poc 18 macos ipc mitm (slide transcript, GitHub Pages)
Agenda
1. Apple's OS Architecture and IPC
2. CVE-2018-4237 (Pwn2Own 2018)
3. Exploit 1: user -> root
4. Exploit 2: root -> kernel
5. Demo

Exploit chain diagram (labels as on the slide): Safari WebContent (Sandboxed) -> User Payload [CVE-2018-4233, CVE-2018-4404] -> Exploit 1 -> Root Payload -> Exploit 2 -> Kernel Payload. Marker "We are here": the User Payload stage, before Exploit 1.
"Classic" OS Design

Kernel:
• Manages all resources
• Performs access control
• Runs fully privileged

Example: Alice calls open("/home/bob/secrets.txt", O_RDONLY) on a file with mode rw-rw----. The kernel compares the requested access bits (r--) with the access bits that apply to Alice (---) and the call fails with EACCES.
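The access check the slides attribute to the kernel, written out as an added example (not code from the slides or from XNU): a constructed model of POSIX mode bits in which exactly one permission class (owner, group, other) is selected for the caller and the requested bits are compared against it. Alice's uid 501 is from the slides; Bob's uid/gid 502 and the group lists are constructed sample data.

```c
/* Added example, not from the slides: the "classic" kernel-side check on
 * open(). Constructed model of POSIX mode bits; uids/gids are sample data. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

typedef struct {
    const char *path;
    unsigned    uid;    /* owner */
    unsigned    gid;    /* group */
    unsigned    mode;   /* permission bits, e.g. 0660 for rw-rw---- */
} file_t;

typedef struct {
    unsigned        uid;
    const unsigned *groups;   /* all groups the caller belongs to */
    size_t          ngroups;
} cred_t;

/* Pick the class (owner, group, other) that applies to the caller and return
 * its 3 permission bits. POSIX picks exactly one class: an owner who is also
 * in the file's group is still judged by the owner bits alone. */
static unsigned applicable_bits(const file_t *f, const cred_t *c)
{
    if (c->uid == f->uid)
        return (f->mode >> 6) & 7;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == f->gid)
            return (f->mode >> 3) & 7;
    return f->mode & 7;
}

/* Returns 0 when every requested bit is granted, otherwise -EACCES. */
int access_check(const file_t *f, const cred_t *c, unsigned requested)
{
    unsigned granted = applicable_bits(f, c);
    return ((requested & ~granted) == 0) ? 0 : -EACCES;
}

/* Scenario from the slides: Alice (uid 501) opens Bob's rw-rw---- file
 * read-only. Bob's uid/gid 502 and Alice's group list are constructed. */
int alice_opens_bobs_secrets(void)
{
    const unsigned alice_groups[] = { 501 };
    file_t secrets = { "/home/bob/secrets.txt", 502, 502, 0660 };
    cred_t alice = { 501, alice_groups, 1 };
    return access_check(&secrets, &alice, PERM_R);
}

int main(void)
{
    int r = alice_opens_bobs_secrets();
    printf("open(\"/home/bob/secrets.txt\", O_RDONLY) as Alice -> %s\n",
           r == 0 ? "granted" : "EACCES");
    return 0;
}
```

The class selection is the part that surprises people: a file with mode 0604 is readable by "other" but not by a member of its group, because group membership selects the (empty) group class.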
Userspace Resources

Wanted: resource management in userspace
• Cloud documents, contacts, UI events, clipboard, preferences, keychain, ... are all userspace "resources"

Benefits of managing things in userspace:
• Userspace code is probably easier to write than kernel code
• Access to memory-safe languages (e.g. Swift on macOS)
• Small, restricted services that can be sandboxed to only have access to the resources they need
• Synchronized access is easy: a (single-threaded) daemon handles the requests
Preferences
• Preferences = persistent, per-application key:value pairs
• "Resource" managed in userspace, by cfprefsd
• Programmatic access: CF Preferences
• CLI access: defaults

```
> defaults write net.saelo.hax foo bar
> defaults read net.saelo.hax
{
    foo = bar;
}
> plutil -p ~/Library/Preferences/net.saelo.hax.plist
{
  "foo" => "bar"
}
```
Preferences

Goal: write/update a preference

Client -> cfprefsd: pref_write("net.saelo.hax", "foo", "bar")
cfprefsd -> Client: "Ok"
(transport: mach messages)

cfprefsd:
• Manages one resource
• Performs access control
  • E.g. denies access to sandboxed clients
• Runs as user, can be sandboxed
Mach Messaging
• Fundamental IPC mechanism in Darwin: mach messages
• Based on mach ports: unidirectional, mailbox-style IPC
• Sender needs a send right to a mach port for which the service process owns the receive right
• Send-once right to another mach port can be attached to a message to receive a reply

Diagram: the mach port lives in the kernel. cfprefsd holds the (unique) receive right: it can receive messages sent to the port. The client holds a send right: it can send messages to the port. Communication possible.
XPC
• IPC protocol built on top of mach messages
• Supports sending key:value dictionaries
• XPC connection consists of two mach ports: one for sending, one for receiving
• Reply ports (send-once right attached to message) still used when reply expected (e.g. RPC)

Diagram: cfprefsd and the client each hold the receive right for one of the two ports and a send right to the other. Communication possible.
Service Management

Question: how can the client "find" cfprefsd? A mach port is already required for the first message.

launchd:
• Init process (pid 1)
• Manages IPC services
• Every service registers with launchd
• Highly privileged

Lookup and request flow:
1. Client -> launchd: bootstrap_look_up("cfprefsd")
2. launchd -> Client: mach port 0x4237 (a send right to cfprefsd's port)
3. Client -> cfprefsd: pref_write("net.saelo.hax", "foo", "bar")
4. cfprefsd -> Client: "Ok"
Task Special Ports
• Problem: how can a process communicate with launchd in the first place?
• Solution: one of the task special ports, the bootstrap port, is connected to launchd
=> Messages sent to the bootstrap port will arrive in launchd

```c
typedef int task_special_port_t;

#define TASK_KERNEL_PORT           1
#define TASK_HOST_PORT             2
#define TASK_NAME_PORT             3
#define TASK_BOOTSTRAP_PORT        4
#define TASK_SEATBELT_PORT         7
#define TASK_ACCESS_PORT           9
#define TASK_DEBUG_CONTROL_PORT   10
#define TASK_RESOURCE_NOTIFY_PORT 11
```
task_set_special_port
• task_set_special_port API allows overwriting special ports, including the bootstrap port
• Overwritten bootstrap port not restored during fork() or execve()
• 🤔
• Spawn privileged child process (e.g. a setuid binary) and intercept IPC?
=> CVE-2018-4237

```c
/*
 * Set one of the special ports
 * associated with the target task.
 */
routine task_set_special_port(
        task         : task_t;
        which_port   : int;
        special_port : mach_port_t);
```
* Fun sidenote: exploit basically described in https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html
CVE-2018-4237
• Security bug: child process can be more privileged than parent
  • Due to setuid bit being set (child runs as root)
  • Or due to entitlements
• Primitive: can intercept messages sent to launchd (bootstrap port)
• Idea: intercept endpoint lookups and reply with controlled mach port
=> IPC man-in-the-middle

Diagram: hax (uid 501) spawns the victim (child, uid 0). Intended communication: victim <-> daemon. Actual communication: victim <-> hax <-> daemon.
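The bug above is that a port chosen by a less privileged parent stays in effect after a privilege-gaining execve(). The following is an added example, not code from the slides and not XNU's implementation or Apple's fix: a constructed model of task special ports in which fork() inherits everything (as the slides describe) and exec() resets the bootstrap port to the system-wide one whenever the new image gains privilege through setuid-root or entitlements. All names prefixed `model_`, the port numbers and the `SYSTEM_BOOTSTRAP_PORT` value are inventions of this model.

```c
/* Added example, not from the slides and not XNU's code: a constructed model
 * of inherited task special ports across fork()/execve(). Port names are
 * plain integers; all values are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define TASK_BOOTSTRAP_PORT    4
#define TASK_MAX_SPECIAL_PORTS 12

typedef unsigned model_port_t;
#define MODEL_PORT_NULL 0u

/* The port launchd serves as system-wide bootstrap port (constructed value). */
static const model_port_t SYSTEM_BOOTSTRAP_PORT = 0x103;

typedef struct {
    unsigned     uid;
    model_port_t special_ports[TASK_MAX_SPECIAL_PORTS];
} model_task_t;

typedef struct {
    const char *name;             /* constructed image name */
    bool        setuid_root;      /* setuid bit set, owner root */
    bool        has_entitlements; /* carries privileged entitlements */
} model_image_t;

void model_set_special_port(model_task_t *t, int which, model_port_t port)
{
    if (which >= 0 && which < TASK_MAX_SPECIAL_PORTS)
        t->special_ports[which] = port;
}

model_port_t model_get_special_port(const model_task_t *t, int which)
{
    return (which >= 0 && which < TASK_MAX_SPECIAL_PORTS)
        ? t->special_ports[which] : MODEL_PORT_NULL;
}

/* fork(): the child inherits every special port unchanged, as on the slides. */
model_task_t model_fork(const model_task_t *parent)
{
    return *parent;
}

/* Does executing `img` give the task more privilege than it already has? */
static bool exec_gains_privilege(const model_task_t *t, const model_image_t *img)
{
    return (img->setuid_root && t->uid != 0) || img->has_entitlements;
}

/* execve() in the model: an image that gains privilege must not trust ambient
 * state chosen by a less privileged parent, so its bootstrap port is reset to
 * the system port. Images that gain nothing keep their inherited ports. */
void model_exec(model_task_t *t, const model_image_t *img)
{
    if (exec_gains_privilege(t, img)) {
        model_set_special_port(t, TASK_BOOTSTRAP_PORT, SYSTEM_BOOTSTRAP_PORT);
        if (img->setuid_root)
            t->uid = 0;
    }
}

/* Scenario from the slides: a uid 501 task points its bootstrap port at a
 * port it owns (0x4237, constructed), forks, and execs an image. Returns the
 * bootstrap port the child ends up with. */
model_port_t child_bootstrap_port_after_exec(bool image_is_setuid)
{
    model_task_t hax = { .uid = 501 };
    model_set_special_port(&hax, TASK_BOOTSTRAP_PORT, 0x4237);

    model_task_t child = model_fork(&hax);
    model_image_t img = { "example_image", image_is_setuid, false };
    model_exec(&child, &img);
    return model_get_special_port(&child, TASK_BOOTSTRAP_PORT);
}

int main(void)
{
    printf("setuid child bootstrap port: 0x%x (system port is 0x%x)\n",
           child_bootstrap_port_after_exec(true), SYSTEM_BOOTSTRAP_PORT);
    printf("plain child bootstrap port:  0x%x (inherited port kept)\n",
           child_bootstrap_port_after_exec(false));
    return 0;
}
```

The decision is made at the privilege transition, not at port-setting time: a root task that execs a setuid-root image gains nothing and keeps its ports, while an entitled image is reset even though its uid does not change.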
Normal Sudo

```
> sudo whoami
Password:
root
```

What happens here? (opendirectoryd manages user credentials)

1. sudo -> launchd: bootstrap_look_up("opendirectoryd")
2. launchd -> sudo: mach port 0x2076
3. sudo -> opendirectoryd: "Is 'hunter2' the correct password for user 501?"
4. opendirectoryd -> sudo: "Yes!"
Exploit 1 - Idea
• MitM XPC connection between sudo (child process) and opendirectoryd
• Send arbitrary password to sudo over stdin
=> sudo will send password to opendirectoryd for verification
• Intercept reply from opendirectoryd to indicate that password is valid

Diagram (launchd is no longer on the path):
1. sudo -> hax (via the replaced bootstrap port): bootstrap_look_up("opendirectoryd")
2. hax -> sudo: mach port 0x2076, a port to which the attacker process has a receive right
3. sudo -> hax: "Is 'foobar' the correct password for user 501?"
4. hax -> sudo: "Yes!"
Callstack

bootstrap_look_up
  bootstrap_look_up3
    xpc_bootstrap_routine
      xpc_interface_routine

```c
int xpc_interface_routine(int subsystem, int routine,
                          xpc_dictionary_t msg, xpc_dictionary_t* out)
{
    ...;
    xpc_dictionary_set_uint64(msg, "subsystem", subsystem);
    xpc_dictionary_set_uint64(msg, "routine", routine);
    r = xpc_pipe_routine(msg, &response);
    if (!r) {
        xpc_dictionary_get_audit_token(response, &token);
        // The reply must come from pid 1 running as euid 0 (launchd)
        if (token.pid != 1 || token.euid) {
            return 118;
        }
        ...;
    }
}
```
😞
Problem

Problem: victim (libxpc) verifies that reply came from launchd (pid == 1, uid == 0)

Solution:
1. Register endpoint, e.g. "net.saelo.hax", with launchd via bootstrap_register
2. Intercept lookup requests from victim to launchd and
   1. Change endpoint name to "net.saelo.hax"
   2. Leave original reply port intact!
   3. Forward to launchd
=> launchd will reply directly to victim process with controlled IPC port!

XPC Packet:
• Sender Port
• Reply Port (!)
• Message ID
• Serialized Message
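The check on the previous slides authenticates who sent the reply, not what was asked. As an added example (not code from the slides and not libxpc's implementation), the following constructed model puts the sender-only check next to a variant that also binds the reply to the requested service name, so a genuine launchd reply to a rewritten lookup is rejected. The reply structure, the `service_name` echo field and error code 119 are assumptions of this model; 118 is the error code shown on the slides.

```c
/* Added example, not from the slides and not libxpc's code: a constructed
 * model of the client-side validation of a bootstrap lookup reply. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef unsigned model_port_t;

typedef struct {
    int      pid;
    unsigned euid;
} audit_identity_t;          /* set by the kernel, not by the sender */

typedef struct {
    const char *service_name;      /* name the client asked for */
} lookup_request_t;

typedef struct {
    audit_identity_t sender;       /* who the kernel says sent the reply */
    const char      *service_name; /* name the reply answers (modelled field) */
    model_port_t     port;         /* send right handed back */
} lookup_reply_t;

#define XPC_ERR_BAD_SENDER 118     /* error code shown on the slides */
#define XPC_ERR_MISMATCH   119     /* constructed: reply is for another name */

/* Check as on the slides: only the sender of the reply is verified. */
int verify_reply_sender_only(const lookup_request_t *req,
                             const lookup_reply_t *reply)
{
    (void)req;
    if (reply->sender.pid != 1 || reply->sender.euid != 0)
        return XPC_ERR_BAD_SENDER;
    return 0;
}

/* Hardened check: the sender must be launchd AND the reply must answer the
 * name this client requested. A forwarded lookup whose name was rewritten
 * but whose reply port was kept now fails, even though launchd sent it. */
int verify_reply_bound(const lookup_request_t *req,
                       const lookup_reply_t *reply)
{
    int r = verify_reply_sender_only(req, reply);
    if (r != 0)
        return r;
    if (reply->service_name == NULL ||
        strcmp(reply->service_name, req->service_name) != 0)
        return XPC_ERR_MISMATCH;
    return 0;
}

/* Constructed scenario from the slides: sudo asked for "opendirectoryd";
 * launchd (pid 1, euid 0) answered a lookup rewritten to "saelo.hax". */
static const lookup_request_t sudo_request    = { "opendirectoryd" };
static const lookup_reply_t   rewritten_reply = { { 1, 0 }, "saelo.hax", 0x1234 };
static const lookup_reply_t   genuine_reply   = { { 1, 0 }, "opendirectoryd", 0x2076 };

int main(void)
{
    printf("sender-only check, rewritten reply: %d (0 = accepted)\n",
           verify_reply_sender_only(&sudo_request, &rewritten_reply));
    printf("bound check, rewritten reply:       %d\n",
           verify_reply_bound(&sudo_request, &rewritten_reply));
    printf("bound check, genuine reply:         %d\n",
           verify_reply_bound(&sudo_request, &genuine_reply));
    return 0;
}
```

Whether launchd's actual reply carries the looked-up name is not something the slides state; the design point stands either way: when an intermediary can rewrite the request, authenticating the responder is necessary but not sufficient, and the response has to be tied to the request it answers.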
Passwordless Sudo

1. hax -> launchd: bootstrap_register("saelo.hax")
2. hax spawns sudo:
   1. mach_port_allocate(&p)
   2. task_set_special_port(TASK_BOOTSTRAP_PORT, p)
   3. fork()
   4. execve("/usr/bin/sudo")
3. sudo -> hax (stdout): "Password: "; hax -> sudo (stdin): "lol_idk :D"
4. sudo -> hax (bootstrap port): bootstrap_look_up("opendirectoryd")
5. hax -> launchd: bootstrap_look_up("saelo.hax"), i.e. the message is forwarded to launchd with a modified endpoint name but the original reply port!
6. launchd -> sudo: Port 0x1234; sudo checks reply.uid == 0 ✔ and reply.pid == 1 ✔
7. sudo -> hax (Port 0x1234): "Is 'lol_idk :D' the correct password for user 501?"
8. hax -> sudo: "Yes!" 😎
Status
• Have root privileges now \o/
• Goal: get into kernel
• On macOS: root -> kernel is a privilege boundary since introduction of SIP
• Loading kernel modules requires com.apple.rootless.kext-management entitlement
  • Possessed e.g. by /usr/bin/kextutil*

* See http://newosxbook.com/ent.jl?ent=com.apple.rootless.kext-management&osVer=MacOS13

Exploit chain diagram: Safari WebContent (Sandboxed) -> User Payload -> Exploit 1 -> Root Payload -> Exploit 2 -> Kernel Payload. Marker "We are now here": Root Payload.
kextutil
• Tool used to load kernel extensions ("kext") into the kernel
• Kext will only be loaded if:
  • kextutil is running as root ✔
  • The kext has a valid signature
  • The signature chain is rooted in an Apple certificate
  • The kext has been approved by the user (https://developer.apple.com/library/archive/technotes/tn2459/_index.html)
Signature Verification

kextutil verification steps:
1. Extract the certificate from the provided kext bundle
2. Verify that the kext is signed with the attached certificate
3. Ask trustd to retrieve and validate the certificate chain from the supplied certificate
4. Verify that the certificate chain returned from trustd is anchored in an Apple certificate

Slide annotations on these steps: use a self-signed certificate for steps 1-2; MitM the communication with trustd in step 3; return a completely different (!) certificate chain, taken from an official Apple kext, so that the check in step 4 passes.
Tricking kextutil

... same setup as before

1. kextutil -> hax (bootstrap port): bootstrap_look_up("trustd")
2. hax -> launchd: bootstrap_look_up("saelo.hax2")
3. launchd -> kextutil: Port 0x1234
4. kextutil -> hax (Port 0x1234): "Please retrieve and verify the certificate chain for this certificate" (the certificate supplied: A Self-Signed Certificate)
5. hax -> kextutil: "Here you go" 😎

Certificate chain returned:
  Apple Root CA
  Apple Code Signing Certification Authority
  Software Signing
kextutil
• Tool used to load kernel extensions ("kext") into the kernel
• Kext will only be loaded if:
  • kextutil is running as root ✔
  • The kext has a valid signature ✔
  • The signature chain is rooted in an Apple certificate ✔
  • The kext has been approved by the user (https://developer.apple.com/library/archive/technotes/tn2459/_index.html)
User-Approved Kext Loading

"macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions (KEXTs). When a request is made to load a KEXT that the user has not yet approved, the load request is denied."

kextutil -> syspolicyd: "Has this kext been approved for loading by the user yet?"

• Either spoof reply from syspolicyd
• Or prevent mach lookup of syspolicyd, in which case kextutil will also load the kext
  • For backward compatibility maybe?

Tricking kextutil:
1. kextutil -> hax (bootstrap port): bootstrap_look_up("syspolicyd")
2. hax -> launchd: bootstrap_look_up("nonexistant")
3. launchd -> kextutil: error 3
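Two of kextutil's decisions from the signature-verification and user-approval slides above, modelled as an added example (not code from the slides and not kextutil's or trustd's implementation): the chain returned by the helper is accepted only if it starts with the very certificate that was submitted and ends in a trusted anchor, and an approval lookup that fails is treated as a denial rather than a pass. Certificates are stand-ins represented by constructed fingerprint strings; the anchor list and all values are constructed.

```c
/* Added example, not from the slides and not kextutil's code: constructed
 * model of the kext load decision. Certificates are fingerprint strings. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CHAIN 8

typedef struct {
    const char *fingerprints[MAX_CHAIN];  /* leaf first, anchor last */
    size_t      len;
} cert_chain_t;

/* Trusted anchors by constructed fingerprint. */
static const char *const TRUSTED_ANCHORS[] = { "fp:apple-root-ca" };

static bool is_trusted_anchor(const char *fp)
{
    for (size_t i = 0; i < sizeof TRUSTED_ANCHORS / sizeof *TRUSTED_ANCHORS; i++)
        if (strcmp(TRUSTED_ANCHORS[i], fp) == 0)
            return true;
    return false;
}

/* Check as described on the slides: only the anchor of the returned chain is
 * inspected, so a chain belonging to a different, genuine kext passes. */
bool chain_ok_anchor_only(const char *submitted_leaf, const cert_chain_t *chain)
{
    (void)submitted_leaf;
    return chain->len > 0 && is_trusted_anchor(chain->fingerprints[chain->len - 1]);
}

/* Hardened: the returned chain must have been built from the submitted leaf. */
bool chain_ok_bound(const char *submitted_leaf, const cert_chain_t *chain)
{
    if (chain->len == 0)
        return false;
    if (strcmp(chain->fingerprints[0], submitted_leaf) != 0)
        return false;   /* helper answered about some other certificate */
    return is_trusted_anchor(chain->fingerprints[chain->len - 1]);
}

/* Outcome of asking the approval service. LOOKUP_FAILED models the
 * "error 3" on the slides when the service cannot be looked up. */
typedef enum { APPROVED, NOT_APPROVED, LOOKUP_FAILED } approval_t;

/* Fail-open, as the slides describe: no service reachable, no denial. */
bool approval_ok_fail_open(approval_t a)   { return a != NOT_APPROVED; }
/* Fail-closed: only an explicit approval permits the load. */
bool approval_ok_fail_closed(approval_t a) { return a == APPROVED; }

/* Overall load decision with both hardened checks. */
bool may_load_kext(const char *submitted_leaf, const cert_chain_t *chain,
                   approval_t approval)
{
    return chain_ok_bound(submitted_leaf, chain) && approval_ok_fail_closed(approval);
}

/* Constructed scenario from the slides: a self-signed leaf is submitted and
 * the impersonated helper hands back the chain of an official Apple kext. */
static const char *const SELF_SIGNED = "fp:self-signed-leaf";
static const cert_chain_t APPLE_KEXT_CHAIN = {
    { "fp:software-signing", "fp:apple-code-signing-ca", "fp:apple-root-ca" }, 3
};
static const cert_chain_t SELF_SIGNED_CHAIN = { { "fp:self-signed-leaf" }, 1 };

int main(void)
{
    printf("anchor-only check, foreign chain: %s\n",
           chain_ok_anchor_only(SELF_SIGNED, &APPLE_KEXT_CHAIN) ? "pass" : "fail");
    printf("bound check, foreign chain:       %s\n",
           chain_ok_bound(SELF_SIGNED, &APPLE_KEXT_CHAIN) ? "pass" : "fail");
    printf("load with approval lookup failed: %s\n",
           may_load_kext("fp:software-signing", &APPLE_KEXT_CHAIN, LOOKUP_FAILED)
               ? "yes" : "no");
    return 0;
}
```

Both checks share one idea with the lookup-reply example earlier on the page: an answer from a helper is only meaningful when it is tied to the question that was asked, and the absence of an answer must never count as a yes.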
libspc
• Hacky reimplementation of XPC protocol
• Quite flexible, supports most relevant features
• Used to e.g. implement XPC intercepting and bridging for the exploits

```c
while (1) {
    spc_message_t* msg = spc_recv(bridge->receive_port);

    msg->local_port.name = MACH_PORT_NULL;
    msg->remote_port.name = bridge->send_port;

    // Hack: replace "error: 5000" with "error: 0" to indicate success
    spc_dictionary_item_t* item = spc_dictionary_lookup(msg->content, "error");
    if (item)
        item->value.value.u64 = 0;

    spc_send(msg);
    spc_message_destroy(msg);
}
```
Summary
• OSs have gotten more complex
• Fun logic bugs out there
• Powerful exploitation possible with IPC bugs
• Full Pwn2Own exploit chain @ https://github.com/saelo/pwn2own2018
References
• libxpc.dylib and https://opensource.apple.com/source/xnu/
• https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Mach/Mach.html
• https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
• https://github.com/bazad/blanket
• https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html