Posts List

Network Extension Framework aka swiss cheese

The new macOS Big Sur changed a lot of things and introduced new mechanisms. One of the biggest changes was deprecating kernel extensions that, among others, allowed a comprehensive way to filter network traffic. Basing on Network Kernel Extensions, firewall developers were able to code their products. On Big Sur, firewalls should be made using the Network Extension Framework. Unfortunately, as it turned out, Apple created an allowlist of their apps that legitimately bypass any filter you set using your firewall.

Stealing macOS apps' Keychain entries

Storing secrets on the macOS is a big challenge and can be done in multiple insecure ways. I tested many mac apps during bug bounty assessments and observed that developers tend to place secrets in preferences or even hidden flat files. The problem with that approach is that any non-sandboxed application running with typical permissions can access the confidential data. For example, Signal on macOS stores a key that encrypts all your messages database in ~/Library/Application Support/Signal/config.

Learn XPC exploitation - Part 3: Code injections

XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! Learn XPC exploitation - Part 3: Code injections Intro The last technique I showed in my presentation during Objective by the Sea v3 conference was abusing privileged XPC services using different code injections. In many apps I exploited, I observed that developers are aware that privileged XPC services have to verify incoming connections.

Learn XPC exploitation - Part 2: Say no to the PID!

XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! Learn XPC exploitation - Part 3: Code injections Intro Hey! In my last post, I showed you how weak SecRequirement string might lead to incoming connections validation issues. This post will focus on another way to trick XPC servers into trusting our malicious process. 😈 We’re going to exploit a vulnerability that I found some time ago in Malwarebytes.

Learn XPC exploitation - Part 1: Broken cryptography

XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! Learn XPC exploitation - Part 3: Code injections After my talk on Objective by the Sea v3 I received a lot of questions regarding XPC exploitation. I think summing it up in a blog post series is a good idea, so here you have the first one!

Abusing Electron apps to bypass macOS' security controls

After reading Adam Chester’s neat article about bypassing macOS privacy controls, I decided to share my recently discovered trick. To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, on your desktop messengers. Especially for this post, I created a simple Electron app that has access to the camera.

Dangerous Get Task Allow Entitlement on iExplorer example

Hey Hackers! 👋🏻 In this blog post, I want to show you why signing applications with get-task-allow entitlement may be dangerous and can lead to local privilege escalation bugs. We are going to exploit a real application, iExplorer, iOS application pentesters widely use that. Make a notice that iExplorer is only an example - a lot of apps have that excessive entitlement set. Entitlements? Since Mac OS X 10.11 El Capitan, Apple decided to add a new feature called System Integrity Protection (aka Rootless).

Stealing Bear Notes With Url Schemes

Readers who know me probably also know that I like test soft that I use. So it was this time. I wanted to collect all my chaotically stored notes in Apple Notes, docx files, txts, etc. I considered many different noting apps, but finally I chose Bear.app. Bear offers cool hashtags systems, markdown notation, and syntax highlighting that totally bought me. 😉 Bear is also in the top 10 App Store productivity apps!

Dissecting Logitech Options on macOS

Some time ago, I bought Logitech MX Master wireless mouse to be used with my macs. And here, the story begins… Since this mouse has extra buttons I wanted to assign them my custom actions. As I read in Logitech docs I had to download driver called “Logitech Options”. So I did! Kudos section First of all, I wanted to thank @Disconnect3d for helping me with the reversing part. The second Kudos belongs to @Taviso who discovered similar issue on Windows simultaneously and reported it to the Logitech team.

Sandboxed malware may control your pasteboard

TLDR Sandbox implemented in macOS does not cover pasteboard. That blog post shows that you can create fully sandboxed malware (that may pass Apple’s review, bypassed many times in the past) stealing & modifying pasteboard values. What sandbox is? App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised.