<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Wojciech Reguła</title><link>/</link><description>Recent content on Wojciech Reguła</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© Wojciech Reguła</copyright><lastBuildDate>Sun, 20 Oct 2024 10:37:00 +0000</lastBuildDate><atom:link href="/rss.xml" rel="self" type="application/rss+xml"/><item><title>About me</title><link>/about-me/</link><pubDate>Sun, 18 Mar 2018 00:56:44 +0000</pubDate><guid>/about-me/</guid><description>Welcome to my #appsec blog! Here you can read about macOS application security and general IT sec topics. All of the research presented here is done in my free time. All opinions presented on this blog are my own 🤐
I&amp;rsquo;m a Principal Security Consultant working at SecuRing. I created the iOS Security Suite - an opensource anti-tampering framework. I also play some bug bounty programs, reached MVP on Bugcrowd and found bugs among others in Apple, Facebook, Malwarebytes, Slack, Atlassian.</description></item><item><title>TCC bypasses via launch services</title><link>/post/tcc-bypasses-via-launch-services/</link><pubDate>Sun, 20 Oct 2024 10:37:00 +0000</pubDate><guid>/post/tcc-bypasses-via-launch-services/</guid><description>Overview of my favorite TCC bypass ever This vulnerability was disclosed at Black Hat Europe 2022 in the talk Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms. The technique used an old Launch Services function LSSetDefaultRoleHandlerForContentType that allowed (without any restrictions) to register arbitrary applications for handling specified UTI handlers. After the UTI handling app registration, the exploit simply opens juicy files (like AddressBook or iMessages database) and TCC happily grants access to them.</description></item><item><title>Multiple TCC bypasses via SQLite environment variables</title><link>/post/multiple-tcc-bypasses-via-sqlite-env-vars/</link><pubDate>Mon, 24 Jun 2024 10:37:00 +0000</pubDate><guid>/post/multiple-tcc-bypasses-via-sqlite-env-vars/</guid><description>Overview These vulnerabilities were disclosed at Black Hat Europe 2022 in the talk Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms. The technique relied on an SQLite environment variable respected by libsqlite3.dylib which made apps using the standard SQLite system API log all the SQL queries. 
Since such queries may contain sensitive user data normally protected by TCC, I started researching all the problematic occurrences.</description></item><item><title>ELECTRONizing macOS privacy</title><link>/post/electroniz3r/</link><pubDate>Tue, 23 Jan 2024 10:37:00 +0000</pubDate><guid>/post/electroniz3r/</guid><description>Publications This research has been presented at:
DEF CON 31 - ELECTRONizing macOS privacy Objective By the Sea - ELECTRONizing macOS Privacy - a New Weapon in Your Red Teaming Armory The backstory In 2019 I wrote a blog post about injecting code to Electron apps to impersonate their TCC permissions. The trick was really simple because at that time the only thing an attacker had to do was to modify one of the Electron app&amp;rsquo;s HTML files or the whole ASAR.</description></item><item><title>macOS Atlassian Companion Remote Code Execution</title><link>/post/macos-atlassian-companion-rce/</link><pubDate>Sun, 09 Jul 2023 10:37:00 +0000</pubDate><guid>/post/macos-atlassian-companion-rce/</guid><description>Overview I identified a vulnerability that allowed executing code on victims&amp;rsquo; machines after they click the Edit button on a Confluence page when Atlassian Companion is installed on macOS.
The Atlassian Companion app enables users to edit Confluence files in their preferred desktop application, then save the file back to Confluence automatically.
