Posts List

Change home directory and bypass TCC aka CVE-2020-27937

Introduction This is the second TCC vulnerability that has been disclosed y & Csaba’s talk “20+ ways to bypass your macOS privacy mechanisms” during Black Hat USA. This time by changing the NFSHomeDirectory variable I was able to bypass user TCC restrictions. Do you remember the CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data article describing a vulnerability found by Matt Shockley?

Play the music and bypass TCC aka CVE-2020-29621

Introduction This vulnerability has been disclosed during my & Csaba’s talk “20+ ways to bypass macOS your privacy mechanisms” during Black Hat USA. It was a part of my COVID-19 lockdown research. 😉 In the end this vulnerability led to full TCC bypass as I was able to fully control the TCC database. How I found this vulnerability After the XPC research, I had an idea to verify if it will be possible to use the same tricks but on the macOS processes.

M1 Macs GateKeeper bypass aka CVE-2021-30658

Summary This blog post describes a GateKeeper bypass that worked on M1 Macs. With a few clicks in a web browser, the attacker could have executed malicious code on the victims' machines. Introduction When the first M1 Macs appeared in the Apple Store, I immediately bought one. I was really excited to verify the attack vectors I thought about. I noticed that M1 Macs could install iOS apps compiled for ARM64, so maybe there will be inconsistencies?

Press 5 keys and become r00t aka CVE-2021-30655

Introduction I personally love vulnerabilities with stories. This one is of that kind… About one year ago, I submitted a vulnerability to Apple that they were unable to reproduce. We exchanged some emails with the clarifications, but the security team still couldn’t have validated the original vulnerability. Then they asked me to run sysdiagnose in order to collect logs that could have helped them. The problem Like a real security researcher I checked how the /usr/bin/sysdiagnose acutally works.

How to rob a (Fire)fox

Summary This story is about an issue I reported in July of 2019 via Bugzilla. The ticket is public from the 16th of January 2020, so I don’t disclose any new vulnerability. However, I think such posts are necessary to show the community how applications installed on Macs may harm their privacy. This post will show you how an attacker that achieves code execution on your machine may use Firefox to abuse your Privacy preferences (TCC) and thus access your microphone/camera/location and record your screen.

When vulnerable library is actually your physical book

Recently I read a really good book about macOS #appsec - Professional Cocoa Application Security. It’s from 2010 but still worth reading as the main concepts didn’t change so much. In this blog post, I’d like to share an interesting story that led to the discovery of CVE-2021-3162 - a local privilege escalation vulnerability in Docker on macOS. In Chapter 10 - “Deploying Software Securely”, I stumbled across configuring XPC services installers.

Network Extension Framework aka Swiss cheese

The new macOS Big Sur changed a lot of things and introduced new mechanisms. One of the biggest changes was deprecating kernel extensions that, among others, allowed a comprehensive way to filter network traffic. Basing on Network Kernel Extensions, firewall developers were able to code their products. On Big Sur, firewalls should be made using the Network Extension Framework. Unfortunately, as it turned out, Apple created an allowlist of their apps that legitimately bypass any filter you set using your firewall.

Stealing macOS apps' Keychain entries

Storing secrets on the macOS is a big challenge and can be done in multiple insecure ways. I tested many mac apps during bug bounty assessments and observed that developers tend to place secrets in preferences or even hidden flat files. The problem with that approach is that any non-sandboxed application running with typical permissions can access the confidential data. For example, Signal on macOS stores a key that encrypts all your messages database in ~/Library/Application Support/Signal/config.

Learn XPC exploitation - Part 3: Code injections

XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! Learn XPC exploitation - Part 3: Code injections Intro The last technique I showed in my presentation during Objective by the Sea v3 conference was abusing privileged XPC services using different code injections. In many apps I exploited, I observed that developers are aware that privileged XPC services have to verify incoming connections.

Stealing your SMS messages with iOS 0day

This is a special post because I fully based on another researcher, s1guza’s 0day. All of this story began from the following tweet: Siguza told us that his 0day was patched in the iOS 13.5 beta3. So this is actually a sandbox escape 0day for the newest, non-beta iOS version (13.4.1). In this post, I’ll show you how I reproduced that bug and wrote a malicious application that uses that 0day to steal the iMessage history!