Conference: Defcon 31
Authors: Jonathan Bar Or (Security Researcher at Microsoft), Anurag Bohra (Security Researcher at Microsoft), Michael Pearse (Security Researcher at Microsoft)
2023-08-01

System Integrity Protection (SIP) is a macOS technology that limits the capabilities of the root user; most notably, it maintains the integrity of the operating system by preventing the loading of untrusted kernel extensions and protecting sensitive filesystem locations. In this talk we will uncover a method to bypass SIP and create undeletable malware that can later load arbitrary kernel extensions. We will explain our methodology, detail our exploitation strategy and the reverse engineering involved. Lastly, we will explain how to look for similar SIP bypasses and outline a generic detection strategy for Blue Teams.
Conference: Defcon 31
Authors: Wojciech Reguła (Principal Security Consultant @ SecuRing)
2023-08-01

macOS is known for an additional layer of privacy controls called Transparency, Consent, and Control (TCC) that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent. Despite many vulnerabilities in that mechanism found in the past, using 0-days during red teaming engagements is impractical. Apple fixes TCC vulnerabilities, but red teams still have to get access to files saved on the victim's desktop or be able to take a screenshot. What if I tell you that there are many open doors to resolve all the TCC problems that are already installed on your target machines?! Electron apps are everywhere. And you probably heard the joke that the 'S' in Electron stands for security. In this talk I will share a new tool that, by abusing Electron's default configuration, allows executing code in the context of those Electron apps and thus inheriting their TCC permissions. The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. The part of the audience interested in macOS red teaming will also get to know my new, free and open source tool. Blue teams on the stage will also see some ideas regarding detections.
Conference: Defcon 31
Authors: Patrick Wardle (Objective-See Foundation)
2023-08-01

To retain a foothold on an infected system, most Mac malware will persist, installing itself in a manner that ensures it will be automatically (re)launched each time the infected system is rebooted. In macOS Ventura, Apple rearchitected core persistence mechanisms and added a new security mechanism that alerts the user any time an item is persisted. As the former is both undocumented and implemented in a proprietary manner, this poses a problem for existing security and forensics tools (that aim to heuristically detect malware via unauthorized persistence events). On the other hand, the latter is problematic to malware authors, who obviously want their malicious creations to persist without an alert being shown to the user. In this talk, we'll indiscriminately provide solutions for all! First, we'll dive into the internals of macOS's Background Task Management (BTM) which, as we'll see, contains a central (albeit proprietary) repository of persistent items. Armed with this information, we'll release open-source code capable of programmatically enumerating all persistent items from BTM, ensuring security and forensics tools regain compatibility. We'll also highlight design weaknesses that malicious code could trivially employ to sidestep the new security features of BTM, such that persistence may still be silently achieved.
Conference: Black Hat Asia 2023
Authors: Koh Nakagawa
2023-05-12

In recent years, Arm processors have become popular on laptops, not limited to embedded devices. For example, Apple announced the Mac transition from Intel to Arm-based Apple Silicon in 2020, which made a big splash. Apple Silicon Macs have Rosetta 2, which enables the execution of Intel-based apps by translating x64 code into Arm64 code. Several researchers have conducted research on Rosetta 2 from a performance perspective. However, to the best of our knowledge, there is no research on Rosetta 2 from a security perspective.

In this talk, we present a new code injection vulnerability in Rosetta 2. Rosetta 2 stores binary translation results as Ahead-Of-Time (AOT) files, which are cached and reused for the next application launch. Since these files are SIP-protected, we cannot modify them even as root. However, we developed a new exploit that bypasses this SIP protection and injects arbitrary code into AOT files with user privileges. This code injection can be used to bypass macOS security and privacy mechanisms. Moreover, this technique enables us to make a stealthy backdoor by hiding a malicious payload in a SIP-protected location. Apple has fixed this vulnerability, but only partially. Therefore, an attacker can still exploit this vulnerability even on the latest macOS.

Our journey does not end with this finding. Interestingly, we also discovered a similar issue in Arm-based Windows x86/x64 emulation and developed a similar code injection. Therefore, we believe this vulnerability is prevalent among these compatibility technologies and will affect similar technologies introduced in the future.

This talk will show the vulnerabilities specific to these compatibility technologies in Arm-based OSs for the first time. New code injection techniques with PoC code benefit red teams. In addition, new exploit techniques and reverse engineering results will help future vulnerability research.