1 00:00:01,280 --> 00:00:12,559 [Music] 2 00:00:15,679 --> 00:00:18,160 as you probably noticed we all had some 3 00:00:18,160 --> 00:00:20,160 spare time at our hands in the last two 4 00:00:20,160 --> 00:00:22,800 years because most of travel and daily 5 00:00:22,800 --> 00:00:25,519 commute fell away and 6 00:00:25,519 --> 00:00:29,199 some of us started sewing cooking baking 7 00:00:29,199 --> 00:00:31,599 bread or doing other hobbies and then 8 00:00:31,599 --> 00:00:33,680 there were people that spent the time 9 00:00:33,680 --> 00:00:36,079 slightly differently one of them is our 10 00:00:36,079 --> 00:00:39,040 next speakers um so please give 11 00:00:39,040 --> 00:00:41,520 and to hear what what he spent his last 12 00:00:41,520 --> 00:00:44,879 two years on um here's a tourmill with 13 00:00:44,879 --> 00:00:47,120 your my journey to find vulnerabilities 14 00:00:47,120 --> 00:00:49,839 in mac os 15 00:00:53,600 --> 00:00:55,760 all right thank you and it's great to 16 00:00:55,760 --> 00:00:58,079 see that there's so many of you here in 17 00:00:58,079 --> 00:01:00,640 the tent enjoying the warm weather and 18 00:01:00,640 --> 00:01:03,440 thank you all for coming and especially 19 00:01:03,440 --> 00:01:05,199 for you guys who are over there over 20 00:01:05,199 --> 00:01:07,280 here and also thank you for the all the 21 00:01:07,280 --> 00:01:09,040 who are watching the stream 22 00:01:09,040 --> 00:01:11,520 uh first of all it's great to be here 23 00:01:11,520 --> 00:01:13,680 i've been going to the old camp since 24 00:01:13,680 --> 00:01:15,360 the 2011 25 00:01:15,360 --> 00:01:17,680 and i really enjoyed this and it's great 26 00:01:17,680 --> 00:01:20,479 to be on the stage in this day but first 27 00:01:20,479 --> 00:01:23,600 of all i want to give another uh 28 00:01:23,600 --> 00:01:26,000 big hand for the all the organizers and 29 00:01:26,000 --> 00:01:28,000 angels and volunteers over here to 30 00:01:28,000 --> 00:01:29,840 making this great event to actually 31 00:01:29,840 --> 00:01:30,730 happen 32 00:01:30,730 --> 00:01:36,640 [Applause] 33 00:01:36,640 --> 00:01:38,799 all right so today i'm going to walk you 34 00:01:38,799 --> 00:01:40,799 through some of my 35 00:01:40,799 --> 00:01:43,119 hobby research what i've done 36 00:01:43,119 --> 00:01:45,840 during the last two years 37 00:01:45,840 --> 00:01:48,320 so my name is mikko kentala 38 00:01:48,320 --> 00:01:50,079 also known as turmeo 39 00:01:50,079 --> 00:01:52,720 and i'm one of a founder and ceo of 40 00:01:52,720 --> 00:01:54,399 sensor foo we 41 00:01:54,399 --> 00:01:56,240 built a cyber security solution to 42 00:01:56,240 --> 00:01:58,640 continuously monitor uh how well your 43 00:01:58,640 --> 00:02:00,719 network isolation is working but this is 44 00:02:00,719 --> 00:02:03,680 not nothing related to that in in that 45 00:02:03,680 --> 00:02:05,920 sense but this is more about my hobby 46 00:02:05,920 --> 00:02:07,200 stuff 47 00:02:07,200 --> 00:02:09,840 so 48 00:02:10,878 --> 00:02:14,000 i've done some hobby research related to 49 00:02:14,000 --> 00:02:16,319 the mac os before 50 00:02:16,319 --> 00:02:19,599 i found on critical vulnerability 51 00:02:19,599 --> 00:02:22,160 related to the mac os mile application 52 00:02:22,160 --> 00:02:25,040 application before which basically 53 00:02:25,040 --> 00:02:27,040 provided an attacker 54 00:02:27,040 --> 00:02:29,280 uh to access to change the mile 55 00:02:29,280 --> 00:02:32,800 application configuration via email so 56 00:02:32,800 --> 00:02:34,879 only thing what you needed to do was to 57 00:02:34,879 --> 00:02:37,920 send an email to the victim and it will 58 00:02:37,920 --> 00:02:40,480 exploit the vulnerability and change the 59 00:02:40,480 --> 00:02:43,519 configuration in your mile application 60 00:02:43,519 --> 00:02:46,400 you can see and find out all the details 61 00:02:46,400 --> 00:02:48,640 from my blog 62 00:02:48,640 --> 00:02:50,720 and this is uh 63 00:02:50,720 --> 00:02:53,200 uh something what i've done before but 64 00:02:53,200 --> 00:02:55,519 today i'm going to talk about a little 65 00:02:55,519 --> 00:02:59,120 bit different uh vulnerability 66 00:02:59,120 --> 00:03:02,319 chain and go through all the parts 67 00:03:02,319 --> 00:03:05,200 related to that chain and and just to 68 00:03:05,200 --> 00:03:06,879 make uh 69 00:03:06,879 --> 00:03:08,959 make sure that you know what you have 70 00:03:08,959 --> 00:03:10,959 been coming to watch i want to show the 71 00:03:10,959 --> 00:03:13,200 demonstration immediately at first so 72 00:03:13,200 --> 00:03:15,040 you can decide that if you want to see 73 00:03:15,040 --> 00:03:16,800 and learn all the details what's 74 00:03:16,800 --> 00:03:19,040 happening under the hood 75 00:03:19,040 --> 00:03:21,280 so i this is actually the same video 76 00:03:21,280 --> 00:03:23,840 what i sent to the apple so i just want 77 00:03:23,840 --> 00:03:25,920 to show you that the 78 00:03:25,920 --> 00:03:28,319 this was the beta version of the picture 79 00:03:28,319 --> 00:03:32,560 back then and showing that the oops 80 00:03:32,560 --> 00:03:34,159 let's try it again 81 00:03:34,159 --> 00:03:36,400 so 82 00:03:36,799 --> 00:03:39,599 so you can see that it's the uh mac os 83 00:03:39,599 --> 00:03:41,440 pixer and 84 00:03:41,440 --> 00:03:43,680 it has all the security mechanisms 85 00:03:43,680 --> 00:03:46,400 mechanisms enabled so the zip protection 86 00:03:46,400 --> 00:03:48,879 is enabled i will explain this later on 87 00:03:48,879 --> 00:03:50,159 what it means 88 00:03:50,159 --> 00:03:52,799 and if you try even in your terminal if 89 00:03:52,799 --> 00:03:55,120 you try to read your desktop you cannot 90 00:03:55,120 --> 00:03:57,280 do it because it's it's 91 00:03:57,280 --> 00:03:59,519 protected by other security and 92 00:03:59,519 --> 00:04:02,400 mechanisms so 93 00:04:02,400 --> 00:04:04,480 let's say the user is tricked to 94 00:04:04,480 --> 00:04:07,680 download something in this case 95 00:04:07,680 --> 00:04:10,080 it's a zip file 96 00:04:10,080 --> 00:04:13,599 and now the zip file is downloaded 97 00:04:13,599 --> 00:04:16,160 and it will take a while 98 00:04:16,160 --> 00:04:18,320 and that was the one click related that 99 00:04:18,320 --> 00:04:19,839 you need to allow the download to 100 00:04:19,839 --> 00:04:21,440 actually happen 101 00:04:21,440 --> 00:04:24,720 and now when the user next time launches 102 00:04:24,720 --> 00:04:26,400 the terminal 103 00:04:26,400 --> 00:04:29,680 something went wrong and you can see 104 00:04:29,680 --> 00:04:32,400 that the machine is infected and you can 105 00:04:32,400 --> 00:04:34,240 see that now the terminal was able to 106 00:04:34,240 --> 00:04:37,040 read all the files on the desktop and so 107 00:04:37,040 --> 00:04:38,240 on 108 00:04:38,240 --> 00:04:39,199 so 109 00:04:39,199 --> 00:04:40,000 this 110 00:04:40,000 --> 00:04:41,600 basically 111 00:04:41,600 --> 00:04:43,759 was the chain 112 00:04:43,759 --> 00:04:45,840 of vulnerabilities related to the 113 00:04:45,840 --> 00:04:48,320 different security mechanisms i'm going 114 00:04:48,320 --> 00:04:50,080 to walk you through that what's 115 00:04:50,080 --> 00:04:53,440 happening under the hood 116 00:04:53,440 --> 00:04:55,600 so but first of first of all a little 117 00:04:55,600 --> 00:04:59,120 bit background and how i normally find 118 00:04:59,120 --> 00:05:02,400 some vulnerabilities i'm really into 119 00:05:02,400 --> 00:05:03,199 a 120 00:05:03,199 --> 00:05:06,479 logic box so i enjoy finding those the 121 00:05:06,479 --> 00:05:09,039 most and because 122 00:05:09,039 --> 00:05:12,080 i find those also somewhat funny because 123 00:05:12,080 --> 00:05:13,840 i'm just using some of the features 124 00:05:13,840 --> 00:05:15,840 which might be over there and maybe 125 00:05:15,840 --> 00:05:17,039 using those 126 00:05:17,039 --> 00:05:19,199 uh to be clever enough to cause some 127 00:05:19,199 --> 00:05:21,360 confusion from the security point of 128 00:05:21,360 --> 00:05:23,919 view so i operate always with this 129 00:05:23,919 --> 00:05:27,440 method method uh i have a 130 00:05:27,440 --> 00:05:29,360 uh over 10 years of 131 00:05:29,360 --> 00:05:31,680 experience of doing different type of 132 00:05:31,680 --> 00:05:34,240 technical security audits and i've used 133 00:05:34,240 --> 00:05:37,440 this basically since the beginning so at 134 00:05:37,440 --> 00:05:40,560 first learn as much as possible from the 135 00:05:40,560 --> 00:05:42,240 target what you are testing or where you 136 00:05:42,240 --> 00:05:44,560 try to find out the vulnerabilities read 137 00:05:44,560 --> 00:05:47,919 the documentation but especially do the 138 00:05:47,919 --> 00:05:50,320 reverse engineering because many times 139 00:05:50,320 --> 00:05:52,800 you find hidden 140 00:05:52,800 --> 00:05:55,840 options or hidden services or hidden 141 00:05:55,840 --> 00:05:57,919 functions from the application what you 142 00:05:57,919 --> 00:06:00,160 are testing and you get the different 143 00:06:00,160 --> 00:06:02,400 kind of point of view compared to the 144 00:06:02,400 --> 00:06:04,240 maybe the developer who has actually 145 00:06:04,240 --> 00:06:07,039 done the software what you are testing 146 00:06:07,039 --> 00:06:08,720 so that's really important especially 147 00:06:08,720 --> 00:06:10,160 for me 148 00:06:10,160 --> 00:06:13,440 and the goal is to know how exactly the 149 00:06:13,440 --> 00:06:17,280 system what you are testing is working 150 00:06:17,440 --> 00:06:19,440 i use tools to 151 00:06:19,440 --> 00:06:21,440 trace the two scores when i run the 152 00:06:21,440 --> 00:06:24,560 application i run d trace or something 153 00:06:24,560 --> 00:06:26,000 like that to see that what's actually 154 00:06:26,000 --> 00:06:28,080 happening in the operating system to 155 00:06:28,080 --> 00:06:30,080 find out and learn what is actually 156 00:06:30,080 --> 00:06:32,639 going on under the hood try to find the 157 00:06:32,639 --> 00:06:35,919 anomaly so if you have a user input 158 00:06:35,919 --> 00:06:38,639 somewhere put something to that try to 159 00:06:38,639 --> 00:06:41,280 cause some troubles set 160 00:06:41,280 --> 00:06:44,400 maybe add some extra characters add some 161 00:06:44,400 --> 00:06:46,560 code do whatever try to cause some 162 00:06:46,560 --> 00:06:49,599 malfunction in the application and that 163 00:06:49,599 --> 00:06:50,960 might be it that might be the 164 00:06:50,960 --> 00:06:53,680 vulnerability test if you can manipulate 165 00:06:53,680 --> 00:06:55,680 it somehow the 166 00:06:55,680 --> 00:06:57,199 operating system or the environment 167 00:06:57,199 --> 00:06:59,039 where the application is running and 168 00:06:59,039 --> 00:07:00,880 then try to exploit it pretty 169 00:07:00,880 --> 00:07:03,759 straightforward but might take some time 170 00:07:03,759 --> 00:07:07,440 to actually get it all the done 171 00:07:07,440 --> 00:07:10,080 so in mac os if you want to achieve the 172 00:07:10,080 --> 00:07:12,400 code execution and if especially if you 173 00:07:12,400 --> 00:07:14,479 want to access the all the data in the 174 00:07:14,479 --> 00:07:16,720 system you need to circumvent plenty of 175 00:07:16,720 --> 00:07:18,960 different security mechanisms 176 00:07:18,960 --> 00:07:21,680 and the uh so in this case we need to 177 00:07:21,680 --> 00:07:24,160 exploit the initial vulnerability evade 178 00:07:24,160 --> 00:07:27,520 the gatekeeper evade the tcc 179 00:07:27,520 --> 00:07:30,160 and i will go that true in more details 180 00:07:30,160 --> 00:07:32,720 later on and if i evade the zip 181 00:07:32,720 --> 00:07:36,000 protection to access the tcc database 182 00:07:36,000 --> 00:07:38,560 in nutshell this i could spend much more 183 00:07:38,560 --> 00:07:41,520 time with this but the 184 00:07:41,520 --> 00:07:43,360 gatekeeper in general if you are running 185 00:07:43,360 --> 00:07:46,639 the mac os you see the uh 186 00:07:46,639 --> 00:07:48,080 pop-ups especially if you are 187 00:07:48,080 --> 00:07:49,919 downloading something from the internet 188 00:07:49,919 --> 00:07:51,520 and you want to run it 189 00:07:51,520 --> 00:07:54,160 applications and so on you see some 190 00:07:54,160 --> 00:07:56,160 pop-ups which tries to prevent you to 191 00:07:56,160 --> 00:07:57,919 actually running it and make this 192 00:07:57,919 --> 00:08:00,400 gatekeeper also make sure that the 193 00:08:00,400 --> 00:08:02,879 software is signed correctly and so on 194 00:08:02,879 --> 00:08:06,240 from the known developer and so on so 195 00:08:06,240 --> 00:08:09,120 it tries to prevent the 196 00:08:09,120 --> 00:08:11,680 execution of potential malicious 197 00:08:11,680 --> 00:08:15,680 binaries or applications in your system 198 00:08:15,680 --> 00:08:19,120 tcc on the other hand is the mechanized 199 00:08:19,120 --> 00:08:21,039 mechanism which is 200 00:08:21,039 --> 00:08:22,879 taking care of the 201 00:08:22,879 --> 00:08:26,000 all your most valuable data in your 202 00:08:26,000 --> 00:08:30,000 system it can be your camera in your mac 203 00:08:30,000 --> 00:08:32,880 it might be files and and other data 204 00:08:32,880 --> 00:08:34,880 what you might have in your machine 205 00:08:34,880 --> 00:08:39,519 calendar events may emails and so on so 206 00:08:39,519 --> 00:08:42,399 tcc controls that what application can 207 00:08:42,399 --> 00:08:46,000 actually access to some of the data so 208 00:08:46,000 --> 00:08:48,560 it is providing the sandboxing 209 00:08:48,560 --> 00:08:53,119 and the controlling the access controls 210 00:08:53,279 --> 00:08:56,560 uh