Gaining Root Privileges on MacOS with App Store Apps

Csaba Fitzl - macOS: Gaining root with Harmless AppStore Apps - SecurityFest 2019

Estimated read time: 1:20

Summary

This informative presentation by Csaba Fitzl at Security Fest 2019 delves into the intricate process of exploiting security vulnerabilities in macOS applications, specifically focusing on privilege escalation via innocuous-looking App Store applications. Fitzl, a seasoned red teamer, outlines the cooperative dynamics between red and blue teams in security research. He shares insights from his journey of exploring dylib hijacking vulnerabilities, which led him to discover multiple privilege escalation methods. Throughout the talk, he demonstrates the process of creating a seemingly legitimate app to exploit these vulnerabilities, revealing the ease with which files can be manipulated and placed within application packages to gain unauthorized access. Despite the eventual fixes applied by Apple to address these escalations, Fitzl emphasizes the importance of continuous security evaluation and the complexities involved in ensuring robust security measures. This presentation is a reminder of the persistent nature of security vulnerabilities and the need for vigilant system integrity checks.

Highlights

• Csaba Fitzl demonstrates how red and blue teams can mutually enhance security practices 🤝.
• Unraveling the intricacies of privilege escalation on macOS using benign App Store applications 😮.
• Diving into dynamic library (dylib) hijacking vulnerabilities that allow stealthy command execution 💻.
• Fitzl shares his experience creating a POC app that exploits system vulnerabilities for root access 📲.
• Security patches from Apple highlight the ongoing battle against sophisticated exploitation techniques 🛡️.

Key Takeaways

• Red and blue teams should collaborate, not compete, to improve security together 🤝.
• Privilege escalation on macOS can be sneakily achieved through App Store apps 👀.
• Dylib hijacking allows malicious code execution by exploiting application packages 📦.
• Despite user-friendly apps, underlying vulnerabilities can pose significant security threats ⚠️.
• Apple's fixes reiterate the need for ongoing security vigilance and updates 🔄.

Overview

Csaba Fitzl brings attention to the symbiotic relationship between red and blue teams in enhancing security. During his presentation, he emphasizes the importance of collaborative efforts over competition, as both teams aim for strengthened defenses against potential threats. His experience in exploring macOS vulnerabilities becomes central to the narrative, showcasing his analytical approach to uncovering system weak points.

Using a dynamic library (dylib) hijacking method, Fitzl highlights how seemingly non-threatening App Store apps can be leveraged to gain root access on macOS. Through the clever manipulation of application packages, such vulnerabilities are exploited without raising immediate suspicion. His proof-of-concept application serves as a demonstration of the ease with which these exploits can be performed.

Despite Apple's efforts to remediate these vulnerabilities through patches, Fitzl underscores that these fixes are part of a larger, ongoing cycle of threat mitigation. His insights remind us of the ever-evolving landscape of cybersecurity threats and the necessity for persistent vigilance and updates to safeguarding measures to protect sensitive systems.

Chapters

• 00:00 - 00:30: Introduction The chapter 'Introduction' begins with the speaker, Csaba, introducing himself. It's his second time speaking at the event, and he expresses pleasure in returning. Csaba shares that he will discuss macOS vulnerabilities, focusing partly on local privilege escalation. He briefly touches on his current role as a red teamer.
• 00:30 - 01:00: Background and Objectives In this chapter titled 'Background and Objectives,' the speaker shares insights from his five years of experience on a blue team, contrasting this with the red team's work. While finding the red team more enjoyable, he emphasizes the mutual benefits for both teams. Although these teams often appear adversarial, the speaker argues that successful red teams help blue teams excel, emphasizing a shared objective: enhancing company security. Collaboration, rather than rivalry, should define their relationship, with the goal of mutual improvement and strengthening company defenses.
• 01:00 - 01:30: Team Dynamics The chapter discusses the importance of team dynamics and how teams should not view each other as enemies. Instead, they should work collaboratively, like a 'purple team.' The chapter also briefly mentions the maintenance of a Python toolkit for kernel exploitation.
• 01:30 - 02:00: Personal Background This chapter focuses on the personal background of the speaker, mentioning his family and leisure activities. The speaker has two children with whom he enjoys sightseeing in Göteborg. He also engages in hiking and yoga during his free time. Additionally, the speaker briefly touches upon his professional interests, particularly in cybersecurity, mentioning a presentation on a privilege escalation vulnerability in macOS, while emphasizing the narrative aspect of his work.
• 02:00 - 02:30: Presentation Overview The chapter titled 'Presentation Overview' describes the research journey of the presenter. Instead of initially focusing on a macOS bug or a privilege escalation issue, the researcher began with an entirely different topic. During this process, the researcher got distracted and ventured deep into an unintended path, highlighting a common experience in research where the original topic of interest evolves as new discoveries are made.
• 02:30 - 03:00: Dylib Hijacking Overview The chapter introduces the topic of dylib hijacking on macOS. It starts with a brief overview of what dylib hijacking is and its relevance on the macOS platform. The speaker sets the stage for a more in-depth discussion on the subject matter, including its mechanisms and implications.
• 03:00 - 04:00: Finding Vulnerabilities The chapter titled 'Finding Vulnerabilities' covers several topics related to vulnerabilities and security within macOS. It starts with discussing app development for the App Store. The chapter then shifts to exploring privilege escalation on High Sierra, a security exploit that allows a user to gain elevated access to resources. Additionally, the chapter delves into modifying installers on macOS to facilitate certain unofficial processes, including the redistribution of paid apps. Finally, it revisits the topic of privilege escalation in a more nuanced manner, as the author originally aimed to discover a different class of vulnerability.
• 04:00 - 05:30: Exploitation Techniques In the chapter titled 'Exploitation Techniques', the discussion begins with the topic of hijacking vulnerabilities within applications. The speaker recounts starting his research after being intrigued by this type of vulnerability, though initially not finding much information. The speaker introduces Patrick Wardle, an expert who conducted comprehensive research on dylib hijacking specifically in macOS several years prior. Wardle's work is highlighted through a presentation that is regarded as informative and engaging.
• 05:30 - 06:30: Bypassing Root Permissions The chapter titled 'Bypassing Root Permissions' briefly discusses a researcher's participation in security conferences like DEF CON or Black Hat. The focus appears to be on macOS users and involves a basic introduction to dynamic libraries (dylibs). These libraries play a critical role in understanding the security mechanisms and potential exploits in bypassing root permissions. The chapter aims to provide a foundational understanding of this technical area for individuals possibly new to the subject.
• 06:30 - 08:30: Use of Symlinks for Exploitation The chapter 'Use of Symlinks for Exploitation' discusses the different methods of dynamic library loading and their implications for exploitation on macOS. It highlights two types of dynamic library checking on macOS, starting with the weak loading of dynamic libraries, where the loader (via the LC_LOAD_WEAK_DYLIB load command) verifies the presence of a dynamic library file on the system before proceeding. If the library is not present, the application still continues to run without it. The segment emphasizes the importance of understanding these mechanisms for potential exploitation strategies.
• 08:30 - 11:00: Creating an App for the App Store The chapter discusses the concept of creating an app for the App Store, focusing on security vulnerabilities. It explains that an application can still function without certain files. In scenarios where an app attempts to load non-existent files, malicious files can be introduced and executed, paving the way for command execution. The chapter stresses the ease of manipulating such vulnerabilities, setting the stage for more secure app development practices.
• 11:00 - 15:30: Privilege Escalation Demonstration The chapter 'Privilege Escalation Demonstration' explains a method of privilege escalation similar to DLL hijacking used in Windows, but applied to macOS. It involves exploiting the search path mechanism of the macOS loader when searching for the required dynamic libraries. If a library isn't found in the primary path, the loader continues to search through subsequent paths, which can be manipulated for privilege escalation.
• 15:30 - 18:30: Fix Verification In the chapter titled 'Fix Verification', the process of verifying fixes in software is discussed. The method involves checking if a patch or fix has successfully loaded and executed. This is achieved by conducting a search; if there is no hit for the first search location, a dylib can be placed there to force the system to load it. This verification process ensures command execution can be re-tested effectively, emphasizing the ease of managing such verifications once understood.
• 18:30 - 19:30: Conclusion and Final Thoughts The chapter provides guidance on identifying and handling vulnerable applications. It introduces Patrick's DHS tool, which simplifies the process by providing results on application vulnerabilities. Additionally, it offers an environment variable (DYLD_PRINT_RPATHS) for use in the terminal to assist further in application analysis and troubleshooting. The chapter emphasizes the simplicity and accessibility of these tools and commands for effective application security management.
• 19:30 - 22:30: Q&A Session The chapter 'Q&A Session' appears to revolve around a technical discussion related to computer programming. The focus is on the process of executing an application and handling its output, specifically when it fails. There's a mention of printing results, passing paths, and troubleshooting by identifying the directory where the missing dylib was looked for. Additionally, an example involving C code is introduced, possibly to illustrate a point or demonstrate an application of the theory discussed. The details are somewhat abstract without additional context, but the emphasis is on problem-solving within a code execution environment.
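The two load-command cases the chapters above describe (a weak dylib that is never present, and an @rpath dylib missing from the first search directory but found in a later one) can be audited for in a bundle. The following is an added example, not Patrick Wardle's DHS tool and not code from the talk: a minimal Mach-O load-command walker in Python that flags both cases. It assumes a thin 64-bit little-endian Mach-O (no fat binaries), and the sample binary and the Demo.app layout it audits are constructed in a temporary directory.

```python
import os
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD


def _cstr(buf, off):
    """Read a NUL-terminated string starting at offset off."""
    return buf[off:buf.index(b"\x00", off)].decode()


def parse_load_commands(data):
    """Walk the load commands; return (rpaths, [(kind, dylib_name), ...])."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin 64-bit little-endian Mach-O is handled")
    rpaths, dylibs, off = [], [], 32  # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<2I", data, off)
        if cmd == LC_RPATH:
            (str_off,) = struct.unpack_from("<I", data, off + 8)
            rpaths.append(_cstr(data, off + str_off))
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            (str_off,) = struct.unpack_from("<I", data, off + 8)
            kind = "weak" if cmd == LC_LOAD_WEAK_DYLIB else "strong"
            dylibs.append((kind, _cstr(data, off + str_off)))
        off += size
    return rpaths, dylibs


def expand(path, exe_path, rpaths):
    """Expand @executable_path/@loader_path (treated alike for a main binary)
    and @rpath into the ordered list of locations dyld would try."""
    exe_dir = os.path.dirname(exe_path)
    if path.startswith("@rpath/"):
        return [os.path.normpath(os.path.join(expand(r, exe_path, [])[0], path[7:]))
                for r in rpaths]
    for token in ("@executable_path", "@loader_path"):
        if path.startswith(token):
            return [os.path.normpath(exe_dir + path[len(token):])]
    return [path]


def find_hijack_candidates(data, exe_path):
    """Return (finding, dylib name, empty slot) tuples for hijackable loads."""
    rpaths, dylibs = parse_load_commands(data)
    findings = []
    for kind, name in dylibs:
        candidates = expand(name, exe_path, rpaths)
        present = [os.path.isfile(c) for c in candidates]
        if kind == "weak" and not any(present):
            # dyld carries on silently; a file dropped at the first slot would load.
            findings.append(("weak-missing", name, candidates[0] if candidates else name))
        elif present and not present[0] and any(present[1:]):
            # dyld takes the first hit, so an empty first slot shadows the real library.
            findings.append(("rpath-first-miss", name, candidates[0]))
    return findings


def _dylib_cmd(cmd, name):
    """Constructed dylib_command: name at offset 24, timestamp 0, versions 1.0.0."""
    body = name.encode() + b"\x00"
    body += b"\x00" * (-(24 + len(body)) % 8)  # cmdsize must be 8-byte aligned
    return struct.pack("<6I", cmd, 24 + len(body), 24, 0, 0x10000, 0x10000) + body


def _rpath_cmd(path):
    """Constructed rpath_command: path string at offset 12."""
    body = path.encode() + b"\x00"
    body += b"\x00" * (-(12 + len(body)) % 8)
    return struct.pack("<3I", LC_RPATH, 12 + len(body), 12) + body


def build_sample_macho():
    """Constructed header-only Mach-O (MH_EXECUTE, arm64) with five load commands."""
    cmds = (_rpath_cmd("@executable_path/../Frameworks")
            + _rpath_cmd("@executable_path/../Resources/lib")
            + _dylib_cmd(LC_LOAD_WEAK_DYLIB, "@rpath/libOptional.dylib")
            + _dylib_cmd(LC_LOAD_DYLIB, "@rpath/libShared.dylib")
            + _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"))
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 5, len(cmds), 0, 0) + cmds


def demo():
    """Lay out a constructed Demo.app in a temp dir and audit the sample binary."""
    contents = os.path.join(tempfile.mkdtemp(), "Demo.app", "Contents")
    for sub in ("Frameworks", os.path.join("Resources", "lib")):
        os.makedirs(os.path.join(contents, sub))
    # libShared lives only in the second rpath directory; Frameworks/ stays empty.
    open(os.path.join(contents, "Resources", "lib", "libShared.dylib"), "wb").close()
    return find_hijack_candidates(build_sample_macho(),
                                  os.path.join(contents, "MacOS", "Demo"))


if __name__ == "__main__":
    for finding, name, slot in demo():
        print(f"{finding:18} {name} -> {slot}")
```

On a real bundle, read the main executable's bytes and pass its path; any reported slot inside a root-owned .app is only reachable by whoever can write there, which is the point the talk goes on to make.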

Csaba Fitzl - macOS: Gaining root with Harmless AppStore Apps - SecurityFest 2019 Transcription

• 00:00 - 00:30 My name is Csaba, it's my second time talking here and I am really pleased to come back. I will talk about some macOS bugs today, partially also about local privilege escalation on macOS, but that's just part of the entire story. So a few words about myself: right now I'm working as a red teamer, I was in
• 00:30 - 01:00 a blue team for five years before, and I think red team is much more fun, just as Hugo said, but I think a successful red team makes the blue team also more successful, so the two teams really shouldn't look on each other as enemies. They are there for the same purpose, to improve the security at a company, and they should actually improve each
• 01:00 - 01:30 other, and that's very important. Sometimes I hear stories that the two teams look on each other as enemies, but that shouldn't be the case, it should be really like a purple team. I also maintain a Python toolkit for kernel exploitation. I have a wife,
• 01:30 - 02:00 two kids, they are with me in Göteborg, they are doing the sightseeing and fun. I like to do hiking and yoga in my free time beyond doing security stuff. So I mentioned that the privilege escalation vulnerability in macOS is just part of the entire presentation; what I try to do here is making a story,
• 02:00 - 02:30 or showing a story, because originally when I started my research I didn't look for a macOS bug or a privilege escalation issue, I started somewhere completely else and I started to go down the rabbit hole, and went down and down, and I got completely distracted from my original research, and I think this is how many times research is
• 02:30 - 03:00 actually happening. Can I start this timer somehow? Yeah. So what I will talk about: first I will talk a few words about dylib hijacking on macOS, what's that, and then how we can subvert the installation process on macOS, how we can develop
• 03:00 - 03:30 an app for the App Store, and then I will talk about the privilege escalation on High Sierra, then a bit about how we can modify installers on macOS, how we can redistribute paid apps, and at the end also about another kind of the same privilege escalation, but a more... So originally I wanted to find a dylib
• 03:30 - 04:00 hijacking vulnerability in a given application, so that's why I started the entire research. I didn't find it, but it evolved into other things. But what is dylib hijacking? There is a guy called Patrick Wardle who did this entire research on dylib hijacking on macOS a couple of years ago; you can watch his presentation, which is pretty cool, on
• 04:00 - 04:30 YouTube, he did it at DEF CON or Black Hat I think. So this is just a very short and brief summary of his research, just so you understand what this stuff is. How many people use macOS here? Oh, that's a lot. So for those who don't know, a dylib is a dynamic library and it's like a
• 04:30 - 05:00 DLL on Windows, just this one is on macOS. So there are two types of dylib checking on macOS. The first type is weak loading of dylibs: basically there is a loader, or the LC_LOAD_WEAK_DYLIB function, whenever it tries to load a dylib from the file system it will check if it's there, now if it's not
• 05:00 - 05:30 there then it essentially carries on, you can still load the application, or your application will still work without this dylib. In that case what you can do is, if the application is trying to load something which is not there, you can just place your malicious file there and get it loaded and get command execution on the system. So that's pretty easy. The second type is the rpath
• 05:30 - 06:00 dependent dylibs. This in its logic is very similar to how DLL hijacking is usually done on Windows: basically the loader on macOS will have a search path, and it will search the required dylib through those paths, and if it doesn't find it on the first path it will go to the second, third and so on,
• 06:00 - 06:30 and once it finds the dylib it will load it, and it will use the first one that it finds. So what you can do is, when it goes through the search and there is no hit for the first search, then you can place your dylib there and then it will be loaded and you can get command execution again. That's also pretty easy. So how do you find
• 06:30 - 07:00 applications that are vulnerable? You take Patrick's DHS tool, run it and get the result, so it will give you all the applications which are vulnerable. It couldn't be easier. There is another thing you can do: if you go to the terminal you can set DYLD_PRINT_RPATHS to one, and whenever you try to load or
• 07:00 - 07:30 start an application it will print to you that the RPATH failed to expand, and it will give you the entire path where it tried to find the dylib, and basically you can use that path and place your file there. How we exploit this one: what you do is you make a C code, this is a dumb example, there is a constructor that
• 07:30 - 08:00 will be called whenever your executable is being run, you compile it, you have to fix up the dylib: the dylib has to fulfill some requirements, like the version has to be the one that the application is looking for, and it also has to export the same functions as the original one, and that's it. Now, oops,
• 08:00 - 08:30 to fix the dylib there is a tool created by again Patrick with this research, it's a Python script, you give it your dylib, you give it the original one which is working, and it will fix the version for you, it will update its export table, and your dylib actually will refer back to the original one, because whenever the
• 08:30 - 09:00 application is loading your dylib you still want the application to function, so it will refer back to the original dylib for the actual function implementation, so your application will still work and nothing will be broken. Again, this entire finding the exploits or the vulnerable application and actually exploiting it, it's very very easy. There are many cases, so there are a
• 09:00 - 09:30 bunch of these in Microsoft Office. The problem is that if you install Microsoft Office on macOS you install it as root, so as a user, even if you are an admin, you are not root, so you cannot just place a file into the Microsoft Office folder, you have to
• 09:30 - 10:00 authenticate to elevate your privileges, and so because you need root privileges to place a dylib into the Microsoft Office folder, Microsoft said they don't really consider this as a security bug. Avira had the same issue, they said they will actually fix it, and there are many other cases, like Xcode is full of these bugs, but again Xcode is installed as root,
• 10:00 - 10:30 so you actually have to be root to exploit these vulnerabilities. And this is where I got distracted, because what I ran into is that I need root privileges to place malicious, or my, dylib into these application folders, so I
• 10:30 - 11:00 cannot just do a hijacking, and I started to wonder, okay, what can I do about it, and anyway, why are applications there as root? And if you actually look on the Applications folder in macOS you will run into two cases: in one case the actual application folder will be owned by root, and in some cases the application is owned
• 11:00 - 11:30 by the user itself. I'm talking here about an admin user, not like a regular user. There are these cases, and I started to look into this: in which cases is it owned by root and in which cases is it owned by the user? If you install an application from the App Store then the application is owned by root. If you install a package, in most of the cases it will require
• 11:30 - 12:00 elevation and again it will be owned by root. There is a third case, when you download an application and you just drag and drop the application to the Applications folder; in that case it will be owned by you, and that's the only case when you actually own the application and you are free to write into that folder. And I started to think, okay, can I
• 12:00 - 12:30 bypass this restriction? And the answer is yes, of course, otherwise I wouldn't be here, or it would be a very short talk. Before I go into details, a couple of tools that can be used for monitoring on macOS. One is the FireEye Monitor app; if you are familiar with the Sysinternals Procmon for Windows, this is pretty much almost the same or very similar for macOS, it will monitor events like process
• 12:30 - 13:00 events, file system events, network events for you. Oops. Then you have Objective-See: Patrick Wardle, the same guy who talked about dylib hijacking, is the guy developing all these Objective-See tools. He has a ProcInfo library and also an example executable which can be used for process monitoring on macOS;
• 13:00 - 13:30 his example executable will log you plenty of data, like if you start a process it will give you the process ID, the user running it, what are the arguments, what's the signature of the binary file and so on, who is the parent, and a bunch of information, and it's pretty good. If you want to do file system
• 13:30 - 14:00 monitoring then you can use the fs_usage tool. Now this will give you a whole lot of information, I have no idea about 99.9% of the data it prints out, this is super detailed. I think you need to do very very good filtering if you actually want to get any useful data out of it; it can easily generate you hundreds of
• 14:00 - 14:30 megabytes of data in seconds. Sorry. So the first case: how we can bypass root permissions in case of the App Store applications, so how we can drop a file to the Applications folder which is owned by root. So you record the folder
• 14:30 - 15:00 structure. So for those who don't know, an application on macOS, the .app extension, is basically a collection of files, it's a folder structure. Basically you record the folders, actually you explore where you want to drop your file, basically you delete the application. So on macOS if you go to the Launchpad you can delete the App
• 15:00 - 15:30 Store applications as a normal user, you don't have to authenticate, you can just delete the application. Then you recreate the folders; now you as an admin user have write access to the Applications folder, so let's say I have this parser.app, I can recreate the folder, any folders, and I can drop there any file I want. Now
• 15:30 - 16:00 you reinstall the application, and there you go, your application will be installed on top of the folders you created. And when you install an application from the App Store, again you don't have to authenticate to be root, you can just say, okay, install this application, or something like that. When
• 16:00 - 16:30 you buy the application for the first time you have to enter your Apple ID password, unless you saved it as a cached password for free apps, but this is also not for elevating your privileges, because you are not entering your local user password, you are entering your Apple ID password. So this is pretty easy, and you can basically add any file to
• 16:30 - 17:00 the application folder. Now this is fixed today, so it no longer works, I will talk about that later, and if I want to compare it to the Windows world it's like the admin user having write access to the Program Files. Now on Windows
• 17:00 - 17:30 the admin user has write access to the Program Files folder, but only if it's running in high integrity mode, and if you go from medium to high then you get this nice UAC prompt to authenticate to be admin, which is usually just saying yes you want to do it, but Microsoft doesn't consider this as a security boundary. Now
• 17:30 - 18:00 on macOS if you go from admin to root, that is the second security boundary. So I started thinking, okay, nice, I can drop a file to an application folder, but can I do something else? What about symlinks? So what I discovered is that symlinks were followed: the
• 18:00 - 18:30 installer which is installing the App Store files is running as root, and it will follow symlinks, and it will drop or install files where your symlink is pointing. So basically you can drop any file that is in the application package almost anywhere on the file system. I'm
• 18:30 - 19:00 saying almost, because... first, how you do it: so again you see where do you want to drop it, you delete the application, you recreate the folders, you create a symlink, you reinstall the application. Now in this case this is the symlink: the MacOS folder is the one containing the
• 19:00 - 19:30 main executable, and it's pointing to the opt folder, which means that anything in this folder will be put into this one when the application is installed. That's kind of cool, but what we cannot do: so on macOS, if the folder is protected by
• 19:30 - 20:00 SIP you cannot write there even if you are running as root, and you cannot overwrite any file you want. Like, what I wanted to do is, let's say I have a file called A somewhere and I have another file called B in the actual application package, and I
• 20:00 - 20:30 want that B to replace A. Now I spent plenty of hours experimenting with this and I realized that I cannot do it, and I ran a very simple experiment. The reason you cannot do it is because the app is moved into the Applications folder. So when you first download the, so
• 20:30 - 21:00 when you install the application from the App Store it's downloaded to one location, it's undergoing some checks and then it's being moved to the Applications folder. So I did a simple experiment: I created a file called A, I put in some content, then I created a symlink B pointing to A, so you see I have a file A and I have B pointing to A. Now
• 21:00 - 21:30 if I print out the contents of B that will give me the contents of the file A. If I write into B and then again print out the contents of B, we will see that it's being written into A. Basically now what I want to do is have a third file called C, you can see it here, you have
• 21:30 - 22:00 B pointing to A, and C, and I want to move C into B, and my hope would be that the contents of C are being written into A, but that's not the case. So what's happening is basically C is overwriting B and we no longer have
• 22:00 - 22:30 a symlink pointing to A, so I cannot take a file and put its contents into some other file I want to. But still I can drop all the apps or files anywhere on the file system, and I started thinking, can I get like root privileges with this method, what way can I achieve root by
• 22:30 - 23:00 dropping these files? And I had a couple of ideas. Like, let's say I have a file in the App Store, in a given application, which has the same name, exact same name, as an executable which is already running as root on my local system; in that case I can just replace that file because they are called the same. Or, macOS is
• 23:00 - 23:30 originally based on FreeBSD, so there are cron jobs, cron tasks; I can take a file that is named as root and it has a cron job inside it and place it in the /usr/lib/cron/tabs folder. Maybe there are no such files in the App Store, but you create your own app and then potentially you can push
• 23:30 - 24:00 this to the App Store, or you can do the same with dylibs basically. So at this point I said, okay, I'm unlikely to find any file in the App Store that will satisfy my needs; actually Xcode had a couple of, has a couple of cron job files, but they are
• 24:00 - 24:30 not named as root, so the crontab has to have the name of root in order to be executed as root, and there are also no apps that I found that could replace another legitimate application. So I was, I'm lazy, I will just send this to Apple that there is a theoretical privilege escalation on macOS and I hope they will fix it. Now they
• 24:30 - 25:00 came back and they said our vetting process will find the malicious apps, and I mean, okay, this is not what I meant, the application is not malicious, it's you use the application in a malicious way. So we had some miscommunication there, and I said okay, I will try harder and I will create an app to show you
• 25:00 - 25:30 that yes, this can be done. Now I never coded in Objective-C or Swift, and this was the first, this is why I wanted to avoid this. So I started to plan an application, and it had to be some useful application, so I decided I will do an application which can edit or create cron job files. I purchased the
• 25:30 - 26:00 developer ID, and when it came to the language of choice I decided to go with Swift because I hated the syntax of Objective-C, so I went on and learned Swift through a CBT. It turned out that there is Swift 1, 2, 3, 4 and they are all different in their syntax a little bit, but eventually I learned Swift
• 26:00 - 26:30 and I created the application. Now how do you push an application to the store? First you register a bundle ID, this is like the com.mycompany.mynameoftheapplication or whatever, you create an application, populate all the details and you can upload via Xcode to the store. It's pretty straightforward,
• 26:30 - 27:00 and then I created my app and started the submission, and then you have this time issue: if you make a mistake in your app it will have a cost of 24 hours, because that's the average time it takes for Apple to review your submission, and
• 27:00 - 27:30 it can be super annoying when you know that you are very close to making a successful exploit and you make a small mistake and then you need to wait one day. And so this is what happened: I made my first push, waited 24 hours and they rejected it, and they said there is no proper closing of the application, so when I press the X button the
• 27:30 - 28:00 application doesn't exit. This is like a one-line fix for the application, so I fixed it, pushed it again, it got actually approved, and then I realized that it doesn't work on Mojave, and I was really sad. I said no problem, I have a High Sierra VM and I will try it there, and then when I tried to install it on High Sierra the application said the minimum requirement
• 28:00 - 28:30 is Mojave, and I mean, oh no, this is like a setting for the application, to compile it for High Sierra, Mojave, Sierra, whatever you want, but again it's 24 hours waiting for publishing it again. It got approved eventually and it worked on High Sierra. This is the application, so actually I created a useful application, so you can like create cron job files.
• 28:30 - 29:00 Recently I realized that people are using this application because it's still in the App Store. I don't think anyone uses it as I use it, but you can use it legitimately. So how is the privilege escalation working? So this application has a couple of examples in it, like an example for root which will run
            • 29:00 - 29:30 this script every minute you recreate the folders you install the application you create a slip file and you get a terminal running as root but let's see how it works in a minute they actually fixed it so it stopped working and more details on the fix later so this was back last October and
            • 29:30 - 30:00 at that time I told that the issue is fixed and I never really did a proper verification of the fix itself, how they fixed it. It turned out later on that they didn't fix it the way it should have been fixed, so I have a video showing this, I will do some fast forwards here. So this is
            • 30:00 - 30:30 the application from the App Store. I go into the Applications folder, we can see it's not there right now, and I'm running as a normal user, not as root. I will create the application folder and all
            • 30:30 - 31:00 the required directories. All the example files are in different files in the Resources folder inside the application, so what I do is I'm redirecting the Resources folder into the cron job folder. That folder is not listable for
            • 31:00 - 31:30 the normal users, so I have to do sudo to show that it's empty right now, and then I go ahead, install the application, and then if we list again the contents of the crontab folder we can see that it was populated and we have this root user there, a
            • 31:30 - 32:00 couple of others but who cares, this is what we care about, and what's inside the root crontab file is basically that script I showed you, so it will try to execute this script every minute. As it's in the Applications folder, you as an admin user have write access to that
            • 32:00 - 32:30 folder, so we can just create it and we will do a very simple shell script: start Terminal. We give it executable rights, otherwise it will not run. We are still running as a normal user, and it's 17:00 on my VM, in
            • 32:30 - 33:00 reality it was pretty late, and once it switches to 17:00 we will get another terminal starting up by the cron job. This is time I can drink, yeah.
            • 33:00 - 33:30 17:00, we have a new terminal which is running as root, so basically without doing anything I got root access. Abusing the Installer,
            • 33:30 - 34:00 the other case: you have a package file, and if you want to do the same trick you can do it, but you can also infect an installer, so you can place your file in the Installer itself. It's not really a bypass, mmm, and there
            • 34:00 - 34:30 are a couple of issues: if you modify the package file it will break its signature and then Gatekeeper will block it, and you need a way to infect the package file, do a man-in-the-middle or infect it and then send it to the user, and it will actually also break the application signature, but Gatekeeper we don't care about because it will only verify the package. So how can we
            • 34:30 - 35:00 infect an installer? We take the package file, unpack it, there is a payload inside the package which is compressed, we decompress that payload, you embed your file, you recompress the application into the payload, you clean up the junk, you repackage the file, and then in your new package you have the file again. It's
            • 35:00 - 35:30 not that effective, you can do it, but for the distributing Bader's. So what I also noted is that if there is a paid application in the App Store, what I can do is take it and run it somewhere else, and that's it basically. Interestingly, most
            • 35:30 - 36:00 of the times there is no verification by the application if it was purchased by the user who is running it. As I understand from Apple you can do that, but by default Apple itself doesn't do this verification, so if you buy an application you can just make a package file, and there is an App Store extract utility you can download from GitHub and it will do it for you,
            • 36:00 - 36:30 you can give it to someone else and it will run. Probably in-app purchases won't work, but it's still weird to me at least, to be honest. Now going back to the previous escalation, I said that it stopped working on Mojave and it turned out that it wasn't properly fixed, because what happened: I made this POC with the crontab folder
            • 36:30 - 37:00 and on Mojave the Installer had no access to the crontab folder, so I couldn't drop the files there, and I told that it was ultimately fixed, but it turned out that it wasn't, because OK, you cannot write to the crontab folder, but you can still drop files to many other sensitive locations like the launch daemon folder,
            • 37:00 - 37:30 which is another startup folder, and if you drop a plist file into the launch daemon folder it will be executed as root upon boot. So I decided to do a second POC that's called Startup, very same approach, it has example files and this time you target the launch
            • 37:30 - 38:00 daemon folder, and I sent the second report to Apple, and eventually this has been fixed like two weeks ago. So this is how it worked on Mojave: what
            • 38:00 - 38:30 we will do is again create all the necessary files and folders, and then we will create a symlink pointing to the launch daemon folder, and I will list the contents of that folder. There is some
            • 38:30 - 39:00 other stuff already in it, but there is nothing about the... the other stuff. I go, download the application again, no prompt for elevation, I list the contents again and there are two new plist files that are coming from this Startup application, and
            • 39:00 - 39:30 if we list the contents of this file we can see that upon boot time, run at load, it will execute that script. So I go to the application's scripts and I have a bind
            • 39:30 - 40:00 shell Python script, it will basically create a bind shell when executed, and I need to reboot the computer for this, so let's reboot. And now if I log in
            • 40:00 - 40:30 and list the open network connections, we can see I'm running as the normal user again. If I list them, there is a listening port and I can just connect to it, that's a bind shell, and yeah, you got root
            • 40:30 - 41:00 again. So finally it was fixed. I hope I will not spoil Game of Thrones for anyone here. This is how the fix is working: you place your files as before, you create the application folder, you place your files there, and
            • 41:00 - 41:30 then the Installer process comes and wipes it all. But if you want to check it more precisely what happens, this is a screenshot from FireEye's Monitor tool, and finally this is a proper way of fixing the vulnerability. What happens when you install an application, so I tested with the Crontab Creator in
            • 41:30 - 42:00 this case, my very first POC: what it will do is you have this folder here that you created in the Applications folder and it will be moved to the install sandbox trash somewhere, so basically it's all deleted,
            • 42:00 - 42:30 and it's basically eliminating the other problem as well, that you cannot place a file in the application folder because it will be just wiped, and with that, because it's wiped, your symlinks are wiped, everything is wiped, so you can no longer do this trick with the privilege escalation with abusing the symlinks. Closing thoughts:
            • 42:30 - 43:00 so now this has been fixed, but for the other case, if you have an application in the App Store that you expect users paying for, it's best if you do some verification if the user who runs it purchased it. I have no idea how to do it, but maybe, if you don't
            • 43:00 - 43:30 want your application to be redistributed, maybe it's worth doing. Thank you. OK, so Csaba, do we have any questions from the audience? I have one over here. All right, let me run over. Was it... yeah, thanks for the information,
            • 43:30 - 44:00 did you try the same thing with an Android app? Android? Yeah, I know, I tried the same with iPhone. The thing with iPhone is that you are really running in a sandbox and you can do anything, so you cannot just write the Applications folder on iPhone, and I checked the very same trick on Ubuntu, which also has an app store, but it works completely
            • 44:00 - 44:30 differently and you cannot do the same. Speaking, you know, going to... so did you try with the Microsoft app store? No. OK, anyone else? All right, over here. Thank you for a great presentation. I was wondering, did Apple reward you in any way for these findings, like
            • 44:30 - 45:00 no, nobody, what they say, like thank you, or like send you a diploma for finding something, or some cash? No, so Apple doesn't really have a bounty, only for... so they have a bounty only for iOS and it's invitation based only, otherwise they will thank you and that's it. OK, do we have any more questions? Shall I catch my
            • 45:00 - 45:30 eye? No? All right, if that's it, thank you Csaba, great presentation. [Applause]