Hunting Lateral Movement in Windows Infrastructure
Le téléchargement de votre SlideShare est en cours.
×
![www.securing.bizwww.securing.biz
BYPASSING APPS WITH HARDENED RUNTIME
- SecRequirement(Certificate[teamID]) -> inject to a...](https://image.slidesharecdn.com/abusingsecuringxpcinmacosapps-16-9-200316122846/75/abusing-securing-xpc-in-macos-apps-42-2048.jpg?cb=1666971957)
![www.securing.bizwww.securing.biz
SECURING XPC SERVICES - GUIDELINE
1. [Client] Turn on hardened runtime and notarize your ...](https://image.slidesharecdn.com/abusingsecuringxpcinmacosapps-16-9-200316122846/75/abusing-securing-xpc-in-macos-apps-46-2048.jpg?cb=1666971957)
Consultez-les par la suite
Suggestions
Plus De Contenu Connexe
Diaporamas pour vous (20)
Similaire à Abusing & Securing XPC in macOS apps (20)
Plus par SecuRing (20)
Plus récents (20)
Abusing & Securing XPC in macOS apps
- 1. www.securing.biz Wojciech Reguła Abusing & Securing XPC in macOS apps XPC
- 2. www.securing.bizwww.securing.biz WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on iOS apps security -Blogger https://wojciechregula.blog/ -iOS Security Suite creator @_r3ggi wojciech.regula@securing.pl
- 3. www.securing.bizwww.securing.biz XPC VULNERABILITIES ARE EVERYWHERE
- 4. www.securing.bizwww.securing.biz AGENDA 1. Introduction to XPC 2. Building secure Helper 3. Exploiting previous step 4. Hardening 5. IF bypass_available() { GOTO 2. } 6. Summary
- 5. www.securing.bizwww.securing.biz (NS)XPC - Fundamental IPC mechanism in Apple environment - Built on top of Mach messages - Dictionary based communication - Possible multiple clients and one server - You can send and serialize ObjC/Swift objects
- 6. www.securing.bizwww.securing.biz Server
- 7. www.securing.bizwww.securing.biz Client
- 8. www.securing.bizwww.securing.biz INTER-PROCESS COMMUNICATION Application Privileged XPC server
- 9. www.securing.bizwww.securing.biz uid=501 (user) uid=0 (root)
- 10. www.securing.bizwww.securing.biz LOCATIONS OF THE XPC SERVERS - /Library/PrivilegedHelperTools - /Library/LaunchDaemons - /Library/LaunchAgents
- 11. www.securing.bizwww.securing.biz TIME FOR EXPLOITATION
- 12. www.securing.bizwww.securing.biz BUG #1 – NO CLIENT VALIDATION
- 13. www.securing.bizwww.securing.biz Malicious Application uid= 501 (user) Privileged XPC server uid = 0 (root) 😈 Perform privileged action for me OK, I don’t even verify you
- 14. www.securing.bizwww.securing.biz BUG #1 – NO CLIENT VALIDATION Bug found by Adam Chester (@_xpn_) Methods exposed: - remove - move - createDirectory - addToPath - kextInstall Keybase.io
- 15. www.securing.bizwww.securing.biz BUG #1 – NO CLIENT VALIDATION
- 16. www.securing.bizwww.securing.biz BUG #1 – FIX
- 17. www.securing.bizwww.securing.biz BUG #2 – POOR SIGNATURE CHECK
- 18. www.securing.bizwww.securing.biz BUG #2 – POOR SIGNATURE CHECK - Checking only bundle ID - Verifying only static code - Using kSecCSBasicValidateOnly flag - Too loose SecRequirement string - and more…
- 19. www.securing.bizwww.securing.biz
- 20. www.securing.bizwww.securing.biz Exposed methods: - uninstallDaemon - terminateDaemonWithOptions - deleteQuarantineItemsWithInfo - quarantineItemsWithInfo - cancelScan - startScanWithPaths - getDaemonInfoWithOptions
- 21. www.securing.bizwww.securing.biz BUG #2 – FIX
- 22. www.securing.bizwww.securing.biz BUG #3 – USING PID TO GET CODE OBJECT Kudos for Samuel Groß (@5aelo) and Ian Beer (@I41nbeer) 👏
- 23. www.securing.bizwww.securing.biz pid: 1337 😈 Perform privileged action
- 24. www.securing.bizwww.securing.biz pid: 1337 😈 1. Get process identifier of the client 2. Create code object basing on that PID 3. Perform signature check 4. isValid() -> false 5. Invalidating the XPC connection INVALIDATED
- 25. www.securing.bizwww.securing.biz pid: 1337 😈 😈 fork() fork() fork() fork() pid: 1338 pid: 1339 pid: 1340 pid: 1341 😈 😈 😈
- 26. www.securing.bizwww.securing.biz pid: 1337 😈 😈 fork() fork() fork() fork() pid: 1338 pid: 1339 pid: 1340 pid: 1341 Perform privileged action 😈 😈 😈 Perform privileged action Perform privileged action Perform privileged action
