{"@attributes":{"version":"2.0"},"channel":{"title":"theevilbit blog","link":"https:\/\/theevilbit.github.io\/","description":"Recent content on theevilbit blog","generator":"Hugo","language":"en","lastBuildDate":"Thu, 21 May 2026 00:00:00 +0000","item":[{"title":"Talks and Workshops","link":"https:\/\/theevilbit.github.io\/talks\/","pubDate":"Thu, 21 May 2026 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/talks\/","description":"<h2 id=\"2026\">\n  2026\n  <a class=\"heading-link\" href=\"#2026\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p><strong>macOS Exploit Mixtape \u2013 Hack Like it&rsquo;s the 80s \/CA: Gergely Kalman\/<\/strong> <em>(Zer0Con)<\/em><\/p>\n<h2 id=\"2025\">\n  2025\n  <a class=\"heading-link\" href=\"#2025\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p><strong>Finding Vulnerabilities in Apple Packages at Scale<\/strong> <em>(SecurityFest, MacDevOpsYVR)<\/em><\/p>\n<p><a href=\"https:\/\/theevilbit.github.io\/talks_workshops\/2025\/SecurityFest2025-Fitzl-ApplePackages.pdf\" >Presentation<\/a><\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=V9usMRDezsM&amp;ab_channel=SecurityFest\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Video - SecurityFest 2025<\/a><\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=NbFZJs62bd8\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Video - MacDevOpsYVR 2025<\/a><\/p>\n<p><strong>The Evolution of macOS Security from the Desert to the Lake<\/strong> <em>(MacSysAdmin, IT Defense 2026, University of Utah MacAdmins meeting)<\/em><\/p>"},{"title":"macOS LPE via the .localized directory","link":"https:\/\/theevilbit.github.io\/posts\/localized\/","pubDate":"Fri, 05 Dec 2025 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/localized\/","description":"<p>This blog is about a vulnerability on macOS which impacts <em>every<\/em> third party installer if they try to run a privileged command from within the application bundle.<\/p>\n<p>This vulnerability has a very long history, and Apple never managed to properly fix it, and I never got a CVE only a note in the \u201cAdditional Recognition\u201d section.<\/p>\n<h2 id=\"a-little-history\">\n  A Little History\n  <a class=\"heading-link\" href=\"#a-little-history\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>There is a very long history of this specific bug that I kept reporting to Apple since 2018 (7 years!!). This bug can be exploited when we install third party software on the system. Actually this was my very first vulnerability I submitted to Apple, and my very first macOS talk back in 2019, called <a href=\"https:\/\/theevilbit.github.io\/posts\/getting_root_with_benign_appstore_apps\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">macOS - Getting root with benign AppStore apps<\/a>.<\/p>"},{"title":"The diskarbitrationd and storagekitd Audit Story Part 2","link":"https:\/\/theevilbit.github.io\/posts\/macos-audit-story-part2\/","pubDate":"Thu, 12 Dec 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/macos-audit-story-part2\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>Kandji&rsquo;s Threat Research team recently performed an audit on the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities. Our team reported all of them to Apple through their responsible disclosure program, and as these are fixed now, we are releasing the details in this blog series - this is part two.<\/p>\n<p>In part one we covered a vulnerability which impacted the diskarbitrationd system daemon and allowed attacks to either escape the sandbox or escalate our privileges through user file systems.<\/p>"},{"title":"The diskarbitrationd and storagekitd Audit Story Part 1","link":"https:\/\/theevilbit.github.io\/posts\/macos-audit-story-part1\/","pubDate":"Fri, 08 Nov 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/macos-audit-story-part1\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>The Kandji team is always looking out for how to help keep your devices secure. In line with that, our Threat Research team performed an audit on the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities such as sandbox escapes, local privilege escalations, and TCC bypasses. Our team reported all of them to Apple through their responsible disclosure program, and as these are fixed now, we are releasing the details.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 35 - Persist through the NVRAM - The 'apple-trusted-trampoline'","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0035\/","pubDate":"Tue, 15 Oct 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0035\/","description":"<blockquote>\n<p>This is part 35 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>TL;DR - This is a practically completely useless persistence, as this can be only set and enabled when SIP is actually disabled. On the other hand I still find it a pretty amazing way to persist, as we can do that by putting a binary into NVRAM and get that executed. Here follows the details of the discovery.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 34 - launchd boot tasks","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0034\/","pubDate":"Thu, 10 Oct 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0034\/","description":"<blockquote>\n<p>This is part 34 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>The all mighty <code>launchd<\/code>, contains an embedded plist file in its <code>__TEXT __config<\/code> section, which contains various settings, BootStrap file locations (like <code>LaunchDaemons<\/code> and <code>LaunchAgents<\/code>) and it has also a <code>Boot<\/code> key, which defines various services, which will be run upon boot. They are called boot tasks. Although this is documented in Jonathan Levin&rsquo;s *OS Internals Vol I. book, I think this is a not well known, and in fact I also totally forgot about it until <a href=\"https:\/\/x.com\/byaaaaahhh\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Matt<\/a> brought them to my attention recently.<\/p>"},{"title":"Dock Tile Plugins Could Be Used to Escalate Privileges","link":"https:\/\/theevilbit.github.io\/posts\/dock-tile-plugins-persistence\/","pubDate":"Fri, 19 Jul 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/dock-tile-plugins-persistence\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>I recently came across a persistence feature in macOS that&rsquo;s tied to Dock tile plugins.<\/p>\n<p>Dock tiles are the small icons that appear on your Dock when an application runs. Plugins for these Dock tiles have been available since macOS Snow Leopard (10.6). In its developer documentation, Apple says about them:<\/p>\n<blockquote>\n<p>A set of methods implemented by plug-ins&hellip;allow an app\u2019s Dock tile to be customized while the app is not running.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 33 - Widgets","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0033\/","pubDate":"Wed, 12 Jun 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0033\/","description":"<blockquote>\n<p>This is part 33 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Widgets are application extensions you can place on your desktop to display some key information from your main app. Although Apple says developers shouldn&rsquo;t implement any functionality there and just use them as a display, they are still apps that run on their own and we can run code inside them. We will explore how we can create them, use them as persistence and also investigate what widgets will automatically run on our system.<\/p>"},{"title":"CVE-2023-40424 - How Malware Can Bypass Transparency Consent and Control","link":"https:\/\/theevilbit.github.io\/posts\/cve-2023-40424\/","pubDate":"Fri, 24 May 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve-2023-40424\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>CVE-2023-40424 is a vulnerability that allows a root-level user to create a new user with a custom Transparency Consent and Control (TCC) database in macOS, which can then be used to access other users\u2019 private data.<\/p>\n<p>First discovered back in 2022, the vulnerability was fixed by Apple in 2023 in macOS Sonoma\u2019s initial release. But it was not fixed in earlier versions of macOS\u2014one more reason users and admins should update their Mac computers to Sonoma.<\/p>"},{"title":"How Apple Mitigates Vulnerabilities in Installer Scripts","link":"https:\/\/theevilbit.github.io\/posts\/apple-mitigates-vulnerabilities-installer-scripts\/","pubDate":"Fri, 15 Mar 2024 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/apple-mitigates-vulnerabilities-installer-scripts\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>Vulnerabilities are hot topics inside the world of security research and\u2014because of their potentially dramatic impacts\u2014outside as well. Unfortunately, the strategies and tactics that companies like Apple take to prevent specific vulnerabilities\u2014or even entire families of exploits\u2014typically attract less attention. But the fact is that engineering high-impact mitigations is typically more challenging than finding a single vulnerability.<\/p>\n<p>In this post, we\u2019ll look at Apple&rsquo;s recent efforts to mitigate an entire class of installer-script vulnerabilities. We will cover:<\/p>"},{"title":"Launch and Environment Constraints Deep Dive","link":"https:\/\/theevilbit.github.io\/posts\/launch_constraints_deep_dive\/","pubDate":"Mon, 09 Oct 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/launch_constraints_deep_dive\/","description":"<blockquote>\n<p>UPDATE 2023.10.10.: After chatting with Thijs Alkemade, <a href=\"https:\/\/mastodon.social\/@xnyhps@infosec.exchange\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@xnyhps<\/a>, updated the XPC part of the post as I originally misunderstood Apple&rsquo;s intent.<\/p>\n<\/blockquote>\n<p>Apple introduced Launch Constraints in macOS Ventura (13) as a response to some common attack scenarios. LC was probably the most impactful mitigation against various type of vulnerabilities. Before we dwell into LC let&rsquo;s review a couple of old vulnerabilities, which would have been not exploitable if LC was present.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 32 - Dock Tile Plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0032\/","pubDate":"Fri, 29 Sep 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0032\/","description":"<blockquote>\n<p>This is part 32 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>When you write a series about something, there are some episodes which are less interesting, many boring stuff, but sometimes there are some true gems. While doing some research yesterday, I run into the Dock Tile Plugin feature in macOS, which turned out to be truly amazing from persistence point of view.