My Journey to find vulnerabilities in macOS

so we are still on the line of having Legends on stage people who have been doing uh cybering for long and long time next presenter comes to us from uh Finland who's going to talk about finding vulnerabilities in Mac OS we do know that Macos OS is completely not vulnerable to anything it sees the very secure thing so how is it possible to find something there that's what we are going here during the next 45 minutes

wait wait [Music]

[Music] these signs Legacy hello hello fellow hackers it's good to be over here I'm uh really honored to see that there's so many of you over here uh I want to give a round of applause for all the organizations and also the sponsors May sponsors to make this event happen so let's do that [Applause] all right so I'm going to talk about uh Mac OS some Mac OS vulnerabilities and walk you through uh what was happening under the hood uh when I found a couple of interesting vulnerabilities but before that a little bit about me so my name is Mikko cantala I'm a founder and CEO of sensorflow uh we do a product which continuously monitors at

how well the network isolation is working but I'm not going to talk about that today I'm more going to talk about the my happy hacker hobby project which which is related to the vulnerable one vulnerability research I have multiple hats in other organizations but the and you can find me from the Twitter previously I did done research I started to do some research related to the Mac OS when I got a little bit more time during the 2020 because of obvious reasons so I had more I didn't travel so much and had a bit more time to do and check out some of the things what I used myself so I've been doing this since the

well forever that the whatever software or operating system or applications I am using I tend to check out that the uh what is actually going on under the hood and what might be maybe there's some security challenges and I want to really know that how the things work I've done uh secure technical security audits as a profession over 10 years so maybe I'm not doing those that much anymore but the maybe that has something to do with it so previously I found on uh zero click vulnerability from the Mac OS mail and you get mail application uh and you can find the right I've wrote about it you can find the block from there but

basically what that vulnerability was about was that I was able to craft an email as an attacker and send it to the victim and after immediately after the victim received the email the email his his mail application configuration changed in a way that after that all the emails were also forwarded to me so that was arbitrary file right issue in the Mac OS mail so but uh this time I'm going to talk about a little bit different case it is actually a bit more complicated in the sense that it includes vulnerability chain what I needed to explore exploit to gain the uh access to all the sensitive data that the user might have I also walk you through about the

different security methods what actually is implemented in Mac OS and and I needed to circulate those to actually achieve the goal goal so I saw you on video This is actually the same video where I sent to the Apple uh so it's the original uh version of the video to prove that there's some challenges and I'm going to walk you through that what's what's happening on this video so during that time Pixar was out there or it's in the beta phase uh I just saw you that I have all the security mechanics implemented in a way that it is enabled so uh even there if even if you open a terminal you cannot access the files on

that on your desktop or in the other folders because there's a restrictions for that so however in this case when user downloads a specific file from the internet it may be uh fishing or something like that but in this case it's like a raw demo it's downloading a zip file and now zip file is downloaded and you saw the pop-ups that do you really want to download it and that's the one click which is needed from the user input and next time when the user launches a terminal something weird will happen and you can see that your machine is owned and some databases has been taken and after that it seems that there's now a terminal can now access to

the all the files in the different places so something definitely went wrong because that should never happen so uh a little bit about the background and how I normally operate so I tend to find out different vulnerabilities in rather simple methods there's three steps and with the first one is quite obvious that try to learn as much as possible and you can do that by reading the documentation reading what's written at the internet about it about the same thing what you are researching and especially for me the reverse engineering is the really key thing to actually find out that how different applications are working so I normally use softwares rather simple softwares maybe I'm old school guy so I use uh D trace

for example tracing this is calls in the Mac OS or other systems I use DCP dump to see the traffic and really Advance analysis methods like strings to analyze the binaries and so on so rather simple things but with that combined to the things what I uh play around and I see the results what's happening under the hood I can make up on my mind that how exactly the application or the service is working uh find the anomaly when you know how the process or application actually works uh if there's a place is for user input so try to play around with the user input see if you can cause some anomaly under the hood so you have a visibility with

