something weird will happen and you can see that your machine is owned and some databases has been taken and after that it seems that there's now a terminal can now access to the all the files in the different places so something definitely went wrong because that should never happen so uh a little bit about the background and how I normally operate so I tend to find out different vulnerabilities in rather simple methods there's three steps and with the first one is quite obvious that try to learn as much as possible and you can do that by reading the documentation reading what's written at the internet about it about the same thing what you are researching and especially for me the reverse engineering is the really key thing to actually find out that how different applications are working so I normally use softwares rather simple softwares maybe I'm old school guy so I use uh D trace for example tracing this is calls in the Mac OS or other systems I use DCP dump to see the traffic and really Advance analysis methods like strings to analyze the binaries and so on so rather simple things but with that combined to the things what I uh play around and I see the results what's happening under the hood I can make up on my mind that how exactly the application or the service is working uh find the anomaly when you know how the process or application actually works uh if there's a place is for user input so try to play around with the user input see if you can cause some anomaly under the hood so you have a visibility with the external tools for tools for it or maybe you get immediate feedback via user interface but the you try to play around and try to call some error or something like that and that might be it that might be the actual vulnerability then when you have found it do specific testing related to that anomaly and try to exploit that so rather straightforward as a in a fundamentals but might take some time to actually actually get it done so to achieve code execution in Mac OS with one click we need to really evade evade multiple different security mechanisms and I quickly walk those through so we need to find the anomaly we need to exploit it after that if we want to get more done we need to evade the gatekeeper which is uh well I explain it a bit later which is taking care of the takes care of the that what application should be able to run on the system uh there's a TCC which is taking care of the restrictions to and doing this providing the sandbox in the Mac OS and sip is providing protecting most important files in Mac OS based system and its zip protection is built into the kernel and the TCC is in the user land so the GateKeeper the main role if you use Mac OS you might be seeing pop-ups like these these are basically how you see the gatekeeper in action so whenever you download new binaries you open things that you have downloaded from the internet it is typically marked as an uh potentially malicious file and the gatekeeper will trigger this warning to show you that the uh I really want to run this and so a little bit a little bit of information about where you have downloaded it and so on then there's the TCC which which is basically controlling the sandboxing in the sense that you have a sensitive data on your system including web camera information location information your emails your files your photos there's the controls for all of that and TCC is the component which basically is the user interface to control that data so normally when you run your application your application is only should be only accessing the files which are related to that specific application if you need to access some files on your desktop or something like that you really need to Grant the permission for that application and provide the possibility to access the files in specific places this is rather good thing to be in to have in the Mac OS then there's a sip which is the system Integrity protection uh here's an example what it does so even though I have a file in my home directory I cannot access it so even though if I I should be the owner I and from the Unix BSD point of view I should have access to read that file that sip is protecting that file to be accessed by myself from the terminal I need to use specific software to get the access to that specific database so uh this is internal level so it is making the attacker's life quite much more harder so let's dive into the actual vulnerability chain now you have some understanding about the background in this phase can you raise the hand how many of you are actually using uh Apple devices or Mac OS all right about half of you I would say so quite quite too many so the vulnerability chain uh Alias file to rule them all so uh in this chain we will gain the access to compromise the user's sensitive data with the only one click you and meaning user interaction so when the user clicked once this pop-up after that the game is over so but in in a nutshell you I saw the video so when the user actually assets the download the zip file will be downloaded and and the Mac OS is infected and what is happening under the hood the zip file is in general considered as a save file format in a Mac OS Safari at least in and in also in some other places so what that means is that when that is downloaded it will be automatically uncompressed and extract to the downloads folder so in my case the zip file actually included an application with an alias file and this is important because it need to look like an application because we want to well I'll explain it later on but the uh in that zip file it's an application and in Mac OS the applications are just a bunch of directories in a certain structure and in instructions and the original binary and I did it so that the Alias file was the binary in that application uh Mac OS Alias files how many of you have heard about the Mac OS Alias files couple of you great it is interesting because it's mostly promo that in 91 when when it was originally introduced in the Mac OS 7. so quite a while ago and the biggest benefit with the Mac OS Alias files compared to the traditional links or Zoom links or so on is the fact that it is pointer for certain objective in your system object in your system so even though if you move the original file to different place all of these Alias files will be automatically updated also so you can move the uh the original filed from place to place and the links will still work or the Alias files will still work so it's quite an ancient history and still working uh well in the Mac OS system I rarely see this in action uh maybe maybe more in the if you install a new application to the Mac OS and you do the track and drop for the application and it points to the application folder that's the only case where you see it but you can use it for other things like a PDFs or so on so the applicants normally includes the executable inside of the directory structure and the in in my example it was exactly over there where the Alias was so the main executable was the Alias but the good the trick in my case was that it was pointing out to the external resource and this is one of the cool things of about the Mac OS Alias files is that you can actually do it in a way that it completely links to the out some resource which is outside of your computer like a Samba month for example so I did that and whenever that application inside of that zip is downloaded there's an uh background process called LSD launch service Daemon and it will automatically figure out oh this looks like an application I need to go and index that so we can launch it easily via other uh like a spotlight or something like that you can launch it via that way so it does it automatically so with this way attacker can trick the victim to download and automatically mount a network share but that's not yet there there's I was thinking on this was the original thing