$30 off During Our Annual Pro Sale. View Details »

Job(s) Bless Us! Privileged Operations on macOS

vashchenko
March 13, 2020
Programming
1
1.7k

Job(s) Bless Us! Privileged Operations on macOS

Operation system's security depends a lot on the way developers handle privileged operations. Is it easy to make a mistake? Is the recommended way actually better than a deprecated API?

Recently, we gained insight into these questions during our company's bug bounty program, which led to some surprising conclusions.

vashchenko

March 13, 2020
Tweet

More Decks by vashchenko

See All by vashchenko
iOS Application Security
vashchenko
4
3.2k
Swift Code Reuse Made Simple
vashchenko
2
380
Catalyst Overview: port your iPad apps to macOS
vashchenko
0
56
IPC on macOS
vashchenko
2
210
macOS app development for iOS devs: expand your horizons
vashchenko
0
140
Intro into Daemons & Agents on macOS
vashchenko
0
160
Intro to XPC inter-process communication
vashchenko
0
260
Simplify your life: build apps from reusable libraries
vashchenko
0
110
ARKit overview
vashchenko
0
120

Other Decks in Programming

See All in Programming
ブランチ運用とデプロイフローを見直してリリースを楽にする
syukai
3
390
Foreign Function & Memory API ( FFM API )を用いたNativeライブラリ呼び出しと既存ライブラリの比較 ( JJUG CCC 2023 Fall )
hiroisojp
1
350
JJUG 2023 fall トラブルシューティング・ヒープダンプ・スレッドダンプ解析チューニング
toricky6
1
180
Input object ではじめる入力値検証/input-value-validation-using-input-object
sanfrecce_osaka
0
200
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
180
Angular 17 - Rainaissance
gregonnet
0
130
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
950
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1.3k
if 式と switch 式による SwiftUI のプレビューエラー対策
ojun9
1
100
Kyo - Functional Scala 2023
fwbrasil
0
240
動くコードを書こう / let's code a process
kishida
21
6k
DartによるBFF構築・運用 〜 Dart Frog × Melos 〜
yumnumm
1
1.3k

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Making Projects Easy
brettharned
105
5.2k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
Done Done
chrislema
178
15k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Visualization
eitanlees
131
13k
Designing for humans not robots
tammielis
246
24k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k
How to train your dragon (web standard)
notwaldorf
71
4.8k
Being A Developer After 40
akosma
52
580k

Transcript

  1. Job(s) Bless Us!
    Privileged Operations on macOS

    View Slide

  2. @aronskaya
    WWC Kyiv macOS Chapter Lead
    Software Engineer,
    Anti-malware team,
    Triage team
    iaronskaya

    View Slide

  3. Agenda
    Intro to privileged operations API on macOS
    First CleanMyMac's security issue, reported by
    CleanMyMac on
    Comparison of privileged operations implementation on and
    Summary & Takeaways

    View Slide

  4. Intro to privileged
    operations API on macOS
    Intro

    View Slide

  5. High-level APIs
    SMJobBless() AuthorizationExecuteWithPrivileges()
    Intro

    View Slide

  6. High-level APIs
    SMJobBless() AuthorizationExecuteWithPrivileges()
    Intro

    View Slide

  7. High-level APIs
    SMJobBless() AuthorizationExecuteWithPrivileges()
    Intro

    View Slide

  8. Intro
    There is no ‘UnBless’

    View Slide

  9. Signing requirements


    Client Privileged Helper
    Client has requirements for Helper(s)
    Helper has requirements for Client(s)
    OS performs validation of the requirements ONLY on install & update of the Helper
    NO validation is performed on establishing XPC connection
    Intro

    View Slide

  10. SMJobBless()
    1. Client has the Privileged Helper
    executable in the bundle
    2. Signing requirements are met
    • Both client and Helper are signed
    • Privileged Helper has a plist file for launchd
    embedded into __TEXT section
    • Privileged Helper has Info.plist embedded
    • Client has signing requirements listed in its Info.plist
    Intro

    View Slide

  11. SMJobBless()
    3. Obtain Authorization object:
    call AuthorizationCreate()
    4. Call SMJobBless() with acquired
    Authorization object
    Intro