Source: https://confluence.atlassian.com/doc/administering-the-atlassian-companion-app-958456281.html
Exploitation conditions Victim must have Atlassian Companion installed. Victim clicks on the Edit button in Confluence, so the malicious file is opened in the Atlassian Companion App on macOS (standard app behavior).</description></item><item><title>Bypass TCC via iCloud</title><link>/post/bypass-tcc-via-icloud/</link><pubDate>Sat, 04 Mar 2023 10:37:00 +0000</pubDate><guid>/post/bypass-tcc-via-icloud/</guid><description>Overview These vulnerabilities were first disclosed at TyphoonCon in Seoul during my talk What happens on your Mac, stays on Apple’s iCloud?! Bypassing Mac privacy mechanisms. I found 2 code injection opportunities in iMovie and GarageBand which allowed me to impersonate their com.apple.private.icloud-account.access entitlements. Then, I was able to talk to the iCloud XPC helper which gave me the user&amp;rsquo;s iCloud tokens. With these tokens, I was able to get all the data that is synchronized with iCloud and is normally protected via TCC (Contacts, Reminders, Calendars, Location, etc).</description></item><item><title>macOS Sandbox Escape vulnerability via Terminal</title><link>/post/macos-sandbox-escape-via-terminal/</link><pubDate>Fri, 18 Nov 2022 10:37:00 +0000</pubDate><guid>/post/macos-sandbox-escape-via-terminal/</guid><description>Introduction In 2020 I observed a strange behavior: a sandboxed macOS app may launch any application that won&amp;rsquo;t inherit the main app&amp;rsquo;s sandbox profile. It was even funnier as the sandboxed app can spawn those new apps with environment variables. I of course reported it to Apple, but I was told that it&amp;rsquo;s expected behavior.
Since then there have been at least 2 publicly-disclosed vulnerabilities that exploited the above-mentioned behavior:</description></item><item><title>macOS Red Teaming: Apple Dev-ID signed Java environment</title><link>/post/macos-red-teaming-apple-signed-java/</link><pubDate>Mon, 11 Jul 2022 10:37:00 +0000</pubDate><guid>/post/macos-red-teaming-apple-signed-java/</guid><description>macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple &amp;amp; ready-to-use tricks that may help you during macOS red teaming engagements.
The trick There have been a lot of different code execution &amp;amp; persistence methods on macOS, including those that involve delivering your own interpreters/environments like Java. Recently, I found out that Apple&amp;rsquo;s Transporter app contains a working Java environment. So if you need a Java binary signed directly with an Apple Dev-ID certificate, go and grab it!</description></item><item><title>macOS Red Teaming: Initial access via AppleScript URL</title><link>/post/macos-red-teaming-initial-access-via-applescript-url/</link><pubDate>Fri, 18 Mar 2022 10:37:00 +0000</pubDate><guid>/post/macos-red-teaming-initial-access-via-applescript-url/</guid><description>macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple &amp;amp; ready-to-use tricks that may help you during macOS red teaming engagements.
The trick This post is about a funny trick that may help you in achieving initial access on a macOS machine. It requires performing advanced phishing but the code execution with built-in TCC bypass is extremely powerful.
Let&amp;rsquo;s go to the point. The Script Editor (/System/Applications/Utilities/Script Editor.</description></item><item><title>macOS Red Teaming: Bypass TCC with old apps</title><link>/post/macos-red-teaming-bypass-tcc-with-old-apps/</link><pubDate>Thu, 10 Mar 2022 10:37:00 +0000</pubDate><guid>/post/macos-red-teaming-bypass-tcc-with-old-apps/</guid><description>macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple &amp;amp; ready-to-use tricks that may help you during macOS red teaming engagements.
The trick This post shows how to bypass the macOS privacy framework (TCC) using old app versions. During red teaming engagements sometimes you need access to the Camera/Microphone or files stored on the user&amp;rsquo;s Desktop. It turns out that on macOS you cannot do this without special permissions that are handled by the TCC framework.</description></item><item><title>macOS Red Teaming: Get Active Directory credentials from NoMAD</title><link>/post/macos-red-teaming-get-ad-credentials-from-nomad/</link><pubDate>Thu, 03 Mar 2022 10:37:00 +0000</pubDate><guid>/post/macos-red-teaming-get-ad-credentials-from-nomad/</guid><description>macOS Red Teaming Tricks series This is the first post of the new #macOSRedTeamingTricks series. The idea is to share simple &amp;amp; ready-to-use tricks that may help you during macOS red teaming engagements.
The trick This post shows how to get AD data, including a user&amp;rsquo;s login and password, from a macOS machine with NoMAD configured. NoMAD helps Mac users bound to AD domains, and from my experience, it is widely used software, particularly in legacy Windows environments.</description></item><item><title>Bypass TCC via privileged helpers aka CVE-2020-10008</title><link>/post/bypass-tcc-via-privileged-helpers-aka-cve-2020-10008/</link><pubDate>Tue, 07 Dec 2021 10:37:00 +0000</pubDate><guid>/post/bypass-tcc-via-privileged-helpers-aka-cve-2020-10008/</guid><description>Introduction This vulnerability was disclosed at @Hack in Saudi Arabia in the 20+ Ways To Bypass Your Macos Privacy Mechanisms presentation. In the end, it allowed impersonating TCC entitlements of any application installed on the device.
