1 00:00:03,620 --> 00:00:06,839 all right hello nuncom today's talk is 2 00:00:06,839 --> 00:00:09,179 zero day up to your sleeve attacking 3 00:00:09,179 --> 00:00:11,040 Marcus environments 4 00:00:11,040 --> 00:00:14,099 my name is and I'm a head of mobile 5 00:00:14,099 --> 00:00:17,279 security at securing where I'm mostly 6 00:00:17,279 --> 00:00:20,699 focused on iOS and Mac OS application 7 00:00:20,699 --> 00:00:24,480 Security in my free time I run a Blog on 8 00:00:24,480 --> 00:00:27,119 voice record.blog which is about of 9 00:00:27,119 --> 00:00:29,519 course Apple security so if you are 10 00:00:29,519 --> 00:00:31,859 interested in this topic feel free 11 00:00:31,859 --> 00:00:36,360 um to visit my blog somebody of you may 12 00:00:36,360 --> 00:00:39,059 also know me from IOS Security Suite 13 00:00:39,059 --> 00:00:42,059 that I'm a creator of it's a free Swift 14 00:00:42,059 --> 00:00:45,059 open source library that helps 15 00:00:45,059 --> 00:00:47,460 developers and security teams making 16 00:00:47,460 --> 00:00:49,980 sure that their mobile application is 17 00:00:49,980 --> 00:00:52,559 compliant with OAS mobile application 18 00:00:52,559 --> 00:00:55,379 security verification framework checks 19 00:00:55,379 --> 00:00:58,260 and recently we also started in securing 20 00:00:58,260 --> 00:01:00,480 a new service that is macros environment 21 00:01:00,480 --> 00:01:02,840 security testing 22 00:01:02,840 --> 00:01:05,640 so let's go to the agenda and before 23 00:01:05,640 --> 00:01:07,920 I'll introduce you to this talk 24 00:01:07,920 --> 00:01:11,100 um I had an idea in my mind before I 25 00:01:11,100 --> 00:01:13,799 started creating the stock that I'd like 26 00:01:13,799 --> 00:01:18,140 to give uh like typical red theming talk 27 00:01:18,140 --> 00:01:21,240 but red team in talks are usually about 28 00:01:21,240 --> 00:01:24,360 Windows or Linux but I wanted to give a 29 00:01:24,360 --> 00:01:27,000 Mac OS related doc to share with that 30 00:01:27,000 --> 00:01:29,400 all these techniques that you know from 31 00:01:29,400 --> 00:01:31,979 attacking windows or Linux are also 32 00:01:31,979 --> 00:01:34,939 possible on Max that Max can also be 33 00:01:34,939 --> 00:01:37,259 successfully attacked 34 00:01:37,259 --> 00:01:40,680 all right so uh we'll start from a quick 35 00:01:40,680 --> 00:01:42,360 introduction 36 00:01:42,360 --> 00:01:45,299 um then we'll compare some different use 37 00:01:45,299 --> 00:01:48,439 cases of marks in corporate environments 38 00:01:48,439 --> 00:01:51,659 and then we'll start with setting up a 39 00:01:51,659 --> 00:01:55,079 C2 with mafic and then the standard red 40 00:01:55,079 --> 00:01:57,560 teaming procedure that is initial access 41 00:01:57,560 --> 00:02:00,600 persistence data collection lateral 42 00:02:00,600 --> 00:02:03,899 movement and because I don't like living 43 00:02:03,899 --> 00:02:06,719 people without the recommendations uh 44 00:02:06,719 --> 00:02:08,699 I'll talk a bit about hardening markers 45 00:02:08,699 --> 00:02:10,080 environments and of course the 46 00:02:10,080 --> 00:02:12,060 conclusion 47 00:02:12,060 --> 00:02:15,540 all right so I have one question to you 48 00:02:15,540 --> 00:02:17,760 or two questions but that's the first 49 00:02:17,760 --> 00:02:20,340 one uh please raise your hand if there 50 00:02:20,340 --> 00:02:24,200 is at least one mark in your company 51 00:02:24,200 --> 00:02:27,720 all right so it's like 90 percent of the 52 00:02:27,720 --> 00:02:30,720 audience I think that's good 53 00:02:30,720 --> 00:02:33,540 so the second question please raise your 54 00:02:33,540 --> 00:02:36,239 hand if that Mark has access to your 55 00:02:36,239 --> 00:02:38,340 company resources like other windows 56 00:02:38,340 --> 00:02:40,700 machines 57 00:02:41,160 --> 00:02:43,860 okay like I think like almost everybody 58 00:02:43,860 --> 00:02:46,200 who raised throughout their hand during 59 00:02:46,200 --> 00:02:47,879 the first question was if their hand 60 00:02:47,879 --> 00:02:49,980 during the second question what's good 61 00:02:49,980 --> 00:02:53,340 but because it it proves that my 62 00:02:53,340 --> 00:02:55,860 assumptions were correct 63 00:02:55,860 --> 00:02:58,440 all right so why did I decide to make 64 00:02:58,440 --> 00:03:02,040 this dog because marks are getting more 65 00:03:02,040 --> 00:03:04,800 common in corporate environments uh that 66 00:03:04,800 --> 00:03:07,319 are widely used by developers ux 67 00:03:07,319 --> 00:03:09,720 designers managers 68 00:03:09,720 --> 00:03:11,159 Etc 69 00:03:11,159 --> 00:03:14,459 um and small companies or software 70 00:03:14,459 --> 00:03:17,959 houses or ID companies in general 71 00:03:17,959 --> 00:03:21,239 those companies have large percent of 72 00:03:21,239 --> 00:03:23,659 Max in their environments 73 00:03:23,659 --> 00:03:27,379 and those marks are not symmetrically 74 00:03:27,379 --> 00:03:29,459 secured comparing them to Windows 75 00:03:29,459 --> 00:03:33,560 machine I spoke some time ago with with 76 00:03:33,560 --> 00:03:36,180 a person that works for a big 77 00:03:36,180 --> 00:03:37,620 International Bank 78 00:03:37,620 --> 00:03:40,799 and and he told me waiting but we don't 79 00:03:40,799 --> 00:03:43,680 have any marks in in our environment and 80 00:03:43,680 --> 00:03:46,980 I asked do you really you I I saw you 81 00:03:46,980 --> 00:03:48,900 have a mobile banking application for 82 00:03:48,900 --> 00:03:52,440 iOS so how do your developers uh 83 00:03:52,440 --> 00:03:54,299 program it and build it and then deploy 84 00:03:54,299 --> 00:03:55,019 it 85 00:03:55,019 --> 00:03:58,019 and uh he said okay I will return uh 86 00:03:58,019 --> 00:04:00,540 return to you of the answer on that and 87 00:04:00,540 --> 00:04:03,000 after a couple of days he told me yes 88 00:04:03,000 --> 00:04:06,420 actually we have a team an iOS team that 89 00:04:06,420 --> 00:04:08,879 that makes that application and you know 90 00:04:08,879 --> 00:04:11,459 what our Macs are not even a Max of that 91 00:04:11,459 --> 00:04:13,799 developers are not even enrolled to MDM 92 00:04:13,799 --> 00:04:15,780 or anything yeah you know they bring 93 00:04:15,780 --> 00:04:17,399 their own devices that are a blind spot 94 00:04:17,399 --> 00:04:20,519 for their socks so that's that was an 95 00:04:20,519 --> 00:04:23,040 interesting conversation 96 00:04:23,040 --> 00:04:26,340 so what are the problems that we 97 00:04:26,340 --> 00:04:30,479 identified uh during many Marcus 98 00:04:30,479 --> 00:04:33,180 environments assessments so there were 99 00:04:33,180 --> 00:04:35,580 old and vulnerable macros and versions 100 00:04:35,580 --> 00:04:37,800 everywhere like everywhere 101 00:04:37,800 --> 00:04:38,460 um 102 00:04:38,460 --> 00:04:42,360 we had one assessment uh when I 103 00:04:42,360 --> 00:04:43,680 um 104 00:04:43,680 --> 00:04:45,720 audit all the marks because it was a 105 00:04:45,720 --> 00:04:47,759 small company and it turned out that the 106 00:04:47,759 --> 00:04:49,979 person responsible for Finance in that 107 00:04:49,979 --> 00:04:53,100 company used Max use Mac not updated for 108 00:04:53,100 --> 00:04:54,840 three or four years 109 00:04:54,840 --> 00:04:56,820 and you know Max also have 110 00:04:56,820 --> 00:04:58,979 vulnerabilities right 111 00:04:58,979 --> 00:05:03,000 um by default Marcus system firewall is 112 00:05:03,000 --> 00:05:07,680 disabled so if there is nobody who uh 113 00:05:07,680 --> 00:05:09,840 force