the external tools for tools for it or maybe you get immediate feedback via user interface but the you try to play around and try to call some error or something like that and that might be it that might be the actual vulnerability then when you have found it do specific testing related to that anomaly and try to exploit that so rather straightforward as a in a fundamentals but might take some time to actually actually get it done so to achieve code execution in Mac OS with one click we need to really evade evade multiple different security mechanisms and I quickly walk those through so we need to find the anomaly we need to exploit it after that if we want to get

more done we need to evade the gatekeeper which is uh well I explain it a bit later which is taking care of the takes care of the that what application should be able to run on the system uh there's a TCC which is taking care of the restrictions to and doing this providing the sandbox in the Mac OS and sip is providing protecting most important files in Mac OS based system and its zip protection is built into the kernel and the TCC is in the user land so the GateKeeper the main role if you use Mac OS you might be seeing pop-ups like these these are basically how you see the gatekeeper in action so whenever you download new

binaries you open things that you have downloaded from the internet it is typically marked as an uh potentially malicious file and the gatekeeper will trigger this warning to show you that the uh I really want to run this and so a little bit a little bit of information about where you have downloaded it and so on

then there's the TCC which which is basically controlling the sandboxing in the sense that you have a sensitive data on your system including web camera information location information your emails your files your photos there's the controls for all of that and TCC is the component which basically is the user interface to control that data so normally when you run your application your application is only should be only accessing the files which are related to that specific application if you need to access some files on your desktop or something like that you really need to Grant the permission for that application and provide the possibility to access the files in specific places this is rather good

thing to be in to have in the Mac OS then there's a sip which is the system Integrity protection uh here's an example what it does so even though I have a file in my home directory I cannot access it so even though if I I should be the owner I and from the Unix BSD point of view I should have access to read that file that sip is protecting that file to be accessed by myself from the terminal I need to use specific software to get the access to that specific database so uh this is internal level so it is making the attacker's life quite much more harder so let's dive into the actual

vulnerability chain now you have some understanding about the background in this phase can you raise the hand how many of you are actually using uh Apple devices or Mac OS all right about half of you I would say so quite quite too many so the vulnerability chain uh Alias file to rule them all so uh in this chain we will gain the access to compromise the user's sensitive data with the only one click you and meaning user interaction so when the user clicked once this pop-up after that the game is over so but in in a nutshell you I saw the video so when the user actually assets the download the zip file will be downloaded and and

the Mac OS is infected and what is happening under the hood the zip file is in general considered as a save file format in a Mac OS Safari at least in and in also in some other places so what that means is that when that is downloaded it will be automatically uncompressed and extract to the downloads folder so in my case the zip file actually included an application with an alias file and this is important because it need to look like an application because we want to well I'll explain it later on but the uh in that zip file it's an application and in Mac OS the applications are just a bunch of directories in a certain

structure and in instructions and the original binary and I did it so that the Alias file was the binary in that application uh Mac OS Alias files how many of you have heard about the Mac OS Alias files couple of you great it is interesting because it's mostly promo that in 91 when when it was originally introduced in the Mac OS 7. so quite a while ago and the biggest benefit with the Mac OS Alias files compared to the traditional links or Zoom links or so on is the fact that it is pointer for certain objective in your system object in your system so even though if you move the original file to different place all of these Alias files will be

automatically updated also so you can move the uh the original filed from place to place and the links will still work or the Alias files will still work so it's quite an ancient history and still working uh well in the Mac OS system I rarely see this in action uh maybe maybe more in the if you install a new application to the Mac OS and you do the track and drop for the application and it points to the application folder that's the only case where you see it but you can use it for other things like a PDFs or so on so the applicants normally includes the executable inside of the directory structure and the in in my example it was exactly

over there where the Alias was so the main executable was the Alias but the good the trick in my case was that it was pointing out to the external resource and this is one of the cool things of about the Mac OS Alias files is that you can actually do it in a way that it completely links to the out some resource which is outside of your computer like a Samba month for example so I did that and whenever that application inside of that zip is downloaded there's an uh background process called LSD launch service Daemon and it will automatically figure out oh this looks like an application I need to go and index that