then there's a sip system integrity 211 00:08:56,560 --> 00:08:59,040 protection which is actually in kernel 212 00:08:59,040 --> 00:09:02,880 it is it is protecting the most valuable 213 00:09:02,880 --> 00:09:06,480 files and the uh things related to the 214 00:09:06,480 --> 00:09:08,399 operating system 215 00:09:08,399 --> 00:09:09,200 so 216 00:09:09,200 --> 00:09:11,600 and it's providing a 217 00:09:11,600 --> 00:09:14,240 extra layer of protection so even if you 218 00:09:14,240 --> 00:09:17,200 are administrator or root in the system 219 00:09:17,200 --> 00:09:19,200 you cannot change some of the files 220 00:09:19,200 --> 00:09:21,279 because this sip kernel model is 221 00:09:21,279 --> 00:09:22,399 protecting 222 00:09:22,399 --> 00:09:24,720 protecting that 223 00:09:24,720 --> 00:09:26,880 okay so hopefully there was 224 00:09:26,880 --> 00:09:29,440 you can remember some of that 225 00:09:29,440 --> 00:09:34,720 so let's dive in to the actual topic 226 00:09:34,839 --> 00:09:37,120 uh the 227 00:09:37,120 --> 00:09:39,440 main thing related to this vulnerability 228 00:09:39,440 --> 00:09:41,519 chain and this is how everything started 229 00:09:41,519 --> 00:09:45,600 is related to the alias files in mac os 230 00:09:45,600 --> 00:09:48,240 uh so when you saw the video and the 231 00:09:48,240 --> 00:09:51,760 user downloaded the uh 232 00:09:51,760 --> 00:09:54,480 zip file from the internet basically 233 00:09:54,480 --> 00:09:57,040 that was the one click part so when when 234 00:09:57,040 --> 00:09:58,480 the user 235 00:09:58,480 --> 00:10:02,240 uh hits the potential download link or 236 00:10:02,240 --> 00:10:04,480 when go to the web page which provides 237 00:10:04,480 --> 00:10:05,200 the 238 00:10:05,200 --> 00:10:08,959 zip file you will be prompted about that 239 00:10:08,959 --> 00:10:10,959 do you want to do you really want to 240 00:10:10,959 --> 00:10:12,800 download this file and this was the one 241 00:10:12,800 --> 00:10:15,440 click related to this vulnerability what 242 00:10:15,440 --> 00:10:16,959 user need to be 243 00:10:16,959 --> 00:10:19,519 a user need to do 244 00:10:19,519 --> 00:10:22,240 to actually be infected 245 00:10:22,240 --> 00:10:25,760 so what's happening under the hood 246 00:10:25,760 --> 00:10:29,120 when the zip file is downloaded 247 00:10:29,120 --> 00:10:31,920 safari will actually automatically 248 00:10:31,920 --> 00:10:35,519 uncompress the zip file this is because 249 00:10:35,519 --> 00:10:38,480 apple and mac os considers that zip 250 00:10:38,480 --> 00:10:41,040 files are so called save so you can 251 00:10:41,040 --> 00:10:42,720 automatically because test setting what 252 00:10:42,720 --> 00:10:44,480 you are most likely do anyway when you 253 00:10:44,480 --> 00:10:46,880 download the zip files so you will 254 00:10:46,880 --> 00:10:49,360 anyway uncompress it and that's what it 255 00:10:49,360 --> 00:10:51,839 does automatically so i was starting 256 00:10:51,839 --> 00:10:53,200 started to think that maybe i can 257 00:10:53,200 --> 00:10:55,920 leverage this and i was 258 00:10:55,920 --> 00:10:57,600 doing research before with the mile 259 00:10:57,600 --> 00:10:58,880 application and 260 00:10:58,880 --> 00:11:01,680 that was also handling the zip file so 261 00:11:01,680 --> 00:11:04,000 this was kind of side track of that 262 00:11:04,000 --> 00:11:05,839 vulnerability when i was researching 263 00:11:05,839 --> 00:11:06,640 that 264 00:11:06,640 --> 00:11:08,959 how i could get uh 265 00:11:08,959 --> 00:11:10,320 some 266 00:11:10,320 --> 00:11:12,160 analysis done 267 00:11:12,160 --> 00:11:14,560 uh with one click or with zero click so 268 00:11:14,560 --> 00:11:16,880 this was one track of it and this is 269 00:11:16,880 --> 00:11:18,480 basically how the 270 00:11:18,480 --> 00:11:22,240 application or the exploit chain starts 271 00:11:22,240 --> 00:11:25,600 so the zip fly file actually includes an 272 00:11:25,600 --> 00:11:29,519 application mac os application 273 00:11:29,519 --> 00:11:30,399 and it 274 00:11:30,399 --> 00:11:32,640 mac os applications are basically 275 00:11:32,640 --> 00:11:35,440 directories including multiple files 276 00:11:35,440 --> 00:11:37,200 there's a certain structure 277 00:11:37,200 --> 00:11:38,000 but 278 00:11:38,000 --> 00:11:41,040 including the main executable over there 279 00:11:41,040 --> 00:11:42,480 and in my case 280 00:11:42,480 --> 00:11:46,000 that executable was an alias file 281 00:11:46,000 --> 00:11:48,800 so what the heck is mac os alias files 282 00:11:48,800 --> 00:11:49,600 so 283 00:11:49,600 --> 00:11:50,399 uh 284 00:11:50,399 --> 00:11:52,160 that was actually that's something a 285 00:11:52,160 --> 00:11:53,600 little bit different compared to the 286 00:11:53,600 --> 00:11:56,240 linux and bsd 287 00:11:56,240 --> 00:11:58,160 links or 288 00:11:58,160 --> 00:11:59,600 windows 289 00:11:59,600 --> 00:12:02,560 link files so mac os 290 00:12:02,560 --> 00:12:04,639 has had an 291 00:12:04,639 --> 00:12:07,200 alias system since 292 00:12:07,200 --> 00:12:10,480 91 so this is 31 years old feature in 293 00:12:10,480 --> 00:12:12,399 the mac os which is still over there and 294 00:12:12,399 --> 00:12:14,160 this is a little bit different compared 295 00:12:14,160 --> 00:12:16,320 to the other operating system so 296 00:12:16,320 --> 00:12:19,279 basically those alias files are have 297 00:12:19,279 --> 00:12:21,120 extra features 298 00:12:21,120 --> 00:12:25,279 which can relate and point out to the 299 00:12:25,279 --> 00:12:27,519 files in your file system and even if 300 00:12:27,519 --> 00:12:29,519 you move those to different places the 301 00:12:29,519 --> 00:12:32,320 alias will still work so it tracks 302 00:12:32,320 --> 00:12:35,200 wherever the original file is but the 303 00:12:35,200 --> 00:12:37,519 good option or the cool thing about the 304 00:12:37,519 --> 00:12:40,079 alias files is that it can also point to 305 00:12:40,079 --> 00:12:43,279 the external external resource so for 306 00:12:43,279 --> 00:12:45,600 example samba mode or something like 307 00:12:45,600 --> 00:12:46,639 that 308 00:12:46,639 --> 00:12:49,680 and that exactly what is happening in 309 00:12:49,680 --> 00:12:50,720 the first 310 00:12:50,720 --> 00:12:54,079 first phase so when the when you when 311 00:12:54,079 --> 00:12:56,480 the application is downloaded 312 00:12:56,480 --> 00:12:58,880 it includes the main executable which is 313 00:12:58,880 --> 00:13:00,079 actually 314 00:13:00,079 --> 00:13:02,720 alias file which is pointing to the 315 00:13:02,720 --> 00:13:05,519 external resource resource which is the 316 00:13:05,519 --> 00:13:08,480 attacker samba server so when the alias 317 00:13:08,480 --> 00:13:10,160 file is 318 00:13:10,160 --> 00:13:13,279 automatically resolved by the lsd which 319 