Overview Applications may install privileged helpers in the /Library/PrivilegedHelpers directory. When such a helper tries to access the protected resource (e.g. Address Book), TCC tries to determine which app is responsible for the helper. If the main app is determined, TCC checks whether the app has proper permissions and grants the helper access to the protected resources.</description></item><item><title>Change home directory and bypass TCC aka CVE-2020-27937</title><link>/post/change-home-directory-and-bypass-tcc-aka-cve-2020-27937/</link><pubDate>Thu, 09 Sep 2021 10:37:00 +0000</pubDate><guid>/post/change-home-directory-and-bypass-tcc-aka-cve-2020-27937/</guid><description>Introduction This is the second TCC vulnerability that has been disclosed on my &amp;amp; Csaba&amp;rsquo;s talk &amp;ldquo;20+ ways to bypass your macOS privacy mechanisms&amp;rdquo; during Black Hat USA. This time by changing the NFSHomeDirectory variable I was able to bypass user TCC restrictions.
Do you remember the CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data article describing a vulnerability found by Matt Shockley?</description></item><item><title>Play the music and bypass TCC aka CVE-2020-29621</title><link>/post/play-the-music-and-bypass-tcc-aka-cve-2020-29621/</link><pubDate>Thu, 02 Sep 2021 10:37:00 +0000</pubDate><guid>/post/play-the-music-and-bypass-tcc-aka-cve-2020-29621/</guid><description>Introduction This vulnerability has been disclosed during my &amp;amp; Csaba&amp;rsquo;s talk &amp;ldquo;20+ ways to bypass macOS your privacy mechanisms&amp;rdquo; during Black Hat USA. It was a part of my COVID-19 lockdown research. 😉 In the end this vulnerability led to full TCC bypass as I was able to fully control the TCC database.
How I found this vulnerability After the XPC research, I had an idea to verify whether it would be possible to use the same tricks on macOS processes.</description></item><item><title>M1 Macs GateKeeper bypass aka CVE-2021-30658</title><link>/post/m1-macs-gatekeeper-bypass-aka-cve-2021-30658/</link><pubDate>Fri, 18 Jun 2021 10:37:00 +0000</pubDate><guid>/post/m1-macs-gatekeeper-bypass-aka-cve-2021-30658/</guid><description>Summary This blog post describes a GateKeeper bypass that worked on M1 Macs. With a few clicks in a web browser, the attacker could have executed malicious code on the victims&amp;rsquo; machines.
Introduction When the first M1 Macs appeared in the Apple Store, I immediately bought one. I was really excited to verify the attack vectors I thought about. I noticed that M1 Macs could install iOS apps compiled for ARM64, so maybe there will be inconsistencies?</description></item><item><title>Press 5 keys and become r00t aka CVE-2021-30655</title><link>/post/press-5-keys-and-become-root-aka-cve-2021-30655/</link><pubDate>Mon, 10 May 2021 13:37:00 +0000</pubDate><guid>/post/press-5-keys-and-become-root-aka-cve-2021-30655/</guid><description>Introduction I personally love vulnerabilities with stories. This one is of that kind&amp;hellip; About one year ago, I submitted a vulnerability to Apple that they were unable to reproduce. We exchanged some emails with the clarifications, but the security team still couldn&amp;rsquo;t have validated the original vulnerability. Then they asked me to run sysdiagnose in order to collect logs that could have helped them.
The problem Like a real security researcher I checked how /usr/bin/sysdiagnose actually works.</description></item><item><title>How to rob a (Fire)fox</title><link>/post/how-to-rob-a-firefox/</link><pubDate>Tue, 09 Mar 2021 13:37:00 +0000</pubDate><guid>/post/how-to-rob-a-firefox/</guid><description>Summary This story is about an issue I reported in July of 2019 via Bugzilla. The ticket has been public since the 16th of January 2020, so I don&amp;rsquo;t disclose any new vulnerability. However, I think such posts are necessary to show the community how applications installed on Macs may harm their privacy. This post will show you how an attacker that achieves code execution on your machine may use Firefox to abuse your Privacy preferences (TCC) and thus access your microphone/camera/location and record your screen.</description></item><item><title>When vulnerable library is actually your physical book</title><link>/post/when-vulnerable-library-is-actually-your-physical-book/</link><pubDate>Thu, 21 Jan 2021 13:37:00 +0000</pubDate><guid>/post/when-vulnerable-library-is-actually-your-physical-book/</guid><description>Recently I read a really good book about macOS #appsec - Professional Cocoa Application Security. It&amp;rsquo;s from 2010 but still worth reading as the main concepts didn&amp;rsquo;t change so much. In this blog post, I&amp;rsquo;d like to share an interesting story that led to the discovery of CVE-2021-3162 - a local privilege escalation vulnerability in Docker on macOS.
