After my talk on Objective by the Sea v3 I received a lot of questions regarding XPC exploitation. I think summing it up in a blog post series is a good idea, so here you have the first one! A post covering how to secure XPC services is planned in the nearest future. Quick introduction to XPC XPC is a fundamental inter-process communication mechanism on Apple devices. So, you can find it on macOS, iOS, tvOS, etc.
After reading Adam Chester’s neat article about bypassing macOS privacy controls, I decided to share my recently discovered trick. To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, on your desktop messengers. Especially for this post, I created a simple Electron app that has access to the camera.
Hey Hackers! 👋🏻 In this blog post, I want to show you why signing applications with get-task-allow entitlement may be dangerous and can lead to local privilege escalation bugs. We are going to exploit a real application, iExplorer, iOS application pentesters widely use that. Make a notice that iExplorer is only an example - a lot of apps have that excessive entitlement set. Entitlements? Since Mac OS X 10.11 El Capitan, Apple decided to add a new feature called System Integrity Protection (aka Rootless).
Readers who know me probably also know that I like test soft that I use. So it was this time. I wanted to collect all my chaotically stored notes in Apple Notes, docx files, txts, etc. I considered many different noting apps, but finally I chose Bear.app. Bear offers cool hashtags systems, markdown notation, and syntax highlighting that totally bought me. 😉 Bear is also in the top 10 App Store productivity apps!
Some time ago, I bought Logitech MX Master wireless mouse to be used with my macs. And here, the story begins… Since this mouse has extra buttons I wanted to assign them my custom actions. As I read in Logitech docs I had to download driver called “Logitech Options”. So I did! Kudos section First of all, I wanted to thank @Disconnect3d for helping me with the reversing part. The second Kudos belongs to @Taviso who discovered similar issue on Windows simultaneously and reported it to the Logitech team.
TLDR Sandbox implemented in macOS does not cover pasteboard. That blog post shows that you can create fully sandboxed malware (that may pass Apple’s review, bypassed many times in the past) stealing & modifying pasteboard values. What sandbox is? App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised.
If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe to improve your comfort, you installed its desktop version on your mac? Sometimes we leave our computer unattended when we go to make a coffee, or we need to talk with somebody in the other room. Since we are security-aware, we always lock our screens (you do that, right?). But what if all messages sent to you will be visible on your locked mac?
Quicklook is a super cool mechanism allowing you to quickly check file contents without opening it in a specialized application. When you press the space bar on, for instance, *xlsx file, you can see the following preview without having MS Excel installed. While reading *OS Internals Volume I (that I highly recommend btw) I stopped on the Quicklook chapter. I found out that Quicklook registers com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for ==creating thumbnails== database and storing it in /var/folders/…/C/com.