people to turn on their firewalls 114 00:05:09,840 --> 00:05:12,900 especially non-technical people uh the 115 00:05:12,900 --> 00:05:14,580 max probably will be left with the 116 00:05:14,580 --> 00:05:17,280 firewall disabled and anti-mother do 117 00:05:17,280 --> 00:05:19,979 marks even have viruses unfortunately 118 00:05:19,979 --> 00:05:23,039 yes we have to care about it 119 00:05:23,039 --> 00:05:25,320 um not even saying about standard users 120 00:05:25,320 --> 00:05:28,860 working on admin accounts 121 00:05:28,860 --> 00:05:32,460 um and I think that this uh common and 122 00:05:32,460 --> 00:05:34,500 some hardened Windows environments like 123 00:05:34,500 --> 00:05:36,600 this is lack of hardening white listing 124 00:05:36,600 --> 00:05:38,600 like 125 00:05:38,600 --> 00:05:40,860 white listing of an application is of 126 00:05:40,860 --> 00:05:42,419 course in the most hardened Windows 127 00:05:42,419 --> 00:05:45,660 environment but I didn't see in all 128 00:05:45,660 --> 00:05:48,360 assessment that we did we I didn't see 129 00:05:48,360 --> 00:05:50,580 at least once 130 00:05:50,580 --> 00:05:52,199 um corporate environment with the white 131 00:05:52,199 --> 00:05:53,639 listing on max 132 00:05:53,639 --> 00:05:57,060 and and mid-sized companies uh marks are 133 00:05:57,060 --> 00:06:01,020 not even enrolled to enrolled in mdms so 134 00:06:01,020 --> 00:06:02,580 that that's really bad there is no 135 00:06:02,580 --> 00:06:05,580 Central mechanism to to manage those 136 00:06:05,580 --> 00:06:09,780 marks in mid-size companies usually 137 00:06:09,780 --> 00:06:13,380 okay so let's compare now uh three 138 00:06:13,380 --> 00:06:15,720 situations where marks are present in 139 00:06:15,720 --> 00:06:17,940 corporate environments so the first 140 00:06:17,940 --> 00:06:21,300 scenario is that marks are directly 141 00:06:21,300 --> 00:06:23,160 banned to the ID so there's a classic 142 00:06:23,160 --> 00:06:25,199 active directory environment with 143 00:06:25,199 --> 00:06:28,020 Windows machines there are most Windows 144 00:06:28,020 --> 00:06:30,180 machines and some of the developers 145 00:06:30,180 --> 00:06:34,199 managers Etc use Max and those Macs are 146 00:06:34,199 --> 00:06:36,360 natively bound to the ad but that's the 147 00:06:36,360 --> 00:06:38,699 most rare situation to be honest from 148 00:06:38,699 --> 00:06:40,800 from my experience 149 00:06:40,800 --> 00:06:43,759 uh the second one uh a bit more common 150 00:06:43,759 --> 00:06:48,479 is that all right so this company has an 151 00:06:48,479 --> 00:06:51,240 active directory environment 152 00:06:51,240 --> 00:06:53,060 um those Macs are not bound to the ad 153 00:06:53,060 --> 00:06:56,880 but they have some how to access uh 154 00:06:56,880 --> 00:06:59,520 resources using the care girls so there 155 00:06:59,520 --> 00:07:01,560 is an application an extension called 156 00:07:01,560 --> 00:07:04,860 Nomad that handles kerberries for you so 157 00:07:04,860 --> 00:07:07,919 the user provides user or the admin 158 00:07:07,919 --> 00:07:10,680 provides the ID credentials to Kerber to 159 00:07:10,680 --> 00:07:14,280 to Nomad and it generates the whole uh 160 00:07:14,280 --> 00:07:16,139 caregivers communication 161 00:07:16,139 --> 00:07:18,380 foreign 162 00:07:18,380 --> 00:07:21,900 observed in in modern companies is that 163 00:07:21,900 --> 00:07:24,180 there is no active directory just one 164 00:07:24,180 --> 00:07:28,199 SSO like for example OCTA and uh we had 165 00:07:28,199 --> 00:07:30,660 this SSO that the person gets access to 166 00:07:30,660 --> 00:07:32,880 all these Services used by by the 167 00:07:32,880 --> 00:07:34,560 company that are of course in the cloud 168 00:07:34,560 --> 00:07:37,800 so there is ID is not necessary in this 169 00:07:37,800 --> 00:07:39,479 scenario 170 00:07:39,479 --> 00:07:42,840 okay but for this talk uh we will focus 171 00:07:42,840 --> 00:07:45,780 on such an environment so we will be 172 00:07:45,780 --> 00:07:47,940 attacking a Mac 173 00:07:47,940 --> 00:07:51,300 um that the Via openvpn 174 00:07:51,300 --> 00:07:54,180 has access to internal company resources 175 00:07:54,180 --> 00:07:57,120 it uses Nomad to 176 00:07:57,120 --> 00:07:59,580 um to talk to active directory and then 177 00:07:59,580 --> 00:08:01,979 via active directory gets access to 178 00:08:01,979 --> 00:08:05,580 Google workspace or jira software 179 00:08:05,580 --> 00:08:09,060 um this uh this this Mac also uses AWS 180 00:08:09,060 --> 00:08:11,400 there are token stored 181 00:08:11,400 --> 00:08:15,560 um has a browser in this case Firefox 182 00:08:15,560 --> 00:08:19,259 that connects you to Twitter Facebook or 183 00:08:19,259 --> 00:08:21,660 other social media and that's usually a 184 00:08:21,660 --> 00:08:24,000 common case especially for marketing 185 00:08:24,000 --> 00:08:27,560 teams because usually marketing 186 00:08:27,560 --> 00:08:30,000 department works on their private 187 00:08:30,000 --> 00:08:31,880 account linked to the company account 188 00:08:31,880 --> 00:08:35,940 and it's you know not really good to uh 189 00:08:35,940 --> 00:08:38,039 to bend your private accounts to the 190 00:08:38,039 --> 00:08:42,059 company's SSO so usually the 191 00:08:42,059 --> 00:08:44,640 connection to social media as out of 192 00:08:44,640 --> 00:08:47,880 Kerberos it's our out of SSO it's it's a 193 00:08:47,880 --> 00:08:50,220 like typical connection to to Social 194 00:08:50,220 --> 00:08:51,899 Media Services not via the company 195 00:08:51,899 --> 00:08:55,140 infrastructure uh so there will be uh 196 00:08:55,140 --> 00:08:56,700 for example stored password for social 197 00:08:56,700 --> 00:08:59,519 media accounts on such a machine 198 00:08:59,519 --> 00:09:01,740 and that company heard that signal is a 199 00:09:01,740 --> 00:09:03,660 secure messenger so we'll be attacking 200 00:09:03,660 --> 00:09:07,200 signal on those Macs and of course there 201 00:09:07,200 --> 00:09:09,959 will be some secret data certain desktop 202 00:09:09,959 --> 00:09:13,920 or other TCC protected directors 203 00:09:13,920 --> 00:09:16,560 all right so in order to uh to perform 204 00:09:16,560 --> 00:09:18,240 this attack 205 00:09:18,240 --> 00:09:20,640 um we will be using methic that's a 206 00:09:20,640 --> 00:09:23,459 really great red steaming framework with 207 00:09:23,459 --> 00:09:26,940 an extensive macro support uh it's open 208 00:09:26,940 --> 00:09:30,240 source it's created by Cody Thomas I 209 00:09:30,240 --> 00:09:32,220 really love mavic because as I told you 210 00:09:32,220 --> 00:09:34,680 it's open source it has really extensive 211 00:09:34,680 --> 00:09:37,440 docks so it's really easy to set up not 212 00:09:37,440 --> 00:09:40,140 not really common so 213 00:09:40,140 --> 00:09:44,180 it's not really detected for now 214 00:09:44,399 --> 00:09:48,480 okay so let me show you a quick demo so 215 00:09:48,480 --> 00:09:51,420 we have the metric set up already we'll 216 00:09:51,420 --> 00:09:54,380 log into Mythic 217 00:09:55,320 --> 00:09:58,920 that's the main dashboard uh we have one 218 00:09:58,920 --> 00:10:01,380 payload that is up fill the standard one 219 00:10:01,380 --> 00:10:06,240 and C2 profile uh HD that is http 220 00:10:06,240 --> 00:10:09,300 so let's create a new payload it's 221 00:10:09,300 --> 00:10:11,519 really simple generate new payload we 222 00:10:11,519 --> 00:10:13,620 select the operating system of the 223 00:10:13,620 --> 00:10:15,420 target