In Chapter 10 - &amp;ldquo;Deploying Software Securely&amp;rdquo;, I stumbled across configuring XPC services installers.</description></item><item><title>Network Extension Framework aka Swiss cheese</title><link>/post/network-extension-framework-aka-swiss-cheese/</link><pubDate>Wed, 18 Nov 2020 13:37:00 +0000</pubDate><guid>/post/network-extension-framework-aka-swiss-cheese/</guid><description>The new macOS Big Sur changed a lot of things and introduced new mechanisms. One of the biggest changes was deprecating kernel extensions that, among others, allowed a comprehensive way to filter network traffic. Basing on Network Kernel Extensions, firewall developers were able to code their products. On Big Sur, firewalls should be made using the Network Extension Framework. Unfortunately, as it turned out, Apple created an allowlist of their apps that legitimately bypass any filter you set using your firewall.</description></item><item><title>Stealing macOS apps' Keychain entries</title><link>/post/stealing-macos-apps-keychain-entries/</link><pubDate>Fri, 30 Oct 2020 13:37:00 +0000</pubDate><guid>/post/stealing-macos-apps-keychain-entries/</guid><description>Storing secrets on the macOS is a big challenge and can be done in multiple insecure ways. I tested many mac apps during bug bounty assessments and observed that developers tend to place secrets in preferences or even hidden flat files. The problem with that approach is that any non-sandboxed application running with typical permissions can access the confidential data.
For example, Signal on macOS stores a key that encrypts all your messages database in ~/Library/Application Support/Signal/config.</description></item><item><title>Learn XPC exploitation - Part 3: Code injections</title><link>/post/learn-xpc-exploitation-part-3-code-injections/</link><pubDate>Mon, 29 Jun 2020 13:37:00 +0000</pubDate><guid>/post/learn-xpc-exploitation-part-3-code-injections/</guid><description>XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography
Learn XPC exploitation - Part 2: Say no to the PID!
Learn XPC exploitation - Part 3: Code injections
Intro The last technique I showed in my presentation during the Objective by the Sea v3 conference was abusing privileged XPC services using different code injections. In many apps I exploited, I observed that developers are aware that privileged XPC services have to verify incoming connections.</description></item><item><title>Stealing your SMS messages with iOS 0day</title><link>/post/stealing-your-sms-messages-with-ios-0day/</link><pubDate>Thu, 30 Apr 2020 00:00:00 +0000</pubDate><guid>/post/stealing-your-sms-messages-with-ios-0day/</guid><description>This is a special post because it is fully based on the 0day of another researcher, s1guza. This whole story began with the following tweet:
Siguza told us that his 0day was patched in the iOS 13.5 beta3. So this is actually a sandbox escape 0day for the newest, non-beta iOS version (13.4.1). In this post, I&amp;rsquo;ll show you how I reproduced that bug and wrote a malicious application that uses that 0day to steal the iMessage history!</description></item><item><title>Learn XPC exploitation - Part 2: Say no to the PID!</title><link>/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/</link><pubDate>Thu, 23 Apr 2020 13:37:00 +0000</pubDate><guid>/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/</guid><description>XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography
Learn XPC exploitation - Part 2: Say no to the PID!
Learn XPC exploitation - Part 3: Code injections
Intro Hey! In my last post, I showed you how a weak SecRequirement string might lead to incoming connection validation issues. This post will focus on another way to trick XPC servers into trusting our malicious process. 😈 We&amp;rsquo;re going to exploit a vulnerability that I found some time ago in Malwarebytes.</description></item><item><title>Learn XPC exploitation - Part 1: Broken cryptography</title><link>/post/learn-xpc-exploitation-part-1-broken-cryptography/</link><pubDate>Sat, 28 Mar 2020 13:37:00 +0000</pubDate><guid>/post/learn-xpc-exploitation-part-1-broken-cryptography/</guid><description>XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography
Learn XPC exploitation - Part 2: Say no to the PID!