<\/p>"},{"title":"macOS Service Management - The SMAppService API - Quick Notes","link":"https:\/\/theevilbit.github.io\/posts\/smappservice\/","pubDate":"Thu, 28 Sep 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/smappservice\/","description":"<p>This is just a super quick post and some notes, about my experiences with SMAppService.<\/p>\n<p>Apple introduced the SMAppService API in macOS Ventura (13) to replace the older SMJobBless and SMLoginItemSetEnabled APIs. SMAppService should be used now to register any new Login Item, Launch Agent or Daemon.<\/p>\n<p>The API is super easy to use, even I could learn it from the developer docs, which is a big thing, and it means that it is indeed really easy as I suck as a developer.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 31 - BSM audit framework","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0031\/","pubDate":"Fri, 26 May 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0031\/","description":"<blockquote>\n<p>This is part 31 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>macOS implements the OpenBSM audit framework created by McAfee, which allows someone to audit system events, like login, file access, etc\u2026 This has been part of the system for very long time. Auditing has several components, the main one being the kernel, which handles all the events. The main user mode process is <code>auditd<\/code>, which is mainly responsible for logging. It\u2019s a huge framework, detailed very well by Jonathan Levin in his <code>*OS Internal Part 3<\/code> book. I suggest reading that part, but you can also find some information here:<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 30 - The man config file - man.conf","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0030\/","pubDate":"Wed, 10 May 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0030\/","description":"<blockquote>\n<p>This is part 30 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>I was watching an old BSidesLuxemburg 2019 talk by Aaron Jewitt, called &ldquo;Threat Hunting On Linux And Mac With Auditbeat System Module&rdquo;, it&rsquo;s up on <a href=\"https:\/\/www.youtube.com\/watch?v=teq6r7XbBug\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">YouTube<\/a>. Aaron mentioned in one of the slides that you can persist using <code>man.conf<\/code> files. It looked really odd, I tried to quickly Google it, but haven\u2019t found anything about it. So I took a look at the configuration file, and indeed, it turns out you can persist via man\u2019s configuration file, <code>man.conf<\/code>, which can be found at <code>\/private\/etc\/man.conf<\/code>.<\/p>"},{"title":"CVE-2022-22655 - TCC - Location Services Bypass","link":"https:\/\/theevilbit.github.io\/posts\/cve-2022-22655\/","pubDate":"Mon, 13 Feb 2023 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve-2022-22655\/","description":"<p>This is a quick blogpost about a vulnerability I covered in our <a href=\"https:\/\/www.blackhat.com\/eu-22\/briefings\/schedule\/index.html#knockout-win-against-tcc----new-ways-to-bypass-your-macos-privacy-mechanisms-29272\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Black Hat Europe 2022 talk<\/a> with <a href=\"https:\/\/twitter.com\/_r3ggi\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Wojciech Regula<\/a>.<\/p>\n<p>In contrary to what people would expect, clients which can access location services are not maintained in one of the TCC databased, but in a separate location, and it&rsquo;s maintained by locationd. This has been also recently covered by Howard Oakley, in his <a href=\"https:\/\/eclecticlight.co\/2023\/02\/10\/privacy-what-tcc-does-and-doesnt\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Privacy: what TCC does and doesn\u2019t<\/a> blogpost.<\/p>\n<p>TCC&rsquo;s location services allowed client list is located inside <code>\/var\/db\/locationd\/clients.plist<\/code>. This file is protected by the Sandbox\/TCC, thus we can&rsquo;t modify it, and add new client, even if we have root privileges.<\/p>"},{"title":"CVE-2022-32929 - Bypass iOS backup's TCC protection","link":"https:\/\/theevilbit.github.io\/posts\/cve-2022-32929\/","pubDate":"Mon, 14 Nov 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve-2022-32929\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>Normally, when a users backup their iOS device, the backup is saved into <code>~\/Library\/Application Support\/MobileSync\/Backup<\/code> directory. The <code>MobileSync<\/code> directory is properly protected by TCC, as the backup can contain photos, contact information, everything from the iOS device, and it might be unencrypted, so this is a whole lot of private information. It&rsquo;s only accessible with Full Disk Access rights.<\/p>\n<p>The issue is that an attacker can invoke the <code>AppleMobileBackup<\/code> utility and make a backup to a custom location. Thus completely bypassing the protected backup location.<\/p>"},{"title":"Prologue - The Lord of The Rules","link":"https:\/\/theevilbit.github.io\/posts\/prologue\/","pubDate":"Mon, 24 Oct 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/prologue\/","description":"<pre tabindex=\"0\"><code>The world is changed:\nI feel it in the Sandbox,\nI feel it in the entitlements,\nI smell it in the kernel...\n\nMuch that once was is lost,\nonly a few live now who remember it.\n\nLord of the Rules\n\nIt began with the forging of the\nGreat Privacy Rules.\n          \nThree were given to the root user,\nimmortal, wisest...fairest of all beings.\n\nSeven to the users, great people\nand clients of the Apple spaceship.\n\nAnd Nine...nine rules were gifted\nto Apple processes which,\nabove all else, desire power.\n\nFor within these rules was bound\nthe strength and will to govern\nprivacy.\n\nBut they were all of them deceived.\n\n...for another rule was made.\n\nIn the land of Cupertino, in the fires of\nIntel CPUs, the Dark Lord Privacy forged\nin secret a Master Rule to control all\nothers.\n\n...and into this Rule he poured his\nwill to dominate all processes.\n\nOne Rule to rule them all...\n\nOne by one the Free lands of macOS\nfell to the power of the rule.\n\nBut there were some...who resisted.\n\nA last alliance of\nlegacy software,\ndisabled library validation\nand bounty hunters\nmarched against the armies of TCC.\n\nOn the slopes of El Capitan they fought\nfor the freedom of macOS.\n<\/code><\/pre>"},{"title":"CVE-2017-2533 - The details behind","link":"https:\/\/theevilbit.github.io\/posts\/cve-2017-2533\/","pubDate":"Mon, 29 Aug 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve-2017-2533\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p><a href=\"https:\/\/support.apple.com\/en-us\/HT207797\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">CVE-2017-2533<\/a>  was part of a chain of vulnerabilities, used at pwn2own 2017 found by the phoenhex team. They wrote a blogpost about it <a href=\"https:\/\/phoenhex.re\/2017-06-09\/pwn2own-diskarbitrationd-privesc\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a>. This vulnerability led me to find CVE-2022-32780, which I detailed at <a href=\"https:\/\/www.blackhat.com\/asia-22\/briefings\/schedule\/index.html#macos-vulnerabilities-hiding-in-plain-sight-26073\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Black Hat Asia 2022<\/a>. Although the nature of CVE-2017-2533 was discussed by the authors, but the actual code part was never truly revealed, and I always wondered about the full details. Now I took the time to dig up the details, including how it was fixed, and why the fix solves the problem.<\/p>"},{"title":"AMFI Launch Constraints - First Quick Look","link":"https:\/\/theevilbit.github.io\/posts\/amfi_launch_constraints\/","pubDate":"Tue, 14 Jun 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/amfi_launch_constraints\/","description":"<p>Dropping some initial quick notes for a new security feature I ran into on macOS Ventura. It&rsquo;s called &ldquo;Launch Constraints&rdquo; and lives inside AMFI.<\/p>\n<p>Do the following experiment: Copy <code>Terminal.app<\/code> to your HOME folder and try to run it on Monterey and Ventura. On the former it will work without any issues, on the other it will fail, and we will get the following error:<\/p>\n<pre tabindex=\"0\"><code>2022-06-14 05:59:55.254678+0200 0x5481     Default     0x0                  0      0\nkernel: (AppleMobileFileIntegrity) AMFI: Launch Constraint Violation (enforcing), error\ninfo: c[1]p[1]m[1]e[2], (Constraint not matched) launching proc[vc: 1 pid: 1112]:\n\/Users\/ace\/Terminal.app\/Contents\/MacOS\/Terminal, launch type 0, failure proc [vc: 1 pid:\n1112]: \/Users\/ace\/Terminal.app\/Contents\/MacOS\/Terminal\n<\/code><\/pre><p>This is interesting. If we copy it to other locations, it will fail as well. The reason looks to be something called &ldquo;Launch Constraint&rdquo;. So it seems that it will disallow the execution of system apps outside their location. This is pretty nice, as this has been abused plenty of times in the past, as moving them out of their place usually allowed someone inject code into them. Remember these TCC bypasses?<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 29 - amstoold","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0029\/","pubDate":"Tue, 08 Mar 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0029\/","description":"<blockquote>\n<p>This is part 29 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>When doing some research on macOS I came across the following LaunchAgent: <code>\/System\/Library\/LaunchAgents\/com.apple.amstoold.plist<\/code>. Its content is the following.<\/p>\n<div class=\"highlight\"><pre tabindex=\"0\" style=\"background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"><code class=\"language-xml\" data-lang=\"xml\"><span style=\"display:flex;\"><span><span style=\"color:#099\">&lt;?xml version=&#34;1.0&#34; encoding=&#34;UTF-8&#34;?