In0de
May 17, 2024

Mind the Gate: Exploring Bypass Techniques for macOS's Gatekeeper

Title: Mind the Gate: Exploring Bypass Techniques for macOS's Built-in Antivirus Mechanism, Gatekeeper
https://cybersec.ithome.com.tw/2024/en/session-page/2747

Transcript

  1. Jr-Wei Huang
     • Software developer @ TeamT5
     • 3 years product development experience
     • 5 years security research experience
     • Focus on: threat hunting, system security (Windows, macOS)

  2. Environment Constraints: macOS Defense Modules
     • Transparency, Consent, and Control (TCC)
     • Gatekeeper / XProtect
     • System Integrity Protection (SIP)
     • Sandbox
     • Code Signing & Entitlements
     • Signed System Volume
     • Secure Boot

  3. macOS Defense Modules: Execution
     • Limit the ability of attackers to execute malicious code.
     [Diagram: the module list from slide 2, grouped under "Execution" environment constraints]

  4. macOS Defense Modules: Privilege Escalation
     • Prevent attackers from gaining higher privileges.
     [Diagram: the module list from slide 2, grouped under "Privilege Escalation" environment constraints]

  5. Malware Defense Strategy on macOS: Gatekeeper
     • Preventing programs that do not comply with system policies from launching
     • Preventing known malicious software from running
     [Diagram: the module list from slide 2, with Gatekeeper / XProtect highlighted]
  6. After Gatekeeper Is Bypassed: what attackers can do
     • Steal browser passwords
     • Steal keychain passwords
     • Steal documents (in Application Support)
     • Install arbitrary configuration profiles
     • Hijack search engine results
     • Inject advertisements

  7. Gatekeeper Workflow: Gatekeeper Policies
     • Mac App Store: follows the strict App Store security model
     • Trusted (paid) developers: the signature has been manually approved
     • Any source: allows any binary to run on your system

  8. Gatekeeper Workflow
     • A user clicks to open a program downloaded from the internet
     • Gatekeeper receives a check after the program starts
     • If the application does not comply with system policies, it is blocked.
     [Diagram: Application (downloaded from Chrome) → Gatekeeper]

  9. Gatekeeper Workflow: execution path
     • User mode: Application (downloaded from Chrome) → Finder.app (LaunchServices) → xpcproxy → __posix_spawn
     • Kernel mode: the exec triggers the MACF hook mac_proc_notify_exec_complete → AppleSystemPolicy.KEXT → procNotifyExecComplete
     • The notification is delivered to syspolicyd (service) in user mode

  10. Gatekeeper Workflow: checks
     • AppleSystemPolicy.KEXT → procNotifyExecComplete → syspolicyd (service), over com.apple.security.AppleSystemPolicy.mig (ExecManager)
     • syspolicyd checks for known developer signatures, checks for notarization, and checks for XProtect rules
     • The scan result is sent back
  11. Gatekeeper Workflow - XProtect
     • XProtect provides detection signatures for Gatekeeper checks
     • Currently XProtect updates are released at least once a month
     • https://www.sentinelone.com/labs/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect/

  12. Gatekeeper Workflow - XProtect
     • XProtect Remediator: performs periodic background scans to look for known malicious software, and tries to remove any that it detects.
     • XProtect BehaviorService: provides behavioral rules and lists of exceptions for Bastion to monitor potentially malicious behavior.

  13. Why Does Gatekeeper Know It's from the Internet?
     • When any file is downloaded by a "quarantine aware" application, the system automatically tags the downloaded file with the quarantine attribute
     • Gatekeeper only checks programs with the quarantine attribute.
     [Diagram: Application (with com.apple.quarantine) → Gatekeeper: "I need to check this application"]

  14. File Extended Attributes
     • Store additional information related to files.
     • These attributes can include various data, such as the original download source of the file and security information
     • com.apple.quarantine is stored as a file extended attribute
  15. Case study: Cuckoo Spyware 2024
     • Gatekeeper forces all applications to be signed and notarized (preventing unsigned applications from running)
     • https://blog.kandji.io/malware-cuckoo-infostealer-spyware

  16. Gatekeeper Attack Surface
     • Using a valid developer signature (ex: Zuru)
     • Bypassing the signing mechanism
     • Bypassing the quarantine attribute: download flow, archive extract flow
     [Diagram: application download flow / application archive extract flow]

  17. Concept
     • Attackers manipulate application files so that the system does not add the quarantine attribute to the files.
     • This allows a malicious application to bypass Gatekeeper's inspection.
     [Diagram: Application → "Set quarantine attribute" → Application without com.apple.quarantine]

  18. Manipulate Old Permission Model #1
     • CVE-2022-42821 (found by Microsoft)
     • Access Control Lists (ACLs)
     • Preventing regular web browsers from adding the quarantine attribute
     • Inconsistencies caused by old and new defense mechanisms
     • https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/

  19. Manipulate Old Permission Model #1: macOS ACLs
     • Allow finer-grained permission settings for files and folders.
     • Enable more precise control over data access rights
     • Stored in file attributes

        $ ls -le ./somefile
        -rw-r--r--  1 will  staff  0  4 28 20:49 ./somefile
        $ chmod +a "admin deny write" somefile
        $ ls -le
        -rw-r--r--+ 1 will  staff  0  4 28 20:49 somefile
         0: group:admin deny write

  20. Manipulate Old Permission Model #1: macOS ACLs
     • Add an 'everyone deny writeextattr' ACL rule to the application directory
     • But normally archives don't preserve file attributes
  21. Manipulate Old Permission Model #1: AppleDouble
     • A format that separates a file's extended attributes from the file itself
     • Used to store file metadata on non-HFS formats such as FAT32 or NTFS
     • Typically, the file containing the resource fork is prefixed with "._" followed by the original file name
     • https://en.wikipedia.org/wiki/AppleSingle_and_AppleDouble_formats

  22. Manipulate Old Permission Model #1: AppleDouble
     • ditto: preserves extended attributes (requires --rsrc). As of Mac OS X 10.5, --extattr is the default.

        $ ls -le ./ACL.app/Contents/MacOS/ACL
        -rwxr-xr-x+ 1 will  staff  31  4 28 15:32 ./ACL.app/Contents/MacOS/ACL
         0: group:everyone deny write,writeattr,writeextattr
        $ ls -le ./ACL.app/Contents/MacOS/no_ACL
        -rwxr-xr-x  1 root  staff  31  5  7 00:28 ./ACL.app/Contents/MacOS/no_ACL
        $ ditto -c -k ./ACL.app ACL.app.zip

  23. Manipulate Old Permission Model #1
     • The system cannot add the quarantine attribute to the files
     • As a result, attackers successfully bypass this defense mechanism
     [Diagram: Application with ACLs (deny write attribute) → "Set quarantine attribute" fails]
  24. Trick System by AppleDouble #2
     • CVE-2023-27951 (found by Red Canary)
     • The system thinks a file whose name starts with ._ is an extended attribute file, so it doesn't need the quarantine attribute :))
     • darwin-xnu/bsd/vfs/vfs_xattr.c:

        /* "._" Attribute files cannot have attributes */
        if (vp->v_type == VREG && strlen(basename) > 2 &&
            basename[0] == '.' && basename[1] == '_') {
                error = EPERM;
                goto out;
        }
  25. Trick System by AppleDouble #2
     • Attackers can create an application with a name starting with '._' to make the system recognize it as an extended attribute file

        echo "[+] creating disk image with app"
        hdiutil create -srcfolder app.app app.dmg
        echo "[+] creating directory and files"
        mkdir -p s/app
        cp app.dmg s/app/._app.dmg
        ln -s ._app.dmg s/app/app.dmg
        echo "[+] compressing files"
        aa archive -d s/ -o app.aar
  26. Concept
     • Developers can distribute applications through compressed files
     • In general, macOS's decompression program will also add the quarantine attribute to the decompressed files.
     [Diagram: uncompress flow: archive with com.apple.quarantine → "Set quarantine attribute" → extracted application with or without com.apple.quarantine]

  27. Different Compress Type #3
     • CVE-2022-22616 (found by Jamf Threat Labs & Mickey)
     • Safari does not add the quarantine attribute to files when handling GZ decompression
     • https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/
     [Diagram: com.apple.Safari.SandboxBroker → "Set quarantine attribute" → application with / without com.apple.quarantine]

  28. Different Compress Type #3
     • We can construct an application and compress it into gzip format to trigger the vulnerability
     • https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/

        #!/bin/bash
        mkdir -p poc.app/Contents/MacOS
        echo "#!/bin/bash" > poc.app/Contents/MacOS/poc
        echo "open -a Calculator" >> poc.app/Contents/MacOS/poc
        chmod +x poc.app/Contents/MacOS/poc
        zip -r poc.app.zip poc.app
        gzip -c poc.app.zip > poc.app.zip.gz

  29. Attack Native Archive Utility #4
     • CVE-2022-32910 (found by Jamf Threat Lab)
     • When extracting an archive containing two or more files or folders in its root directory, Archive Utility creates a new folder based on the specified archive name.
     [Diagram: Archive Utility.app → "Set quarantine attribute" → application with / without com.apple.quarantine]
  30. Concept
     • Applications decide whether to add the quarantine attribute to downloaded files.
     [Diagram: Application does not set the quarantine attribute → file with no com.apple.quarantine]

  31. Non-quarantine Aware Software
     • Sandboxed applications will enforce file quarantine (e.g., Chrome, Firefox)
     • Non-sandboxed applications need to set LSFileQuarantineEnabled in the Info.plist during development

  32. Find Non-quarantine Aware Software
     • An open-source project that collects popular applications: https://github.com/jaywcjlove/awesome-mac
     • The most common applications users download are typically: web browsers, email clients, message clients

  33. Case Study: Spark mail application
     • Main process doesn't have Sandbox
     • Doesn't set LSFileQuarantineEnabled
     • Electron-based application
     • LSFileQuarantineEnabled breaks the auto-update feature of Electron

  34. Phishing
     • Many attack samples signed with an ad-hoc signature cannot pass Gatekeeper
     • But Mac users are not familiar with Gatekeeper :))
  35. Supply Chain! - 3CX supply chain attack
     • Compromise both 3CX's Windows and macOS build environments
     • Deploy signed malware
     • https://speakerdeck.com/patrickwardle/mac-ing-sense-of-the-3cx-supply-chain-attack-analysis-of-the-macos-payloads?slide=58

  36. Supply Chain! - 3CX supply chain attack
     • Even if an application is signed and notarized by Apple, its authenticity cannot be guaranteed.
     • In many cases, Apple may inadvertently notarize malicious software
     [Diagram: Libffmpeg.dylib, signed & notarized, produced from the compromised build environments]

  37. Exploitation for Client Execution - iMessage
     • Operation Triangulation
     • Execution: attachment
     • The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
     • Without any user interaction, the message triggers a vulnerability that leads to code execution.

  38. Exploitation for Client Execution - iMessage
     • BLASTPASS
     • Execution: WebP image
     • Exploits a vulnerable decoder to get code execution on the message receiver's iPhone
     • Pegasus mercenary spyware
     • https://github.com/mistymntncop/CVE-2023-4863
  39. Detection
     • Trace ESF (Endpoint Security Framework) events
     • Attribute edit: use of xattr to remove the quarantine attribute
     • File create: applications create files without the quarantine attribute
     • Scan files with the ._ prefix whose content is not in extended attribute (AppleDouble) format

        "event": "ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR",
        "xattr": {
            "proc_path": "/usr/bin/xattr",
            "destination": "/Users/will/Downloads/poc.app",
            "attribute_name": "com.apple.quarantine",
            "pid": 908
        },
        "timestamp": "2024-05-15 03:51:49"
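As an added example (not code from the talk), this triage logic implements two of the detection ideas above: flagging quarantine removal in ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR events, and flagging newly created '._' files whose content is not an AppleDouble container. The DELETEEXTATTR event matches the slide; the field layout assumed for ES_EVENT_TYPE_NOTIFY_CREATE events, the file contents and the paths are constructed for the example.

```python
import json
import struct

# AppleDouble v2 header: big-endian magic 0x00051607 followed by version 0x00020000
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000

def is_appledouble(head: bytes) -> bool:
    """True when the bytes start with a valid AppleDouble v2 header."""
    if len(head) < 8:
        return False
    magic, version = struct.unpack(">II", head[:8])
    return magic == APPLEDOUBLE_MAGIC and version == APPLEDOUBLE_VERSION

def fake_dot_underscore(path: str, head: bytes) -> bool:
    """'._' file that is not AppleDouble: the vfs_xattr.c check on slide 24 means
    the kernel will never let com.apple.quarantine be set on such a name."""
    base = path.rsplit("/", 1)[-1]
    return len(base) > 2 and base.startswith("._") and not is_appledouble(head)

def triage(lines, read_head):
    """Turn ESF events (one JSON object per line) into alerts; read_head(path)
    returns the first bytes of a created file (a callback so this runs offline)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR":
            x = ev["xattr"]
            if x["attribute_name"] == "com.apple.quarantine":
                alerts.append(("quarantine_removed", x["proc_path"], x["destination"]))
        elif ev["event"] == "ES_EVENT_TYPE_NOTIFY_CREATE":  # field layout assumed here
            c = ev["create"]
            if fake_dot_underscore(c["destination"], read_head(c["destination"])):
                alerts.append(("fake_appledouble", c["proc_path"], c["destination"]))
    return alerts

# Constructed telemetry and file contents (not real captures); the first event is
# the one shown on slide 39, the CREATE events mirror the '._' trick from slide 25.
EVENTS = [
    '{"event": "ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR", "xattr": {"proc_path": "/usr/bin/xattr", "destination": "/Users/will/Downloads/poc.app", "attribute_name": "com.apple.quarantine", "pid": 908}, "timestamp": "2024-05-15 03:51:49"}',
    '{"event": "ES_EVENT_TYPE_NOTIFY_CREATE", "create": {"proc_path": "/usr/bin/aa", "destination": "/Users/will/Downloads/s/app/._app.dmg", "pid": 911}, "timestamp": "2024-05-15 03:52:10"}',
    '{"event": "ES_EVENT_TYPE_NOTIFY_CREATE", "create": {"proc_path": "/usr/bin/ditto", "destination": "/Users/will/Downloads/._notes.txt", "pid": 912}, "timestamp": "2024-05-15 03:52:11"}',
]
HEADS = {
    "/Users/will/Downloads/s/app/._app.dmg": b"\x00" * 16,  # no AppleDouble header
    "/Users/will/Downloads/._notes.txt": struct.pack(">II", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION) + b"\x00" * 24,
}

def run_sample():
    return triage(EVENTS, lambda p: HEADS.get(p, b""))
```

run_sample() returns the alert tuples; the genuine AppleDouble file created by ditto produces none, the xattr removal and the '._app.dmg' disk image produce one each.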
  40. Suggestions
     1. Avoid using overly permissive Gatekeeper policies
     2. Remove unnecessary developer tool permissions
     3. Verify the signature of downloaded files again before execution
     4. Be aware of non-quarantine aware applications
     5. Don't trust ad-hoc signatures!!