so we can launch it easily via other uh like a spotlight or something like that you can launch it via that way so it does it automatically so with this way attacker can trick the victim to download and automatically mount a network share but that's not yet there there's I was thinking on this was the original thing what basically uh give me the uh gave me the idea that maybe this is something what should be looked more closely this is not like a this is a kind of bad thing but not something what you can exploit immediately so so what now attacker can trigger some amount but what can you do with that uh you can try to fool out the user to

actually click it open uh some malware which is inside of that but it will be prevented by the gatekeeper because it's flagged as a potentially malicious file because it's downloaded from the internet and on the other hand victim need to do some clicking so it's kind of boring boring way to approach it that way okay and then there's a uh finding a way that how we can affect the uh that process when when the moon is actually actually automatically mounted so I was trying to figure out that what I can do with this capability right now so I started to think about that it would be great if I can mount the samba Mount to some specific directory instead

of normally used slash volumes uh and and typically when you install or double click the image or the network share it will be mounted under this last volumes and the uh last part of that URL is actually used as a name of the directory so obviously I started to do some trickery with dot dot slash type of naming and pretty much try it all kind of different kind of tricks but none of the tricks actually seem to work in a way that it would be beneficial for me X there was one anomaly for some reason naming logic was failing if I had that percent 0 0 to the name of the last part path of the URL so that's

new typically and it broke something related to the parsing in the background so after that when that triggered uh after that the naming for the volumes slash the directory will use actually the fully qualified domain name in that URL which basically in my example case is the fileserver.local in that example case so I started to figure out that can I use that maybe there's some different code path actually in the background and maybe I can play around with the domain name although I was a bit worried that it is quite restricted what I can do with the domain names however I decided that I configured the wildcard domain name for this test so it is more

easily to go through different variations and so on and it turns out that the fully qualified domain name is not sanitized by any means so even though there was a really strict sanitation done for the uh URLs and the last part last part of the URL there was no sanitation at all in a fully qualified domain name so the solution looks like something like this so uh there's a quite a lot of going on so but at first we break the default naming method uh with the setting the last part of the URL as a null and after that the Korean part is used as an uh as a as an for naming that first part I needed to use

uh double URL encoding to make the DNS query actually work so in that example uh I I leveraged the Wild Card domain name in a way that I entered the dot dot slash private slash temp slash test and uh in the third phase I added yet another null to actually terminate the uh parsing in a way that the rest of the fully qualified domain name was not used for the mounting and after that the mount point will be slash volumes less dot dot slash private slash temps last test so now I have a arbitrary access in a way that I can mount Samba Mount to whatever pad I wanted however there was a limitation on that

that only non-existing directories can be used as a mount point and this will be important in later phases so phase 3 we still don't have a code execution but we have the arbitrary Mount path uh for the samba Mount which can be triggered with the one click so how we can get the code execution this shouldn't be too hard in the sense that the traditionally in this phase it's more like you just need to do a lot of reading and sitting and on on the at your computer and just figure it out however it was surprisingly painful and finally uh this was the phase which actually took most of the time in this exploit chain

so normally there's a couple of potential paths but you can take when you actually want to find out uh way to get code running when you have that kind of like arbitrary file mode uh situation so you try to find out what existing softwares there are maybe there's some plugins or other features what you can leverage that whenever the software is launched it will automatically load the plugins from specific directory and so on however there's plenty of speed bumps still to go cover uh gatekeeper sandboxing and that the fact that the mount Point directory need to be a new directory there was plenty of options to actually get the plugins in and running while you are using normally some

applications but there was an existing directory so I couldn't use that so that was great limitation for me to actually figure this out just a reminder that gatekeeper is different one which provides these pop-ups and prevent the external applications which may be malicious to actually run on your Mac so but I found a solution and uh most straightforward way for this demonstration was to actually use Z dot Z keyboard directory it is uh directory which includes normally or could include normally some configuration to your shell so jet sh is the normal common shell in Mac OS nowadays and if you have a you can set up configuration files which are basically can be sales scripts for example to that