00:13:13,279 --> 00:13:15,040 is one of the background processes in 320 00:13:15,040 --> 00:13:17,839 mac os which is taking care of the 321 00:13:17,839 --> 00:13:20,480 things like if you have a if you want 322 00:13:20,480 --> 00:13:22,720 application which will be automatically 323 00:13:22,720 --> 00:13:25,440 launched when you boot your mac it 324 00:13:25,440 --> 00:13:27,440 checks out that kind of things 325 00:13:27,440 --> 00:13:28,480 so 326 00:13:28,480 --> 00:13:30,959 your mac os will find out that oh you 327 00:13:30,959 --> 00:13:33,120 have a new application 328 00:13:33,120 --> 00:13:36,240 lsd will go in index those files check 329 00:13:36,240 --> 00:13:39,120 specific files like the main binary it 330 00:13:39,120 --> 00:13:42,639 finds out that oh this is alias file so 331 00:13:42,639 --> 00:13:45,040 it won't include any data but since it's 332 00:13:45,040 --> 00:13:47,920 capable of triggering the mount it will 333 00:13:47,920 --> 00:13:50,720 automatically trigger the samba mode and 334 00:13:50,720 --> 00:13:51,680 now 335 00:13:51,680 --> 00:13:56,560 attackers have a possibility to mount 336 00:13:56,560 --> 00:14:00,079 their own data to the victim's machine 337 00:14:00,079 --> 00:14:03,079 automatically 338 00:14:03,680 --> 00:14:06,240 so what now attacker can trigger some 339 00:14:06,240 --> 00:14:08,639 amount but what can you do with that and 340 00:14:08,639 --> 00:14:10,079 that's a tricky 341 00:14:10,079 --> 00:14:12,160 question so i try to play around 342 00:14:12,160 --> 00:14:14,160 multiple things try to 343 00:14:14,160 --> 00:14:16,959 find out if i can maybe fool the user or 344 00:14:16,959 --> 00:14:19,360 find out automatic feature to launch 345 00:14:19,360 --> 00:14:22,079 malicious binaries from that samba mount 346 00:14:22,079 --> 00:14:24,000 but there was many obstacles like a 347 00:14:24,000 --> 00:14:25,680 gatekeeper for example because 348 00:14:25,680 --> 00:14:27,360 everything what i tried 349 00:14:27,360 --> 00:14:29,360 uh gatekeeper was blocking those because 350 00:14:29,360 --> 00:14:32,079 it was an external source and so on 351 00:14:32,079 --> 00:14:35,199 so what can i do 352 00:14:35,839 --> 00:14:38,399 i figure out that maybe i try to find 353 00:14:38,399 --> 00:14:41,279 out the way to actually mount 354 00:14:41,279 --> 00:14:42,000 the 355 00:14:42,000 --> 00:14:45,120 samba mount completely different path 356 00:14:45,120 --> 00:14:46,800 and this is important to know that when 357 00:14:46,800 --> 00:14:49,600 you normally open any image or network 358 00:14:49,600 --> 00:14:51,279 share in your mac 359 00:14:51,279 --> 00:14:53,040 all the 360 00:14:53,040 --> 00:14:55,680 modes will be done under these last 361 00:14:55,680 --> 00:14:56,880 volumes 362 00:14:56,880 --> 00:14:59,440 and the naming goes so that the after 363 00:14:59,440 --> 00:15:02,079 the volumes you have a name for the 364 00:15:02,079 --> 00:15:04,399 moment and that is taken from the last 365 00:15:04,399 --> 00:15:06,480 path from the url 366 00:15:06,480 --> 00:15:08,720 uh which is pointing to the samba mount 367 00:15:08,720 --> 00:15:10,720 for example and that will be the name 368 00:15:10,720 --> 00:15:12,720 for the directory 369 00:15:12,720 --> 00:15:14,880 however i tried to do the most obvious 370 00:15:14,880 --> 00:15:17,279 things uh try to do 371 00:15:17,279 --> 00:15:19,360 dot slash and so on 372 00:15:19,360 --> 00:15:21,680 but couldn't get anything like uh 373 00:15:21,680 --> 00:15:24,560 valuable from the hacking point of view 374 00:15:24,560 --> 00:15:26,880 to in place actually and none of the 375 00:15:26,880 --> 00:15:29,600 tricks what i tried actually worked 376 00:15:29,600 --> 00:15:30,959 except 377 00:15:30,959 --> 00:15:33,440 there was one anomaly 378 00:15:33,440 --> 00:15:36,079 so i was able to make the file naming 379 00:15:36,079 --> 00:15:38,399 logic to fail from the 380 00:15:38,399 --> 00:15:41,519 default one if i add then 381 00:15:41,519 --> 00:15:42,560 percent 382 00:15:42,560 --> 00:15:45,759 0 0 which is null at the end of the url 383 00:15:45,759 --> 00:15:47,920 so something weird happened and instead 384 00:15:47,920 --> 00:15:50,000 of normal logic the samba mount was 385 00:15:50,000 --> 00:15:52,000 mounted with the in the way that you 386 00:15:52,000 --> 00:15:54,560 have a slash volume and fully qualified 387 00:15:54,560 --> 00:15:56,880 domain name of that samba share so 388 00:15:56,880 --> 00:15:59,040 something definitely went wrong and i 389 00:15:59,040 --> 00:16:00,959 started to figure think about that can i 390 00:16:00,959 --> 00:16:03,680 leverage that somehow 391 00:16:03,680 --> 00:16:05,279 and it turned out 392 00:16:05,279 --> 00:16:06,399 that the 393 00:16:06,399 --> 00:16:09,199 i i started to think that well 394 00:16:09,199 --> 00:16:11,839 it's a little bit restrictive to 395 00:16:11,839 --> 00:16:13,680 play around with the domains but then i 396 00:16:13,680 --> 00:16:15,440 remember that well you can do wildcard 397 00:16:15,440 --> 00:16:17,680 domain names so which basically points 398 00:16:17,680 --> 00:16:19,519 always to the same ip address but you 399 00:16:19,519 --> 00:16:22,720 can set anything you like to the uh 400 00:16:22,720 --> 00:16:25,199 domain name and that should work so i 401 00:16:25,199 --> 00:16:28,320 started to play around a bit more 402 00:16:28,320 --> 00:16:29,600 and 403 00:16:29,600 --> 00:16:30,639 this 404 00:16:30,639 --> 00:16:31,920 did the trick 405 00:16:31,920 --> 00:16:33,920 i don't know if you can see it hopefully 406 00:16:33,920 --> 00:16:35,839 you can but i will walk it through step 407 00:16:35,839 --> 00:16:37,360 by step 408 00:16:37,360 --> 00:16:39,360 so first thing 409 00:16:39,360 --> 00:16:40,160 uh 410 00:16:40,160 --> 00:16:44,000 break the default naming method uh 411 00:16:44,000 --> 00:16:46,160 to set the mousepad the default mount 412 00:16:46,160 --> 00:16:47,680 path so that's the number one thing 413 00:16:47,680 --> 00:16:50,800 which is at the end of that url that 414 00:16:50,800 --> 00:16:53,120 percent 0 0 415 00:16:53,120 --> 00:16:55,120 so now we are relying to the fully 416 00:16:55,120 --> 00:16:58,399 qualified domain name so next one is to 417 00:16:58,399 --> 00:16:59,360 use 418 00:16:59,360 --> 00:17:01,759 double encoding for some reason to 419 00:17:01,759 --> 00:17:04,799 follow some of the parsers so if you 420 00:17:04,799 --> 00:17:08,240 use just a normal url encoding i guess 421 00:17:08,240 --> 00:17:09,679 those won't be 422 00:17:09,679 --> 00:17:11,439 though some some of the parsers didn't 423 00:17:11,439 --> 00:17:14,160 accept that so i used double encoding to 424 00:17:14,160 --> 00:17:15,919 cause it 425 00:17:15,919 --> 00:17:17,599 to actually 426 00:17:17,599 --> 00:17:20,559 and that way it will be