
Skeletons in the App Sandbox: 5+ Ways to Escape

Conference: BlackHat USA 2021

2021-11-10

Summary

The presentation discusses a bug in LaunchServices that allowed an attacker to escape the App Sandbox and bypass privacy protections. The talk covers five different exploits and three different patches, as well as remaining attack surfaces and defense tools.
  • The App Sandbox is a security measure designed to contain damage from malicious apps or compromised apps from the Mac App Store.
  • LaunchServices allows apps to launch other apps or open files, and is explicitly allowed in the Seatbelt profile.
  • The bug in LaunchServices allowed an attacker to escape the App Sandbox and bypass privacy protections.
  • The presentation covers five different exploits and three different patches.
  • Remaining attack surfaces include application-specific environment variables.
  • Defense tools include a PR to the Objective-C tool process monitor and the TrueTree tool for detecting parent-child relationships in launched apps.
The presentation gives an example of how an attacker could escape the macro sandbox and inject into an Electron app to abuse its TCC privileges and entitlements. The presentation also notes that some apps are already protecting themselves by disabling the 'run as node' fuse, but many are not.

Abstract

The safety and trust promised by the App Store is in large part due to mandatory sandboxing requirements. The required App Sandbox lets users install apps with abandon and without worry, keeping malicious ones contained. This talk will deep dive into a string of logic vulnerabilities in LaunchServices (CVE-2021-30677, CVE-2021-30783, and more) that allowed an attacker to escape the App Sandbox and bypass privacy protections despite the many new security mechanisms introduced in Big Sur and Catalina. You'll learn how one deceptively simple issue can be exploited in multiple different ways and surely have a laugh at the same time. We'll release a tool to help reverse the latest versions of macOS and extend an already great tool to help find and detect vulnerabilities like this one. Finally, we'll lay the groundwork for bugs to come and highlight a forgotten attack surface.
