
Unpacking Pkgs: A Look Inside macOS Installer Packages and Common Security Flaws

Conference: DEF CON 27

2019-08-01

Summary

The presentation discusses unpacking macOS installer packages and identifying security flaws in them.
  • macOS installer packages are actually XAR archives that contain plaintext files (shell, Perl, and Python scripts among them) as cpio archives compressed with gzip
  • The presentation walks through extracting the contents of these packages and understanding their structure
  • The speaker highlights where security issues can arise and gives examples of serious flaws seen in the wild that have been exploited to elevate privileges and gain code/command execution
  • The presentation provides tools and techniques to evaluate what an installer package is really doing on a computer, and a methodology for finding bugs in packages
  • The speaker includes a subtle trick or two that can be used on red teams
The speaker, who admits to trust issues with computers, likes to understand what they are doing and does not trust the software that ships with them. They started by digging into Word documents and then moved on to unpacking macOS installer packages. The speaker had a hard time finding a place to debug their own package, and had to `touch` marker files and write output to temp directories after every single command just to know where execution was within the script.

Abstract

We are hackers, we won't do as you expect or play by your rules, and we certainly don't trust you. JAR files are really ZIPs...unzip them! So are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS applications (.app "files") are really directories you can browse?! Sweet, let's do that. Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives that, among other things, contain many plaintext files (including shell, Perl, and Python scripts) as cpio files compressed using gzip. In this presentation I'll walk you through extracting the contents of these installer packages, understanding their structure, and seeing how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I'll include examples of serious security issues I've seen in the wild and show you how they can be exploited to elevate privileges and gain code/command execution. After this talk, .pkg files will no longer be opaque blobs to you. You'll walk away knowing tools and techniques to tear them open, understand how to evaluate what they're really doing on your computer, and a methodology for finding bugs in them. As a final bonus, I'll include a subtle trick or two that can be used on red teams.
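As an added example (not code from the talk or its materials), the Python below parses the XAR header and zlib-compressed table of contents of a flat package and lists its members, flagging the `Scripts` cpio archives where the install scripts the talk focuses on live. The sample archive is constructed inline with a TOC reduced to the fields the parser needs.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

# XAR header (big-endian): magic, header size, version, TOC zlib length,
# TOC uncompressed length, checksum algorithm id.
XAR_HEADER = struct.Struct(">4sHHQQI")


def parse_xar_toc(blob):
    """Parse a XAR image; return (heap_offset, [(path, type, size), ...])."""
    magic, hsize, _ver, toc_clen, toc_ulen, _ck = XAR_HEADER.unpack_from(blob, 0)
    if magic != b"xar!":
        raise ValueError("not a XAR archive")
    toc_xml = zlib.decompress(blob[hsize:hsize + toc_clen])
    if len(toc_xml) != toc_ulen:
        raise ValueError("TOC length mismatch: truncated or tampered archive")
    entries = []

    def walk(node, prefix):
        for f in node.findall("file"):
            path = prefix + f.findtext("name", "")
            data = f.find("data")
            size = int(data.findtext("size", "0")) if data is not None else 0
            entries.append((path, f.findtext("type", ""), size))
            walk(f, path + "/")  # directories nest their children

    walk(ET.fromstring(toc_xml).find("toc"), "")
    return hsize + toc_clen, entries


def script_archives(entries):
    """Paths of the gzip'd cpio members that carry pre/postinstall scripts."""
    return [p for p, t, _ in entries if t == "file" and p.rsplit("/", 1)[-1] == "Scripts"]


# Constructed sample (not a real vendor package): a minimal flat-package TOC
# wrapped in a valid XAR header, with no heap data behind it.
SAMPLE_TOC = b"""<xar><toc>
<file id="1"><name>Distribution</name><type>file</type><data><size>412</size></data></file>
<file id="2"><name>example.pkg</name><type>directory</type>
 <file id="3"><name>PackageInfo</name><type>file</type><data><size>980</size></data></file>
 <file id="4"><name>Payload</name><type>file</type><data><size>50321</size></data></file>
 <file id="5"><name>Scripts</name><type>file</type><data><size>1342</size></data></file>
</file></toc></xar>"""


def build_sample_xar():
    ztoc = zlib.compress(SAMPLE_TOC)
    return XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(ztoc), len(SAMPLE_TOC), 1) + ztoc
```

On a real package, read the file into `blob` and extract the flagged members with `xar -xf`, then unpack each `Scripts` member with `gunzip -c | cpio -i` to read the scripts before running the installer.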