encoded as an 427 00:17:20,559 --> 00:17:23,679 dot dot slash and that was like a valid 428 00:17:23,679 --> 00:17:25,679 from the point of view of samba mode so 429 00:17:25,679 --> 00:17:28,240 that way i could do the same thing do 430 00:17:28,240 --> 00:17:30,799 tests like uh dot dot slash private 431 00:17:30,799 --> 00:17:33,039 slash temp slash test 432 00:17:33,039 --> 00:17:36,559 and but then there was one problem which 433 00:17:36,559 --> 00:17:38,160 is that you still have the rest of the 434 00:17:38,160 --> 00:17:40,480 domain name which will be included to 435 00:17:40,480 --> 00:17:42,559 the path the name of the path so for 436 00:17:42,559 --> 00:17:46,080 that reason you need to add another null 437 00:17:46,080 --> 00:17:49,120 character to actually terminate the 438 00:17:49,120 --> 00:17:51,360 string what you want to use in your path 439 00:17:51,360 --> 00:17:53,760 and with that way i was able to cause 440 00:17:53,760 --> 00:17:56,480 the arbitrary mount path for that samba 441 00:17:56,480 --> 00:17:58,160 mount so instead 442 00:17:58,160 --> 00:18:00,480 of having it mounted to this last volume 443 00:18:00,480 --> 00:18:02,720 slash stamp it would be 444 00:18:02,720 --> 00:18:05,280 mounted slash volumes dot dot slash 445 00:18:05,280 --> 00:18:07,840 private slash stamp slash test so it's 446 00:18:07,840 --> 00:18:10,640 completely different directory then 447 00:18:10,640 --> 00:18:13,679 okay so now i have a 448 00:18:13,679 --> 00:18:16,720 possibility to mount 449 00:18:16,720 --> 00:18:20,640 some amounts automatically to any 450 00:18:20,640 --> 00:18:23,919 path what i want 451 00:18:24,240 --> 00:18:26,640 but what to do next still no code 452 00:18:26,640 --> 00:18:29,440 execution 453 00:18:29,440 --> 00:18:33,440 how i can leverage this to actually 454 00:18:33,440 --> 00:18:36,160 cause and code execution and in 455 00:18:36,160 --> 00:18:39,120 history of exploitation in this part of 456 00:18:39,120 --> 00:18:41,919 the exploit chain it shouldn't be too 457 00:18:41,919 --> 00:18:44,400 hard to actually actually achieve it if 458 00:18:44,400 --> 00:18:48,400 you are able to arbitrary uh mount some 459 00:18:48,400 --> 00:18:52,240 external files to any path you want 460 00:18:52,240 --> 00:18:55,120 it shouldn't be too hard however 461 00:18:55,120 --> 00:18:57,520 it was quite hard mainly because there 462 00:18:57,520 --> 00:18:59,919 was a couple of limitations so normal 463 00:18:59,919 --> 00:19:02,559 way to leverage this is to actually use 464 00:19:02,559 --> 00:19:04,960 some existing softwares in the system so 465 00:19:04,960 --> 00:19:05,840 maybe 466 00:19:05,840 --> 00:19:08,240 do a mount to path with it will which 467 00:19:08,240 --> 00:19:10,720 will include plugins or another features 468 00:19:10,720 --> 00:19:12,880 which will be automatically loaded 469 00:19:12,880 --> 00:19:15,200 however i had a huge and this is 470 00:19:15,200 --> 00:19:16,880 actually part of the 471 00:19:16,880 --> 00:19:19,200 uh this i spent most of the time to 472 00:19:19,200 --> 00:19:20,799 figuring out this even though it 473 00:19:20,799 --> 00:19:23,039 shouldn't be too hard but it turned out 474 00:19:23,039 --> 00:19:26,960 to be quite hard mainly because of the 475 00:19:26,960 --> 00:19:28,559 fact that the last 476 00:19:28,559 --> 00:19:31,120 speed pump over there that the mounting 477 00:19:31,120 --> 00:19:34,240 mount point directory need to be new in 478 00:19:34,240 --> 00:19:37,280 the system so all the existing softwares 479 00:19:37,280 --> 00:19:40,640 which were in place where actually 480 00:19:40,640 --> 00:19:42,880 all the folders and the paths were 481 00:19:42,880 --> 00:19:44,799 actually already created so i couldn't 482 00:19:44,799 --> 00:19:47,679 use those i needed to find out the way 483 00:19:47,679 --> 00:19:49,840 to actually 484 00:19:49,840 --> 00:19:52,080 create a new directory which will be 485 00:19:52,080 --> 00:19:53,440 loaded 486 00:19:53,440 --> 00:19:55,039 but even after that there was the 487 00:19:55,039 --> 00:19:56,880 gatekeeper which was which was 488 00:19:56,880 --> 00:20:00,320 preventing me to get the code execution 489 00:20:00,320 --> 00:20:02,640 however there's always a way you just 490 00:20:02,640 --> 00:20:04,799 need to sit on your laptop or computer 491 00:20:04,799 --> 00:20:06,720 and figure it out 492 00:20:06,720 --> 00:20:09,120 and the in this phase i 493 00:20:09,120 --> 00:20:12,559 ended up using the jet sh configuration 494 00:20:12,559 --> 00:20:14,320 file which is 495 00:20:14,320 --> 00:20:17,600 uh zsh is the default shell in your 496 00:20:17,600 --> 00:20:20,000 system if you are using the mac os and 497 00:20:20,000 --> 00:20:22,799 it includes the configuration directory 498 00:20:22,799 --> 00:20:25,520 related to the keyboard layouts and so 499 00:20:25,520 --> 00:20:28,960 on which will be included every time 500 00:20:28,960 --> 00:20:32,000 when the jet sh is initialized 501 00:20:32,000 --> 00:20:32,880 so 502 00:20:32,880 --> 00:20:35,520 i went to that path i mounted the 503 00:20:35,520 --> 00:20:38,480 my samba mount including my special 504 00:20:38,480 --> 00:20:41,919 configuration file for the jet sh to the 505 00:20:41,919 --> 00:20:44,960 user's folder and whenever the user will 506 00:20:44,960 --> 00:20:46,640 launch a terminal that will be 507 00:20:46,640 --> 00:20:48,400 automatically included 508 00:20:48,400 --> 00:20:50,799 and i have a code execution 509 00:20:50,799 --> 00:20:53,679 so that was quite handy although it took 510 00:20:53,679 --> 00:20:56,400 surprisingly long time to actually find 511 00:20:56,400 --> 00:20:58,720 out and we need to remember that this is 512 00:20:58,720 --> 00:21:01,200 not vulnerability this is just a feature 513 00:21:01,200 --> 00:21:02,960 there's nothing to fix it it's working 514 00:21:02,960 --> 00:21:05,840 as it should be this specific part so 515 00:21:05,840 --> 00:21:09,200 this is not in that sense this was the 516 00:21:09,200 --> 00:21:11,679 trivial obstacle 517 00:21:11,679 --> 00:21:13,840 turned out to be a quite hard one to 518 00:21:13,840 --> 00:21:16,720 actually solve 519 00:21:16,720 --> 00:21:20,480 so now we have a code execution also but 520 00:21:20,480 --> 00:21:22,320 what to do next 521 00:21:22,320 --> 00:21:24,799 i cannot access any personal files and 522 00:21:24,799 --> 00:21:27,120 since the sandboxing is working as it 523 00:21:27,120 --> 00:21:30,480 should be all the most important user 524 00:21:30,480 --> 00:21:32,799 files are still 525 00:21:32,799 --> 00:21:34,799 in the protections of the other security 526 00:21:34,799 --> 00:21:36,320 mechanisms 527 00:21:36,320 --> 00:21:39,840 so what to do next 528 00:21:40,720 --> 00:21:42,960 and the main target in this phase is the 529 00:21:42,960 --> 00:21:46,799 