of course Mac OS in our case 224 00:10:15,420 --> 00:10:18,440 upfell the the default one 225 00:10:18,440 --> 00:10:21,839 we select all the commands that will be 226 00:10:21,839 --> 00:10:23,040 accessible 227 00:10:23,040 --> 00:10:25,620 and we decided to use the simplest 228 00:10:25,620 --> 00:10:30,320 connection that's HTTP not developed SSL 229 00:10:30,360 --> 00:10:34,220 we provide them the Callback host 230 00:10:35,020 --> 00:10:37,560 [Music] 231 00:10:37,560 --> 00:10:40,920 we click next 232 00:10:40,920 --> 00:10:43,200 create payload 233 00:10:43,200 --> 00:10:44,760 and now 234 00:10:44,760 --> 00:10:47,100 we can download it and and use it to to 235 00:10:47,100 --> 00:10:50,640 attack the victim 236 00:10:51,420 --> 00:10:54,060 all right but uh there are there are 237 00:10:54,060 --> 00:10:56,220 some problems on how can we get the 238 00:10:56,220 --> 00:10:57,360 initial access 239 00:10:57,360 --> 00:11:00,180 so according to Apple all the software 240 00:11:00,180 --> 00:11:02,519 downloaded directly with your browser or 241 00:11:02,519 --> 00:11:04,620 in general from the internet must be 242 00:11:04,620 --> 00:11:08,160 notarized and it's the case for macros 243 00:11:08,160 --> 00:11:10,440 applications non-up bundles disk images 244 00:11:10,440 --> 00:11:14,100 flat installer packages so most of the 245 00:11:14,100 --> 00:11:15,959 car come on 246 00:11:15,959 --> 00:11:17,100 um 247 00:11:17,100 --> 00:11:19,500 stuff that executes your code on your 248 00:11:19,500 --> 00:11:20,899 machines right 249 00:11:20,899 --> 00:11:24,560 and what's that notarization so 250 00:11:24,560 --> 00:11:27,959 notarization requires uh developers to 251 00:11:27,959 --> 00:11:31,500 have a developer ID 252 00:11:31,500 --> 00:11:35,880 the paid one and to distribute their 253 00:11:35,880 --> 00:11:37,440 application 254 00:11:37,440 --> 00:11:39,660 but before they they can distribute 255 00:11:39,660 --> 00:11:41,339 their applications they have to upload 256 00:11:41,339 --> 00:11:43,200 it to Apple their application has to 257 00:11:43,200 --> 00:11:45,480 meet some requirements the security 258 00:11:45,480 --> 00:11:48,240 policies and it's verifying against 259 00:11:48,240 --> 00:11:51,839 against the malicious code if there is 260 00:11:51,839 --> 00:11:54,000 there is some malicious code in in those 261 00:11:54,000 --> 00:11:55,140 applications 262 00:11:55,140 --> 00:11:57,180 but you may ask me all right but what 263 00:11:57,180 --> 00:11:59,940 happens if I don't notarize my my 264 00:11:59,940 --> 00:12:02,459 application or my payload 265 00:12:02,459 --> 00:12:05,120 um so unfortunately Mac OS will block it 266 00:12:05,120 --> 00:12:07,920 there will be a prompt that uh no 267 00:12:07,920 --> 00:12:09,779 notarized app cannot be opened because 268 00:12:09,779 --> 00:12:12,720 the developer cannot be verified so we 269 00:12:12,720 --> 00:12:14,519 have to somehow 270 00:12:14,519 --> 00:12:16,680 may pass it 271 00:12:16,680 --> 00:12:19,620 so this is the talk this is what the 272 00:12:19,620 --> 00:12:22,019 talk is this talk is about 273 00:12:22,019 --> 00:12:24,899 um so let's find some solutions we can 274 00:12:24,899 --> 00:12:27,300 of course buy a proper developer 275 00:12:27,300 --> 00:12:30,300 certificate create a legit per PKG file 276 00:12:30,300 --> 00:12:32,940 and now it arise it but we are risking 277 00:12:32,940 --> 00:12:36,800 our certificate to be revoked right 278 00:12:37,560 --> 00:12:40,100 so there is there is the second solution 279 00:12:40,100 --> 00:12:43,459 uh commonly used by by current malware 280 00:12:43,459 --> 00:12:45,079 so 281 00:12:45,079 --> 00:12:50,339 we can provide our payload uh bundled in 282 00:12:50,339 --> 00:12:54,000 a DMG file and DMG file as a disk image 283 00:12:54,000 --> 00:12:57,060 where we can set the background of so as 284 00:12:57,060 --> 00:12:59,100 you can see here that's that's an 285 00:12:59,100 --> 00:13:01,920 example of real malware uh there is a 286 00:13:01,920 --> 00:13:04,200 background with an instruction to the 287 00:13:04,200 --> 00:13:07,500 victim on how to bypass their uh how to 288 00:13:07,500 --> 00:13:09,120 make the victim bypass their own 289 00:13:09,120 --> 00:13:12,000 security mechanisms right so the the 290 00:13:12,000 --> 00:13:15,180 malware asked the user to right click on 291 00:13:15,180 --> 00:13:18,060 the on the package unsigned package and 292 00:13:18,060 --> 00:13:19,860 click open and there will be a prompt 293 00:13:19,860 --> 00:13:22,019 that the application was downloaded from 294 00:13:22,019 --> 00:13:24,360 the internet it wasn't verified by Apple 295 00:13:24,360 --> 00:13:28,139 so please click OK and and you know risk 296 00:13:28,139 --> 00:13:30,779 your Mac hacked and so that's that's the 297 00:13:30,779 --> 00:13:32,700 second idea 298 00:13:32,700 --> 00:13:36,000 uh the third idea uh because this talk 299 00:13:36,000 --> 00:13:38,100 is about zero days 300 00:13:38,100 --> 00:13:41,760 um we can find a gatekeeper bypass a 301 00:13:41,760 --> 00:13:44,339 gatekeeper is the mechanism that on Mac 302 00:13:44,339 --> 00:13:47,100 OS side verifies if the application was 303 00:13:47,100 --> 00:13:49,139 indeed notarized 304 00:13:49,139 --> 00:13:52,139 um so we can bypass it with a zero day I 305 00:13:52,139 --> 00:13:56,579 even find one uh one year ago uh but 306 00:13:56,579 --> 00:13:59,180 it's fixed 307 00:13:59,339 --> 00:14:01,980 and we have the fourth technique and 308 00:14:01,980 --> 00:14:03,240 that's the technique you probably know 309 00:14:03,240 --> 00:14:05,760 from attacking Windows that's a 310 00:14:05,760 --> 00:14:07,519 technique that involves Microsoft Word 311 00:14:07,519 --> 00:14:12,320 on Microsoft Word uh there is also uh 312 00:14:12,320 --> 00:14:16,380 macros macro possibility attack so we 313 00:14:16,380 --> 00:14:19,079 have a Visual Basic and how to open 314 00:14:19,079 --> 00:14:22,440 subroutine which will be executed after 315 00:14:22,440 --> 00:14:25,920 user opens that document file and allows 316 00:14:25,920 --> 00:14:27,779 macros 317 00:14:27,779 --> 00:14:30,600 um and and that subroutine we can call 318 00:14:30,600 --> 00:14:31,940 Max script 319 00:14:31,940 --> 00:14:37,560 that in the end will will execute our 320 00:14:37,560 --> 00:14:40,880 bash commands so in that case I just 321 00:14:40,880 --> 00:14:45,000 download the uh our payload created with 322 00:14:45,000 --> 00:14:49,019 mavic and I run it with also script 323 00:14:49,019 --> 00:14:51,779 all right so 324 00:14:51,779 --> 00:14:53,760 let's assume that that user downloaded 325 00:14:53,760 --> 00:14:56,000 it and and clicked 326 00:14:56,000 --> 00:14:59,940 enable macros the code has been executed 327 00:14:59,940 --> 00:15:02,459 but the problem is that 328 00:15:02,459 --> 00:15:06,180 Microsoft Word is a Sandbox so even if 329 00:15:06,180 --> 00:15:10,820 we use that trick with macros our 330 00:15:10,820 --> 00:15:13,980 our remote cell will be not that cool 331 00:15:13,980 --> 00:15:17,100 because it will still run in a sandbox 332 00:15:17,100 --> 00:15:21,260 process context so we can do 333 00:15:21,260 --> 00:15:24,720 you know unlimited stuff on that machine 334 00:15:24,720 --> 00:15:27,060 however there is there is another bypass 335 00:15:27,060 --> 00:15:30,660 for it uh made by madhubat that shared a 336 00:15:30,660 --> 00:15:33,540 really cool technique uh that allows us 337 00:15:33,540 --> 00:15:36,600 to escape World