directory and those will be automatically loaded whenever the zsh is initially sized so now we got finally we had the code execution capabilities and we can get our own shell scripts running on the system whenever the terminal is launched so but then we had still the problem and by the way the gatekeeper because it is of this is actually affecting the existing software and the configuration in that existing software meaning the zsh and the uh terminal so these are existing software so whenever uh those are allowance the gatekeeper won't prevent of launching those applications because it is original application and we only infected the configuration which will cause the code execution so what now we still still don't have

the access to the all the personal uh information what could be over there because of the TCC limitations uh and this is as a reminder this is how the TCC looks like it's taking care of the sandboxing related to the applications so the TCC works so that all the user content is actually stored in the sqlite in that specific path all of the macro users you have that in place and it includes the all the configuration it is sqlite uh so it's not that complicated system but it is protected by the Sip so you cannot in normal situation you cannot manipulate it by any means because it will prevent that even if you are rude you cannot access that

so this means we need to circumvate the ship to get access to that tccd how hard it can be actually works so that you you have a user process called tccd running and it's owned by your user account so I was thinking of immediately that okay basic unique stuff I'm the owner of that process maybe I can manipulate the environment in a way that something fancy will happen and I can fool the uh tccd to actually load some other sqlite database instead of mine I am and you as a user you can kill the tccd process but it will be automatically launched immediately after you have killed it but you are able to do that you the only restriction is that

you cannot manipulate the TCC database because it's prevented by the Sip so I have to be honest this was the first thing what I tried and it worked it might be hard to see but the I will walk you through so this was Lucky Strike for me because uh I was playing around with the moans before in the uh in the previous phases so this was the first thing what to came what came to my mind that what if I just killed the tccd process and quickly mount a new image to that specific path and that specific image will include my customized uh DCC database and this was basically the first thing what I tried

and it worked and I was really stunned that what the heck is going on that this should be preventing all the attackers to stay in the sandbox and this was the first thing what came to my mind but it was the Lucky Strike and if you do if you do uh like a technical security outage you find out that these Lucky Strikes are surprisingly common because for any reason or maybe it was a hunch that maybe I should try this because maybe the developers didn't think about this kind of scenario at all and don't repeat that way so tccd process will start after I have killed it and mounted to New Image to that exact path where the TCC database

is when the process will start again it will just gladly pick the path load the new sqlite database and that's it so now whole puzzle was basically sold with this and now we got an access to all the files and we are able to run code in the system in a way that this attacker Samba Mount mounted to arbitrary file path and the attacker has fully control and it can do what whatever the attacker wants so this was rather complicated process in the sense that the if we look at this the all the steps so the user downloads the zip file it will be automatically extracted by Safari then there's a LSD process which will

automatically go and index it it finds out that oh there's a Alias file with the external resource it will automatically Mount that external resource because why not and after that we have an initial access then later on when the user does some things on normal things on on his or her laptop like a launcher terminal I know this is not there like a like a best scenario but the it was good enough for the proof of concept and the demo when the terminal actually launches it loads the con out it's launches it that sh and it will load configuration for it which actually includes my payload all the shell commands and the that will be

automatically done and then we have the evasions for the TCC and the ship to actually gain full access to that terminal to access all the different places and we are there

then this this was basically done the timeline this was done during the 2020 I found the issue it took quite a while to make it make it like a good proof of concept of it I actually reported this to the Apple when the picture was in the beta phase uh quite fairly quickly they did the fixes so both of the main vulnerabilities were fixed in quite quickly the Alias issue was silently fixed so maybe they didn't consider that as an vulnerability the fact that it will be automatically mounted if you have a Alias file in your Mac OS application main binary it's a functionality I guess so however they silently fixed it and it's now all the