tcc and the tcc was the one uh 530 00:21:46,799 --> 00:21:49,520 transparent consent and control so the 531 00:21:49,520 --> 00:21:51,440 thing what you use whenever you are 532 00:21:51,440 --> 00:21:53,760 launching an application and allowing 533 00:21:53,760 --> 00:21:55,760 them to access to your camera or 534 00:21:55,760 --> 00:21:58,159 specific files or so on so this will 535 00:21:58,159 --> 00:22:00,480 block quite a lot of things so 536 00:22:00,480 --> 00:22:01,280 let's 537 00:22:01,280 --> 00:22:04,640 we need to somehow circumvent the dcc to 538 00:22:04,640 --> 00:22:07,039 actually find it out 539 00:22:07,039 --> 00:22:10,640 so tcc actually works so that every user 540 00:22:10,640 --> 00:22:13,600 has a tcc database in their own home 541 00:22:13,600 --> 00:22:17,600 directory and a library in there 542 00:22:17,600 --> 00:22:20,640 the tcc database is actually just sqlite 543 00:22:20,640 --> 00:22:23,280 database and nothing fancy with that 544 00:22:23,280 --> 00:22:25,760 including all the configuration what you 545 00:22:25,760 --> 00:22:28,799 might do via graphical user interface 546 00:22:28,799 --> 00:22:32,480 but it is also protected by the zip and 547 00:22:32,480 --> 00:22:34,880 the zip is providing the protection to 548 00:22:34,880 --> 00:22:37,200 that database in a way that you should 549 00:22:37,200 --> 00:22:40,720 be only able to change the configuration 550 00:22:40,720 --> 00:22:42,880 from the graphical user interface what 551 00:22:42,880 --> 00:22:45,919 you saw beforehand on the previous slide 552 00:22:45,919 --> 00:22:47,760 so that's that's the normal way to 553 00:22:47,760 --> 00:22:49,120 actually 554 00:22:49,120 --> 00:22:52,000 control that database but since that 555 00:22:52,000 --> 00:22:54,240 includes heavily the user interaction 556 00:22:54,240 --> 00:22:56,000 that was obviously problem for me 557 00:22:56,000 --> 00:22:58,960 because i wanted to cause some automatic 558 00:22:58,960 --> 00:23:01,440 uh changes in the system and within the 559 00:23:01,440 --> 00:23:04,640 tcc database so we need to 560 00:23:04,640 --> 00:23:07,840 find out the way to circumvent this sip 561 00:23:07,840 --> 00:23:11,520 which is protecting the tcc database 562 00:23:11,520 --> 00:23:14,720 so this sip is protecting specific file 563 00:23:14,720 --> 00:23:16,559 in the system and it's built in the 564 00:23:16,559 --> 00:23:18,799 kernel level so i needed to figure out 565 00:23:18,799 --> 00:23:21,360 how to solve that 566 00:23:21,360 --> 00:23:23,760 so uh dcc 567 00:23:23,760 --> 00:23:26,880 is you tcc database is used by the 568 00:23:26,880 --> 00:23:29,600 service called tccd 569 00:23:29,600 --> 00:23:32,400 and the dccd process is owned by the 570 00:23:32,400 --> 00:23:33,520 user 571 00:23:33,520 --> 00:23:36,000 so since i have already access to run 572 00:23:36,000 --> 00:23:38,720 arbitrary code in the system in as with 573 00:23:38,720 --> 00:23:40,960 the user 574 00:23:40,960 --> 00:23:43,679 user permissions i was thinking of that 575 00:23:43,679 --> 00:23:45,840 there has to be a way to actually 576 00:23:45,840 --> 00:23:49,120 manipulate the files 577 00:23:49,760 --> 00:23:51,600 but to see because the sip is protecting 578 00:23:51,600 --> 00:23:53,679 the dcc database 579 00:23:53,679 --> 00:23:56,000 uh we needed to find out to do some 580 00:23:56,000 --> 00:23:58,480 trick to fool all the 581 00:23:58,480 --> 00:24:00,799 security measures around it 582 00:24:00,799 --> 00:24:04,240 and turns out this did the trick so no 583 00:24:04,240 --> 00:24:06,000 worries if you are not seeing it i will 584 00:24:06,000 --> 00:24:07,360 walk it through that what's happening 585 00:24:07,360 --> 00:24:08,880 over there 586 00:24:08,880 --> 00:24:10,400 so 587 00:24:10,400 --> 00:24:11,360 since 588 00:24:11,360 --> 00:24:13,679 in the beginning uh 589 00:24:13,679 --> 00:24:16,960 first we kill the process the eccd 590 00:24:16,960 --> 00:24:19,279 to force it to load 591 00:24:19,279 --> 00:24:21,840 all the environments and all the 592 00:24:21,840 --> 00:24:25,039 everything related to that process again 593 00:24:25,039 --> 00:24:27,919 immediately after that we mount a new 594 00:24:27,919 --> 00:24:31,679 directory to the protected path from 595 00:24:31,679 --> 00:24:34,000 from the image so we have an image which 596 00:24:34,000 --> 00:24:35,039 includes 597 00:24:35,039 --> 00:24:36,000 new 598 00:24:36,000 --> 00:24:39,760 database uh the tcc database and we 599 00:24:39,760 --> 00:24:41,039 mount that 600 00:24:41,039 --> 00:24:43,600 image to that exact path 601 00:24:43,600 --> 00:24:45,919 where the files normally are and where 602 00:24:45,919 --> 00:24:48,159 the database are 603 00:24:48,159 --> 00:24:49,520 already 604 00:24:49,520 --> 00:24:53,440 so when the dc-cd process will start 605 00:24:53,440 --> 00:24:56,400 it will automatically load the dcc 606 00:24:56,400 --> 00:24:58,159 database 607 00:24:58,159 --> 00:25:01,840 from the specific path but now that path 608 00:25:01,840 --> 00:25:05,200 it it includes actually our payload and 609 00:25:05,200 --> 00:25:08,400 our configuration will be loaded 610 00:25:08,400 --> 00:25:10,400 so sip 611 00:25:10,400 --> 00:25:12,080 is actually still protecting the 612 00:25:12,080 --> 00:25:14,720 original files in the file systems but 613 00:25:14,720 --> 00:25:18,000 the trick is that the 614 00:25:18,000 --> 00:25:20,559 we instead of using those exact files 615 00:25:20,559 --> 00:25:22,640 which are now protected by sip we 616 00:25:22,640 --> 00:25:26,799 actually fool the tccd process to load 617 00:25:26,799 --> 00:25:30,240 the my new files from the system and i 618 00:25:30,240 --> 00:25:33,039 have to say this was completely lucky 619 00:25:33,039 --> 00:25:35,120 strike this was 620 00:25:35,120 --> 00:25:37,840 first thing what i tried when i got this 621 00:25:37,840 --> 00:25:40,960 obstacle so i was thinking of how how 622 00:25:40,960 --> 00:25:44,080 can i fool this this dc cd 623 00:25:44,080 --> 00:25:47,200 uh to actually load some my database 624 00:25:47,200 --> 00:25:48,960 first thing what came to my mind was 625 00:25:48,960 --> 00:25:50,400 let's try to mount something to that 626 00:25:50,400 --> 00:25:52,320 directory will it work and it worked and 627 00:25:52,320 --> 00:25:53,760 i was stunted 628 00:25:53,760 --> 00:25:55,039 this was it 629 00:25:55,039 --> 00:25:57,360 really but uh 630 00:25:57,360 --> 00:25:59,600 it doesn't necessarily mean that it was 631 00:25:59,600 --> 00:26:01,919 poorly implemented but i got the lucky 632 00:26:01,919 --> 00:26:03,919 strike because i was playing around 633 00:26:03,919 --> 00:26:06,320 previously with the mount so obviously 634 00:26:06,320 --> 00:26:07,840 that was the first thing to come to my 635 00:26:07,840 --> 00:26:10,320 mind that