sandbox however it 338 00:15:36,600 --> 00:15:39,120 requires the user to reboot their Max 339 00:15:39,120 --> 00:15:40,560 so 340 00:15:40,560 --> 00:15:43,139 it's it's good technique especially when 341 00:15:43,139 --> 00:15:45,180 you know for example that Apple will 342 00:15:45,180 --> 00:15:48,120 push some updates and you can infect the 343 00:15:48,120 --> 00:15:49,980 machines right before that update so 344 00:15:49,980 --> 00:15:52,440 you'll be sure that most of the users 345 00:15:52,440 --> 00:15:54,720 maybe if it's enforced for example will 346 00:15:54,720 --> 00:15:57,060 reboot their Max but you know it's not 347 00:15:57,060 --> 00:16:00,060 like 100 effective we'd like to see 348 00:16:00,060 --> 00:16:02,940 something more effective 349 00:16:02,940 --> 00:16:06,360 so we have our own zero days and I now 350 00:16:06,360 --> 00:16:07,800 present a marker sandbox SK 351 00:16:07,800 --> 00:16:09,199 vulnerability 352 00:16:09,199 --> 00:16:14,279 unfortunately is not fixed so I won't 353 00:16:14,279 --> 00:16:17,160 show you the the actual code so you have 354 00:16:17,160 --> 00:16:19,380 to trust me that the the the this demo 355 00:16:19,380 --> 00:16:21,680 is real 356 00:16:22,019 --> 00:16:26,160 all right so this this zero day is for 357 00:16:26,160 --> 00:16:29,579 um the whole standard macros unboxing 358 00:16:29,579 --> 00:16:30,260 um 359 00:16:30,260 --> 00:16:32,940 mechanism it's not only for escaping the 360 00:16:32,940 --> 00:16:34,860 word but it's for the whole standard 361 00:16:34,860 --> 00:16:38,279 sandboxing mechanism so let's see how it 362 00:16:38,279 --> 00:16:41,699 works so the user clicks on the document 363 00:16:41,699 --> 00:16:45,300 file clicks enable macros 364 00:16:45,300 --> 00:16:47,820 and as you can see we have now an active 365 00:16:47,820 --> 00:16:49,620 callback 366 00:16:49,620 --> 00:16:53,339 we can now use it we I wrote shell I 367 00:16:53,339 --> 00:16:54,899 come on to the mafic and now we can 368 00:16:54,899 --> 00:16:57,360 execute any shell command we want 369 00:16:57,360 --> 00:17:01,160 so let's start with qmi 370 00:17:01,199 --> 00:17:05,000 regula that is my user 371 00:17:06,059 --> 00:17:08,880 and now let's try with alas uh the 372 00:17:08,880 --> 00:17:11,880 user's directory which if succeeds means 373 00:17:11,880 --> 00:17:17,360 that we have unsun boxed code execution 374 00:17:19,319 --> 00:17:22,319 yeah so we can see two users which means 375 00:17:22,319 --> 00:17:24,299 that our code is now 376 00:17:24,299 --> 00:17:26,760 unsigned and unsun boxed run by the 377 00:17:26,760 --> 00:17:28,380 victim that's good 378 00:17:28,380 --> 00:17:30,900 we have the initial access now let's 379 00:17:30,900 --> 00:17:35,039 talk about the persistence so on Mac OS 380 00:17:35,039 --> 00:17:37,580 uh there are a bunch of typical 381 00:17:37,580 --> 00:17:39,960 persistence techniques like launch 382 00:17:39,960 --> 00:17:42,780 agents lunch demons login items Crown 383 00:17:42,780 --> 00:17:45,480 jobs and tons of others my friend 384 00:17:45,480 --> 00:17:48,900 chapafields documented it on his block 385 00:17:48,900 --> 00:17:53,039 so it's now like 27 or something uh 386 00:17:53,039 --> 00:17:55,020 persistence techniques the document and 387 00:17:55,020 --> 00:17:58,080 so it's quite a lot 388 00:17:58,080 --> 00:18:00,900 but in this talk we'll use the standard 389 00:18:00,900 --> 00:18:05,280 one so we pass the persist uh launch to 390 00:18:05,280 --> 00:18:07,740 the command to the Mythic and now with 391 00:18:07,740 --> 00:18:09,720 the Osa script the very same command 392 00:18:09,720 --> 00:18:12,539 that I used in the word macros we will 393 00:18:12,539 --> 00:18:15,440 be running the 394 00:18:15,440 --> 00:18:20,299 the payload created by math right 395 00:18:27,539 --> 00:18:31,140 we can change the label to look more 396 00:18:31,140 --> 00:18:33,740 stealthy 397 00:18:35,760 --> 00:18:39,020 and click task 398 00:18:39,360 --> 00:18:41,160 Let's Wait a While 399 00:18:41,160 --> 00:18:44,640 for the method to uh to create the 400 00:18:44,640 --> 00:18:48,240 launch agent it's as you can see the 401 00:18:48,240 --> 00:18:50,700 file has been written 402 00:18:50,700 --> 00:18:52,140 so 403 00:18:52,140 --> 00:18:55,020 now the Second Step because now we we 404 00:18:55,020 --> 00:18:57,179 registered the the launch agent but now 405 00:18:57,179 --> 00:19:00,299 we'd like to load it 406 00:19:00,299 --> 00:19:02,820 and that's simple we just take the 407 00:19:02,820 --> 00:19:03,419 um 408 00:19:03,419 --> 00:19:05,820 the path again shell 409 00:19:05,820 --> 00:19:07,620 land CTL 410 00:19:07,620 --> 00:19:10,440 load and Dot path 411 00:19:10,440 --> 00:19:12,059 click task 412 00:19:12,059 --> 00:19:14,400 and in a while you will see that we will 413 00:19:14,400 --> 00:19:18,380 have the second active callback 414 00:19:19,039 --> 00:19:20,700 yeah 415 00:19:20,700 --> 00:19:23,400 the second one so now we have answered 416 00:19:23,400 --> 00:19:26,460 boxed unassigned code execution on Mac 417 00:19:26,460 --> 00:19:28,799 web persistence right so even if the 418 00:19:28,799 --> 00:19:30,419 victim reboots the computer it will be 419 00:19:30,419 --> 00:19:33,360 still able to connect to that reverse 420 00:19:33,360 --> 00:19:35,520 shell 421 00:19:35,520 --> 00:19:36,960 all right 422 00:19:36,960 --> 00:19:37,679 um 423 00:19:37,679 --> 00:19:39,840 a quick update 424 00:19:39,840 --> 00:19:40,440 um 425 00:19:40,440 --> 00:19:42,840 in Macos Ventura that will be released 426 00:19:42,840 --> 00:19:44,520 this fall 427 00:19:44,520 --> 00:19:45,360 um 428 00:19:45,360 --> 00:19:47,760 there will be a new tab and in general 429 00:19:47,760 --> 00:19:50,520 settings that will show all the launch 430 00:19:50,520 --> 00:19:53,039 agents and lunch demons registered in in 431 00:19:53,039 --> 00:19:55,919 Macos so this technique is will be not 432 00:19:55,919 --> 00:19:58,500 that stealthy anymore however as I told 433 00:19:58,500 --> 00:20:00,539 you there are plenty of different 434 00:20:00,539 --> 00:20:02,460 techniques and apple covers maybe three 435 00:20:02,460 --> 00:20:05,280 or four of them in that pencil just 436 00:20:05,280 --> 00:20:07,320 switched another personal technique it's 437 00:20:07,320 --> 00:20:10,200 it's really easy to do so 438 00:20:10,200 --> 00:20:15,240 great so we have uh taken over the uh 439 00:20:15,240 --> 00:20:17,700 the Mac now let's focus on the data 440 00:20:17,700 --> 00:20:20,640 collection right so we are interested 441 00:20:20,640 --> 00:20:24,360 mostly in VPN credentials ad credentials 442 00:20:24,360 --> 00:20:28,200 signal messages browser cookies keychain 443 00:20:28,200 --> 00:20:32,220 entries AWS or other Cloud keys and 444 00:20:32,220 --> 00:20:34,740 desktop and document files 445 00:20:34,740 --> 00:20:36,500 let's start with 446 00:20:36,500 --> 00:20:40,400 openvpn so openvpn 447 00:20:40,400 --> 00:20:44,760 starts and stores its profiles and 448 00:20:44,760 --> 00:20:47,520 application support directory that can 449 00:20:47,520 --> 00:20:49,260 be accessed without any additional 450 00:20:49,260 --> 00:20:51,900 privileges like standard markers user 451 00:20:51,900 --> 00:20:54,539 can access it without providing any 452 00:20:54,539 --> 00:20:58,620 password it's not encrypted so if the 453 00:20:58,620 --> 00:21:00,480 all the credentials required to 454 00:21:00,480 --> 00:21:04,559 establish a VPN connection are there 455 00:21:04,559 --> 