SlideShare a Scribd company logo

Exploiting XPC in AntiVirus

C
Csaba Fitzl

In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.

Technology
1 of 58
Download to read offline
Exploiting XPC in AntiVirus Csaba Fitzl Twitter: @theevilbit Wojciech Reguła Twitter: @_r3ggi
whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger - https://wojciechregula.blog • iOS Security Suite Creator
whoami - Csaba • content developer at Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
agenda 1. intro 2. statistics 3. typical issues 4. demos, bugs 5. recommendations for developers 6. the future
intro
Intro • Our XPC background • a lot of XPC bugs in the past • 2 separate talks • it’s time to team up
Intro to XPC Source: „Auditing and Exploiting Apple IPC”, Ian Beer
Intro to XPC • Mach Messages: • Fundamental IPC mechanism for macOS • You can send a message with data, memory or even another port • One receiver and possible multiple senders • Sent messages are placed in a message queue • Similar to POSIX pipes
Intro to XPC • XPC • Built on top of Mach messages • Dictionary based communication • Strongly typed - strings, int64s, uint64s, booleans, dates, UUIDs, data, doubles, arrays • NSXPC • More convenient than Mach Ports and XPC • Objective-C/Swift API for XPC C functions • Send messages that conform your ObjC/Swift protocol • Send serialized Swift objects
statistics
statistics • Sample • 28 AntiVirus software • Tested only those we had access to • 14/28 used XPC for IPC • 14/28 used different IPC methods (mostly sockets or Mach messages) • We assessed only XPC AVs ( ͡ ° ͜ ʖ ͡ °)
typical issues
typical issues 1. No client validation in XPC server 2. Lack of / Broken runtime protections in XPC client 3. Improper runtime protections veri fi cation in XPC server 4. Using insecure process identi fi er (PID) to perform client validation
Privileged XPC server running as root Valid XPC client running as user Malicious application running as user typical issues
1. No client validation in XPC server Perform privileged action Sure! 👍
2. Lack of / Broken runtime protections in XPC client Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉
3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 Nope, I’m hardened! 🛡
3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 OK, In my times there were no runtime protections 👍
3. Improper runtime protections veri fi cation in XPC server SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” ==
3. Improper runtime protections veri fi cation in XPC server Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉 Hmm, code signature matches the right one 🤔
4. Using insecure process identi fi er (PID) to perform client validation Perform privileged action No, your code signature doesn’t meet my requirements 😡
4. Using insecure process identi fi er (PID) to perform client validation fork() fork() fork()
fork() perform action fork() perform action perform action 🤯 fork()
🤯 I have to put that action requests on a queue perform action perform action perform action perform action perform action action perform action perform action perform action perform
pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform 4. Using insecure process identi fi er (PID) to perform client validation
4. Using insecure process identi fi er (PID) to perform client validation Change process’ image to the legit executable using posix_spawn()
1. Get PID from the connection object 2. Create a code object based on that PID 3. Perform signature check 4. isValid() 5. Establish connection or not 4. Using insecure process identi fi er (PID) to perform client validation
pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform
fork() perform action fork() perform action perform action fork()
shell time (bugz)
MacKeeper • multiple issues: • uses process ID • missing client "hardening" validation • attack: old MacKeeper client
MacKeeper • LPE - how? • Many exposed NSXPC methods • initializeWithOpenVPNPath: callback: • Exploit: inject to the old client and establish valid NSXPC connection
Intego Mac Security • Multiple issues: • uses process ID • missing client "hardening" validation • Attack: old Intego installer (2014)
Intego Mac Security • Over 10 XPC services • Full AV control • setGlobalProtectionState: authorization:completion Handler: • Attack: inject to the Intego installer and establish valid XPC connection
Avast & AVG • Those AVs share the same XPC codebase • Issue: • missing client "hardening" validation • Attack: Old Avast (2017)
Avast & AVG • Full AV control • sendAvRequest:withAuthorizationData:rights:replyBlock • Exploit: Again 😉 inject to the old Avast and establish valid XPC connection • Requires user to authenticate • … but it’s a legit popup
F-Secure (CVE-2020-14977 & CVE-2020-14978) • multiple issues: • missing client "hardening" validation • uses process ID • attack: pid reuse, old client • authorization limits exposure (client requires: system.privilege.admin) • but, is this popup legit?
ClamXAV (CVE-2020-26893) • multiple issues: • missing client "hardening" validation • uses process ID • attack: old client (ClamXAV2)
ClamXAV (CVE-2020-26893) • LPE - how? • Helper offers useful functions • trashFile, MoveFile 😎 • Control AV • writeSettings 😎 • Exploit: move plist to LaunchDaemons
demo
Acronis • issue: • missing client "hardening" validation • attack: old client (2020) • LPE • executeProcess 😎 • signature of process is veri fi ed, but we can use, old injectable process + DYLD_INSERT_LIBRARIES
demo
recommendations for developers
the client • signed with hardened runtime or library validation • doesn't have any of these entitlements • com.apple.security.cs.disable-library-validation • com.apple.security.get-task-allow • doesn't have script fi les (those are not veri fi ed for code signing on every run)
the XPC service • The client process veri fi cation in the shouldAcceptNewConnection call should verify the the following: 1. The connecting process is signed by valid cert from Apple 2. The connecting process is signed by your team ID 3. (The connecting process is identi fi ed by your bundle ID) 4. The connecting process has a minimum software version, where the fi x has been implemented or it’s hardened against injection attacks. • uses audit_token to identify the client
secure sample • https://github.com/securing/SimpleXPCApp • brought to you by Wojciech
recommendations for users
Shield.app • free and open source app to protect against injection attacks • developed by Csaba • https://github.com/theevilbit/Shield
the future
the future • no secure public API • Apple's sample code is insecure • many AVs used KEXT in the past -> won't work past Big Sur • SEXT - IPC recommendation and sample (not secure) is XPC • vendors have no XPC experience • => vulnerabilities 😎
Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps, Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS, Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws, OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X, Jailbreak Security Summit 2015 • Csaba Fitzl (@theevilbit): XPC exploitation on macOS, Hacktivity 2020
Thank you!