&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span><span style=\"color:#099\">&lt;!DOCTYPE plist PUBLIC &#34;-\/\/Apple\/\/DTD PLIST 1.0\/\/EN&#34; &#34;http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd&#34;&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span><span style=\"color:#309;font-weight:bold\">&lt;plist<\/span> <span style=\"color:#309\">version=<\/span><span style=\"color:#c30\">&#34;1.0&#34;<\/span><span style=\"color:#309;font-weight:bold\">&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span><span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>EnablePressuredExit<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;true\/&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>EnableTransactions<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;true\/&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>Label<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;string&gt;<\/span>com.apple.amstoold<span style=\"color:#309;font-weight:bold\">&lt;\/string&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>LaunchEvents<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>com.apple.distnoted.matching<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>com.apple.nfcd.ams.accessory<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>Name<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;string&gt;<\/span>com.apple.nfcd.ams.accessory<span style=\"color:#309;font-weight:bold\">&lt;\/string&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>com.apple.notifyd.matching<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>com.apple.ams.privateListeningChanged<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>Notification<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;string&gt;<\/span>com.apple.ams.privateListeningChanged<span style=\"color:#309;font-weight:bold\">&lt;\/string&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>MachServices<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>com.apple.xpc.amstoold<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;true\/&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>ProcessType<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;string&gt;<\/span>Background<span style=\"color:#309;font-weight:bold\">&lt;\/string&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>ProgramArguments<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;array&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t\t<span style=\"color:#309;font-weight:bold\">&lt;string&gt;<\/span>\/usr\/local\/bin\/amstoold<span style=\"color:#309;font-weight:bold\">&lt;\/string&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;\/array&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;key&gt;<\/span>RunAtLoad<span style=\"color:#309;font-weight:bold\">&lt;\/key&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span>\t<span style=\"color:#309;font-weight:bold\">&lt;true\/&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span><span style=\"color:#309;font-weight:bold\">&lt;\/dict&gt;<\/span>\n<\/span><\/span><span style=\"display:flex;\"><span><span style=\"color:#309;font-weight:bold\">&lt;\/plist&gt;<\/span>\n<\/span><\/span><\/code><\/pre><\/div><p>If we examine it closely we can notice that the related binary is <code>\/usr\/local\/bin\/amstoold<\/code>. This is very interesting as this file doesn&rsquo;t exists on default macOS installations. This means that if we create it, it will be started as the user upon login. As the launchd file is SIP protected, we can&rsquo;t even remove it, and even if we would, it likely would come back at the next OS update.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 28 - Authorization Plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0028\/","pubDate":"Wed, 09 Feb 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0028\/","description":"<blockquote>\n<p>This is part 28 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This persistence mechanism was described in very detail by <a href=\"https:\/\/twitter.com\/xorrior\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Chris Ross<\/a> in his <a href=\"https:\/\/posts.specterops.io\/persistent-credential-theft-with-authorization-plugins-d17b34719d65\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">blogpost: Persistent Credential Theft with Authorization Plugins<\/a>. He also developed sample code, which can be found on his <a href=\"https:\/\/github.com\/xorrior\/macOSTools\/tree\/master\/auth_plugins\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. Thus this blog will only focus on the high level summary, and some changes that happened since he wrote that post.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 27 - Dock shortcuts","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0027\/","pubDate":"Tue, 08 Feb 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0027\/","description":"<blockquote>\n<p>This is part 27 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This persistence is another gem I found in <a href=\"https:\/\/twitter.com\/_D00mfist\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Leo Pitt<\/a>&rsquo;s <a href=\"https:\/\/www.youtube.com\/watch?v=OFQYTJiAmxs\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Modern macOS Persistence<\/a> talk.<\/p>\n<p>macOS Dock stores shortcuts for applications, that we would like to access through the, well&hellip; Dock. It stores all settings in <code>~\/Library\/Preferences\/com.apple.dock.plist<\/code>. Although we can edit this PLIST directly, we can also use the <code>defaults<\/code> utility to change it. For example adding a new entry:<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 26 - Finder Sync Plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0026\/","pubDate":"Sat, 05 Feb 2022 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0026\/","description":"<blockquote>\n<p>This is part 26 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This method was documented very detailed by Patrick Wardle in his <a href=\"https:\/\/objective-see.com\/blog\/blog_0x11.html\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">blogpost<\/a> back in 2016. It was also covered by <a href=\"https:\/\/twitter.com\/_D00mfist\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Leo Pitt<\/a> in his <a href=\"https:\/\/www.youtube.com\/watch?v=OFQYTJiAmxs\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Modern macOS Persistence<\/a> talk, and he also made a POC, which can be found at his <a href=\"https:\/\/github.com\/D00MFist\/InSync\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. With there is really nothing to add here, so this post will be only a high level summary, for everything else refer to the above resources.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 25 - Apache2 modules","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0025\/","pubDate":"Wed, 15 Dec 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0025\/","description":"<blockquote>\n<p>This is part 25 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Possibly a less known feature that macOS has a built-in Apache2 web server, which can be enabled anytime. Just as other Apache2 servers, it also supports the load of custom modules, and this is what we will explore here briefly for persistence. For a detailed web server setup, I recommend the following articles:\n<a href=\"https:\/\/discussions.apple.com\/docs\/DOC-3083\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Setting up a local web server on a Mac - Apple Community<\/a>\n<a href=\"https:\/\/discussions.apple.com\/docs\/DOC-250004361\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Setting up a local web server on macOS 12\u2026 - Apple Community<\/a><\/p>"},{"title":"Beyond the good ol' LaunchAgents - 24 - Folder Actions","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0024\/","pubDate":"Thu, 02 Dec 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0024\/","description":"<blockquote>\n<p>This is part 24 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Folder action persistence has been documented by <a href=\"https:\/\/twitter.com\/its_a_feature_\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Cody Thomas<\/a> back in 2019 <a href=\"https:\/\/posts.specterops.io\/folder-actions-for-persistence-on-macos-8923f222343d\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">in his blog<\/a>. I think he did an awesome job, and everything he wrote still applies today. I wanted to take it a bit further and see if I can persist without any user prompts, and it turned out it is possible. I will also talk about its TCC implications.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 23 - emond, The Event Monitor Daemon","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0023\/","pubDate":"Sat, 27 Nov 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0023\/","description":"<blockquote>\n<p>This is part 23 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This post will be about <code>emond<\/code>, Apple&rsquo;s Event Monitor daemon.<\/p>\n<p>I think almost everything has been already told about this method and <code>emond<\/code> in general by James Reynolds <a href=\"http:\/\/magnusviri.com\/what-is-emond.html\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/twitter.com\/xorrior\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">xorrior<\/a> <a href=\"https:\/\/www.xorrior.com\/emond-persistence\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a> so really not much left for me. There is no point for me replicating their awesome posts, so please just read them. That&rsquo;s it! Thank you for reading! \u00af\\<em>(\u30c4)<\/em>\/\u00af\n.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 22 - LoginHook and LogoutHook","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0022\/","pubDate":"Wed, 24 Nov 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0022\/","description":"<blockquote>\n<p>This is part 22 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This method is considered deprecated by Apple, yet it still works.<\/p>\n<p>LoginHooks and LogoutHooks have been widely documented by many people, so this post is mostly for completeness. The official, Apple documentation can be found here: <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/MacOSX\/Conceptual\/BPSystemStartup\/Chapters\/CustomLogin.html#\/\/apple_ref\/doc\/uid\/10000172i-SW10-SW1\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Customizing Login and Logout<\/a><\/p>\n<p>LoginHooks and LogoutHooks are executed, well&hellip; at logins and logouts just as the name suggest, and they are run as root. They are set in the preferences of the  <code>com.apple.loginwindow<\/code> process, and so it&rsquo;s stored in the file <code>\/var\/root\/Library\/Preferences\/com.apple.loginwindow.plist<\/code>.<\/p>"},{"title":"CVE-2021-30808 - CVE-2021-1784 strikes back - TCC bypass via mounting","link":"https:\/\/theevilbit.github.io\/posts\/cve-2021-30808\/","pubDate":"Fri, 29 Oct 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve-2021-30808\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>CVE-2021-1784 was a vulnerability that allowed an attacker to bypass TCC by mounting over the  <code>~\/Library\/Application Support\/com.apple.TCC<\/code> directory and providing a new TCC database. We covered this with <a href=\"https:\/\/twitter.com\/_r3ggi\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Wojciech Regula<\/a> in or <a href=\"https:\/\/www.slideshare.net\/CsabaFitzl\/20-ways-to-bypass-your-mac-os-privacy-mechanisms\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">20+ ways to bypass your mac os privacy mechanisms<\/a> BlackHat USA talk. This was properly fixed in Big Sur.