Learn XPC exploitation - Part 3: Code injections
After my talk at Objective by the Sea v3 I received a lot of questions regarding XPC exploitation. I think summing it up in a blog post series is a good idea, so here you have the first one! A post covering how to secure XPC services is planned in the near future.</description></item><item><title>Abusing Electron apps to bypass macOS' security controls</title><link>/post/abusing-electron-apps-to-bypass-macos-security-controls/</link><pubDate>Wed, 18 Dec 2019 13:37:00 +0000</pubDate><guid>/post/abusing-electron-apps-to-bypass-macos-security-controls/</guid><description>After reading Adam Chester&amp;rsquo;s neat article about bypassing macOS privacy controls, I decided to share my recently discovered trick.
To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, at your desktop messengers.
Especially for this post, I created a simple Electron app that has access to the camera.</description></item><item><title>Dangerous Get Task Allow Entitlement on iExplorer example</title><link>/post/dangerous-get-task-allow-entitlement/</link><pubDate>Thu, 08 Aug 2019 20:13:01 +0200</pubDate><guid>/post/dangerous-get-task-allow-entitlement/</guid><description>Hey Hackers! 👋🏻
In this blog post, I want to show you why signing applications with the get-task-allow entitlement may be dangerous and can lead to local privilege escalation bugs. We are going to exploit a real application, iExplorer, which iOS application pentesters widely use. Note that iExplorer is only an example - a lot of apps have that excessive entitlement set.
Entitlements? Since Mac OS X 10.11 El Capitan, Apple decided to add a new feature called System Integrity Protection (aka Rootless).</description></item><item><title>Stealing Bear Notes With Url Schemes</title><link>/post/stealing-bear-notes-with-url-schemes/</link><pubDate>Sat, 02 Mar 2019 11:12:10 +0100</pubDate><guid>/post/stealing-bear-notes-with-url-schemes/</guid><description>Readers who know me probably also know that I like to test the software that I use. So it was this time. I wanted to collect all my chaotically stored notes in Apple Notes, docx files, txts, etc. I considered many different note-taking apps, but finally I chose Bear.app. Bear offers a cool hashtag system, markdown notation, and syntax highlighting that totally bought me. 😉 Bear is also in the top 10 App Store productivity apps!
Kudos section First of all, I wanted to thank @Disconnect3d for helping me with the reversing part. The second Kudos belongs to @Taviso who discovered a similar issue on Windows simultaneously and reported it to the Logitech team.</description></item><item><title>Sandboxed malware may control your pasteboard</title><link>/post/sandboxed-malware-can-control-your-pasteboard/</link><pubDate>Tue, 18 Dec 2018 09:23:56 +0000</pubDate><guid>/post/sandboxed-malware-can-control-your-pasteboard/</guid><description>TLDR The sandbox implemented in macOS does not cover the pasteboard. This blog post shows that you can create fully sandboxed malware (that may pass Apple&amp;rsquo;s review, bypassed many times in the past) stealing &amp;amp; modifying pasteboard values.
What is the sandbox? App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised.</description></item><item><title>Newsletter</title><link>/newsletter/</link><pubDate>Sat, 08 Dec 2018 21:24:29 +0000</pubDate><guid>/newsletter/</guid><description/></item><item><title>Your Signal messages can leak via locked screen on macOS</title><link>/post/your-signal-messages-can-leak-via-locked-screen-on-macos/</link><pubDate>Mon, 12 Nov 2018 23:58:36 +0000</pubDate><guid>/post/your-signal-messages-can-leak-via-locked-screen-on-macos/</guid><description>If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe to improve your comfort, you installed its desktop version on your mac? Sometimes we leave our computer unattended when we go to make a coffee, or we need to talk with somebody in the other room. Since we are security-aware, we always lock our screens (you do that, right?).
