Office Drama on macOS

The presentation discusses the process of detecting and exploiting vulnerabilities in Mac OS endpoint security using a sandbox escape and login item persistence.

• The speaker leverages Apple's new endpoint security framework to detect attacks on Mac OS endpoints.
• The speaker created a proof of concept based on existing research on macro-based attacks.
• The speaker discovered a sandbox escape by analyzing Microsoft's patch for a similar vulnerability.
• The speaker used a login item to persist a backdoor outside the context of the sandbox.
• The speaker encountered challenges with file quarantines and notarization requirements, but found a potential solution through the creation of a launch agent.

The speaker demonstrates how a malicious document can be downloaded and opened without any macro alerts, but notes that the sandbox in recent versions of Microsoft Office prevents persistence of the backdoor. The speaker then explains how they discovered a sandbox escape by analyzing Microsoft's patch for a similar vulnerability, and used a login item to persist a backdoor outside the context of the sandbox. However, the speaker encountered challenges with file quarantines and notarization requirements, which prevented the backdoor from being executed. The speaker then discusses the potential solution of creating a launch agent to bypass these requirements.

On the Windows platform, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community. In this talk, we will begin by analyzing recent documents that contain macro-based attacks targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, (luckily) these malicious documents and their payloads are constrained by recent application and OS-level security mechanisms. However, things could be far worse! To illustrate this claim, we'll detail the creation of a powerful exploit chain, that begins with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction was required in order to persistently infect even a fully-patched macOS Catalina system! To end the talk, we'll discuss various prevention and detection mechanisms that could thwart each stage of the exploit chain, as well as that aim to generically provide protection against future attacks!