<\/p>\n<h2 id=\"the-vulnerability\">\n  The Vulnerability\n  <a class=\"heading-link\" href=\"#the-vulnerability\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>I don&rsquo;t know why but I started to experiment with it again in the very first version of Monterey beta, and found that although the exploit doesn&rsquo;t work, we can mount over the <code>~\/Library<\/code> directory. Interestingly this wasn&rsquo;t possible in Big Sur, thus this bug is a regression.<\/p>"},{"title":"About","link":"https:\/\/theevilbit.github.io\/about\/","pubDate":"Fri, 22 Oct 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/about\/","description":"<p>My name is Csaba Fitzl or also known as &ldquo;theevilbit&rdquo;, which comes from <a href=\"https:\/\/www.ietf.org\/rfc\/rfc3514.txt\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">RFC 3514<\/a>. I graduated in 2006 as a computer engineer. I have worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, I have worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Then I was working for OffSec and developed the <a href=\"https:\/\/www.offsec.com\/courses\/exp-312\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">EXP-312: Advanced macOS Control Bypasses<\/a> course. Currently I&rsquo;m working for <a href=\"https:\/\/www.kandji.io\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Kandji<\/a> as a Principal macOS Security Researcher.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 21 - Re-opened Applications","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0021\/","pubDate":"Tue, 12 Oct 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0021\/","description":"<blockquote>\n<p>This is part 21 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This method was also documented by Patrick Wardle, in his original <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2014\/VB2014-Wardle.pdf\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Methods of Malware Persistence<\/a> white paper and also at <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/007\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK\u00ae<\/a>.<\/p>\n<p>When we restart macOS, we are presented with the following window:<\/p>\n<p><img src=\"https:\/\/theevilbit.github.io\/images\/beyond\/beyond_0021_0.png\" alt=\"Re-open Applications Prompt\"><\/p>\n<p>I guess, most users keep it selected, and then macOS will reopen all apps.<\/p>"},{"title":"Getting started in macOS security","link":"https:\/\/theevilbit.github.io\/posts\/getting_started_in_macos_security\/","pubDate":"Mon, 27 Sep 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/getting_started_in_macos_security\/","description":"<p>Many people used to ask me where to start learning about macOS security or exploitation, what are the trainings or books out there that can help with this topic. Nowadays there are a few trainings, which can get you started. Other great resources for macOS security are blog posts and conference talks.<\/p>\n<p>I thought I will try to collect some resources that can help people to get started in this field.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 20 - Terminal Preferences","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0020\/","pubDate":"Wed, 22 Sep 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0020\/","description":"<blockquote>\n<p>This is part 20 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This is another application specific persistence method, related to the Terminal application.<\/p>\n<p>In the Terminal Preferences, under the Profiles tab, we can set a command that will be executed upon Terminal&rsquo;s startup. This is shown in the screen below.<\/p>\n<p><img src=\"https:\/\/theevilbit.github.io\/images\/beyond\/beyond_0020_0.png\" alt=\"Terminal Profile Settings\"><\/p>"},{"title":"Beyond the good ol' LaunchAgents - 19 - Periodic Scripts","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0019\/","pubDate":"Fri, 06 Aug 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0019\/","description":"<blockquote>\n<p>This is part 19 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This post has been long due, as it&rsquo;s one of my favorite persistence tricks. Up until Big Sur 11.5 you could also exploit it for privilege escalation if Homebrew was installed on the system.<\/p>\n<p>Periodic scripts have a FreeBSD origin. These scripts are doing some maintenance tasks on the system, and scheduled to be run on a daily, weekly and monthly basis.<\/p>"},{"title":"GateKeeper - Not a Bypass (Again)","link":"https:\/\/theevilbit.github.io\/posts\/gatekeeper_not_a_bypass\/","pubDate":"Tue, 29 Jun 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/gatekeeper_not_a_bypass\/","description":"<p>This post is about two techniques that can be useful for someone to evade GateKeeper in a red team engagement or pentest. According to Apple these are not considered bypasses, and everything works as expected.<\/p>\n<h2 id=\"mmap\">\n  mmap\n  <a class=\"heading-link\" href=\"#mmap\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>Part of GateKeeper is implemented on macOS in the <code>Quarantine.kext<\/code>  kernel extension. It uses the MAC policy framework to insert hooks on the system on various points. These functions are named as hook*. Let&rsquo;s take a look on what is implemented.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 18 - X11 and XQuartz","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0018\/","pubDate":"Mon, 28 Jun 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0018\/","description":"<blockquote>\n<p>This is part 18 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>I learned about <a href=\"https:\/\/www.xquartz.org\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">XQuartz<\/a> while reading Armin Briegel&rsquo;s <a href=\"https:\/\/books.apple.com\/hu\/book\/macos-terminal-and-shell\/id1550617226\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">\u200emacOS Terminal and shell<\/a> book. It&rsquo;s one of the alternative third party terminals we can install on macOS. As most terminals, this one also offers unique options to persist on the system.<\/p>\n<p>X11 used to be part of OS X, till 10.7, and it was open source, which we can find <a href=\"https:\/\/opensource.apple.com\/source\/X11server\/X11server-106.7\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>"},{"title":"macOS Monterey Shortcuts - First look","link":"https:\/\/theevilbit.github.io\/posts\/monterey_shortcuts\/","pubDate":"Thu, 10 Jun 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/monterey_shortcuts\/","description":"<p>Apple announced macOS Monterey (macOS 12) this week at WWDC, and one of its new features that caught my eye is <strong>Shortcuts<\/strong>. It&rsquo;s already available on iOS, but it made its way to macOS. My security focused brain immediately thought about how cool this feature could be for red teamers or pentesters to persist on macOS :) So I decided to take a quick look on the new functionality, focusing on how it works. All of the below information is based on macOS Monterey Developer Beta 1.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 17 - Color Pickers","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0017\/","pubDate":"Mon, 31 May 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0017\/","description":"<blockquote>\n<p>This is part 17 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Color pickers??? It&rsquo;s this menu, where we can select a color:<\/p>\n<p><img src=\"https:\/\/theevilbit.github.io\/images\/beyond\/beyond_0017_0.png\" alt=\"\"><\/p>\n<p>To my surprise we can install our own color pickers on the system, and add custom ones. There are quite a few of these, some are even open source, like this: <a href=\"https:\/\/github.com\/viktorstrate\/color-picker-plus\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">GitHub - viktorstrate\/color-picker-plus: An Improved Color Picker for macOS<\/a>. Github is full of color picker codes, mostly written in Swift. We don&rsquo;t really need those, unless we want to be stealthy and hide our code inside a legitimate picker.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 16 - Screen Saver","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0016\/","pubDate":"Sun, 30 May 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0016\/","description":"<blockquote>\n<p>This is part 16 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Screen savers have been detailed recently by <a href=\"https:\/\/twitter.com\/_D00mfist\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Leo Pitt<\/a>on his <a href=\"https:\/\/posts.specterops.io\/saving-your-access-d562bf5bf90b\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">blog post: &ldquo;Saving Your Access&rdquo;<\/a>. Considering that he already wrote most of the interesting stuff, I will try to show some new information, but there will be some overlap.<\/p>\n<p>Screen savers are macOS bundles with the bundle extension of <code>.saver<\/code>. Their <code>Info.plist<\/code> file doesn&rsquo;t contain anything screen saver specific, so we can really use any bundle with the right extension.<\/p>"},{"title":"NOCVE - TeamViewer Local Privilege Escalation Vulnerability","link":"https:\/\/theevilbit.github.io\/posts\/teamviewer_lpe\/","pubDate":"Wed, 26 May 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/teamviewer_lpe\/","description":"<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>This is a rather old vulnerability I found in TeamViewer back in 2020, and reported it through VCP\/iDefense. TeamViewer fixed the vulnerability last November, but somehow I missed it, and became aware of it only recently. Their advisory can be found here:\n<a href=\"https:\/\/community.teamviewer.com\/English\/discussion\/107710\/november-updates-security-patches\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">November updates - Security patches \u2014 TeamViewer Support<\/a><\/p>\n<p>The TeamViewer macOS client used a PrivilegedHelperTool named <code>com.teamviewer.Helper<\/code> to perform specific tasks that require <code>root<\/code>\npermissions. Back in 2020 it used a deprecate model to perform IPC communication, called Distributed Objects. It was wide open, and any client could invoke the remote object&rsquo;s functions, and some of those lead to direct privilege escalation.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 15 - xsanctl","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0015\/","pubDate":"Wed, 12 May 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0015\/","description":"<blockquote>\n<p>This is part 15 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>I run into this not so exciting persistent method when I was investigating <code>xsanctl<\/code> for&hellip; other&hellip; reasons&hellip; <code>xsanctl<\/code> is a &ldquo;Xsan file system control utility&rdquo;, which allows us to mount and manage Xsans.