SlideShare une entreprise Scribd logo

20+ Ways to Bypass macOS Privacy

C
Csaba Fitzl

"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent. In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges. In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent. Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources. The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.

Technologie
1  sur  58
Télécharger pour lire hors ligne
20+ Ways to Bypass Your macOS Privacy Mechanisms Wojciech Reguła & Csaba Fitzl #BHUSA @BlackHatEvents
#BHUSA @BlackHatEvents Whoami - Csaba • Author of “macOS Control Bypasses” training @ Offensive Security • Developer of Shield.app – exploit protection for macOS • Ex red and blue teamer • Husband, father • Hiking
#BHUSA @BlackHatEvents Whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger – https://wojciechregula.blog • iOS Security Suite Creator • macOS environments security
#BHUSA @BlackHatEvents Agenda 1. Introduction to macOS Privacy 2. TCC bypasses through: • plugins • process injection • mounting • app behavior • /usr/bin/grep 3. Our thoughts on the Apple Security Bounty 4. Conclusion
#BHUSA @BlackHatEvents Intro – macOS Security Mechanisms System Integrity Protection (SIP): • Based on Sandbox kernel extension • Restricts access to many directories on macOS • Denies debugger attachments to processes signed directly by Apple • Also known as rootless, because even root cannot do the above-mentioned operations when the SIP is turned on
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • SQLite3 Database • /Library/Application Support/com.apple.TCC • ~/Library/Application Support/com.apple.TCC
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • User Intent • Extended attribute: com.apple.macl • Managed by the Sandbox • Can’t be added/deleted
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC)
#BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • com.apple.macl • Header • UUID
#BHUSA @BlackHatEvents TCC bypasses through plugins • TCCd validates entitlements held by the main executable • Plugins execute code in the context of the main application • So, plugins inherit the private tcc entitlements
System app with plugin TCC daemon Kernel
System app with plugin TCC daemon Kernel I want to access files from Desktop
System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app
System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement
System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted
System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
System app with malicious plugin
System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
#BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
#BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
#BHUSA @BlackHatEvents TCC bypasses through plugins Changing NFSHomeDirectory aka CVE-2020-27937 1. Copy Directory Utility to location not protected by the SIP 2. Inject a malicious plugin that will be executed with the Directory Utility’s private TCC entitlements 3. Prepare a fake TCC SQLite3 database with fake permissions 4. Modify the NFSHomeDirectory 5. Restart TCCd, so it will load our fake database basing on the NFSHomeDirectory 6. Full user TCC bypass achieved 😎
#BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
#BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 1. Create a malicious macOS bundle with “.driver” extension 2. Plant it in /Library/Audio/Plug-Ins/HAL/ 3. Restart the coreaudiod 4. We can now fully control TCCd 😎 TCC bypasses through plugins
#BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
#BHUSA @BlackHatEvents TCC bypasses through process injection Injecting to xsanctl aka CVE-2020-10006: • We execute code again in the context of an entitled application • However you cannot inject to Apple’s signed apps • But there are exceptions… com.apple.security.get-task-allow 😎
#BHUSA @BlackHatEvents TCC bypasses through process injection • 3rd party apps are especially vulnerable to this kind of attacks • If you manually give the vulnerable app TCC permissions, malware can abuse that app • Electron apps are vulnerable by default 😅 • We have found such vulnerabilities in many apps including: o Firefox (0day / won’t fix) o StreamLabs OBS (0day / won’t fix) o Signal (CVE-2020-24259, fixed) o Snaglt (fixed)
https://wojciechregula.blog/post/how-to-rob-a-firefox/
#BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2020-9771 - mount_apfs TCC bypass • APFS supports snapshots • Mount the snapshot in custom location • Access all files (read-only) • Mount with ”noowners” à access every user’s files • FIX: requires Full Disk Access 😭
#BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2021-1784 - TCC bypass via disk mounting • User’s TCC DB file is protected • But! We can mount over the directory • Prepare a new TCC.db file, new disk image • Mount over “~/Library/Application Support/com.apple.TCC” • Profit 🤑
#BHUSA @BlackHatEvents TCC bypasses through app behavior • Some apps can access private files • Some apps move files when they do something • Some apps can do both
Malicious app App with access to private files
Hi app! I see you can access XYZ private files. Yes! Why? Could you move those files for me to location ABC?
Of course! Here they are. Thank you! Anytime! It was my pleasure.
#BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app • Open files with notes -> auto attach to notes • Notes are unprotected
#BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app
#BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Makes NULLFS mount (not copy) when downloaded app first run • Destination: $TMPDIR/AppTranslocation/d/d/Some.app • Open source as part of Security. • Library: libsecurity_translocate • Binary: /usr/libexec/lsd
#BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Add Quarantine attribute to “Library” • Call the com.apple.security.translocation XPC service • (XPC client is also open source) • Map Library to $TMPDIR/AppTranslocation/d/d/Library • Access all files
#BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation
#BHUSA @BlackHatEvents TCC bypasses with /usr/bin/grep 😅 • Private info is everywhere • Various DBs, caches, configuration files – keep / leak bits of info • How to find them? grep to the rescue 🤣
#BHUSA @BlackHatEvents TCC info leaks • CVE-2020-9963 - QuickLook thumbnails DB (filenames) • CVE-2021-1803 - CloudDocs DBs (filenames) • CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts) • CVE-2021-XXXX - com.apple.identityservices.idstatuscache.plist (contacts) • CVE-2021-30750 - Recents database (contacts)
#BHUSA @BlackHatEvents TCC info leaks • CVE-2021-XXXX - CircleCache.plist (family contacts, birth date) • CVE-2021-XXXX - knowledgeC.db (full iMessages, contacts, etc..) • WON’T FIX - Quarantine database (full download history) • And many more… (yet to be fixed)
#BHUSA @BlackHatEvents Apple Security Bounty (ASB) https://developer.apple.com/security-bounty/payouts/
#BHUSA @BlackHatEvents Apple Security Bounty (ASB) • Apple pays what promised • Bug fixes are often slow – especially design issues • Some reports will be fixed in Monterey only, although they were reported in Catalina à 2 major OS versions!! • Lack of communication, often no updates for months • ASB eligibility decision timeline is unacceptable, often more than 6-7 months!!!
#BHUSA @BlackHatEvents Conclusion • We appreciate the effort • Step in the right direction • Other vendors should do the same • Still lots of issues 1. Apple’s binaries have too many exceptions 2. Third parties are vulnerable to injection attacks • ASB has to improve
#BHUSA @BlackHatEvents Q&A