But what if all messages sent to you were visible on your locked mac?</description></item><item><title>Clone your finger - bypassing TouchID</title><link>/post/clone-you-finger-bypassing-touchid/</link><pubDate>Tue, 21 Aug 2018 21:42:37 +0000</pubDate><guid>/post/clone-you-finger-bypassing-touchid/</guid><description>In this short blog post, I will present to you why an alphanumeric password is much more secure than using biometrics. At my home, as a total n00b, I was able to clone my finger and bypass TouchID. To be honest, in my case the effectiveness was about 10%-15% - but like I wrote before, it was my first time, and I didn&amp;rsquo;t have any professional tools. Before I start, I want to credit Łukasz Bobrek &amp;amp; Paweł Kuryłowicz from SecuRing who showed me their research.</description></item><item><title>My thoughts after AppSec EU</title><link>/post/my-thoughts-after-appsec-eu/</link><pubDate>Mon, 09 Jul 2018 17:23:42 +0000</pubDate><guid>/post/my-thoughts-after-appsec-eu/</guid><description>Hi dear readers! This year I attended my first OWASP AppSec EU both as an attendee and speaker. I really enjoyed the conference, the community-driven presentations, and 3 tracks (DevOps, Developer, CISO, Hacker). Because of my interests, I decided to follow the Hacker track.
Man in contacts The first presentation that I attended at AppSec was Man in contacts by Jeremy Matos and Laureline David. The main idea was to create a malicious app that has access to your contacts (you actually give the permissions), and then all your contacts are drained to the malicious C&amp;amp;C.</description></item><item><title>Your encrypted photos revealed in macOS cache</title><link>/post/your-encrypted-photos-in-macos-cache/</link><pubDate>Sat, 02 Jun 2018 13:24:51 +0000</pubDate><guid>/post/your-encrypted-photos-in-macos-cache/</guid><description>Quicklook is a super cool mechanism allowing you to quickly check file contents without opening it in a specialized application. When you press the space bar on, for instance, an *xlsx file, you can see the following preview without having MS Excel installed. While reading *OS Internals Volume I (that I highly recommend btw) I stopped at the Quicklook chapter. I found out that Quicklook registers the com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for creating the thumbnails database and storing it in /var/folders/&amp;hellip;/C/com.
Today is 26th April 2018, so it&amp;rsquo;s over half a year after DASAN was informed.</description></item><item><title>Story about hacking security conference and their funny revenge</title><link>/post/playing-with-hacker-conf/</link><pubDate>Mon, 09 Apr 2018 10:02:41 +0000</pubDate><guid>/post/playing-with-hacker-conf/</guid><description>Not so long ago, I submitted my presentation proposal to CONFidence&amp;rsquo;s Call For Papers. CONFidence is one of the best European IT Sec conferences that I love to attend due to the very good presentation quality and hackish^H^H atmosphere ;-)
This year I decided to actively attend as a speaker with my presentation about pentesting iOS apps using jailed iDevice. I sent my proposal, and when I received the approval, I visited the conference&amp;rsquo;s website in order to check if I&amp;rsquo;m included in the speakers list for sure (in SecuRing it&amp;rsquo;s common to prank your colleagues like for instance sending emails from the fake server, haha).</description></item><item><title>Cordova keychain leak</title><link>/post/cordova-keychain-leak/</link><pubDate>Thu, 29 Mar 2018 16:48:12 +0000</pubDate><guid>/post/cordova-keychain-leak/</guid><description>During my work, I was auditing a Cordova App and then I saw a plain text password right in the logs. I talked to the developer and it proved that Cordova doesn&amp;rsquo;t support Keychain by itself. One of the most popular Keychain plugins (also used by this developer) is https://github.com/ionic-team/cordova-plugin-ios-keychain.
It turned out there was a forgotten NSLog call that logged all keychain entries. I reported it and the bug is now fixed (CVE-2018-1000123).</description></item><item><title>FreePlane &lt;= 1.5.9 XXE</title><link>/post/freeplane-xxe/</link><pubDate>Mon, 19 Mar 2018 23:00:10 +0000</pubDate><guid>/post/freeplane-xxe/</guid><description>What is FreePlane? FreePlane is an open-source application intended for creating mind maps.
Vulnerability description: FreePlane is a Java-based app that loads its mind maps, which are stored as simple XML files. The parser allowed external entities to be expanded, which caused this vulnerability.
Results: When the victim opens a maliciously crafted mind map, any file accessible to Java can be sent to the attacker.
Proof of concept: Malicious mindmap:
&amp;lt;map version=&amp;#34;freeplane 1.</description></item></channel></rss>