<\/p>\n<p>The <code>xsanctl<\/code> binary can be found at <code>\/System\/Library\/Filesystems\/acfs.fs\/Contents\/bin\/xsanctl<\/code>, however when we simply run the command it is run from <code>\/usr\/sbin\/xsanctl<\/code>. If we check, this is a symbolic link.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 14 - atrun","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0014\/","pubDate":"Tue, 27 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0014\/","description":"<blockquote>\n<p>This is part 14 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>The <code>at<\/code> command set is a heritage *nix job scheduler on macOS. Although it&rsquo;s slowly being deprecated, it&rsquo;s still available on Big Sur, although disabled by default.<\/p>\n<h2 id=\"enabling-atrun\">\n  Enabling atrun\n  <a class=\"heading-link\" href=\"#enabling-atrun\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>As described by <code>atrun<\/code>&rsquo;s man page, the scheduler can be enabled using the following command:<\/p>"},{"title":"Experiences with Apple Security Bounty","link":"https:\/\/theevilbit.github.io\/posts\/experiences_with_asb\/","pubDate":"Fri, 23 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/experiences_with_asb\/","description":"<p>Since Apple started their <a href=\"https:\/\/developer.apple.com\/security-bounty\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Apple Security Bounty<\/a> program I have submitted around 50 cases to their product security team. I thought I will share my experiences working with Apple in the past 2 years. This will be useful to anyone thinking about participating in the program, and will help setting up expectations.<\/p>\n<p>Beyond Apple I do bug bounties also in other programs, like HackerOne, BugCrowd, VCP, ZDI or sometimes just working directly with vendors, so I have a good pool of other cases I can  compare to.<\/p>"},{"title":"CVE-2020-9900 & CVE-2021-1786 - Abusing macOS Crash Reporter","link":"https:\/\/theevilbit.github.io\/posts\/macos_crashreporter\/","pubDate":"Tue, 20 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/macos_crashreporter\/","description":"<p>I plan to discuss two symlink attacks in this blog post. The first, more severe one, CVE-2020-9900 was reported by Zhongcheng Li (<a href=\"https:\/\/twitter.com\/0x434B01\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">CK01<\/a>) of Zero-dayits Team of Legendsec at Qi&rsquo;anxin Group, and fixed in <a href=\"https:\/\/support.apple.com\/en-us\/HT211289\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Catalina 10.15.6<\/a>. Apple&rsquo;s advisory said that with a symlink attack it was possible to elevate privileges. I never saw a public document about this bug, so I only assume that I will describe the actual issue here.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 13 - Audio Plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0013\/","pubDate":"Mon, 19 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0013\/","description":"<blockquote>\n<p>This is part 13 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This is another one of my favorites for some reason. macOS being a popular audio editing device, supports external audio drivers and plugins. <a href=\"https:\/\/twitter.com\/xorrior\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@xorrior<\/a> wrote a very extensive blog post about these at his website, here: <a href=\"https:\/\/posts.specterops.io\/audio-unit-plug-ins-896d3434a882\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Audio Unit Plug-ins. Legitimate Un-signed Code Execution | by Christopher Ross | Posts By SpecterOps Team Members<\/a><\/p>"},{"title":"Beyond the good ol' LaunchAgents - 12 - QuickLook Plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0012\/","pubDate":"Mon, 05 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0012\/","description":"<blockquote>\n<p>This is part 12 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>This technique is very similarly to Spotlight Importers, but heavily sandboxed. It\u2019s even more limited as the user need to specifically want to preview the file.<\/p>\n<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>This will be a short post and it goes hand in hand with my <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_0011\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">previous one<\/a> that detailed the use of Spotlight Importers for persistence. Jonathan\u2019s book also details QuickLook plugins and <a href=\"https:\/\/twitter.com\/osxreverser\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">fG! (@osxreverser) on Twitter<\/a> also said that he used to play with this, so I decided to take a look as well.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 11 - Spotlight Importers","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0011\/","pubDate":"Sat, 03 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0011\/","description":"<blockquote>\n<p>This is part 11 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>It works, but very limited due to heavy sandboxing, you can only read and copy files to your sandbox folder or consume some CPU power. If you have a way to escape sandbox then go for it, or could be used as part of a multi-part malware.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 10 - Application script files","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0010\/","pubDate":"Fri, 02 Apr 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0010\/","description":"<blockquote>\n<p>This is part 10 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>I started to explore to possibility of persisting on macOS through script files contained in an application. The basic idea is that if we find a script file, which is being executed by a given application, we can edit that script file, put our code inside, and wait for an execution. Such technique is highly dependent on the applications the user has installed, so I looked through first how rare \/ frequent is having such scripts inside applications. I started with the below searches:<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 9 - Preference Pane","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0009\/","pubDate":"Thu, 25 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0009\/","description":"<blockquote>\n<p>This is part 9 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Preference panes on macOS are plugins to the <code>System Preferences.app<\/code>. These panes can extend the functionality of the app, and typically allow you to modify configuration settings for your app. These admins are loaded when the user selects them, so they are not perfect from persistence point of view, as it requires user interaction, but can still be a thing.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 8 - Hammerspoon","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0008\/","pubDate":"Tue, 23 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0008\/","description":"<blockquote>\n<p>This is part 8 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This idea came from my colleague <a href=\"https:\/\/twitter.com\/dejandayoff\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@dejandayoff<\/a>. It&rsquo;s another application specific persistence option, related to <a href=\"https:\/\/www.hammerspoon.org\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Hammerspoon<\/a>. The app is an automation tool, that allows macOS scripting through LUA scripting language. We can even embed full AppleScript code as well as run shell scripts.<\/p>\n<p>The app looks for a single file, <code>~\/.hammerspoon\/init.lua<\/code>, and when started the script will be executed. They have plenty of examples on their <a href=\"https:\/\/www.hammerspoon.org\/go\/#imessagesms\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Getting Started<\/a> page, and an extensive API <a href=\"https:\/\/www.hammerspoon.org\/docs\/index.html\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">documentation<\/a>.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 7 - xbar plugins","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0007\/","pubDate":"Mon, 22 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0007\/","description":"<blockquote>\n<p>This is part 7 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>This technique came from <a href=\"https:\/\/twitter.com\/bradleyjkemp\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@bradleyjkemp<\/a> in one of his Twitter <a href=\"https:\/\/twitter.com\/bradleyjkemp\/status\/13743463128759787550\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">posts<\/a>.<\/p>\n<p><a href=\"https:\/\/github.com\/matryer\/xbar\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">xbar<\/a> is an application that can put the output of a script into the menubar. The scripts should be placed in <code>~\/Library\/Application\\ Support\/xbar\/plugins\/<\/code>. Standard shell scripts are supported, and so I tried the one listed on their GitHub page as an example.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 6 - SSHRC","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0006\/","pubDate":"Sun, 21 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0006\/","description":"<blockquote>\n<p>This is part 6 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>I learned about this trick from <a href=\"https:\/\/twitter.com\/0xdade\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@0xdade<\/a> when he <a href=\"https:\/\/twitter.com\/0xdade\/status\/1373145566943711235\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">posted<\/a> it on Twitter.<\/p>\n<p>If we create a file in the user&rsquo;s HOME directory at <code>~\/.ssh\/rc<\/code> it will be executed prior to the user&rsquo;s login shell becomes available. The man page of <code>sshd<\/code> describes this in more detail.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 5 - Pluggable Authentication Modules (PAM)","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0005\/","pubDate":"Sat, 20 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0005\/","description":"<blockquote>\n<p>This is part 5 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Pluggable_authentication_module\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">PAM<\/a> originated from Red Hat Linux, but made its way to most *nix based system, including macOS. It&rsquo;s a modular system, that allows third party additions to various authentication related operations. I highly recommend checking out the <a href=\"https:\/\/docs.freebsd.org\/en\/articles\/pam\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">FreeBSD documentation<\/a> to get a full picture.