over 100 million of Mac users are now in save uh it took all the way one year or over one year to actually qualify it for the Apple security boundary so uh it's not the fast process if you are planning to do some security research for the Mac OS your student hold your breath and wait the Mac OS bounty to come it will take some time however they pay at the end of the day and the uh it is like fairly good bound I would say and this is how the cve actually looks looks like so I think like over five years ago especially in the Apple's case uh the these like uh chains locks related to

the cyber security was always quite abstract and uh it seems that the things have been going to the better Direction I'm happy about it and they are actually quite quite well showing that what was going on and it gives you a better idea that what's what is going on and this is the uh the other vulnerability related to that uh I've asked quite a lot that how the cooperation with the Apple went so maybe I cover it because I have some time uh in general I'm reported also other not that serious vulnerabilities to Apple and generally nowadays they reply rather quickly they don't provide any information that how the research is going on only after when

you when the issue is fixed and released they give you Insight that the you were the first one to find that out and so on that kind of information but for example in this vulnerability chain they had some troubles or challenges to reproduce the samba Mount case so we basically cooperated had a hunter chat via email and after some discussions I just decided that I built a virtual machine for them which has the pre-configured the samba Samba server and so on and they were able to reproduce the exact issue so I think it's fairly good because they can do the fixes in a really short time two to three months and those are pushed to all

the users that's good thing obviously the back Bounty part will take heckloads of time that's something what most of the researchers complain but at least there's a park Bounty program so I think that's great okay but I think that's about it thank you everyone and I'm really happy to hear if you have any questions thank you [Applause] so any questions from the audience there is one here first and and the next one can also uh show their hands so the microphone can move during the answering and we get uh faster so please yeah based on your presentation the uh security research is like a walk in a park it's just find one vulnerability then the next one Etc

especially the phase four uh with the Lucky Strike but how many dead ends you you met per phase before you actually got these successful exploit working quite many so in all the faces basically I looked around quite a lot so except the Lucky Strike that was like went went right in the first try but I would say it's like uh one to ten ratio I tend to operate in a way that I try to poke around to find out a hunch that what might be the next step for example I went quite far with the one of plug-in type which is related to the Mac OS preview so whenever you uh if you have a picture in your desktop

and if you press space you get the preview about that file so there's a plugin system in that preview so I went quite far with that but it is really heavily sandbox and really limited but I spent many many evenings with that and then decided to just to take a step back and try to poke around the other things and it it started to go forward but it is really common too so for that reason I try to operate in the way that when it's Ico and poke and okay this feels a bit soft let's see how far I can push it and if it start to be harder I maybe come back and try something new in the next day

and and maybe come back to that same topic again later on so it's like a really common and and the about the comment related that it seems that you just walk walk through the different paths and look around at what you can find and that it seems for me that it's quite there's not too many researchers doing that kind of things because it's manual labor basically you cannot easily automate it this and and automatically find out this Logic box what I basically used all of them are like a kind of logic bugs there's more research on the things where what you can do automatically fasting for example which is still really effective and so on so that's something what you can also

do I think I felt that this challenge is what I puzzled what I was able to solve was more like playing a capture the flag or or doing that kind of challenges

hi so in the URL encoding part in the symbol part you URL encoded the path traversal and I understand that but what really surprised me is that you double URL encoded in the double URL decoded what do you think it did that I'm not exactly sure about the if I use one layer of URL encoding I think it broke the DNS query because it includes the dots or slashes maybe those are not the valid like a DNS queries most likely some of you know know about that so for that reason I needed to use the double encoding and I'm not sure what actually happens over there it might be I or I don't remember I've been checking

that so most likely what happens is that the first layer of the encoding is uh remote immediately in the first phase when the DNS query is done so the one layer is removed immediately and when the uh in the next part when that same information is used again then the second part will be removed but not sure but it is a fairly interesting and fairly old trick to fool the parcels I would say also to have the double encoding thank you next microphone is already there what recommendation can you give for the newbies who wants to start the bug bout this do you say that Apple Puck point is a harder to find than Windows