what the heck let's try that 636 00:26:10,320 --> 00:26:12,400 and it worked and i was like completely 637 00:26:12,400 --> 00:26:15,840 surprised that this was it 638 00:26:15,840 --> 00:26:17,200 so success 639 00:26:17,200 --> 00:26:20,480 the puzzle was solved uh this was 640 00:26:20,480 --> 00:26:23,760 now attacker can use mac os alias files 641 00:26:23,760 --> 00:26:26,400 to cause one click network mount 642 00:26:26,400 --> 00:26:29,360 to arbitrary directory which will lead 643 00:26:29,360 --> 00:26:31,919 the remote or arbitrary code execution 644 00:26:31,919 --> 00:26:34,400 with the user privileges and since we 645 00:26:34,400 --> 00:26:35,760 can 646 00:26:35,760 --> 00:26:39,039 after that we combine that with the 647 00:26:39,039 --> 00:26:41,120 aviations related to the other security 648 00:26:41,120 --> 00:26:43,520 mechanisms we can actually access all 649 00:26:43,520 --> 00:26:44,480 the 650 00:26:44,480 --> 00:26:48,640 users data and sensitive data in the mac 651 00:26:48,640 --> 00:26:49,760 os 652 00:26:49,760 --> 00:26:52,400 so it turned out that 653 00:26:52,400 --> 00:26:53,679 this was a 654 00:26:53,679 --> 00:26:56,720 i started as a 655 00:26:57,440 --> 00:26:58,320 fun 656 00:26:58,320 --> 00:27:00,480 let's play around a bit 657 00:27:00,480 --> 00:27:03,039 and some something started to come up i 658 00:27:03,039 --> 00:27:05,520 started to continue to play around a bit 659 00:27:05,520 --> 00:27:06,640 more 660 00:27:06,640 --> 00:27:09,200 and found the new things but after the 661 00:27:09,200 --> 00:27:11,200 multiple steps the 662 00:27:11,200 --> 00:27:13,520 puzzle was solved and the 663 00:27:13,520 --> 00:27:17,360 uh also this would help the 100 million 664 00:27:17,360 --> 00:27:21,039 mac os users in the world and 665 00:27:21,039 --> 00:27:24,640 we we got it fixed in that way 666 00:27:24,640 --> 00:27:27,120 so from the initial access user will 667 00:27:27,120 --> 00:27:29,039 download the zip file 668 00:27:29,039 --> 00:27:31,679 zip file will be automatically extracted 669 00:27:31,679 --> 00:27:34,640 by safari lsd process will come in and 670 00:27:34,640 --> 00:27:36,799 automatically index the new files which 671 00:27:36,799 --> 00:27:38,799 are over there it will find out that 672 00:27:38,799 --> 00:27:41,200 this alias interesting alias file and 673 00:27:41,200 --> 00:27:43,760 will resolve that which will cause the 674 00:27:43,760 --> 00:27:45,840 infection of the mac os and now you have 675 00:27:45,840 --> 00:27:48,399 the malicious mount in your system 676 00:27:48,399 --> 00:27:50,559 and whenever the user launches the 677 00:27:50,559 --> 00:27:54,000 terminal it will trigger the arbitrary 678 00:27:54,000 --> 00:27:56,320 code execution because it will load the 679 00:27:56,320 --> 00:28:00,080 configuration and immediately do the 680 00:28:00,080 --> 00:28:03,360 evasions for the security mechanism in 681 00:28:03,360 --> 00:28:06,399 the mac os and that way can access all 682 00:28:06,399 --> 00:28:09,679 the data in the user's environment and 683 00:28:09,679 --> 00:28:12,159 do whatever what what the attacker wants 684 00:28:12,159 --> 00:28:15,360 with that data uploading those 685 00:28:15,360 --> 00:28:19,199 to third-party servers or so on 686 00:28:20,320 --> 00:28:22,559 so 687 00:28:23,120 --> 00:28:26,080 timeline i actually found this bug 688 00:28:26,080 --> 00:28:28,480 in 2020 689 00:28:28,480 --> 00:28:31,840 in the late over there and uh got the 690 00:28:31,840 --> 00:28:34,000 discussion going on with the apple 691 00:28:34,000 --> 00:28:35,600 reported about it 692 00:28:35,600 --> 00:28:37,279 and got the discussions going on with 693 00:28:37,279 --> 00:28:38,159 them 694 00:28:38,159 --> 00:28:42,000 they had some troubles to reproduce the 695 00:28:42,000 --> 00:28:44,000 issue because it includes the samba 696 00:28:44,000 --> 00:28:45,679 server and 697 00:28:45,679 --> 00:28:46,799 they 698 00:28:46,799 --> 00:28:50,399 couldn't get it like done in a way how i 699 00:28:50,399 --> 00:28:52,880 was configured it so i actually prepared 700 00:28:52,880 --> 00:28:54,880 the virtual machine for them 701 00:28:54,880 --> 00:28:57,440 uh to use it as a samba server to 702 00:28:57,440 --> 00:28:59,360 actually make the full vulnerability 703 00:28:59,360 --> 00:29:02,240 chained actually fixed or they test it 704 00:29:02,240 --> 00:29:05,520 and later on those will those were fixed 705 00:29:05,520 --> 00:29:07,600 in quite early phase 706 00:29:07,600 --> 00:29:10,480 then it took quite a long time 707 00:29:10,480 --> 00:29:15,200 and 2025 uh just in december the report 708 00:29:15,200 --> 00:29:17,840 was qualified as an apple security 709 00:29:17,840 --> 00:29:20,880 bounty so it took something like 710 00:29:20,880 --> 00:29:23,120 a bit over one year to 711 00:29:23,120 --> 00:29:25,520 figure out that if it's a 712 00:29:25,520 --> 00:29:28,960 eligible for the bounty 713 00:29:29,200 --> 00:29:30,880 just want to show you that this is how 714 00:29:30,880 --> 00:29:32,799 it look like when they 715 00:29:32,799 --> 00:29:34,640 when they 716 00:29:34,640 --> 00:29:38,480 release the fixes and how it looks like 717 00:29:38,480 --> 00:29:40,399 in the chains lock 718 00:29:40,399 --> 00:29:42,399 so mounting malicious crafted samba 719 00:29:42,399 --> 00:29:44,880 server network uh network share may lead 720 00:29:44,880 --> 00:29:47,279 to arbitrary code execution and the back 721 00:29:47,279 --> 00:29:49,919 in the time a couple of years ago 722 00:29:49,919 --> 00:29:51,440 i think these 723 00:29:51,440 --> 00:29:54,960 uh chains locks were actually not that 724 00:29:54,960 --> 00:29:57,440 exact as they are in the current 725 00:29:57,440 --> 00:29:59,679 currently and i'm really happy about 726 00:29:59,679 --> 00:30:01,840 that 727 00:30:01,840 --> 00:30:03,360 the second 728 00:30:03,360 --> 00:30:04,799 vulnerability 729 00:30:04,799 --> 00:30:06,960 it looks like this and it turned out 730 00:30:06,960 --> 00:30:08,960 that there was a bug collision related 731 00:30:08,960 --> 00:30:11,760 to this one however i did the 732 00:30:11,760 --> 00:30:14,000 it seems so that i did the first one we 733 00:30:14,000 --> 00:30:15,679 just discussed with the other 734 00:30:15,679 --> 00:30:17,760 researchers about it and it seems so 735 00:30:17,760 --> 00:30:20,960 that i found it first but anyway 736 00:30:20,960 --> 00:30:23,360 there was a multiple researchers doing 737 00:30:23,360 --> 00:30:26,080 research especially tcc and i guess we 738 00:30:26,080 --> 00:30:28,240 have another talk coming today about 739 00:30:28,240 --> 00:30:29,840 that also 740 00:30:29,840 --> 00:30:32,480 so go and check that too 741 00:30:32,480 --> 00:30:34,080 but there were there has been quite a 742 00:30:34,080 --> 00:30:37,600 lot of issues related