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 4 - cron jobs","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0004\/","pubDate":"Thu, 18 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0004\/","description":"<blockquote>\n<p>This is part 4 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Cron\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">cron<\/a> is probably one of the most well known persistence mechanisms for macOS and basically any *nix operating system. It was originally developed for Unix back in 1975, and made its way to most platforms, which has Unix origins, like Linux, FreeBSD and thus macOS.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 3 - Login Items","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0003\/","pubDate":"Wed, 17 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0003\/","description":"<blockquote>\n<p>This is part 3 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>To clear up some expectations. The below tweet is not about this method, that is deferred for now. :)<\/p>\n<p><img src=\"https:\/\/theevilbit.github.io\/images\/beyond\/beyond_0003_0.png\" alt=\"Twitter\"><\/p>\n<p>Login items are probably one of the most well documented methods to persist on macOS. It&rsquo;s widely used by various application to launch themselves upon user login. These applications show up in the menubar most of the time.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 2 - iTerm2 startup","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0002\/","pubDate":"Tue, 16 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0002\/","description":"<blockquote>\n<p>This is part 2 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>If the first part was about <code>Terminal<\/code> and shell profiles, it&rsquo;s worth to mention <a href=\"https:\/\/iterm2.com\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">iTerm2<\/a>, which is a popular Terminal alternative on macOS. It&rsquo;s being used by many people, especially power users.<\/p>\n<p>When we start <code>iTerm2<\/code> it starts the same shell environment as <code>Terminal<\/code>,  and thus the same startup files apply here as well. However this application has an additional way to execute code.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - 1 - shell startup files","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_0001\/","pubDate":"Sun, 14 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_0001\/","description":"<blockquote>\n<p>This is part 1 in the series of &ldquo;Beyond the good ol&rsquo; LaunchAgents&rdquo;, where I try to collect various persistence techniques for macOS. For more background check the <a href=\"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">introduction<\/a>.<\/p>\n<\/blockquote>\n<p>Shell startup files are executed when our shell environment like <code>zsh<\/code> or <code>bash<\/code> is starting up. macOS defaults to <code>\/bin\/zsh<\/code>  these days, and whenever we open <code>Terminal<\/code> or SSH into the device, this is the shell environment we are placed into. <code>bash<\/code> and <code>sh<\/code> are still available, however they have to be specifically started.<\/p>"},{"title":"Beyond the good ol' LaunchAgents - Introduction","link":"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/","pubDate":"Sun, 14 Mar 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/beyond\/beyond_intro\/","description":"<p>I was always amazed by <a href=\"https:\/\/twitter.com\/Hexacorn\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@Hexacorn<\/a>&rsquo;s <a href=\"https:\/\/www.hexacorn.com\/blog\/category\/autostart-persistence\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Beyond good ol&rsquo; Run key<\/a> blog post series, which collects various <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0003\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">persistence<\/a> methods on Windows. It&rsquo;s an awesome series, which has 133 parts at the time of this writing. I find them pretty cool, and if you are doing either offensive or defensive work on Windows, this is  a must read and follow blog.<\/p>\n<p>In the past years as my interest in macOS grew, and now that I&rsquo;m mostly doing only macOS related research and studies I started to came across many - many tricks, which allows someone to do persistence on macOS beyond just the <code>LaunchDaemons<\/code> or <code>LaunchAgents<\/code> directories, which is used to store the <code>launchd<\/code> startup files. This location is probably as classic on macOS as the <code>Run<\/code> registry key on Windows. I did write about two different techniques in my regular posts (<a href=\"https:\/\/theevilbit.github.io\/posts\/macos_persistence_spotlight_importers\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/theevilbit.github.io\/posts\/macos_persisting_through-application_script_files\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">here<\/a>), but it never became a full series. So I started to think about writing posts for each idea I came across, just like Adam does for Windows, but I would do for macOS. With almost the same name, just swapping <code>Run key<\/code> with <code>LaunchAgents<\/code> and name it <code>Beyond the good ol' LaunchAgents<\/code>.<\/p>"},{"title":"About com.apple.private.security.clear-library-validation","link":"https:\/\/theevilbit.github.io\/posts\/com.apple.private.security.clear-library-validation\/","pubDate":"Tue, 19 Jan 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/com.apple.private.security.clear-library-validation\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>On macOS 10.15.2 Apple introduced the <code>com.apple.private.security.clear-library-validation<\/code> entitlement, which is slowly replacing the previously used <code>com.apple.security.cs.disable-library-validation<\/code> entitlement on system binaries. Although their impact is the about the same, the way they work is different. While library validation is automatically disabled using <code>com.apple.security.cs.disable-library-validation<\/code>, with <code>com.apple.private.security.clear-library-validation<\/code>, the application has to disable it for itself through a <code>csops<\/code> system call.<\/p>\n<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>With the release of Big Sur, I noticed that many of the system binaries have a new entitlement, which I didn&rsquo;t see before, and that is <code>com.apple.private.security.clear-library-validation<\/code> (later it turned out that it was introduced earlier, but I didn&rsquo;t know about it that time). These applications possessed the <code>com.apple.security.cs.disable-library-validation<\/code> before, so it seemed that this is being replaced with a new one. The name suggest similarity, and testing it also confirmed, that these binaries can still load third party plugins signed by non Apple developers. This means that these entitlements have the same impact.<\/p>"},{"title":"Divide and Conquer - A technique to bypass NextGen AV","link":"https:\/\/theevilbit.github.io\/posts\/divide_and_conquer\/","pubDate":"Sun, 17 Jan 2021 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/divide_and_conquer\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>This blog post describes a generic technique I called internally on our red team assessment &ldquo;Divide and Conquer&rdquo;, which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.<\/p>\n<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>Back in 2019 I was part of a red team, where our daily activity was to bypass a specific NextGen AV. I had this idea I called &ldquo;divide and conquer&rdquo;. I was so excited about it, that I had to name it :) That time I didn&rsquo;t want to publicly write about it, and I also haven&rsquo;t found any sources on the Internet that describes this idea (which describes my poor searching skills). Time passed, and by the time I could have write about it, I forgot. Then a few days ago <a href=\"https:\/\/twitter.com\/Hexacorn\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Adam (@Hexacorn)<\/a> posts <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1350437846398722049\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">this<\/a>:<\/p>"},{"title":"CVE-2020-9771 - Reversing Engineering the Fix","link":"https:\/\/theevilbit.github.io\/posts\/reversing_cve_2020_9771\/","pubDate":"Sun, 13 Dec 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/reversing_cve_2020_9771\/","description":"<p>When I originally found the <code>mount_apfs<\/code> bug back in December, 2019, I honestly had no idea what was the root cause of it, nor had a clue how to even start looking into it. The only thing I knew for sure that the answer is within kernel. My macOS knowledge was still quite fresh that time (and even today), and was busy with so many other stuff that I never had the time to start looking into it.<\/p>"},{"title":"NOCVE - Microsoft Teams for macOS Local Privilege Escalation","link":"https:\/\/theevilbit.github.io\/posts\/microsoft_teams_lpe\/","pubDate":"Tue, 17 Nov 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/microsoft_teams_lpe\/","description":"<p>This blog post shares the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft Teams. Although Microsoft secured these services reasonably well, we will see how small code mistakes can have serious impacts.<\/p>\n<p>We reported the issue to MSRC, but unfortunately Microsoft decided that  \u201cthe finding is valid but does not meet our bar for immediate servicing.\u201d While they have since hardened the XPC service, it remains exploitable.<\/p>"},{"title":"Let's talk macOS Authorization","link":"https:\/\/theevilbit.github.io\/posts\/macos_authorization\/","pubDate":"Thu, 22 Oct 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/macos_authorization\/","description":"<p>This is a blog post I wanted to write for a while now, but somehow never got the time for it, and I also knew that it will require lots of time, so I kept delaying it. I finally kicked my ass, sat down, and wrote it.<\/p>\n<p>The goal of the post is to cover many aspects of authorization, which I found interesting from security perspective. Honestly, partially for selfish reasons so I will have a goto summary when I need to lookup something later instead of browsing through 8-10 different articles. All of these information I try catch here in one post, are known, but spread all over the place in various blog posts and articles, and I never found a good, central location with all the details. Also some of the items are very confusing and it took me some time to clear things in my head as not everything is obvious or intuitive.