00:21:05,700 you 456 00:21:05,700 --> 00:21:07,400 that's it 457 00:21:07,400 --> 00:21:12,299 but usually uh the the profiles don't 458 00:21:12,299 --> 00:21:15,780 store uh user login and password so we 459 00:21:15,780 --> 00:21:18,360 have profile but we still need to uh to 460 00:21:18,360 --> 00:21:19,559 steal the user's login and password 461 00:21:19,559 --> 00:21:21,419 right 462 00:21:21,419 --> 00:21:22,200 um 463 00:21:22,200 --> 00:21:24,780 because of the notarization applications 464 00:21:24,780 --> 00:21:27,539 have to have the hardened runtime there 465 00:21:27,539 --> 00:21:30,299 on so we cannot easily inject to those 466 00:21:30,299 --> 00:21:33,440 applications however on purpose 467 00:21:33,440 --> 00:21:35,820 developers can disable some of the 468 00:21:35,820 --> 00:21:37,440 security mechanisms for their 469 00:21:37,440 --> 00:21:38,880 applications 470 00:21:38,880 --> 00:21:42,240 and that's the openvpn does it's another 471 00:21:42,240 --> 00:21:43,940 kind of zero day 472 00:21:43,940 --> 00:21:47,700 it has the two uh problematic 473 00:21:47,700 --> 00:21:50,100 entitlements the first one is allow 474 00:21:50,100 --> 00:21:52,200 build environment variables and the 475 00:21:52,200 --> 00:21:53,580 second one is disabled Library 476 00:21:53,580 --> 00:21:54,900 validation 477 00:21:54,900 --> 00:21:58,260 so with that knowledge of those two 478 00:21:58,260 --> 00:22:00,960 entitlements we can now inject our 479 00:22:00,960 --> 00:22:03,720 Dynamic library inside of the of the 480 00:22:03,720 --> 00:22:05,580 openvpn context 481 00:22:05,580 --> 00:22:07,020 and 482 00:22:07,020 --> 00:22:08,700 yeah 483 00:22:08,700 --> 00:22:12,360 we can for example steel keychain 484 00:22:12,360 --> 00:22:16,100 entries uh that openvpn stores are 485 00:22:16,100 --> 00:22:20,400 launch a key logger inside of the of the 486 00:22:20,400 --> 00:22:23,100 of the openvpn so 487 00:22:23,100 --> 00:22:25,799 why couldn't I use a global keylogger 488 00:22:25,799 --> 00:22:29,580 because on new Mac OS versions uh if 489 00:22:29,580 --> 00:22:31,919 you'd like to register a system-wide 490 00:22:31,919 --> 00:22:33,419 keylogger it requires a special 491 00:22:33,419 --> 00:22:35,039 permission from the user there will be a 492 00:22:35,039 --> 00:22:36,780 prompt that the application wants to 493 00:22:36,780 --> 00:22:38,820 record all user input and we'd like to 494 00:22:38,820 --> 00:22:43,320 avoid it but you know if you are in the 495 00:22:43,320 --> 00:22:45,960 context of an application you can get 496 00:22:45,960 --> 00:22:47,760 all the keystroke that user passes to 497 00:22:47,760 --> 00:22:49,500 the application without any additional 498 00:22:49,500 --> 00:22:51,960 privileges because it would you know 499 00:22:51,960 --> 00:22:55,440 don't have any sense to to to do so it's 500 00:22:55,440 --> 00:22:56,640 it's 501 00:22:56,640 --> 00:22:59,159 um expected Behavior right so the 502 00:22:59,159 --> 00:23:01,140 application may catch the user 503 00:23:01,140 --> 00:23:03,900 keystrokes right so I created an open 504 00:23:03,900 --> 00:23:06,120 source keylogger uh that you can 505 00:23:06,120 --> 00:23:08,400 download from my GitHub uh it's on guest 506 00:23:08,400 --> 00:23:11,360 it's a really short code 507 00:23:11,700 --> 00:23:14,659 and we have the adult insert libraries 508 00:23:14,659 --> 00:23:18,840 we can inject to to the openvpn 509 00:23:18,840 --> 00:23:20,760 and wait for the user login since 510 00:23:20,760 --> 00:23:23,580 password and that's how we can instill 511 00:23:23,580 --> 00:23:26,520 the VPN credentials from from user again 512 00:23:26,520 --> 00:23:29,400 it didn't require from us any additional 513 00:23:29,400 --> 00:23:33,740 privileges like just standard user 514 00:23:34,320 --> 00:23:38,700 nice so we have openvpn uh taken over 515 00:23:38,700 --> 00:23:41,400 now let's go to to nomad 516 00:23:41,400 --> 00:23:44,039 and Nomad saves your active directory 517 00:23:44,039 --> 00:23:47,460 credentials in Macos keychain and the 518 00:23:47,460 --> 00:23:49,500 keychain has a flow that allows getting 519 00:23:49,500 --> 00:23:53,100 entries from it without any prompt root 520 00:23:53,100 --> 00:23:56,640 access or user passwords I documented it 521 00:23:56,640 --> 00:23:58,740 and my blog post so if you are 522 00:23:58,740 --> 00:24:03,659 interested how did it work uh feel 523 00:24:03,659 --> 00:24:06,000 invited to to read that post 524 00:24:06,000 --> 00:24:10,020 however I also open sourced a Nomas 525 00:24:10,020 --> 00:24:12,539 credential Steeler tool 526 00:24:12,539 --> 00:24:15,840 um that will do all the job for you so 527 00:24:15,840 --> 00:24:18,480 it's it's pretty simple you just run the 528 00:24:18,480 --> 00:24:20,760 Nomad Nomad credential stereo 529 00:24:20,760 --> 00:24:23,880 application and it will dump 530 00:24:23,880 --> 00:24:26,280 the active directory credentials right 531 00:24:26,280 --> 00:24:27,780 from the kitchen without basically any 532 00:24:27,780 --> 00:24:30,299 problem again no additional privileges 533 00:24:30,299 --> 00:24:33,659 standard user so 534 00:24:33,659 --> 00:24:37,140 because we were able to get all of the 535 00:24:37,140 --> 00:24:40,820 credentials from the Marcus keychain 536 00:24:40,820 --> 00:24:43,440 we are now able to access all the 537 00:24:43,440 --> 00:24:46,380 company's resources that are hidden 538 00:24:46,380 --> 00:24:51,320 um after behind the adaf SSO right 539 00:24:53,900 --> 00:24:58,200 okay now let's torture signal who thinks 540 00:24:58,200 --> 00:25:00,179 that signal is secure 541 00:25:00,179 --> 00:25:00,980 raise your hand 542 00:25:00,980 --> 00:25:04,210 [Music] 543 00:25:05,940 --> 00:25:08,460 all right 544 00:25:08,460 --> 00:25:11,100 um I hope so as well that signal is 545 00:25:11,100 --> 00:25:14,700 secure but the thing with signal is that 546 00:25:14,700 --> 00:25:17,400 signal claims that they protect your 547 00:25:17,400 --> 00:25:20,820 data only in transit they don't care 548 00:25:20,820 --> 00:25:23,700 about your endpoint security 549 00:25:23,700 --> 00:25:25,460 so 550 00:25:25,460 --> 00:25:29,400 all your messages on Mac from signal are 551 00:25:29,400 --> 00:25:32,159 encrypted there is a database in sqlite 552 00:25:32,159 --> 00:25:34,919 free database that's encrypted however 553 00:25:34,919 --> 00:25:37,279 what about the key 554 00:25:37,279 --> 00:25:39,600 the key is not stored in the keychain 555 00:25:39,600 --> 00:25:42,360 it's stored in a flat file accessible by 556 00:25:42,360 --> 00:25:46,400 a standard user so you go to the library 557 00:25:46,400 --> 00:25:49,140 application support signal config.json 558 00:25:49,140 --> 00:25:52,020 you grab the key pass to the sqlite 559 00:25:52,020 --> 00:25:54,120 database and we have all your messages 560 00:25:54,120 --> 00:25:57,080 unencrypted 561 00:25:58,500 --> 00:26:00,600 yeah 562 00:26:00,600 --> 00:26:04,320 so the next Target is is Firefox 563 00:26:04,320 --> 00:26:07,140 so Firefox starts saved logins and 564 00:26:07,140 --> 00:26:09,720 passwords in an encrypted form that's 565 00:26:09,720 --> 00:26:10,500 good 566 00:26:10,500 --> 00:26:13,320 but if the master password is not set 567 00:26:13,320 --> 00:26:15,840 that is a default configuration the safe 568 00:26:15,840 --> 00:26:17,640 credentials can be done again without 569 00:26:17,640 --> 00:26:18,779 root 570 00:26:18,779 --> 00:26:21,080 and personally 571 00:26:21,080 --> 00:26:25,100 whoever