Recommended

[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
Chanwoong Kim
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
CODE BLUE
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 

Recommended

[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
[NDC18] 만들고 붓고 부수고 - 〈야생의 땅: 듀랑고〉 서버 관리 배포 이야기
Chanwoong Kim
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
CODE BLUE
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
Stenio Ferreira
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Dockerライフサイクルの基礎 地雷を踏み抜けろ!
Dockerライフサイクルの基礎 地雷を踏み抜けろ!Dockerライフサイクルの基礎 地雷を踏み抜けろ!
Dockerライフサイクルの基礎 地雷を踏み抜けろ!
Masahito Zembutsu
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCP
Seungmo Koo
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティKeycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Yuichi Nakamura
 
서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드
KwangSeob Jeong
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
Hiroshi Tokumaru
 
Multithread & shared_ptr
Multithread & shared_ptrMultithread & shared_ptr
Multithread & shared_ptr
내훈 정
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
Sukhpreet Singh
 
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
Chris Ohk
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정
Arawn Park
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
Yoshifumi Kawai
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
Opennaru, inc.
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
pentest
pentestpentest
pentest
mevom8177
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 

More Related Content

What's hot

OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
Hiroshi Tokumaru
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
Yoshifumi Kawai
 
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
Opennaru, inc.
 

What's hot (20)

Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
 
Secure code
Secure codeSecure code
Secure code
 
Dockerライフサイクルの基礎 地雷を踏み抜けろ!
Dockerライフサイクルの基礎 地雷を踏み抜けろ!Dockerライフサイクルの基礎 地雷を踏み抜けろ!
Dockerライフサイクルの基礎 地雷を踏み抜けろ!
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCP
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティKeycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティ
 
서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
 
Multithread & shared_ptr
Multithread & shared_ptrMultithread & shared_ptr
Multithread & shared_ptr
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
 
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
SSL
SSLSSL
SSL
 
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
CI / CD ( 지속적인 통합 / 지속적인 전달 ) 발표 자료 다운로드
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 

