The new macOS Big Sur changed a lot of things and introduced new mechanisms. One of the biggest changes was deprecating kernel extensions that, among others, allowed a comprehensive way to filter network traffic. Basing on Network Kernel Extensions, firewall developers were able to code their products. On Big Sur, firewalls should be made using the Network Extension Framework. Unfortunately, as it turned out, Apple created an allowlist of their apps that legitimately bypass any filter you set using your firewall.
Storing secrets on the macOS is a big challenge and can be done in multiple insecure ways. I tested many mac apps during bug bounty assessments and observed that developers tend to place secrets in preferences or even hidden flat files. The problem with that approach is that any non-sandboxed application running with typical permissions can access the confidential data.
For example, Signal on macOS stores a key that encrypts all your messages database in ~/Library/Application Support/Signal/config.
This is a special post because I fully based on another researcher, s1guza’s 0day. All of this story began from the following tweet:
Siguza told us that his 0day was patched in the iOS 13.5 beta3. So this is actually a sandbox escape 0day for the newest, non-beta iOS version (13.4.1). In this post, I’ll show you how I reproduced that bug and wrote a malicious application that uses that 0day to steal the iMessage history!
After reading Adam Chester’s neat article about bypassing macOS privacy controls, I decided to share my recently discovered trick.
To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, on your desktop messengers.
Especially for this post, I created a simple Electron app that has access to the camera.
TLDR Sandbox implemented in macOS does not cover pasteboard. That blog post shows that you can create fully sandboxed malware (that may pass Apple’s review, bypassed many times in the past) stealing & modifying pasteboard values.
What sandbox is? App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised.
If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe to improve your comfort, you installed its desktop version on your mac? Sometimes we leave our computer unattended when we go to make a coffee, or we need to talk with somebody in the other room. Since we are security-aware, we always lock our screens (you do that, right?).
But what if all messages sent to you will be visible on your locked mac?
Quicklook is a super cool mechanism allowing you to quickly check file contents without opening it in a specialized application. When you press the space bar on, for instance, *xlsx file, you can see the following preview without having MS Excel installed. While reading *OS Internals Volume I (that I highly recommend btw) I stopped on the Quicklook chapter. I found out that Quicklook registers com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for ==creating thumbnails== database and storing it in /var/folders/…/C/com.