uses Firefox 572 00:26:25,860 --> 00:26:27,480 okay 573 00:26:27,480 --> 00:26:30,900 and do you have the master password set 574 00:26:30,900 --> 00:26:34,679 no Nobody Does it 575 00:26:34,679 --> 00:26:38,340 uh so yeah there is a tool uh on GitHub 576 00:26:38,340 --> 00:26:40,919 made by you note that's called Firefox 577 00:26:40,919 --> 00:26:43,620 decorate and I will show you a quick 578 00:26:43,620 --> 00:26:47,178 demo on how it works 579 00:26:49,799 --> 00:26:52,980 so I run it with python select profile 580 00:26:52,980 --> 00:26:55,760 and we're done 581 00:26:57,120 --> 00:27:00,739 no additional privileges again 582 00:27:01,320 --> 00:27:03,678 foreign 583 00:27:04,620 --> 00:27:07,620 so 584 00:27:08,159 --> 00:27:11,940 AWS and desktop and other projector 585 00:27:11,940 --> 00:27:14,460 resources are left so let's now focus on 586 00:27:14,460 --> 00:27:15,900 the TCC 587 00:27:15,900 --> 00:27:18,299 so whenever you're install a new 588 00:27:18,299 --> 00:27:20,700 application on Mac and that will require 589 00:27:20,700 --> 00:27:23,340 your camera access or screen share so 590 00:27:23,340 --> 00:27:25,679 for example maybe Microsoft teams or or 591 00:27:25,679 --> 00:27:28,100 Google meet or anything 592 00:27:28,100 --> 00:27:30,960 when the application tries to access 593 00:27:30,960 --> 00:27:32,940 those resources those protective results 594 00:27:32,940 --> 00:27:35,520 of the camera etc for the first time 595 00:27:35,520 --> 00:27:38,340 there will be a prompt 596 00:27:38,340 --> 00:27:42,960 um and that that prompt uh is is a 597 00:27:42,960 --> 00:27:45,720 protection of your uh privacy sensitive 598 00:27:45,720 --> 00:27:49,740 data uh and the the mechanism behind of 599 00:27:49,740 --> 00:27:53,279 that prompt is called TCC 600 00:27:53,279 --> 00:27:57,299 and now uh TCC protects a lot of 601 00:27:57,299 --> 00:27:59,460 sensitive resources like camera calendar 602 00:27:59,460 --> 00:28:03,179 Bluetooth automation contacts Network 603 00:28:03,179 --> 00:28:07,020 shares uh photos music and many many 604 00:28:07,020 --> 00:28:08,460 more 605 00:28:08,460 --> 00:28:10,760 foreign 606 00:28:13,700 --> 00:28:16,620 have that Mythic shell 607 00:28:16,620 --> 00:28:20,279 and you will try to for example do the 608 00:28:20,279 --> 00:28:24,240 list of desktop 609 00:28:24,240 --> 00:28:25,980 and click task 610 00:28:25,980 --> 00:28:27,960 you will see that there will be a prompt 611 00:28:27,960 --> 00:28:30,600 and if the user clicks don't allow the 612 00:28:30,600 --> 00:28:33,120 operation will be not allowed 613 00:28:33,120 --> 00:28:34,080 um 614 00:28:34,080 --> 00:28:36,840 and the case is also for for a root so 615 00:28:36,840 --> 00:28:39,360 even if you if you have root you cannot 616 00:28:39,360 --> 00:28:42,480 bypass this prompt uh Apple decided to 617 00:28:42,480 --> 00:28:45,480 make this prompts to be clicked by user 618 00:28:45,480 --> 00:28:48,240 with a clear intention so it has to be 619 00:28:48,240 --> 00:28:50,580 done by user even if there is a root 620 00:28:50,580 --> 00:28:52,080 account on Mac 621 00:28:52,080 --> 00:28:54,059 it's still that that doesn't mean 622 00:28:54,059 --> 00:28:56,100 anything you can bypass this problem you 623 00:28:56,100 --> 00:28:58,679 can you can't do this 624 00:28:58,679 --> 00:29:00,299 however 625 00:29:00,299 --> 00:29:04,320 uh there are tons of TCC bypasses 626 00:29:04,320 --> 00:29:06,720 um I was called speaking last year ago 627 00:29:06,720 --> 00:29:09,779 on blackhead in the US about 20 plus 628 00:29:09,779 --> 00:29:11,940 ways to bypass your Marcus privacy 629 00:29:11,940 --> 00:29:13,740 mechanisms 630 00:29:13,740 --> 00:29:17,039 um but yeah that will re that would 631 00:29:17,039 --> 00:29:18,480 require zero that is that those 632 00:29:18,480 --> 00:29:21,360 vulnerabilities are not are all now 633 00:29:21,360 --> 00:29:22,380 fixed 634 00:29:22,380 --> 00:29:26,520 so we can try abusing other applications 635 00:29:26,520 --> 00:29:29,039 that are installed already on Mac OS 636 00:29:29,039 --> 00:29:31,380 but applications that 637 00:29:31,380 --> 00:29:36,260 have the already permissions granted 638 00:29:37,340 --> 00:29:40,760 so there is a problem with electron apps 639 00:29:40,760 --> 00:29:44,340 uh yesterday there was a wonderful talk 640 00:29:44,340 --> 00:29:49,020 about abusing electron remotely now 641 00:29:49,020 --> 00:29:51,059 that's a technique that allows abusing 642 00:29:51,059 --> 00:29:53,159 electron locally 643 00:29:53,159 --> 00:29:56,100 so if you are interested feel free to 644 00:29:56,100 --> 00:29:57,539 read it 645 00:29:57,539 --> 00:29:59,279 however as 646 00:29:59,279 --> 00:30:01,860 I promised you to to show some zero days 647 00:30:01,860 --> 00:30:04,080 uh 648 00:30:04,080 --> 00:30:07,200 that there was as the the this was a 649 00:30:07,200 --> 00:30:10,080 zero day but it was recently fixed by 650 00:30:10,080 --> 00:30:12,419 Apple which is good 651 00:30:12,419 --> 00:30:14,880 um so there was a back-end launch 652 00:30:14,880 --> 00:30:17,399 services that allowed us to bypass the 653 00:30:17,399 --> 00:30:19,159 TCC 654 00:30:19,159 --> 00:30:22,380 and I wanted to give you 655 00:30:22,380 --> 00:30:24,899 um some insight on how this exploit 656 00:30:24,899 --> 00:30:27,419 worked when unfortunately I found a 657 00:30:27,419 --> 00:30:29,340 bypass for for that fixed stuff I'm 658 00:30:29,340 --> 00:30:32,580 sorry maybe next time I will show the 659 00:30:32,580 --> 00:30:35,159 the full exploit with the 660 00:30:35,159 --> 00:30:37,860 with the bypassport effects 661 00:30:37,860 --> 00:30:40,500 but I will show you a demo 662 00:30:40,500 --> 00:30:42,659 to not leave you without 663 00:30:42,659 --> 00:30:44,700 anything right 664 00:30:44,700 --> 00:30:47,240 so 665 00:30:47,460 --> 00:30:50,399 let's verify if this Mac OS is com is 666 00:30:50,399 --> 00:30:52,320 updated and securing that times it was 667 00:30:52,320 --> 00:30:54,480 the newest markers the system Integrity 668 00:30:54,480 --> 00:30:57,559 protection is enabled 669 00:30:57,600 --> 00:30:59,719 um 670 00:30:59,820 --> 00:31:02,760 when I would verify that the application 671 00:31:02,760 --> 00:31:06,059 that bypass this C by me uh 672 00:31:06,059 --> 00:31:09,179 has no TCC permissions granted so 673 00:31:09,179 --> 00:31:12,539 there's nothing for the bypass DC by me 674 00:31:12,539 --> 00:31:14,100 apps 675 00:31:14,100 --> 00:31:16,140 now let's open it 676 00:31:16,140 --> 00:31:18,539 and there are two buttons 677 00:31:18,539 --> 00:31:21,539 made for the proof of concept reasons we 678 00:31:21,539 --> 00:31:23,760 click still address book and as you can 679 00:31:23,760 --> 00:31:25,799 see it's stolen 680 00:31:25,799 --> 00:31:28,440 and still iMessage chat as you can see 681 00:31:28,440 --> 00:31:30,240 it's stolen 682 00:31:30,240 --> 00:31:34,440 now let's verify if everything succeeded 683 00:31:34,440 --> 00:31:38,100 so we go to TMP and the file will verify 684 00:31:38,100 --> 00:31:42,480 if it's work yeah file was able to 685 00:31:42,480 --> 00:31:45,179 allow the both of the data databases 686 00:31:45,179 --> 00:31:49,340 that means that we have bypassed the TC 687 00:31:51,179 --> 00:31:55,440 okay so we have our DC bypass 688 00:31:55,440 --> 00:31:58,260 um but there is one more thing 689 00:31:58,260 --> 00:32:01,140 with the TCC bypass we were able to 690 00:32:01,140 --> 00:32:03,140 allow desktop 691 00:32:03,140 --> 00:32:05,580 