Similar to Exploiting XPC in AntiVirus

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 

Similar to Exploiting XPC in AntiVirus (20)

pentest
pentestpentest
pentest
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Security at Greenhouse
Security at GreenhouseSecurity at Greenhouse
Security at Greenhouse
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Security testing
Security testingSecurity testing
Security testing
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 network
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 

More from Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
Csaba Fitzl
 

More from Csaba Fitzl (12)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)Exploit generation automation with WinDBG (Hacktivity 2017)
Exploit generation automation with WinDBG (Hacktivity 2017)
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Exploiting XPC in AntiVirus

  • 1. Exploiting XPC in AntiVirus Csaba Fitzl Twitter: @theevilbit Wojciech Reguła Twitter: @_r3ggi
  • 2. whoami - Wojciech • Senior IT Security Consultant @ SecuRing • Focused on iOS/macOS #appsec • Blogger - https://wojciechregula.blog • iOS Security Suite Creator
  • 3. whoami - Csaba • content developer at Offensive Security • ex red/blue teamer • macOS researcher • husband, father • hiking 🥾 🏔 • yoga 🧘
  • 4. agenda 1. intro 2. statistics 3. typical issues 4. demos, bugs 5. recommendations for developers 6. the future
  • 6. Intro • Our XPC background • a lot of XPC bugs in the past • 2 separate talks • it’s time to team up
  • 7. Intro to XPC Source: „Auditing and Exploiting Apple IPC”, Ian Beer
  • 8. Intro to XPC • Mach Messages: • Fundamental IPC mechanism for macOS • You can send a message with data, memory or even another port • One receiver and possible multiple senders • Sent messages are placed in a message queue • Similar to POSIX pipes
  • 9. Intro to XPC • XPC • Built on top of Mach messages • Dictionary based communication • Strongly typed - strings, int64s, uint64s, booleans, dates, UUIDs, data, doubles, arrays • NSXPC • More convenient than Mach Ports and XPC • Objective-C/Swift API for XPC C functions • Send messages that conform your ObjC/Swift protocol • Send serialized Swift objects
  • 11. statistics • Sample • 28 AntiVirus software • Tested only those we had access to • 14/28 used XPC for IPC • 14/28 used different IPC methods (mostly sockets or Mach messages) • We assessed only XPC AVs ( ͡ ° ͜ ʖ ͡ °)
  • 12.
  • 13.
  • 15. typical issues 1. No client validation in XPC server 2. Lack of / Broken runtime protections in XPC client 3. Improper runtime protections veri fi cation in XPC server 4. Using insecure process identi fi er (PID) to perform client validation
  • 16. Privileged XPC server running as root Valid XPC client running as user Malicious application running as user typical issues
  • 17. 1. No client validation in XPC server Perform privileged action Sure! 👍
  • 18. 2. Lack of / Broken runtime protections in XPC client Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉
  • 19. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 Nope, I’m hardened! 🛡
  • 20. 3. Improper runtime protections veri fi cation in XPC server Inject malicious code 💉 OK, In my times there were no runtime protections 👍
  • 21. 3. Improper runtime protections veri fi cation in XPC server SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” SecRequirement = “anchor apple generic and identi fi er ‘com.yourcompany.app’ and certi fi cate leaf[subject.OU] = ‘ABCDEFG’” ==
  • 22. 3. Improper runtime protections veri fi cation in XPC server Perform privileged action Sure, you are a trusted app 👍 Inject malicious code 💉 Hmm, code signature matches the right one 🤔
  • 23. 4. Using insecure process identi fi er (PID) to perform client validation Perform privileged action No, your code signature doesn’t meet my requirements 😡
  • 24. 4. Using insecure process identi fi er (PID) to perform client validation fork() fork() fork()
  • 26. 🤯 I have to put that action requests on a queue perform action perform action perform action perform action perform action action perform action perform action perform action perform