or some others depends on your background so if you are Unix Source admin if you have any experiences of uh hosting uh own Linux server or something like that the Mac OS is good because it's working as traditional Unique Systems under the hood most of the time there's some flavors for for Mac OS like the security control mechanisms and so on but the fundamentals are the same but for the for the new rubies I would start with something maybe smaller because the operating system includes quite a lot of new things if you know something already about the OSS not from the security point of view but yeah that if you know already how the system should

basically work it is definitely easy to dive into that topic but if you are it might be for total newbie it might be more you might be much more successful if you have a smaller scope maybe one application or one service and you learn that first and go piece by piece later on so maybe that would be but in general uh hacking the windows or hacking the Mac OS I don't see mass of difference I tend to approach it in the way that I don't do the same things what the others are doing so that's might be there might be low hanging fruits on the places where the nobody is looking at and this is one of

the examples it seems that everyone who is doing seriously some vulnerability research really and backbone is they are really into running automatically and systematically fossils and doing testing that way so I just think thought that maybe I should take a totally different approach and look to different directions and it seems that in general in cyber security see in this like a sauron's eye which is like in like in The Lord of the Rings that it's turning always to some direction and everybody is doing similar kind of things so I've been always trying to pick the leftovers because it seems that there's a plenty of research to do in those Avenues also so maybe that's something to consider if

you want to really get the boundaries also maybe do something what the others are not doing which is there is one more question there if there is another hand just show first yeah hi your disclosure timeline started with the actual disclosure to Apple but I was wondering uh before the time of disclosure how long were you working on that specific uh series of events and was the time spent in proportion with the bug Bounty from Apple the main Alias thing is really old one however I didn't ask if you remember where we started in the phase one it didn't didn't lead to too far so fortunately like 2000 and 15 I found out that there's an you can

sometimes automatically have a disk image Mount if you if you are using the Alias so that was something which was on back of my head that this is something what needed to be researched when I have a time and immediately after seven years I had more time on the or the five years I had more time for it so but when I started to do it and when it started to go forward I I started to get some results and for me I think it in I spent the evening time mainly with tea so three hours per evening and it took something like two weeks to go it through during the evenings and my family had had to be

quite flexible because when I saw that this is going to some direction and I cannot stop it now because it's like all the time on my mind so I need to solve this puzzle and at the same time it's rather serious thing if you can do that kind of thing so I felt that burden of 100 million users that maybe this would be fixed in a quite quick quickly so two weeks about what's the timeline for the for it okay we have one more question from there and then there is a time to pick the winning question so since this exploit is like from a user land and start with a single click do you think is it possible to get it to

a zero click state by using a webkit exploit yeah it could be so uh actually it went so that this actually refers to the previous question too that this is the thing where I started originally so I started to do the research for the Alias I started to try to find out the zero click possibility I ended up finding the male vulnerability with which was Zero click so I had a struggle inside of my mind that suit diets just combined this or get it working in a way that with that email I will of course but during that time I didn't have full chain for this specific thing however the male vulnerability was so big and like uh concerning that I didn't

want to sit on top of that vulnerability because after all it was Zero click and it was existing and there's a quite a lot of users using the mile app so I made a simple proof of concept for that and send it to the apple and continued with this and started to think about it maybe this is like a another chapter so uh definitely it could have been triggered we are that way okay uh thank you thank you first the GoPro booty back for you thank you and uh which of the questions you like most I think there was kind of like uh the URL the final one then the kind of start getting started I think I think

they're getting how to get started with the buck bound is is a good thing because one of them great motivations for me to come to speak about the vulnerabilities that this kind of events is to encourage the uh younger who are coming to the business to actually do some security research so I think that's the best one okay uh hello can find later the volunteer who will help so thank you and we have a coffee break of 26 minutes left we'll be back here at 15 30 and then we'll have two more Legends of cyber security going to talk us about thinking models based on attack and different tools that you don't do the work for you so see you back in 20 some

minutes