what basically uh give me the uh gave me the idea that maybe this is something what should be looked more closely this is not like a this is a kind of bad thing but not something what you can exploit immediately so so what now attacker can trigger some amount but what can you do with that uh you can try to fool out the user to actually click it open uh some malware which is inside of that but it will be prevented by the gatekeeper because it's flagged as a potentially malicious file because it's downloaded from the internet and on the other hand victim need to do some clicking so it's kind of boring boring way to approach it that way okay and then there's a uh finding a way that how we can affect the uh that process when when the moon is actually actually automatically mounted so I was trying to figure out that what I can do with this capability right now so I started to think about that it would be great if I can mount the samba Mount to some specific directory instead of normally used slash volumes uh and and typically when you install or double click the image or the network share it will be mounted under this last volumes and the uh last part of that URL is actually used as a name of the directory so obviously I started to do some trickery with dot dot slash type of naming and pretty much try it all kind of different kind of tricks but none of the tricks actually seem to work in a way that it would be beneficial for me X there was one anomaly for some reason naming logic was failing if I had that percent 0 0 to the name of the last part path of the URL so that's new typically and it broke something related to the parsing in the background so after that when that triggered uh after that the naming for the volumes slash the directory will use actually the fully qualified domain name in that URL which basically in my example case is the fileserver.local in that example case so I started to figure out that can I use that maybe there's some different code path actually in the background and maybe I can play around with the domain name although I was a bit worried that it is quite restricted what I can do with the domain names however I decided that I configured the wildcard domain name for this test so it is more easily to go through different variations and so on and it turns out that the fully qualified domain name is not sanitized by any means so even though there was a really strict sanitation done for the uh URLs and the last part last part of the URL there was no sanitation at all in a fully qualified domain name so the solution looks like something like this so uh there's a quite a lot of going on so but at first we break the default naming method uh with the setting the last part of the URL as a null and after that the Korean part is used as an uh as a as an for naming that first part I needed to use uh double URL encoding to make the DNS query actually work so in that example uh I I leveraged the Wild Card domain name in a way that I entered the dot dot slash private slash temp slash test and uh in the third phase I added yet another null to actually terminate the uh parsing in a way that the rest of the fully qualified domain name was not used for the mounting and after that the mount point will be slash volumes less dot dot slash private slash temps last test so now I have a arbitrary access in a way that I can mount Samba Mount to whatever pad I wanted however there was a limitation on that that only non-existing directories can be used as a mount point and this will be important in later phases so phase 3 we still don't have a code execution but we have the arbitrary Mount path uh for the samba Mount which can be triggered with the one click so how we can get the code execution this shouldn't be too hard in the sense that the traditionally in this phase it's more like you just need to do a lot of reading and sitting and on on the at your computer and just figure it out however it was surprisingly painful and finally uh this was the phase which actually took most of the time in this exploit chain so normally there's a couple of potential paths but you can take when you actually want to find out uh way to get code running when you have that kind of like arbitrary file mode uh situation so you try to find out what existing softwares there are maybe there's some plugins or other features what you can leverage that whenever the software is launched it will automatically load the plugins from specific directory and so on however there's plenty of speed bumps still to go cover uh gatekeeper sandboxing and that the fact that the mount Point directory need to be a new directory there was plenty of options to actually get the plugins in and running while you are using normally some applications but there was an existing directory so I couldn't use that so that was great limitation for me to actually figure this out just a reminder that gatekeeper is different one which provides these pop-ups and prevent the external applications which may be malicious to actually run on your Mac so but I found a solution and uh most straightforward way for this demonstration was to actually use Z dot Z keyboard directory it is uh directory which includes normally or could include normally some configuration to your shell so jet sh is the normal common shell in Mac OS nowadays and if you have a you can set up configuration files which are basically can be sales scripts for example to that directory and those will be automatically loaded whenever the zsh is initially sized so now we got finally we had the code execution capabilities and we can get our own shell scripts running on the system whenever the terminal is launched so but then we had still the problem and by the way the gatekeeper because it is of this is actually affecting the existing software and the configuration in that existing software meaning the zsh and the uh terminal so these are existing software so whenever uh those are allowance the gatekeeper won't prevent of launching those applications because it is original application and we only infected the configuration which will cause the code execution so what now we still still don't have the access to the all the personal uh information what could be over there because of the TCC limitations uh and this is as a reminder this is how the TCC looks like it's taking care of the sandboxing related to the applications so the TCC works so that all the user content is actually stored in the sqlite in that specific path all of the macro users you have that in place and it includes the all the configuration it is sqlite uh so it's not that complicated system but it is protected by the Sip so you cannot in normal situation you cannot manipulate it by any means because it will prevent that even if you are rude you cannot access that so this means we need to circumvate the ship to get access to that tccd how hard it can be actually works so that you you have a user process called tccd running and it's owned by your user account so I was thinking of immediately that okay basic unique stuff I'm the owner of that process maybe I can manipulate the environment in a way that something fancy will happen and I can fool the uh tccd to actually load some other sqlite database instead of mine I am and you as a user you can kill the tccd process but it will be automatically launched immediately after you have killed it but you are able to do that you the only restriction is that you cannot manipulate the TCC database because it's prevented by the Sip so I have to be honest this was the first thing what I tried and it worked it might be hard to see but the I will walk you through so this was Lucky Strike for me because uh I was playing around with the moans before in the uh in the previous phases so this was the first thing what to came what came to my mind that what if I just killed the tccd process and quickly mount a new image