<\/p>"},{"title":"CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation","link":"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/","pubDate":"Fri, 03 Jul 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>We could mount the entire file system through APFS snapshots as read-only, with the <code>noowners<\/code> flag, which enables us accessing (almost) every file in the file system, including data (documents, files, etc&hellip;) of every user on the system, including those protected by Apple&rsquo;s privacy framework (TCC). Even with the Guest account we could read files of admin accounts as Guest! \ud83d\ude31<\/p>\n<p>This could be achieved with a single command, for example:\n<code>mount_apfs -o noowners -s com.apple.TimeMachine.2019-11-17-141812.local \/System\/Volumes\/Data \/tmp\/snap<\/code><\/p>"},{"title":"CVE-2020-14977 - Secure coding XPC Services - Part 5 - PID reuse attacks","link":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part5\/","pubDate":"Tue, 16 Jun 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part5\/","description":"<p>In the last post of the series we will see another typical issue, where XPC services using the connecting process&rsquo;s ID (PID) to verify the client instead of the audit token. We will use F-Secure SAFE again for our case study, the vulnerability was fixed in 17.8 and it was assigned CVE-2020-14977.<\/p>\n<h2 id=\"the-root-cause\">\n  The root cause\n  <a class=\"heading-link\" href=\"#the-root-cause\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>The XPC services of F-Secure SAFE use the process ID (PID) to verify the client&rsquo;s signature, as can be seen in the code below.<\/p>"},{"title":"CVE-2020-14978 - Secure coding XPC Services - Part 4 - Improved client authorization","link":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part4\/","pubDate":"Fri, 12 Jun 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part4\/","description":"<h1 id=\"f-secure-safe-xpc-service-exploitation-cve-2020-14978\">\n  F-Secure SAFE XPC service exploitation (CVE-2020-14978)\n  <a class=\"heading-link\" href=\"#f-secure-safe-xpc-service-exploitation-cve-2020-14978\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h1>\n<h2 id=\"intro\">\n  Intro\n  <a class=\"heading-link\" href=\"#intro\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>In this post we will look into an other case study which will show us (again) why XPC client verification is crucial in XPC security, and how added authorization checks can slightly improve (but not fix) the problem. The F-Secure SAFE XPC services installed on macOS were not sufficiently hardened, and a malicious actor had the ability to interact with them. The vulnerability was fixed in version 17.8, it allowed an attacker to query specific settings, or if authorization used, it could prompt a user for password on behalf of F-Secure and ask for permissions to change settings.<\/p>"},{"title":"The AMFI MACF policy system call","link":"https:\/\/theevilbit.github.io\/posts\/amfi_syscall\/","pubDate":"Tue, 09 Jun 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/amfi_syscall\/","description":"<p>On macOS, one popular technique to inject code into other applications is leveraging the <code>DYLD_INSERT_LIBRARIES<\/code> environment variable, which I wrote about in 2019 <a href=\"https:\/\/theevilbit.github.io\/posts\/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">DYLD_INSERT_LIBRARIES DYLIB injection in macOS \/ OSX<\/a>. This variable can store a colon-separated list of dynamic libraries to load before the ones specified in the target process.<\/p>\n<p>Several limitations apply to when this injection technique can be used and when it cannot, which I also discussed. I revisited this topic, not only because things might have changed since then but also to ensure that I didn\u2019t miss anything. It turned out to be a wise move and a useful exercise.<\/p>"},{"title":"CVE-2020-0984 - Secure coding XPC Services - Part 3 - Incorrect client verification","link":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part3\/","pubDate":"Fri, 29 May 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part3\/","description":"<h1 id=\"microsoft-autoupdate-macos-privilege-escalation-vulnerability-cve-2020-0984\">\n  Microsoft AutoUpdate macOS privilege escalation vulnerability (CVE-2020-0984)\n  <a class=\"heading-link\" href=\"#microsoft-autoupdate-macos-privilege-escalation-vulnerability-cve-2020-0984\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h1>\n<h2 id=\"introduction\">\n  Introduction\n  <a class=\"heading-link\" href=\"#introduction\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>This is the third post in my series which is trying to help Apple developers to avoid typical insecure coding practices. This one will highlight why XPC client hardening and proper verification is extremely important when we use XPC messaging on macOS between clients that run as a normal user and services that run as root. If this validation is not right, it opens up the possibility for an attacker to run privileged commands or worse case, achieve full privilege escalation on the system.<\/p>"},{"title":"Kernel Debugging macOS with SIP","link":"https:\/\/theevilbit.github.io\/posts\/kernel_debugging_with_sip\/","pubDate":"Tue, 12 May 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/kernel_debugging_with_sip\/","description":"<p>As security researchers, we often find ourselves needing to look deep into various kernels to fully understand our target and accomplish our goals. Doing so on the Windows platform is no mystery, as there have been countless well-written posts about kernel debugging setups. For macOS, however, the situation is slightly different.<\/p>\n<p>There are many great posts describing how to set up kernel debugging between two machines, but all of them suggest that SIP (System Integrity Protection) should be disabled for kernel debugging. This creates a problem if we want to investigate the inner workings of macOS\u2019s security mechanisms, since turning off SIP will also turn off most of the foundational security features of the operating system.<\/p>"},{"title":"Secure coding XPC Services - Part 2 - Checking CS (CodeSigning) flags of the client","link":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part2\/","pubDate":"Sun, 22 Mar 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part2\/","description":"<p>I&rsquo;m still waiting for some bug fixes to release the previously planned posts, and in the meantime I continue to poke at other PrivilegedHelperTools. This post born because I actually failed to exploit an XPC service, and I learned something new in regards, of how to securely write such a service. One application that came to my sight is <a href=\"https:\/\/www.sparklabs.com\/viscosity\/download\/\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Viscosity<\/a>. This tool was already in Tyler Bohan&rsquo;s list, where his team looked on exploiting such services: <a href=\"https:\/\/github.com\/blankwall\/Offensive-Con\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">GitHub - blankwall\/Offensive-Con: Talk and materials for Offensive Con presentation - Privileged Helper Tools<\/a>. I still thought that I will give it a try, because many times, fixes are not properly done, and you can reexploit the bugs.<\/p>"},{"title":"TALK - Exploiting directory permissions on macOS","link":"https:\/\/theevilbit.github.io\/posts\/exploiting_directory_permissions_on_macos\/","pubDate":"Wed, 18 Mar 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/exploiting_directory_permissions_on_macos\/","description":"<p>This research started around summer time in 2019, when everything settled down after my talk in 2019, where I detailed how did I gained root privileges via a benign App Store application, that I developed. That exploit used a symlink to achieve this, so I though I will make a more general approach and see if this type of vulnerability exists in other places as well on macOS systems. As it turns out it does exists, and not just on macOS directly but also on other apps, it appears to be a very fruitful of issue, without too much effort I found 5 exploitable bugs on macOS, 3 in Adobe installers. In the following post I will first go over the permission model of the macOS filesystem, with focus on the POSIX part, discuss some of the non trivial cases it can produce, and also give a brief overview how it is extended. I won&rsquo;t cover every single detail of the permission model, as it would be a topic in itself, but rather what I found interesting from the exploitation perspective.\nThen I will cover how to find these bugs, and finally I will go through in detail all of the bugs I found. Some of these are very interesting as we will see, as exploitation of them involves &ldquo;writing&rdquo; to files owned by root, while we are not root, which is not trivial, and can be very tricky.<\/p>"},{"title":"CVE-2019-20057 - Secure coding XPC services - Part 1 - Why EvenBetterAuthorization is not enough?","link":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part1\/","pubDate":"Sun, 12 Jan 2020 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/secure_coding_xpc_part1\/","description":"<p>This is the first part of a blog post series I plan about PrivilegedHelperTools that exists on macOS systems. I recently took a look on a couple of these tools, and found that it&rsquo;s very easy to make the code insecure, as there are many small pieces to it, and if one is done wrong, the helper tool will be open to abuse by anyone having a foothold on the system. Depending on the application this might be limited to certain privileged actions (setting system configurations, mounting, etc&hellip;), and in some cases it&rsquo;s more broad, and thus a full privilege escalation can be performed. Ideally only the real client application should be able to talk to the helper tool, and all other connections should be refused.<\/p>"},{"title":"GateKeeper - Bypass or not bypass?","link":"https:\/\/theevilbit.github.io\/posts\/gatekeeper_bypass_or_not_bypass\/","pubDate":"Fri, 25 Oct 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/gatekeeper_bypass_or_not_bypass\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>On macOS Mojave Gatekeeper only verifies executables, which are run with the <code>open<\/code> command or the user double clicks. It won\u2019t verify files, that are executed through other means like, directly executing a binary <code>.\/myapp<\/code> regardless of the quarantine attribute. If you can place a plist file inside LaunchAgents\/LaunchDaemons, the command inside will also be executed. Prior to Catalina there is a way to trick users to drag &amp; drop files in the LaunchAgents folder.