    View Slide

  12. SMJobBless()
    5. OS validates code signing requirements in client and helper’s
    Info.plist and copies the executable from the bundle to
    /Library/PrivilegedHelperTools
    Intro

    View Slide

  13. SMJobBless()
    5. Client can establish XPC connection to the Privileged Helper
    Intro

    View Slide

  14. Apple’s Sample Code
    Intro

    View Slide

  15. Apple’s Sample Code
    Intro

    View Slide

  16. Apple’s Sample Code

    Intro

    View Slide

  17. Issue #1

    Intro

    View Slide

  18. First security issue,
    reported by
    Talos

    View Slide

  19. Zero-Day Reports
    • November 2018
    Talos

    View Slide

  20. Talos

    View Slide

  21. Stumbled upon Talos’es
    Zero-Day reports
    Contacted Talos for details,
    they answer the same day
    We release
    a patched update
    v. 4.2.0
    Talos reports
    insufficient fix
    We release
    a patch
    v. 4.3.0
    Tyler Bohan (Talos)
    delivers a talk
    at OffenciveCon19
    Timeline
    Talos
    0 1

    View Slide

  22. Tyler Bohan: ‘OSX XPC Revisited - 3rd Party Application
    Flaws’ at OffensiveCon19
    https://www.youtube.com/watch?v=KPzhTqwf0bA
    Talos

    View Slide

  23. Tyler Bohan: ‘OSX XPC Revisited - 3rd Party Application
    Flaws’ at OffensiveCon19
    https://www.youtube.com/watch?v=KPzhTqwf0bA
    Talos

    View Slide

  24. Fix
    Talos

    View Slide

  25. Fix #1
    Talos

    View Slide

  26. on
    h1

    View Slide

  27. Timeline
    March 2018
    MacPaw launched a private h1 program
    for our other product Setapp
    May 2019
    CleanMyMac desktop client is added to the scope
    h1

    View Slide

  28. Client’s requirements
    {
    Bundle identifier Signing identity (team id)
    {
    h1

    View Slide

  29. Client’s requirements
    Privileged helper’s executable can be replaced with old version
    {
    Bundle identifier Signing identity (team id)
    {
    h1

    View Slide

  30. What’s the fuss about old versions?
    h1

    View Slide

  31. What’s the fuss about old versions?
    El Capitan 10.11 Sierra 10.12 High Sierra 10.13 Mojave 10.14 Catalina 10.15
    Hardened Runtime introduced in Mojave:
    • libraries signing validation == protect from dylib injection
    • remove get-task-allow from entitlements == protect from attaching with debugger
    (and other things)
    h1

    View Slide

  32. Issue #2: steps
    Preconditions: Privileged Helper is not authorized yet. A malicious
    executable is present on the user’s computer.
    1. Download an app version, vulnerable to dylib injection
    2. Replace the Privileged Helper executable in the installed app with the
    vulnerable one
    3. User authorizes the Helper
    4. Perform a dylib injection into the Helper—it is run as root!
    h1

    View Slide

  33. What about code signing?
    Replacing the Privileged Helper in the signed bundle
    doesn’t change anything, because
    OS validates the signature only when app is quarantined
    After the first launch no signature validation is
    performed on Mojave.
    Time-to-time signature checks were announced in Catalina.
    h1

    View Slide

  34. Fix #2
    h1
    {
    Version check

    View Slide

  35. Privileged Helper’s requirements
    {
    Signing identity (team id)
    h1

    View Slide

  36. old client versions can connect
    Privileged Helper’s requirements
    {
    Signing identity (team id)
    h1

    View Slide

  37. Issue #3: steps
    Preconditions: Privileged Helper is authorized. A malicious executable is
    present on the user’s computer.
    • Download an old app version, vulnerable to dylib injection
    • Launch client executable with a dylib injection
    • Call privileged helper’s methods from the injected code
    • In our case it leads to LPE to root
    h1

    View Slide

  38. Issue #3: steps
    Preconditions: Privileged Helper is authorized. A malicious executable is
    present on the user’s computer.
    • Download an old app version, vulnerable to dylib injection
    • Launch client executable with a dylib injection
    • Call privileged helper’s methods from the injected code
    • In our case it leads to LPE to root
    Takeaway: Dylib injection does NOT break the code signature
    h1