Recommandé

20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git버전관리를 들어본적 없는 사람들을 위한 DVCS - Git
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git민태 김
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101veerababu penugonda(Mr-IoT)
 
초보자를 위한 Git & GitHub
초보자를 위한 Git & GitHub초보자를 위한 Git & GitHub
초보자를 위한 Git & GitHubYurim Jin
 

Recommandé

20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git버전관리를 들어본적 없는 사람들을 위한 DVCS - Git
버전관리를 들어본적 없는 사람들을 위한 DVCS - Git민태 김
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101veerababu penugonda(Mr-IoT)
 
초보자를 위한 Git & GitHub
초보자를 위한 Git & GitHub초보자를 위한 Git & GitHub
초보자를 위한 Git & GitHubYurim Jin
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiBGA Cyber Security
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Intro to Git and GitHub
Intro to Git and GitHubIntro to Git and GitHub
Intro to Git and GitHubPanagiotis Papadopoulos
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introductionYi-Hsiu Hsu
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
Workshop on Git and GitHub
Workshop on Git and GitHubWorkshop on Git and GitHub
Workshop on Git and GitHubDSCVSSUT
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Introduction to Version Control
Introduction to Version ControlIntroduction to Version Control
Introduction to Version ControlJeremy Coates
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure CodingPrathan Phongthiproek
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
KeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timeKeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timen|u - The Open Security Community
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxElvin Gentiles
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 

Contenu connexe

Tendances

Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiBGA Cyber Security
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introductionYi-Hsiu Hsu
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
Workshop on Git and GitHub
Workshop on Git and GitHubWorkshop on Git and GitHub
Workshop on Git and GitHubDSCVSSUT
 
Introduction to Version Control
Introduction to Version ControlIntroduction to Version Control
Introduction to Version ControlJeremy Coates
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
KeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timeKeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timen|u - The Open Security Community
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxElvin Gentiles
 

Tendances (20)

Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesiWEBSOCKET Protokolünün Derinlemesine İncelenmesi
WEBSOCKET Protokolünün Derinlemesine İncelenmesi
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Intro to Git and GitHub
Intro to Git and GitHubIntro to Git and GitHub
Intro to Git and GitHub
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
 
Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introduction
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 
Workshop on Git and GitHub
Workshop on Git and GitHubWorkshop on Git and GitHub
Workshop on Git and GitHub
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Introduction to Version Control
Introduction to Version ControlIntroduction to Version Control
Introduction to Version Control
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
KeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timeKeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long time
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptx
 

Similaire à 20+ Ways to Bypass macOS Privacy

Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxbriancrawford30935
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Common primitives in Docker environments
Common primitives in Docker environmentsCommon primitives in Docker environments
Common primitives in Docker environmentsalexandru giurgiu
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 

Similaire à 20+ Ways to Bypass macOS Privacy (20)

Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Common primitives in Docker environments
Common primitives in Docker environmentsCommon primitives in Docker environments
Common primitives in Docker environments
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 

Plus de Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints OverviewCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfCsaba Fitzl
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luCsaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 

Plus de Csaba Fitzl (8)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Dernier

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 

Dernier (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 

20+ Ways to Bypass macOS Privacy

  • 1. 20+ Ways to Bypass Your macOS Privacy Mechanisms Wojciech Reguła & Csaba Fitzl #BHUSA @BlackHatEvents
  • 2. #BHUSA @BlackHatEvents Whoami - Csaba • Author of “macOS Control Bypasses” training @ Offensive Security • Developer of Shield.app – exploit protection for macOS • Ex red and blue teamer • Husband, father • Hiking
  • 3. #BHUSA @BlackHatEvents Whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger – https://wojciechregula.blog • iOS Security Suite Creator • macOS environments security
  • 4. #BHUSA @BlackHatEvents Agenda 1. Introduction to macOS Privacy 2. TCC bypasses through: • plugins • process injection • mounting • app behavior • /usr/bin/grep 3. Our thoughts on the Apple Security Bounty 4. Conclusion
  • 5. #BHUSA @BlackHatEvents Intro – macOS Security Mechanisms System Integrity Protection (SIP): • Based on Sandbox kernel extension • Restricts access to many directories on macOS • Denies debugger attachments to processes signed directly by Apple • Also known as rootless, because even root cannot do the above-mentioned operations when the SIP is turned on
  • 8. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • SQLite3 Database • /Library/Application Support/com.apple.TCC • ~/Library/Application Support/com.apple.TCC
  • 9.
  • 10.
  • 11. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • User Intent • Extended attribute: com.apple.macl • Managed by the Sandbox • Can’t be added/deleted
  • 13. #BHUSA @BlackHatEvents Transparency, Consent, and Control (TCC) • com.apple.macl • Header • UUID
  • 14. #BHUSA @BlackHatEvents TCC bypasses through plugins • TCCd validates entitlements held by the main executable • Plugins execute code in the context of the main application • So, plugins inherit the private tcc entitlements
  • 15. System app with plugin TCC daemon Kernel
  • 16. System app with plugin TCC daemon Kernel I want to access files from Desktop
  • 17. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app
  • 18. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement
  • 19. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted
  • 20. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  • 22. System app with plugin TCC daemon Kernel I want to access files from Desktop Hey TCC, check the permissions of the requesting app Validate Code Signing requirement Access Granted Access Granted
  • 23. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
  • 24. #BHUSA @BlackHatEvents Changing NFSHomeDirectory aka CVE-2020-27937 TCC bypasses through plugins
  • 25.
  • 26.
  • 27.
  • 28.
  • 29. #BHUSA @BlackHatEvents TCC bypasses through plugins Changing NFSHomeDirectory aka CVE-2020-27937 1. Copy Directory Utility to location not protected by the SIP 2. Inject a malicious plugin that will be executed with the Directory Utility’s private TCC entitlements 3. Prepare a fake TCC SQLite3 database with fake permissions 4. Modify the NFSHomeDirectory 5. Restart TCCd, so it will load our fake database basing on the NFSHomeDirectory 6. Full user TCC bypass achieved 😎
