Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
hack.lu 2016 and Hacktivity 2016 presentation
Recommended
In this lecture we look at how a program is written, compiled and executed, and we also look at the compiler and the linker. - YouTube lecture video: https://youtu.be/chspNSbIW3w - Download the code here: https://github.com/dongupak/Basic-C-Programming
02 1 The program writing process
Changwon National University
In this talk I will talk about two mitigations which Apple introduced in order to protect against many types of logic vulnerabilities. Launch Constraints were introduced in macOS Ventura, and they can control who can launch a built-in system application and how. Environment Constraints were introduced in Sonoma, and they are basically the extension of Launch Constraints for third-party apps. These two features are probably the most impactful when it comes to exploitation. I will review them in detail: how they are set up, what they do exactly, and what kind of vulnerability classes they mitigate. I will also go through a couple of past vulnerabilities which could not have been exploited with these constraints present. Finally I will walk through how various third-party apps should be set up in order to be secure.
Launch and Environment Constraints Overview
Csaba Fitzl
Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug that we don't notice others which might still be hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems. In this talk I will cover three macOS vulnerabilities that I found while reading the writeups of other vulnerabilities, some of which were public for over four years. I also only spotted them after multiple reads, and once found I realized that they were right there in front of us every single time. In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability in the disk arbitration service. What I found was that the same logic flaw was present in another part of the code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape. In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors, and after reading through the patch for the ~20th time I spotted a new privilege escalation possibility. In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me that not only is it possible to bypass the new patch, but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
Slides to my talk "Beyond the good ol' LaunchAgents" at Security Fest about macOS persistence.
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grant various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links. When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source. In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it. Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
The slides of my ObjectiveByTheSea v4 conference talk. Abstract: In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities that impacted the system. In the first half we will introduce how mounting happens and how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is also responsible for some of the mounting which can be done by the user. Next we will detail different bugs that impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses. Lastly we will review how we can use the mount command to our own advantage when exploiting third-party applications.
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent. In this talk, we will share multiple techniques that allowed us to bypass this prompt and, as a malicious application, get access to protected resources without any additional privileges or the user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges. In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent. Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources. The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover, as we're going to publish several exploits, red teams will also benefit from the talk.
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
This talk covers how we can exploit applications on macOS (including macOS itself) where some of the directory / file permissions are incorrectly set. The incorrectness of these settings is not trivial at first sight, because understanding these permissions is not intuitive. We will see bugs from simple arbitrary overwrites to file disclosures and privilege escalation. The concepts are applicable to *nix based systems as well; however, this talk focuses on macOS bugs only. We will also cover different techniques for how to control the contents of files to which we don't have direct write access. We will do a deep-dive overview of the various r / w / x permissions, what they mean in the case of files and, more importantly, in the case of directories. We will also take a look at the additional settings, like ownership and the 'lock' flag, and how they affect the previous permissions. As part of this we will see how to find such bugs. We will see a file information disclosure bug affecting macOS Mojave, where we can get read access to files which would normally be accessible only to root users. We will also cover 4 vulnerabilities that are caused by our ability to control the location of certain files. As we have direct control over only the file location, but not the contents, we will explore tricky techniques for how we can influence the contents of some of these files to our benefit.
Exploiting Directory Permissions on macOS
Csaba Fitzl
Related content
More from Csaba Fitzl
In this talk we will publish the research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and whether they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers on how to write secure XPC services.
Exploiting XPC in AntiVirus
Csaba Fitzl
My presentation about Apple's macOS GateKeeper at Hacktivity 2019.
GateKeeper - bypass or not bypass?
Csaba Fitzl
SecurityFest 2019 talk
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
Troopers 19 presentation
Getting root with benign app store apps
Csaba Fitzl
Hacktivity 2017 presentation
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
Slides of my talk at SecurityFest 2017 conference.
How to convince a malware to avoid us
Csaba Fitzl
Exploit generation and javascript analysis automation with WinDBG lu
1.-22. (slide text not extracted; only bullet markers survived)
23.
$$ Unresolved breakpoint on the eval-cache lookup in jscript9; each hit prints the
$$ Unicode source string handed to IsInEvalMap (x86 stack argument at esp+0x18)
$$ and then resumes. Quotes inside a breakpoint command string must be escaped as \".
bu jscript9!Js::ScriptContext::IsInEvalMap ".echo EVAL(dyn)-----; .printf \"%mu\", poi(esp+0x18); .echo; g"
24.
$$ Silence every exception/event code that is only noise for this analysis (sxi),
$$ then break (sxe) on the ones that matter: process exit, stack buffer overrun,
$$ stack overflow, guard page, illegal instruction and access violation.
.foreach /s (exc "ct et cpr ld ud ser ibp iml asrt aph eh clr clrn dm ip dz iov ch hc lsq isc 3c svh sse ssec vs vcpp wkd rto rtt wos *") {sxi ${exc}}
.foreach /s (exc "epr sbo sov gp ii av") {sxe ${exc}}
25.-27. (slide text not extracted; only bullet markers survived)
28.
FITZL.CSABA@GMAIL.COM
SZIMEUS@GMAIL.COM