documents downloads and other protected 692 00:32:05,580 --> 00:32:09,380 resources but what about the cloud keys 693 00:32:09,380 --> 00:32:12,539 the cloud credentials 694 00:32:12,539 --> 00:32:15,659 good good news for retimers there are 695 00:32:15,659 --> 00:32:17,460 stored in home directory which is not 696 00:32:17,460 --> 00:32:20,279 TCC protected so if you'd like to steal 697 00:32:20,279 --> 00:32:24,480 uh AWS or SSH keys or Azure or gcloud or 698 00:32:24,480 --> 00:32:27,480 or anything that stores uh their secrets 699 00:32:27,480 --> 00:32:30,179 in in home directory you don't even have 700 00:32:30,179 --> 00:32:33,840 to uh use any TCC bypasses it's a 701 00:32:33,840 --> 00:32:35,520 directory that's not protected by the 702 00:32:35,520 --> 00:32:37,820 TCC 703 00:32:38,940 --> 00:32:41,760 all right so uh with all that knowledge 704 00:32:41,760 --> 00:32:45,779 we were able to fully compromise the Mac 705 00:32:45,779 --> 00:32:46,980 OS machine 706 00:32:46,980 --> 00:32:49,380 and because as I told you I don't want 707 00:32:49,380 --> 00:32:53,460 you to live without any recommendations 708 00:32:53,460 --> 00:32:56,700 um there are six points the very minimum 709 00:32:56,700 --> 00:32:59,220 you have to implement in in your max 710 00:32:59,220 --> 00:33:01,860 micros infrastructure the first one is 711 00:33:01,860 --> 00:33:05,100 enroll your company's Max to MDM Maybe 712 00:33:05,100 --> 00:33:11,460 jump or into any md12 you like keep them 713 00:33:11,460 --> 00:33:14,940 updated because as I approved on the on 714 00:33:14,940 --> 00:33:16,559 the presentation that our 715 00:33:16,559 --> 00:33:18,539 vulnerabilities for Mac OS so please 716 00:33:18,539 --> 00:33:20,940 keep the keep them updated and for 717 00:33:20,940 --> 00:33:23,399 security policies like system Integrity 718 00:33:23,399 --> 00:33:25,500 protection without system Integrity 719 00:33:25,500 --> 00:33:28,679 protection TCC is not even in place 720 00:33:28,679 --> 00:33:30,840 there there are no ver there are no 721 00:33:30,840 --> 00:33:34,799 checks with SIP disabled uh you can 722 00:33:34,799 --> 00:33:37,320 elevate your privileges to root without 723 00:33:37,320 --> 00:33:40,860 providing even a user's password so make 724 00:33:40,860 --> 00:33:43,740 sure that there are policies that are 725 00:33:43,740 --> 00:33:45,299 enforced 726 00:33:45,299 --> 00:33:47,460 there is a 727 00:33:47,460 --> 00:33:48,080 um 728 00:33:48,080 --> 00:33:51,600 an interesting story because 729 00:33:51,600 --> 00:33:54,419 you know for the last few years when I 730 00:33:54,419 --> 00:33:57,059 was you know Googling for finding some 731 00:33:57,059 --> 00:34:00,539 uh example calls on Macos or something 732 00:34:00,539 --> 00:34:03,600 stopped working I of course Google for 733 00:34:03,600 --> 00:34:06,059 stacked overflow right and in stack 734 00:34:06,059 --> 00:34:07,799 Overflow there are a lot of 735 00:34:07,799 --> 00:34:10,199 recommendations that claim all right so 736 00:34:10,199 --> 00:34:11,940 you can't run this application because 737 00:34:11,940 --> 00:34:13,639 there is notarization 738 00:34:13,639 --> 00:34:16,859 so let's try disabling Sip and maybe 739 00:34:16,859 --> 00:34:18,540 that will work and there are so many 740 00:34:18,540 --> 00:34:21,000 answers on stack Overflow uh that Miss 741 00:34:21,000 --> 00:34:22,980 guide users to disable system Integrity 742 00:34:22,980 --> 00:34:26,480 protection so you really want to be sure 743 00:34:26,480 --> 00:34:29,760 that your organization have 744 00:34:29,760 --> 00:34:34,020 um security policies enforced 745 00:34:34,020 --> 00:34:36,839 um disabled offices office macros 746 00:34:36,839 --> 00:34:39,780 um I can bet that in most cases if you 747 00:34:39,780 --> 00:34:41,339 have modern infrastructure and you have 748 00:34:41,339 --> 00:34:45,119 mac users they don't even use word word 749 00:34:45,119 --> 00:34:48,480 macros uh on Mac OS of course on our 750 00:34:48,480 --> 00:34:51,199 Windows the finance department 751 00:34:51,199 --> 00:34:54,359 will probably use them but most of Mac 752 00:34:54,359 --> 00:34:58,619 users they don't use word macros so I 753 00:34:58,619 --> 00:35:00,680 bet you can disable it 754 00:35:00,680 --> 00:35:04,200 install an anti-mado resolution EDR or 755 00:35:04,200 --> 00:35:06,839 whatever Max have viral system they have 756 00:35:06,839 --> 00:35:08,720 that they need to be protected 757 00:35:08,720 --> 00:35:11,820 and monitor your marks because there is 758 00:35:11,820 --> 00:35:14,579 always a something that may go wrong 759 00:35:14,579 --> 00:35:16,820 right 760 00:35:16,859 --> 00:35:17,460 um 761 00:35:17,460 --> 00:35:19,680 if you'd like to verify if you're a Mac 762 00:35:19,680 --> 00:35:22,079 OS infrastructure or environment is 763 00:35:22,079 --> 00:35:25,640 secure you can always hire us to do this 764 00:35:25,640 --> 00:35:28,740 we can perform a red teaming for you or 765 00:35:28,740 --> 00:35:32,099 or just assess your your environment so 766 00:35:32,099 --> 00:35:34,800 you have a contact to me 767 00:35:34,800 --> 00:35:39,240 and to sum up that will be the shortest 768 00:35:39,240 --> 00:35:40,560 sum up ever 769 00:35:40,560 --> 00:35:43,020 please remember that Max like any other 770 00:35:43,020 --> 00:35:45,780 machines have viruses can be attacked 771 00:35:45,780 --> 00:35:49,079 have to be updated so please do it and 772 00:35:49,079 --> 00:35:50,920 stay safe thank you very much 773 00:35:50,920 --> 00:35:54,289 [Music] 774 00:35:56,520 --> 00:36:00,320 does anyone have any questions 775 00:36:03,359 --> 00:36:07,619 hey uh great talk so for the uh Word 776 00:36:07,619 --> 00:36:09,420 document that gets downloaded with the 777 00:36:09,420 --> 00:36:12,720 macro uh would it get quarantined with 778 00:36:12,720 --> 00:36:14,880 the extended attribute flag and I know 779 00:36:14,880 --> 00:36:17,220 there's bypass for that as well but at 780 00:36:17,220 --> 00:36:19,200 least it's an initial difference 781 00:36:19,200 --> 00:36:23,400 so where documents are not quarantined 782 00:36:23,400 --> 00:36:25,099 even if they have the tag applied 783 00:36:25,099 --> 00:36:27,480 because that would have no sense right 784 00:36:27,480 --> 00:36:29,520 because you want to have apps 785 00:36:29,520 --> 00:36:33,060 quarantined like images like of course 786 00:36:33,060 --> 00:36:35,400 disk images like 787 00:36:35,400 --> 00:36:39,180 um packages like applications Etc that's 788 00:36:39,180 --> 00:36:43,320 what you want to have quarantined but 789 00:36:43,320 --> 00:36:46,619 for example PNG images or you know text 790 00:36:46,619 --> 00:36:49,380 files you you don't want to have them 791 00:36:49,380 --> 00:36:51,660 signed you know in order to open so 792 00:36:51,660 --> 00:36:54,240 there are there is an allo list of 793 00:36:54,240 --> 00:36:57,420 extensions uh that don't have quarantine 794 00:36:57,420 --> 00:37:00,500 and Word Documents are one of those 795 00:37:00,500 --> 00:37:03,119 non-quarantined extensions 796 00:37:03,119 --> 00:37:06,480 uh one more question about the TCC uh 797 00:37:06,480 --> 00:37:07,560 bypass 798 00:37:07,560 --> 00:37:10,560 uh I noticed uh terminal had access to 799 00:37:10,560 --> 00:37:12,660 contacts so I think it's relying on the 800 00:37:12,660 --> 00:37:14,640 attribution change of the parent process 801 00:37:14,640 --> 00:37:17,640 in the demo the the term the terminal 802 00:37:17,640 --> 00:37:19,619 hacked by the world which