2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains in detail how the CVE-2018-8412 vulnerability was analyzed through a legacy installer package handled by MS Office for Mac's updater. The content is of high quality, so the editor shares it for your reference; I hope you will have a good understanding of the relevant knowledge after reading it.
Note: the patch has been released; please upgrade your MAU to 18081201 in time.
Microsoft Autoupdate Helper 3.18 (180410) + legacy SilverLight insecure installer package EoP
Affected scope: Microsoft Office for Mac 2016 and Skype for Business (16.17.0.65)
This report covers two flaws:
1. Code signature verification bypass
2. Insecure installer module loading
XPC Verification Bypass
There is an XPC service, com.microsoft.autoupdate.helper, at /Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper.
The service is NSXPCConnection-based and exposes only two XPC interfaces:
@protocol MAUHelperToolProtocol
- (void)logString:(NSString *)arg1 atLevel:(int)arg2 fromAppName:(NSString *)arg3;
- (void)installUpdateWithPackage:(NSString *)arg1 withXMLPath:(NSString *)arg2 withReply:(void (^)(NSString *))arg3;
@end
When an XPC connection is established, the service checks whether the code signature of the connecting pid satisfies an allow-list requirement:
char __cdecl -[MAUHelperTool listener:shouldAcceptNewConnection:](MAUHelperTool *self, SEL a2, id a3, id a4)
{
  ...
  caller_pid = (unsigned __int64)objc_msgSend(v6, "processIdentifier", self);
  ksecguestattrpid = kSecGuestAttributePid;
  number_with_pid = objc_msgSend(&OBJC_CLASS___NSNumber, "numberWithInt:", caller_pid);
  pid_as_nsnumber = objc_retainAutoreleasedReturnValue(number_with_pid);
  _dict = objc_msgSend(&OBJC_CLASS___NSDictionary, "dictionaryWithObjects:forKeys:count:", &pid_as_nsnumber, &ksecguestattrpid, 1LL);
  attributes = objc_retainAutoreleasedReturnValue(_dict);
  objc_release(pid_as_nsnumber);
  guest_code = 0LL;
  v12 = 0;
  if ( !(unsigned int)SecCodeCopyGuestWithAttributes(0LL, attributes, 0LL, &guest_code) ) // kSecCSDefaultFlags
  {
    v43 = 0LL;
    v12 = 0;
    if ( !(unsigned int)SecRequirementCreateWithString(
            CFSTR("(identifier \"com.microsoft.autoupdate2\" or identifier \"com.microsoft.autoupdate.fba\") and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = UBF8T346G9"),
            0LL,
            &v43) )
      v12 = (unsigned int)SecCodeCheckValidity(guest_code, 0LL, v43) == 0;
    if ( v43 )
      CFRelease(v43);
    ...
There are two (possible) ways to bypass this:
First, the check keys on the pid, which cannot be trusted: an exec* call replaces the process image while the pid stays the same. See "MacOS/iOS userspace entitlement checking is racy" and "Don't Trust the PID!" for details.
In practice this method does not work here. When the caller tries to replace itself, the connection's invalidation handler fires, which makes the [MAUHelperTool shouldExit] method return true.
v30 = _NSConcreteStackBlock;
v31 = -1040187392;
v32 = 0;
v33 = sub_100002748;
v34 = &unk_100008440;
v19 = (void *)objc_retain(v27, v7);
v35 = v19;
objc_copyWeak(&v36, &v43);
objc_msgSend(v7, "setInvalidationHandler:", &v30);
v20 = objc_msgSend(v19, "loggingConnections");
v21 = (void *)objc_retainAutoreleasedReturnValue(v20);
objc_msgSend(v21, "performSelectorOnMainThread:withObject:waitUntilDone:", "addObject:", v7, 1LL);
objc_release(v21);

__int64 __fastcall sub_100002748(__int64 a1)
{
  void *v1; // rax
  void *v2; // r14
  __int64 v3; // rbx

  v1 = objc_msgSend(*(void **)(a1 + 32), "loggingConnections");
  v2 = (void *)objc_retainAutoreleasedReturnValue(v1);
  v3 = objc_loadWeakRetained(a1 + 40);
  objc_msgSend(v2, "performSelectorOnMainThread:withObject:waitUntilDone:", "removeObject:", v3, 1LL);
  objc_release(v3);
  return objc_release(v2);
}
The main event loop then terminates the process.
The other way is to spawn a validly signed process with DYLD_* environment variables set, which enables dynamic code injection.
Because the following files are not protected against this, they can be abused to bypass the signature check:
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AutoUpdate
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon
To protect these binaries, any one of the following methods would do:
1. Library validation: add -o library to "Other Code Signing Flags".
2. A segment named __RESTRICT in the Mach-O header that contains a section named __restrict: dyld then treats the process as restricted and ignores DYLD_* environment variables, blocking injection into it.
3. Sign the Mach-O file with entitlements.
Now I am able to talk to the XPC service.
The MAU interface exposes -[MAUHelperTool installUpdateWithPackage:withXMLPath:withReply:], which accepts a package path from the XPC client and installs it; however, it locks the package file and verifies its digital signature!
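To check whether a given binary actually carries one of the three protections listed above, the following audit script was added here as an example; it is not code from the original article or from Microsoft. Each check is a function that parses the text output of a tool, so the logic runs offline against the constructed samples at the bottom, while audit_binary() wires the functions to the real codesign and otool on a Mac. The assumed output formats are: codesign -dvvv reports the CodeDirectory flags as e.g. "flags=0x2000(library-validation)", otool -l lists "segname __RESTRICT" / "sectname __restrict", and codesign -d --entitlements :- prints the entitlement plist (nothing for an unentitled binary).

```shell
#!/bin/sh
# Added example (not from the original article or from Microsoft): audit a
# Mach-O for the three anti-injection protections. Parsing functions take the
# tool output as text so they can be tested with constructed samples.

# 1. Library validation: look for "library-validation" inside the parenthesised
#    flag names that codesign -dvvv prints after "flags=0x...".
has_library_validation() {
    printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*([^)]*library-validation' \
        && echo yes || echo no
}

# 2. A __RESTRICT segment holding a __restrict section, as listed by otool -l.
has_restrict_segment() {
    if printf '%s\n' "$1" | grep -q 'segname __RESTRICT' &&
       printf '%s\n' "$1" | grep -q 'sectname __restrict'; then
        echo yes
    else
        echo no
    fi
}

# 3. Entitlements: an entitlement plist contains at least one <key> element
#    (assumption about the output of `codesign -d --entitlements :-`).
has_entitlements() {
    printf '%s\n' "$1" | grep -q '<key>' && echo yes || echo no
}

# Any one of the three makes dyld treat the process as restricted, so DYLD_*
# injection is refused. Arguments: codesign output, otool output, entitlements.
is_injection_protected() {
    lv=$(has_library_validation "$1")
    rs=$(has_restrict_segment "$2")
    en=$(has_entitlements "$3")
    if [ "$lv" = yes ] || [ "$rs" = yes ] || [ "$en" = yes ]; then
        echo protected
    else
        echo unprotected
    fi
}

# Run the real tools against one binary (macOS only).
audit_binary() {
    bin=$1
    sig=$(codesign -dvvv "$bin" 2>&1)
    lc=$(otool -l "$bin" 2>&1)
    ent=$(codesign -d --entitlements :- "$bin" 2>/dev/null)
    printf '%s: library-validation=%s __RESTRICT=%s entitlements=%s -> %s\n' \
        "$bin" "$(has_library_validation "$sig")" "$(has_restrict_segment "$lc")" \
        "$(has_entitlements "$ent")" "$(is_injection_protected "$sig" "$lc" "$ent")"
}

# Constructed sample outputs (not captured from the real MAU binaries).
SAMPLE_SIG_WEAK='Executable=/tmp/example
Identifier=com.example.app
CodeDirectory v=20200 size=273 flags=0x0(none) hashes=3+2 location=embedded'
SAMPLE_SIG_LV='Executable=/tmp/example
Identifier=com.example.app
CodeDirectory v=20200 size=273 flags=0x2000(library-validation) hashes=3+2 location=embedded'
SAMPLE_LC_RESTRICT='Load command 3
      cmd LC_SEGMENT_64
  cmdsize 152
  segname __RESTRICT
Section
  sectname __restrict
   segname __RESTRICT'
SAMPLE_LC_PLAIN='Load command 3
      cmd LC_SEGMENT_64
  cmdsize 72
  segname __LINKEDIT'
SAMPLE_ENT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>com.example.placeholder-entitlement</key><true/></dict></plist>'

# Usage on a Mac (path from the article):
# audit_binary "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AutoUpdate"
```

The three checks are deliberately independent so that a binary can be reported as protected by one mechanism even when the others are absent; on the two MAU binaries named above, all three checks would have returned "no" at the time of the report.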
Insecure module loading in the legacy Silverlight package
I could not find any way to bypass the signature verification of the pkg file, so I gave up on bypassing it.
After checking some validly signed packages, I found the legacy Silverlight installer: https://www.microsoft.com/getsilverlight/Get-Started/Install/Default.
$ pkgutil --check-signature /Volumes/Silverlight/silverlight.pkg
Package "silverlight.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
       SHA1 fingerprint: 9B 6B 91 3B B1 3F 68 26 12 20 EC 72 11 F0 F2 0E 92 E4 B1 EB
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
The post-install script also caught my attention.
It sets permissive (root:admin, mode 775) permissions on the installed directories:
pushd /Library/Internet\ Plug-Ins/
rm -rf WPFe.plugin/
chown -R root:admin Silverlight.plugin/
chmod -R 775 Silverlight.plugin/
popd
pushd /Library/Application\ Support/Microsoft/
chown -R root:admin Silverlight/
chmod -R 775 Silverlight/
popd
pushd /Library/Application\ Support/
chown root:admin Microsoft/
chmod 775 Microsoft/
Interesting commands:
_PRIBX=`ls -r "/Library/Application Support/Microsoft/PlayReady/Cache" | grep .key | awk '{if (NR==1) {print $1}}'`
if [ "$_PRIBX" ]
then
    _PRIBXVER=`./PlayReadyGetIBXVersionTool "/Library/Application Support/Microsoft/PlayReady/Cache/"$_PRIBX`
    if [ "$_PRIBXVER" = "mspribx.1.5.8" ]
    ...
pushd "/tmp/SilverlightInstallTools"
_SPRDResult=`./rundylib "/Library/Internet Plug-Ins/Silverlight.plugin/Contents/MacOS/SLMSPRBootstrap.dylib"`
It also uses rundylib to open a shared library at a fixed path.
What does rundylib do? Exactly what its name says:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  ...
  v3 = argv[1];
  if ( !v3 )
  {
    puts("ERROR: Invalid path");
    return 1;
  }
  v5 = dlopen(v3, 5);
  ...
}
And PlayReadyGetIBXVersionTool?
signed int __cdecl GetDyLibVersion(const char *path, unsigned int *a2, unsigned int *a3, unsigned int *a4)
{
  ...
  handle = dlopen(path, 1);
  if ( handle )
  {
    v6 = _dyld_image_count();
    for ( i = 0; ; ++i )
    {
      if ( i == v6 )
        goto LABEL_22;
      v8 = _dyld_get_image_name(i);
      if ( !v8 )
      {
        v9 = dlerror();
        printf("Image name not found or index out of range. Error: %s\n", v9);
        v5 = 5;
        goto LABEL_21;
      }
      if ( !strcmp(v8, path) )
        break;
    }
    v10 = _dyld_get_image_header(i);
    if ( !v10 )
    {
      ...
Its job is to load and execute a shared library from "Cache" inside a privileged process in order to read its version information.
Both
/Library/Internet Plug-Ins/Silverlight.plugin/Contents/MacOS/SLMSPRBootstrap.dylib
and
/Library/Application Support/Microsoft/PlayReady/Cache
are writable by unprivileged users. Replacing SLMSPRBootstrap.dylib, however, requires winning a race condition, which is harder to control, whereas Cache has no such problem.
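A privileged dlopen() is only as safe as every directory on the way to the library: if any path component is writable by a non-root user, the file can be replaced, or, as with Cache, created from scratch under a writable parent. The audit below was added here as an example and is not code from the original article or from Microsoft; it classifies each path component by the group- and other-write bits from ls -ld (portable across macOS and Linux) and reports the first weak component. The two load paths are the ones quoted from the post-install script above; the optional stop directory is an assumption introduced so the walk can be confined to a test tree.

```shell
#!/bin/sh
# Added example (not from the original article or from Microsoft): permission
# audit for paths that a root process hands to dlopen().

# Permission class of one filesystem object, from the symbolic mode string
# of `ls -ld`: char 6 is the group write bit, char 9 the other write bit.
perm_class() {
    [ -e "$1" ] || { echo missing; return; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????????w?) echo world-writable ;;
        ?????w????) echo group-writable ;;
        *)          echo owner-only ;;
    esac
}

# Walk from the path up towards the stop directory (default: /). A missing
# leaf is not an error: its parents decide whether it can simply be created.
# Echoes "weak <component> <class>" for the first writable component, else "ok".
weakest_component() {
    p=$1
    stop=${2:-/}
    while [ -n "$p" ] && [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        c=$(perm_class "$p")
        case "$c" in
            world-writable|group-writable) echo "weak $p $c"; return ;;
        esac
        p=$(dirname "$p")
    done
    echo ok
}

# The two load paths from the Silverlight post-install script (from the article).
LOAD_PATHS='/Library/Internet Plug-Ins/Silverlight.plugin/Contents/MacOS/SLMSPRBootstrap.dylib
/Library/Application Support/Microsoft/PlayReady/Cache'

# Report each load path on the machine this runs on.
audit_load_paths() {
    printf '%s\n' "$LOAD_PATHS" | while IFS= read -r p; do
        printf '%s -> %s\n' "$p" "$(weakest_component "$p")"
    done
}

# Usage on a Mac:  audit_load_paths
```

After the Silverlight installer has run, the walk for the Cache path stops at /Library/Application Support/Microsoft, which the script chowns to root:admin and chmods to 775, so every member of the admin group is reported as able to plant content there; the fix is to leave those directories root-owned with mode 755 and to stop loading code from user-writable locations in a privileged process.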
Exploitation
The exploitation steps are as follows:
1. Inject into "Microsoft AutoUpdate" with DYLD_INSERT_LIBRARIES.
2. Place the vulnerable Silverlight installer at some path and send an XPC request to the updater helper asking it to install the package.
3. Create the Cache folder and place the shared library at its root.
4. The installer runs, and our malicious code is loaded by the root process.