    View Slide

  39. Fix #3
    h1

    View Slide

  40. old client versions can connect
    other apps of the same vendor can connect
    Privileged Helper’s requirements
    {
    Signing identity (team id)
    h1

    View Slide

  41. Fix #4
    h1

    View Slide

  42. Privileged Helper’s code
    h1

    View Slide

  43. anyone can impersonate the client due to pid checks logic performed by OS
    Privileged Helper’s code
    h1

    View Slide

  44. Issue #5: anyone can impersonate the client
    due to racy pid checks performed by OS
    h1

    View Slide

  45. h1

    View Slide

  46. Fix #5
    h1

    View Slide

  47. The APIs are private
    h1

    View Slide

  48. Privileged operations
    implementation on
    and
    Setapp

    View Slide

  49. SMJobBless() AuthorizationExecuteWithPrivileges()
    Application
    API
    # bugs
    reported*
    5
    Setapp
    * as for March 2020

    View Slide

  50. SMJobBless() AuthorizationExecuteWithPrivileges()
    Application
    API
    # bugs
    reported*
    5 0
    * as for March 2020
    Setapp

    View Slide

  51. Summary & Takeaways
    Summary

    View Slide

  52. Takeaways for developers
    1. Think about security in your project/company. A good start is creating a [email protected] email handle.
    2. Have one source of truth for Client’s signing requirements and one for Privileged Helper’s, e.g. put them in Preprocessor Macros and use it
    in:
    ℹ Info.plist file
    listener:shouldAcceptNewConnection:
    3. In signing requirements check at least for:
    signing identity
    bundle identifier
    #⃣ minimum version
    4. In SecCodeCopyGuestWithAttributes use audit token to obtain code reference for signature validation, not the pid
    5. In order to be a good citizen remember to unregister the Privileged Helper via launchctl or SMJobRemove API, remove the executable
    from /Library/PrivilegedHelperTools and the auto generated .plist from /Library/LaunchDaemons
    Summary

    View Slide

  53. Example set up requirements
    for Privileged Helper
    1. Add User-Defined Build Settings:
    CLIENT_REQUIREMENTS="@\"anchor trusted and certificate leaf
    [subject.CN] = \\\"$(CLIENT_SIGNING_IDENTITY)\\\" and
    info[CFBundleShortVersionString] >= \\\"$CLIENT_MIN_VERSION\\\"
    and identifier \\\"$CLIENT_IDENTIFIER\\\"\""
    2. Use them to create a macro definition
    Summary

    View Slide

  54. 3. Use your Build Settings in Info.plist client requirements:
    4. Use the Macro Definition from 2. in code to validate incoming connection:
    Example set up requirements
    for Privileged Helper
    Summary

    View Slide

  55. Summary/Wishlist
    Summary

    View Slide

  56. Summary/Wishlist
    1. We need the documentation
    There is no easily available Apple’s documentation about securing XPC connection with Privileged Helpers
    2. We need Code Samples
    Apple’s code samples are not secure
    3. Using pid to check the signature of a process is not secure. It should be clearly stated in docs
    Checks by pid are racy by nature
    4. Audit token should not be private
    It is the most secure way, but it is not available to 3rd party developers
    5. There should be some Uninstallation API
    When the app is being removed, the Helpers are usually forgotten in /Library/PrivilegedHelperTools
    Summary

    View Slide

  57. Further Reading
    1. project-zero ‘Issue 1223: MacOS/iOS userspace entitlement checking is racy’ by
    Ian Beer
    2. OffensiveCon19 'OSX XPC Revisited - 3rd Party Application Flaws' by Tyler Bohan
    3. Apple Developer Forums 'XPC restricted to processes with the same code
    signing?'
    4. Objective Development ‘The Story Behind CVE-2019-13013’ by Christian from
    Little Snitch
    5. ‘No Privileged Helper Tool Left Behind’ by Erik Berglund
    Summary

    View Slide

  58. Call to Action
    If I could ask you to do 1 thing, let it be:
    Summary

    View Slide

  59. Call to Action
    Summary
    reporting to Apple, that audit tokens should be made available for 3rd party
    developers:
    If I could ask you to do 1 thing, let it be:

    View Slide

  60. Thank you!
    iaronskaya

    View Slide