  • 27. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform 4. Using insecure process identi fi er (PID) to perform client validation
  • 28. 4. Using insecure process identi fi er (PID) to perform client validation Change process’ image to the legit executable using posix_spawn()
  • 29. 1. Get PID from the connection object 2. Create a code object based on that PID 3. Perform signature check 4. isValid() 5. Establish connection or not 4. Using insecure process identi fi er (PID) to perform client validation
  • 30. pop Connection 1 PID Action to perform Connection 2 PID Action to perform … PID Action to perform Connection n PID Action to perform
  • 33. MacKeeper • multiple issues: • uses process ID • missing client "hardening" validation • attack: old MacKeeper client
  • 34. MacKeeper • LPE - how? • Many exposed NSXPC methods • initializeWithOpenVPNPath: callback: • Exploit: inject to the old client and establish valid NSXPC connection
  • 35.
  • 36. Intego Mac Security • Multiple issues: • uses process ID • missing client "hardening" validation • Attack: old Intego installer (2014)
  • 37. Intego Mac Security • Over 10 XPC services • Full AV control • setGlobalProtectionState: authorization:completion Handler: • Attack: inject to the Intego installer and establish valid XPC connection
  • 38.
  • 39. Avast & AVG • Those AVs share the same XPC codebase • Issue: • missing client "hardening" validation • Attack: Old Avast (2017)
  • 40. Avast & AVG • Full AV control • sendAvRequest:withAuthorizationData:rights:replyBlock • Exploit: Again 😉 inject to the old Avast and establish valid XPC connection • Requires user to authenticate • … but it’s a legit popup
  • 41.
  • 42. F-Secure (CVE-2020-14977 & CVE-2020-14978) • multiple issues: • missing client "hardening" validation • uses process ID • attack: pid reuse, old client • authorization limits exposure (client requires: system.privilege.admin) • but, is this popup legit?
  • 43. ClamXAV (CVE-2020-26893) • multiple issues: • missing client "hardening" validation • uses process ID • attack: old client (ClamXAV2)
  • 44. ClamXAV (CVE-2020-26893) • LPE - how? • Helper offers useful functions • trashFile, MoveFile 😎 • Control AV • writeSettings 😎 • Exploit: move plist to LaunchDaemons
  • 45. demo
  • 46. Acronis • issue: • missing client "hardening" validation • attack: old client (2020) • LPE • executeProcess 😎 • signature of process is veri fi ed, but we can use, old injectable process + DYLD_INSERT_LIBRARIES
  • 47. demo
  • 49. the client • signed with hardened runtime or library validation • doesn't have any of these entitlements • com.apple.security.cs.disable-library-validation • com.apple.security.get-task-allow • doesn't have script fi les (those are not veri fi ed for code signing on every run)
  • 50. the XPC service • The client process veri fi cation in the shouldAcceptNewConnection call should verify the the following: 1. The connecting process is signed by valid cert from Apple 2. The connecting process is signed by your team ID 3. (The connecting process is identi fi ed by your bundle ID) 4. The connecting process has a minimum software version, where the fi x has been implemented or it’s hardened against injection attacks. • uses audit_token to identify the client
  • 53. Shield.app • free and open source app to protect against injection attacks • developed by Csaba • https://github.com/theevilbit/Shield
  • 54.
  • 56. the future • no secure public API • Apple's sample code is insecure • many AVs used KEXT in the past -> won't work past Big Sur • SEXT - IPC recommendation and sample (not secure) is XPC • vendors have no XPC experience • => vulnerabilities 😎
  • 57. Further resources • Wojciech Reguła ( @_r3ggi ): Abusing and Securing XPC in macOS Apps, Objective by the Sea v3 • Julia Vashchenko ( @iaronskaya ): Job(s) Bless Us! Privileged Operations on macOS, Objective by the Sea v3 • Tyler Bohan ( @1blankwall1 ): OSX XPC Revisited - 3rd Party Application Flaws, OffensiveCon 19 • Ian Beer ( @i41nbeer ): A deep-dive into the many fl avors of IPC available on OS X, Jailbreak Security Summit 2015 • Csaba Fitzl (@theevilbit): XPC exploitation on macOS, Hacktivity 2020