\nOn macOS Catalina lot has changed, the most notable one regarding gatekeeper is that it will verify files when executed via classic \u2018exec\u2019 methods.<\/p>"},{"title":"CVE-2020-14974 & CVE-2020-14975 - IOBit Unlocker 1.1.2 - Local Privilege Escalation","link":"https:\/\/theevilbit.github.io\/posts\/iobit_unlocker_lpe\/","pubDate":"Sat, 12 Oct 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/iobit_unlocker_lpe\/","description":"<p>IOBit\u2019s Unlocker program is advertised to solve the following issues:<\/p>\n<blockquote>\n<p>IObit Unlocker performs well in solving \u201ccannot delete files\u201d, \u201caccess is denied\u201d, \u201cThe file is in use by another program or user\u201d, or \u201cThere has been a sharing violation\u201d problems. With IObit Unlocker, you can manage all your files the way you want.<\/p>\n<\/blockquote>\n<p>and even:<\/p>\n<blockquote>\n<p>With \u201cUnlock &amp; Delete\u201d, \u201cUnlock &amp; Rename\u201d, \u201cUnlock &amp; Move\u201d, and \u201cUnlock &amp; Copy\u201d, IObit Unlocker offers easier ways to unlock and manage the files and folders to keep them safe and available.<\/p>"},{"title":"NOCVE - Few click RCE via GitHub Desktop macOS client with Gatekeeper bypass and custom URL handlers","link":"https:\/\/theevilbit.github.io\/posts\/few_click_rce_via_github_desktop_macos_client_with_gatekeeper_bypass_and_custom_url_handlers\/","pubDate":"Sat, 05 Oct 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/few_click_rce_via_github_desktop_macos_client_with_gatekeeper_bypass_and_custom_url_handlers\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>The GitHub Desktop app doesn\u2019t add the quarantine extended attribute to files downloaded from the web, and this along with macOS\u2019s URL handler auto-registration feature allows an attacker to execute arbitrary, even unsigned code on a macOS system. If we don\u2019t count the clicks required to open the GitHub App, and cloning an external repository, then this is a 2 click RCE.<\/p>"},{"title":"Shield - An app to protect against process injection on macOS","link":"https:\/\/theevilbit.github.io\/shield\/","pubDate":"Sun, 22 Sep 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/shield\/","description":"<h1 id=\"shield---an-app-to-protect-against-process-injection-on-macos\">\n  Shield - An app to protect against process injection on macOS\n  <a class=\"heading-link\" href=\"#shield---an-app-to-protect-against-process-injection-on-macos\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h1>\n<p>In this post I would like to tell the story of the Shield.app development and also introduce its features. It&rsquo;s been a ride over the past year, and I wasn&rsquo;t sure always that it will happen.<\/p>\n<h2 id=\"motivation-for-limiting-process-injections\">\n  Motivation for limiting process injections\n  <a class=\"heading-link\" href=\"#motivation-for-limiting-process-injections\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>In the past 2 years I started to dig into macOS security research, and along the way it became pretty clear that beyond memory corruption issues the alpha and omega of macOS exploits is to run code in the context of other applications. The reason for this lies within the security model of macOS (and in fact *OS as well). Each application has a list of entitlements that grants the application various rights. If we take only 3rd party applications it&rsquo;s mostly around what it can do if it&rsquo;s sandboxed (e.g.: access the network) or if not sandboxed, which privacy (TCC) protected areas can it access, like camera, microphone, messages, etc&hellip; In case of TCC, if we don&rsquo;t hold these entitlements, we can&rsquo;t access those resources or location even if we run as root.<\/p>"},{"title":"UninstallString - a possible LPE via Social Engineering","link":"https:\/\/theevilbit.github.io\/posts\/uninstallstring_a_possible_lpe_via_social_engineering\/","pubDate":"Fri, 09 Aug 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/uninstallstring_a_possible_lpe_via_social_engineering\/","description":"<p>Whenever you install an application on Windows, typically through MSI, there is a registry key created, with plenty of information for uninstallation, like the uninstaller location, install date, publisher, etc\u2026 you can find all of the options here:\n<a href=\"https:\/\/nsis.sourceforge.io\/Add_uninstall_information_to_Add\/Remove_Programs\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">Add uninstall information to Add\/Remove Programs - NSIS<\/a><\/p>\n<p>In case an application is installed for the current user and not for all user, the Installation\/Uninstallation details will go to the <code>Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\<\/code> registry key instead of the <code>HKLM<\/code> hive. For example OneDrive has all the information under the following registry key: <code>Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe<\/code><\/p>"},{"title":"A simple protection against HMValidateHandle technique","link":"https:\/\/theevilbit.github.io\/posts\/a_simple_protection_against_hmvalidatehandle_technique\/","pubDate":"Wed, 31 Jul 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/a_simple_protection_against_hmvalidatehandle_technique\/","description":"<p>In the recent days I was reading technical analysis of win32k exploits from recent years, and it caught my eyes, that the HMValidateHandle technique is very heavily used almost everywhere. Then I had an idea how to protect against this family of exploits, which I think is very simple. This post will be about that.<\/p>\n<h2 id=\"what-is-hmvalidatehandle\">\n  What is HMValidateHandle?\n  <a class=\"heading-link\" href=\"#what-is-hmvalidatehandle\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>HMValidateHandle is an internal, unexported function of <code>user32.dll<\/code>. It takes a handle and a handle type as arguments, and by looking up the handle table, if the handle is matching with the type it will copy the object to user memory. If the object contains a pointer to itself, like <code>tagWND<\/code> it can be used to leak memory addresses from the kernel. This has been a known technique for very long time, I think the first mention of this was in Tarjei Mandt\u2019s 2011 BlackHat US talk, you can find the PDF here: <a href=\"https:\/\/media.blackhat.com\/bh-us-11\/Mandt\/BH_US_11_Mandt_win32k_WP.pdf\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">https:\/\/media.blackhat.com\/bh-us-11\/Mandt\/BH_US_11_Mandt_win32k_WP.pdf<\/a>\nThere are awful lot of documentation about this, and it was widely abused in many-many Windows kernel exploits, as you could reliably leak kernel object addresses, especially useful for kernel pool spraying. Thus Microsoft decided to finally close this, and so this technique doesn\u2019t work beyond Windows 10 RS4.<\/p>"},{"title":"DYLD_INSERT_LIBRARIES DYLIB injection in macOS \/ OSX","link":"https:\/\/theevilbit.github.io\/posts\/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive\/","pubDate":"Tue, 09 Jul 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive\/","description":"<p>After my recent blog post, my old mate <a href=\"https:\/\/twitter.com\/_Dark_Knight_\"  class=\"external-link\" target=\"_blank\" rel=\"noopener\">@_Dark_Knight_<\/a> reached out to me and he asked me a question:<\/p>\n<blockquote>\n<p>\u201cDo you typically callout user apps that allow dyld_insert_libraries?\u201d<\/p>\n<\/blockquote>\n<p>And a few similar ones, and I will be honest, I had no idea what is he talking about, if only I understood the question :D Despite the fact that my recent blog posts and talks are about macOS, I deal much more with Windows on a daily basis, probably like 95%, and macOS is still a whole new territory for me. So I decided to dig into the question and learn a bit more about this.<\/p>"},{"title":"TALK - macOS - Getting root with benign AppStore apps","link":"https:\/\/theevilbit.github.io\/posts\/getting_root_with_benign_appstore_apps\/","pubDate":"Sat, 01 Jun 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/getting_root_with_benign_appstore_apps\/","description":"<p>This writeup is intended to be a bit of storytelling. I would like to show how I went down the rabbit hole in a quick \u2019research\u2019 I wanted to do, and eventually found a local privilege escalation vulnerability in macOS. I also want to show, tell about all the obstacles and failures I run into, stuff that people don\u2019t talk about usually, but I feel it\u2019s part of the process all of us go through, when we try to create something.<\/p>"},{"title":"CVE-2020-14976 - GNS3 ubridge SETUID bit - arbitrary file read","link":"https:\/\/theevilbit.github.io\/posts\/gns3_ubridge_setuid_bit_arbitrary_file_read\/","pubDate":"Tue, 28 May 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/gns3_ubridge_setuid_bit_arbitrary_file_read\/","description":"<p>A couple of weeks ago, I had the idea of scanning my Mac for files that has the SUID bit set, I wanted to see if there is anything interesting showing up. You can do it this way:<\/p>\n<div class=\"highlight\"><pre tabindex=\"0\" style=\"background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"><code class=\"language-bash\" data-lang=\"bash\"><span style=\"display:flex;\"><span>\/usr\/bin\/sudo find \/ -perm -4000 -exec \/bin\/ls -ldb <span style=\"color:#555\">{}<\/span> <span style=\"color:#c30;font-weight:bold\">\\;<\/span> &gt; suidfilelist\n<\/span><\/span><\/code><\/pre><\/div><p>There was one item that caught my attention, and that was a file called <code>ubridge<\/code> inside GNS3. I used to be a network guy, and GNS3 is a great tool to emulate real network gear, practice configuration, etc.. I highly recommend for anyone who learns networking. This was the file:<\/p>"},{"title":"CVE-2019-5514 - VMware Fusion 11 - Guest VM RCE","link":"https:\/\/theevilbit.github.io\/posts\/vmware_fusion_11_guest_vm_rce_cve-2019-5514\/","pubDate":"Sun, 31 Mar 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/vmware_fusion_11_guest_vm_rce_cve-2019-5514\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>You can run an arbitrary command on a VMware Fusion guest VM through a website without any priory knowledge. Basically VMware Fusion is starting up a websocket listening only on the localhost. You can fully control all the VMs (also create\/delete snapshots, whatever you want) through this websocket interface, including launching apps. You need to have VMware Tools installed on the guest for launching apps, but honestly who doesn\u2019t have it installed. So with creating a javascript on a website, you can interact with the undocumented API, and yes it\u2019s all unauthenticated.<\/p>"}]}}