Abusing & Securing XPC in macOS apps

www.securing.biz
Wojciech Reguła
Abusing & Securing XPC
in macOS apps
XPC

www.securing.bizwww.securing.biz
WHOAMI
-Senior IT Security Consultant @ SecuRing
-Focused on iOS apps security
-Blogger https://wojciechregula.blog/
-iOS Security Suite creator
@_r3ggi wojciech.regula@securing.pl

XPC VULNERABILITIES ARE EVERYWHERE

AGENDA
1. Introduction to XPC
2. Building secure Helper
3. Exploiting previous step
4. Hardening
5. IF bypass_available() { GOTO 2. }
6. Summary

(NS)XPC
- Fundamental IPC mechanism in Apple environment
- Built on top of Mach messages
- Dictionary based communication
- Possible multiple clients and one server
- You can send and serialize ObjC/Swift objects

Server

Client

INTER-PROCESS COMMUNICATION
Application Privileged XPC server

uid=501 (user) uid=0 (root)

LOCATIONS OF THE XPC SERVERS
- /Library/PrivilegedHelperTools
- /Library/LaunchDaemons
- /Library/LaunchAgents

TIME FOR EXPLOITATION

BUG #1 – NO CLIENT VALIDATION

Malicious Application
uid= 501 (user)
Privileged XPC server
uid = 0 (root)
😈
Perform privileged action for me
OK, I don’t even verify you

BUG #1 – NO CLIENT VALIDATION
Bug found by Adam Chester (@_xpn_)
Methods exposed:
- remove
- move
- createDirectory
- addToPath
- kextInstall
Keybase.io

BUG #1 – FIX

BUG #2 – POOR SIGNATURE CHECK

BUG #2 – POOR SIGNATURE CHECK
- Checking only bundle ID
- Verifying only static code
- Using kSecCSBasicValidateOnly flag
- Too loose SecRequirement string
- and more…

Exposed methods:
- uninstallDaemon
- terminateDaemonWithOptions
- deleteQuarantineItemsWithInfo
- quarantineItemsWithInfo
- cancelScan
- startScanWithPaths
- getDaemonInfoWithOptions

BUG #2 – FIX

BUG #3 – USING PID TO GET CODE OBJECT
Kudos for Samuel Groß (@5aelo) and Ian
Beer (@I41nbeer) 👏

pid: 1337
😈 Perform privileged action

pid: 1337
😈
1. Get process identifier of the client
2. Create code object basing on that PID
3. Perform signature check
4. isValid() -> false
5. Invalidating the XPC connection
INVALIDATED

pid: 1337
😈
😈
fork()
fork()
fork()
fork()
pid: 1338
pid: 1339
pid: 1340
pid: 1341
😈
😈
😈

pid: 1337
😈
😈
fork()
fork()
fork()
fork()
pid: 1338
pid: 1339
pid: 1340
pid: 1341
Perform
privileged action
😈
😈
😈
Perform privileged action

1. Get process identifier of the client
2. Create code object based on that PID 😇
4. isValid() -> true
5. Establish valid connection
connection1 connection2 connection3 connection4
XPC connections queue

Change process’ image to
the legit executable using
posix_spawn()
😈
😇

pid: 1337
😈
😈
fork()
fork()
fork()
fork()
pid: 1338
pid: 1339
pid: 1340
pid: 1341
😈
😈
😈
😇
INVALIDATED
INVALIDATED
INVALIDATED

Exposed methods:
- removeWithFile
- copyWithSource
Avast Cleanup

Exposed methods:
- startDatabaseUpdate
- restoreApplicationLauncherWithCompletion
- uninstallProduct
- installProductUpdate
- startProductUpdateWith
- buildPurchaseSiteURLWithCompletion
- triggerLicenseRelatedChecks
- buildRenewalLinkWith
- cancelTrialWith
- startTrialWith
- applyLicenseWith
- controlProtectionWithRawFeatures
- confirmScanJobWith
- resumeScanJob
- pauseScanJob
- stopScanJob
- startScanJob
- disposeOperationBy
- pingWithTag
Malwarebytes

BUG #3 – FIX

BUG #4 – NO CODE INJECTION PREVENTION

1. Get audit token of the client
2. Create code object based on that token
4. isValid() -> false
5. Invalidating the XPC connection

- Apple’s signature checking API doesn’t detect:
• code injected with DYLD_INSERT_LIBRARIES
• or via task_for_pid() neither…

LuLu
Exposed methods:
- loadKext
- getPreferences
- updatePreferences
- getRules
- addRule
- updateRule
- deleteRule
- importRules
- alertReply

BYPASSING APPS WITH HARDENED RUNTIME
- SecRequirement(Certificate[teamID]) -> inject to another app from the
same company
- SecRequirement(Certificate[teamID] + bundleID) -> inject to older
version of the app without hardened runtime 😉
- Also, look for following problematic entitlements:
- com.apple.security.get-task-allow
- com.apple.security.disable-library-validation

DEMO 🎦
HTTPS://VIMEO.COM/397568495

BUG #4 – FIX
…

SUMMARY

SECURING XPC SERVICES - GUIDELINE
1. [Client] Turn on hardened runtime and notarize your clients
2. [Server] Verify if the clients have been properly signed using
restrictive SecRequirement string
3. [Server] Create Sec(Static)Code objects from audit tokens
4. [Server] Check if the clients have the hardened runtime capability
turned on
5. [Server] Make sure if the clients are not signed with entitlements
that may allow bypassing the hardened runtime

OPEN SOURCING SECURE PRIVILEGED HELPER EXAMPLE
https://github.com/securing

OPEN SOURCING THE SECURE HELPER

REFERENCES
- https://hackerone.com/reports/397478
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
- https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf
- https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/
- https://developer.apple.com/documentation/xcode/notarizing_macos_soft
ware_before_distribution
- https://github.com/erikberglund/SwiftPrivilegedHelper
- https://developer.apple.com/videos/play/wwdc2019/701/

www.securing.biz
SecuRing
Kalwaryjska 65/6
30-504 Kraków, Poland
info@securing.pl
tel. +48 124252575
http://www.securing.biz/
Contact
Wojciech Reguła
wojciech.regula@securing.pl
@_r3ggi
wojciech-regula

Abusing & Securing XPC in macOS apps

More Related Content

What's hot

What's hot (20)

Similar to Abusing & Securing XPC in macOS apps

Similar to Abusing & Securing XPC in macOS apps (20)

More from SecuRing

More from SecuRing (20)

Recently uploaded

Recently uploaded (20)

Abusing & Securing XPC in macOS apps