one uh had 803 00:37:19,619 --> 00:37:22,140 access to the contacts in the demo so is 804 00:37:22,140 --> 00:37:25,260 it relying on like the parent process uh 805 00:37:25,260 --> 00:37:26,640 attribution chain 806 00:37:26,640 --> 00:37:28,220 and no 807 00:37:28,220 --> 00:37:32,280 uh it's the the story behind this back 808 00:37:32,280 --> 00:37:34,440 is really interesting because I found it 809 00:37:34,440 --> 00:37:36,359 really accidentally 810 00:37:36,359 --> 00:37:38,880 and I couldn't believe it worked it's 811 00:37:38,880 --> 00:37:41,700 it's a part of mechanism that I think 812 00:37:41,700 --> 00:37:44,820 all of my friends researchers knew about 813 00:37:44,820 --> 00:37:47,700 that behavior and even even I knew about 814 00:37:47,700 --> 00:37:50,460 this behavior for maybe two years and 815 00:37:50,460 --> 00:37:54,180 you know one night I I was I was asleep 816 00:37:54,180 --> 00:37:56,220 and I was like hmm 817 00:37:56,220 --> 00:37:58,440 the idea stumbled across my mind I said 818 00:37:58,440 --> 00:38:00,720 wow but that shouldn't be working right 819 00:38:00,720 --> 00:38:02,400 there and I went to the computer and it 820 00:38:02,400 --> 00:38:05,099 worked so that's really obvious bypass 821 00:38:05,099 --> 00:38:06,240 but 822 00:38:06,240 --> 00:38:10,500 I can't I'm sorry uh disclose it today 823 00:38:10,500 --> 00:38:13,500 foreign 824 00:38:14,180 --> 00:38:16,910 does anyone else have any questions okay 825 00:38:16,910 --> 00:38:21,420 [Music] 826 00:38:21,420 --> 00:38:24,240 amazing talk uh actually uh in your 827 00:38:24,240 --> 00:38:27,000 sandbox escape the technique you discuss 828 00:38:27,000 --> 00:38:29,280 about the persist launch I missed that 829 00:38:29,280 --> 00:38:31,440 point like how it works 830 00:38:31,440 --> 00:38:35,220 I the the Sun Bug escape the question 831 00:38:35,220 --> 00:38:37,920 was about the Mythic uh persist launch 832 00:38:37,920 --> 00:38:40,440 the purse is launched 833 00:38:40,440 --> 00:38:43,320 um that 834 00:38:43,320 --> 00:38:45,480 that technique that was presented that 835 00:38:45,480 --> 00:38:49,380 required reboot uh was the login items 836 00:38:49,380 --> 00:38:51,839 but my sandbox Escape 837 00:38:51,839 --> 00:38:54,599 uh 838 00:38:54,599 --> 00:38:56,760 you know that's not what I can when I 839 00:38:56,760 --> 00:38:58,680 can disclose I have all the details 840 00:38:58,680 --> 00:39:01,440 regarding this technique but yes there 841 00:39:01,440 --> 00:39:04,920 is something with lunch D but 842 00:39:04,920 --> 00:39:07,380 I'm not saying anymore okay anything 843 00:39:07,380 --> 00:39:09,560 more 844 00:39:09,560 --> 00:39:12,740 thank you 845 00:39:14,660 --> 00:39:17,660 foreign 846 00:39:26,300 --> 00:39:29,700 box escaping technique right so were you 847 00:39:29,700 --> 00:39:31,140 also able to do anything interesting 848 00:39:31,140 --> 00:39:34,740 without sandbox Escape 849 00:39:34,740 --> 00:39:38,760 um so with sandbox turned on you could 850 00:39:38,760 --> 00:39:41,520 be able to access only those resources 851 00:39:41,520 --> 00:39:44,880 that are available to word so it's not 852 00:39:44,880 --> 00:39:47,520 really much you can make connections you 853 00:39:47,520 --> 00:39:51,720 can establish a shell with uh with with 854 00:39:51,720 --> 00:39:54,420 the machine but it's not really uh it's 855 00:39:54,420 --> 00:39:56,520 not really worthy you know 856 00:39:56,520 --> 00:40:00,540 if word has access to some resources uh 857 00:40:00,540 --> 00:40:03,780 like I don't know camera but it's a rare 858 00:40:03,780 --> 00:40:07,260 case that would be maybe worth something 859 00:40:07,260 --> 00:40:11,040 but mostly you in most cases you will 860 00:40:11,040 --> 00:40:12,960 need to have an unsung box code 861 00:40:12,960 --> 00:40:14,099 execution 862 00:40:14,099 --> 00:40:17,099 and another follow-up so 863 00:40:17,099 --> 00:40:19,200 have you also seen similar attacks in 864 00:40:19,200 --> 00:40:21,000 production like in the wild being 865 00:40:21,000 --> 00:40:23,040 exploited once again have you seen 866 00:40:23,040 --> 00:40:25,440 similar attacks being exploited in the 867 00:40:25,440 --> 00:40:27,960 wild or is this something such such 868 00:40:27,960 --> 00:40:30,960 experts before it right uh yes 869 00:40:30,960 --> 00:40:32,840 okay thanks 870 00:40:32,840 --> 00:40:34,619 [Music] 871 00:40:34,619 --> 00:40:36,839 any other questions from the back 872 00:40:36,839 --> 00:40:39,380 okay 873 00:40:41,700 --> 00:40:43,740 first of all thanks for the talk it's 874 00:40:43,740 --> 00:40:46,020 really fantastic so I have a doubt 875 00:40:46,020 --> 00:40:48,300 related to disabling the Sip is it 876 00:40:48,300 --> 00:40:51,119 possible to disable the sap through the 877 00:40:51,119 --> 00:40:52,740 tool you shown 878 00:40:52,740 --> 00:40:56,579 and in order to disable sip uh you have 879 00:40:56,579 --> 00:41:00,980 to reboot your Mac so no not from the 880 00:41:00,980 --> 00:41:03,960 maybe if you have a zero day yes but 881 00:41:03,960 --> 00:41:06,180 there is no standard technique to do is 882 00:41:06,180 --> 00:41:08,940 without having a vulnerability you have 883 00:41:08,940 --> 00:41:10,740 to reboot your Mac to this okay thank 884 00:41:10,740 --> 00:41:12,979 you 885 00:41:13,579 --> 00:41:16,180 any other questions 886 00:41:16,180 --> 00:41:26,660 [Music] 887 00:41:26,660 --> 00:41:30,720 so in the organization some part I have 888 00:41:30,720 --> 00:41:33,839 seen uh when you have to connect 889 00:41:33,839 --> 00:41:37,020 critical environments so they do allowed 890 00:41:37,020 --> 00:41:39,119 the developers will be still be using 891 00:41:39,119 --> 00:41:40,440 Mac machine but when they have to 892 00:41:40,440 --> 00:41:41,640 connect to the 893 00:41:41,640 --> 00:41:43,740 to the production environment they were 894 00:41:43,740 --> 00:41:46,920 using some sort of vdi uh to connect 895 00:41:46,920 --> 00:41:49,700 back to the corporate environment so 896 00:41:49,700 --> 00:41:52,440 that's where I see that there is a gap 897 00:41:52,440 --> 00:41:53,450 like 898 00:41:53,450 --> 00:41:55,200 [Music] 899 00:41:55,200 --> 00:41:57,300 metrical security controls are not 900 00:41:57,300 --> 00:42:00,060 deployed on those Mac devices because 901 00:42:00,060 --> 00:42:01,859 they are not directly connecting to the 902 00:42:01,859 --> 00:42:03,060 corporate or to the production 903 00:42:03,060 --> 00:42:04,200 environment 904 00:42:04,200 --> 00:42:06,780 so is that something you see reasonable 905 00:42:06,780 --> 00:42:08,760 or you think okay there are bypass over 906 00:42:08,760 --> 00:42:12,480 the vdis that can lead to uh compromise 907 00:42:12,480 --> 00:42:16,079 or like someone can get into your uh 908 00:42:16,079 --> 00:42:20,160 franuals or your production environment 909 00:42:20,160 --> 00:42:21,960 um it really depends but the answer 910 00:42:21,960 --> 00:42:23,460 would be really long for that question 911 00:42:23,460 --> 00:42:26,460 so maybe let's do it after okay 912 00:42:26,460 --> 00:42:28,820 sure 913 00:42:28,820 --> 00:42:32,220 uh any other questions 914 00:42:32,220 --> 00:42:34,920 okay thank you so the uh thanks again 915 00:42:34,920 --> 00:42:37,200 watch it thanks a lot so the lunch break 916 00:42:37,200 --> 00:42:38,820 is going to start in one minute from 12 917 00:42:38,820 --> 00:42:41,099 45 to 2 PM and we'll see you again thank 918 00:42:41,099 --> 00:42:42,180 you 919 00:42:42,180 --> 00:42:45,180 foreign