  • 30.
  • 31. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
  • 32. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 1. Create a malicious macOS bundle with “.driver” extension 2. Plant it in /Library/Audio/Plug-Ins/HAL/ 3. Restart the coreaudiod 4. We can now fully control TCCd 😎 TCC bypasses through plugins
  • 33. #BHUSA @BlackHatEvents Full TCC bypass via coreaudiod aka CVE-2020-29621 TCC bypasses through plugins
  • 34.
  • 35. #BHUSA @BlackHatEvents TCC bypasses through process injection Injecting to xsanctl aka CVE-2020-10006: • We execute code again in the context of an entitled application • However you cannot inject to Apple’s signed apps • But there are exceptions… com.apple.security.get-task-allow 😎
  • 36.
  • 37. #BHUSA @BlackHatEvents TCC bypasses through process injection • 3rd party apps are especially vulnerable to this kind of attacks • If you manually give the vulnerable app TCC permissions, malware can abuse that app • Electron apps are vulnerable by default 😅 • We have found such vulnerabilities in many apps including: o Firefox (0day / won’t fix) o StreamLabs OBS (0day / won’t fix) o Signal (CVE-2020-24259, fixed) o Snaglt (fixed)
  • 39. #BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2020-9771 - mount_apfs TCC bypass • APFS supports snapshots • Mount the snapshot in custom location • Access all files (read-only) • Mount with ”noowners” à access every user’s files • FIX: requires Full Disk Access 😭
  • 40. #BHUSA @BlackHatEvents TCC bypasses through mounting CVE-2021-1784 - TCC bypass via disk mounting • User’s TCC DB file is protected • But! We can mount over the directory • Prepare a new TCC.db file, new disk image • Mount over “~/Library/Application Support/com.apple.TCC” • Profit 🤑
  • 41.
  • 42. #BHUSA @BlackHatEvents TCC bypasses through app behavior • Some apps can access private files • Some apps move files when they do something • Some apps can do both
  • 43. Malicious app App with access to private files
  • 44. Hi app! I see you can access XYZ private files. Yes! Why? Could you move those files for me to location ABC?
  • 45. Of course! Here they are. Thank you! Anytime! It was my pleasure.
  • 46. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app • Open files with notes -> auto attach to notes • Notes are unprotected
  • 47. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-30751 – Notes.app
  • 48. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Makes NULLFS mount (not copy) when downloaded app first run • Destination: $TMPDIR/AppTranslocation/d/d/Some.app • Open source as part of Security. • Library: libsecurity_translocate • Binary: /usr/libexec/lsd
  • 49. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation • Add Quarantine attribute to “Library” • Call the com.apple.security.translocation XPC service • (XPC client is also open source) • Map Library to $TMPDIR/AppTranslocation/d/d/Library • Access all files
  • 50. #BHUSA @BlackHatEvents TCC bypasses through app behavior CVE-2021-XXXX – App translocation
  • 51.
  • 52. #BHUSA @BlackHatEvents TCC bypasses with /usr/bin/grep 😅 • Private info is everywhere • Various DBs, caches, configuration files – keep / leak bits of info • How to find them? grep to the rescue 🤣
  • 53. #BHUSA @BlackHatEvents TCC info leaks • CVE-2020-9963 - QuickLook thumbnails DB (filenames) • CVE-2021-1803 - CloudDocs DBs (filenames) • CVE-2021-1781 - UITextInputContextIdentifiers.plist (contacts) • CVE-2021-XXXX - com.apple.identityservices.idstatuscache.plist (contacts) • CVE-2021-30750 - Recents database (contacts)
  • 54. #BHUSA @BlackHatEvents TCC info leaks • CVE-2021-XXXX - CircleCache.plist (family contacts, birth date) • CVE-2021-XXXX - knowledgeC.db (full iMessages, contacts, etc..) • WON’T FIX - Quarantine database (full download history) • And many more… (yet to be fixed)
  • 55. #BHUSA @BlackHatEvents Apple Security Bounty (ASB) https://developer.apple.com/security-bounty/payouts/
  • 56. #BHUSA @BlackHatEvents Apple Security Bounty (ASB) • Apple pays what promised • Bug fixes are often slow – especially design issues • Some reports will be fixed in Monterey only, although they were reported in Catalina à 2 major OS versions!! • Lack of communication, often no updates for months • ASB eligibility decision timeline is unacceptable, often more than 6-7 months!!!
  • 57. #BHUSA @BlackHatEvents Conclusion • We appreciate the effort • Step in the right direction • Other vendors should do the same • Still lots of issues 1. Apple’s binaries have too many exceptions 2. Third parties are vulnerable to injection attacks • ASB has to improve