- 27. www.securing.bizwww.securing.biz 1. Get process identifier of the client 2. Create code object based on that PID 😇 3. Perform signature check 4. isValid() -> true 5. Establish valid connection connection1 connection2 connection3 connection4 XPC connections queue
- 28. www.securing.bizwww.securing.biz Change process’ image to the legit executable using posix_spawn() 😈 😇
- 29. www.securing.bizwww.securing.biz pid: 1337 😈 😈 fork() fork() fork() fork() pid: 1338 pid: 1339 pid: 1340 pid: 1341 😈 😈 😈 Perform privileged action 😇 INVALIDATED INVALIDATED INVALIDATED
- 30. www.securing.bizwww.securing.biz Exposed methods: - removeWithFile - copyWithSource Avast Cleanup
- 31. www.securing.bizwww.securing.biz Exposed methods: - startDatabaseUpdate - restoreApplicationLauncherWithCompletion - uninstallProduct - installProductUpdate - startProductUpdateWith - buildPurchaseSiteURLWithCompletion - triggerLicenseRelatedChecks - buildRenewalLinkWith - cancelTrialWith - startTrialWith - applyLicenseWith - controlProtectionWithRawFeatures - confirmScanJobWith - resumeScanJob - pauseScanJob - stopScanJob - startScanJob - disposeOperationBy - pingWithTag Malwarebytes
- 32. www.securing.bizwww.securing.biz
- 33. www.securing.bizwww.securing.biz BUG #3 – FIX
- 34. www.securing.bizwww.securing.biz BUG #3 – FIX
- 35. www.securing.bizwww.securing.biz BUG #4 – NO CODE INJECTION PREVENTION
- 36. www.securing.bizwww.securing.biz BUG #4 – NO CODE INJECTION PREVENTION 1. Get audit token of the client 2. Create code object based on that token 3. Perform signature check 4. isValid() -> false 5. Invalidating the XPC connection
- 37. www.securing.bizwww.securing.biz BUG #4 – NO CODE INJECTION PREVENTION - Apple’s signature checking API doesn’t detect: • code injected with DYLD_INSERT_LIBRARIES • or via task_for_pid() neither…
- 38. www.securing.bizwww.securing.biz LuLu Exposed methods: - loadKext - getPreferences - updatePreferences - getRules - addRule - updateRule - deleteRule - importRules - alertReply
- 39. www.securing.bizwww.securing.biz
- 40. www.securing.bizwww.securing.biz
- 41. www.securing.bizwww.securing.biz
- 42. www.securing.bizwww.securing.biz BYPASSING APPS WITH HARDENED RUNTIME - SecRequirement(Certificate[teamID]) -> inject to another app from the same company - SecRequirement(Certificate[teamID] + bundleID) -> inject to older version of the app without hardened runtime 😉 - Also, look for following problematic entitlements: - com.apple.security.get-task-allow - com.apple.security.disable-library-validation
- 43. www.securing.bizwww.securing.biz DEMO 🎦 HTTPS://VIMEO.COM/397568495
- 44. www.securing.bizwww.securing.biz BUG #4 – FIX …
- 45. www.securing.bizwww.securing.biz SUMMARY
- 46. www.securing.bizwww.securing.biz SECURING XPC SERVICES - GUIDELINE 1. [Client] Turn on hardened runtime and notarize your clients 2. [Server] Verify if the clients have been properly signed using restrictive SecRequirement string 3. [Server] Create Sec(Static)Code objects from audit tokens 4. [Server] Check if the clients have the hardened runtime capability turned on 5. [Server] Make sure if the clients are not signed with entitlements that may allow bypassing the hardened runtime @_r3ggi wojciech.regula@securing.pl
- 47. www.securing.bizwww.securing.biz OPEN SOURCING SECURE PRIVILEGED HELPER EXAMPLE @_r3ggi wojciech.regula@securing.pl https://github.com/securing
- 48. www.securing.bizwww.securing.biz OPEN SOURCING THE SECURE HELPER
- 49. www.securing.bizwww.securing.biz REFERENCES - https://hackerone.com/reports/397478 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1223 - https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf - https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/ - https://developer.apple.com/documentation/xcode/notarizing_macos_soft ware_before_distribution - https://github.com/erikberglund/SwiftPrivilegedHelper - https://developer.apple.com/videos/play/wwdc2019/701/
- 50. www.securing.biz SecuRing Kalwaryjska 65/6 30-504 Kraków, Poland info@securing.pl tel. +48 124252575 http://www.securing.biz/ Contact Wojciech Reguła wojciech.regula@securing.pl @_r3ggi wojciech-regula