to the tcc and 743 00:30:37,600 --> 00:30:40,720 quite a lot of vulnerabilities 744 00:30:40,720 --> 00:30:41,600 so 745 00:30:41,600 --> 00:30:44,320 hopefully it's better in future however 746 00:30:44,320 --> 00:30:46,399 it includes the fundamental issue that 747 00:30:46,399 --> 00:30:49,120 the you as an user you have a permission 748 00:30:49,120 --> 00:30:51,279 to do the changes for that 749 00:30:51,279 --> 00:30:53,840 and at the same time it so it means that 750 00:30:53,840 --> 00:30:56,640 you get infected there might be multiple 751 00:30:56,640 --> 00:30:58,799 ways to actually 752 00:30:58,799 --> 00:31:01,360 uh exploit the 753 00:31:01,360 --> 00:31:04,720 tcc database and it seems so at least so 754 00:31:04,720 --> 00:31:06,240 far let's see how the 755 00:31:06,240 --> 00:31:08,720 how the future will come 756 00:31:08,720 --> 00:31:11,919 so it looks like that i'm uh i was quite 757 00:31:11,919 --> 00:31:15,120 fast related to compared to the timing 758 00:31:15,120 --> 00:31:16,880 what i was trying before 759 00:31:16,880 --> 00:31:19,440 so at this moment i i want to thank you 760 00:31:19,440 --> 00:31:23,840 all and take q a and and if you have 761 00:31:23,840 --> 00:31:25,519 some questions later on i want to show 762 00:31:25,519 --> 00:31:27,919 you that we are i'm from finland so we 763 00:31:27,919 --> 00:31:29,760 are in the finnish village you can find 764 00:31:29,760 --> 00:31:31,760 it right next to the sauna so come and 765 00:31:31,760 --> 00:31:33,279 have a chat with me 766 00:31:33,279 --> 00:31:35,360 and let's discuss more about this and 767 00:31:35,360 --> 00:31:38,240 maybe have a sauna or salmiakki 768 00:31:38,240 --> 00:31:43,240 together with us so thank you 769 00:31:43,460 --> 00:31:46,549 [Music] 770 00:31:48,560 --> 00:31:51,279 [Music] 771 00:31:51,279 --> 00:31:53,600 thank you very much tomio if you have 772 00:31:53,600 --> 00:31:55,440 any questions please line up at the two 773 00:31:55,440 --> 00:31:57,039 microphones we have here in the middle 774 00:31:57,039 --> 00:31:59,440 of the room um yes i know it's hot and 775 00:31:59,440 --> 00:32:01,440 you have to move unfortunately we can't 776 00:32:01,440 --> 00:32:03,600 bring the mics to you 777 00:32:03,600 --> 00:32:05,760 are there any questions in the audience 778 00:32:05,760 --> 00:32:07,200 if there are take your time to get to 779 00:32:07,200 --> 00:32:09,760 the microphone just indicate that you're 780 00:32:09,760 --> 00:32:11,679 moving 781 00:32:11,679 --> 00:32:14,919 i guess 782 00:32:16,559 --> 00:32:18,240 don't don't tap on the mic just close to 783 00:32:18,240 --> 00:32:19,679 the microphone and start talking that 784 00:32:19,679 --> 00:32:21,919 should work can you hear me yes 785 00:32:21,919 --> 00:32:24,000 i just had a simple question 786 00:32:24,000 --> 00:32:26,320 will the slides be available 787 00:32:26,320 --> 00:32:27,360 yes 788 00:32:27,360 --> 00:32:31,279 those will be all right thanks 789 00:32:32,000 --> 00:32:33,440 okay um 790 00:32:33,440 --> 00:32:35,840 thanks for the great talk and the 791 00:32:35,840 --> 00:32:39,039 uh awesome research so uh my question 792 00:32:39,039 --> 00:32:41,200 maybe is uh because you have been 793 00:32:41,200 --> 00:32:43,360 looking at uh these things for quite a 794 00:32:43,360 --> 00:32:46,240 long time so uh what have you been doing 795 00:32:46,240 --> 00:32:49,279 after 2020 796 00:32:49,919 --> 00:32:51,679 let's see it might be that there will be 797 00:32:51,679 --> 00:32:55,360 more dragons so let's see but 798 00:32:55,360 --> 00:32:57,279 i do this as a hobby so 799 00:32:57,279 --> 00:32:59,679 as you most likely all of your fellow 800 00:32:59,679 --> 00:33:02,559 hackers know your attention goes to some 801 00:33:02,559 --> 00:33:05,519 place something new always so there 802 00:33:05,519 --> 00:33:09,120 might be some time also but let's see 803 00:33:09,120 --> 00:33:11,440 uh if there's more coming related to the 804 00:33:11,440 --> 00:33:13,440 mac os vulnerabilities 805 00:33:13,440 --> 00:33:15,679 uh but in the meantime i've been also 806 00:33:15,679 --> 00:33:17,919 doing other things sometimes even with 807 00:33:17,919 --> 00:33:20,960 the family doing something so and i 808 00:33:20,960 --> 00:33:22,799 wanted at this at this point i want to 809 00:33:22,799 --> 00:33:25,440 thank the family and they 810 00:33:25,440 --> 00:33:27,840 and you be patient with me when i was 811 00:33:27,840 --> 00:33:29,600 finding this because those were quite 812 00:33:29,600 --> 00:33:32,240 long day days and they needed to be 813 00:33:32,240 --> 00:33:36,080 flexible also so thank you 814 00:33:36,880 --> 00:33:39,840 hi uh yeah thanks for the talk actually 815 00:33:39,840 --> 00:33:42,159 i have two questions um yes before you 816 00:33:42,159 --> 00:33:44,320 start could you move closer to the mic 817 00:33:44,320 --> 00:33:46,240 yes i can hear you i can try do it like 818 00:33:46,240 --> 00:33:48,960 in heavy metal 819 00:33:50,240 --> 00:33:52,640 i was quite surprised how 820 00:33:52,640 --> 00:33:54,159 simple 821 00:33:54,159 --> 00:33:56,960 in quotes uh this attack was it was 822 00:33:56,960 --> 00:33:59,440 nothing like really what people might 823 00:33:59,440 --> 00:34:02,240 imagine yeah what hacking is like it's 824 00:34:02,240 --> 00:34:03,840 the simplest kinds of exploits that you 825 00:34:03,840 --> 00:34:07,360 can think of yeah um 826 00:34:07,360 --> 00:34:09,599 first question how was your experience 827 00:34:09,599 --> 00:34:12,480 um actually in communicating 828 00:34:12,480 --> 00:34:14,159 with apple about this 829 00:34:14,159 --> 00:34:16,560 how did they react how were the reaction 830 00:34:16,560 --> 00:34:18,800 times and stuff like that 831 00:34:18,800 --> 00:34:21,280 so uh so i've reported multiple 832 00:34:21,280 --> 00:34:24,000 vulnerabilities for them uh but the 833 00:34:24,000 --> 00:34:26,560 let's say let's pick this email communic 834 00:34:26,560 --> 00:34:28,480 email issue and this one 835 00:34:28,480 --> 00:34:31,440 so the email was real email issue was 836 00:34:31,440 --> 00:34:33,040 really straightforward because it was so 837 00:34:33,040 --> 00:34:34,960 easy to reproduce and it was clear for 838 00:34:34,960 --> 00:34:37,199 everybody that was going on this was a 839 00:34:37,199 --> 00:34:39,760 bit more trickier i get the 840 00:34:39,760 --> 00:34:41,679 they replied quite quickly and thanked 841 00:34:41,679 --> 00:34:45,199 for it uh they were able to reproduce it 842 00:34:45,199 --> 00:34:47,040 part of the issues 843 00:34:47,040 --> 00:34:49,040 so that got also 844 00:34:49,040 --> 00:34:50,879 fixed quite early on 845 00:34:50,879 --> 00:34:52,800 but i needed to poke around a bit that 846 00:34:52,800 --> 00:34:54,480 hey what's going on if there is still 847 00:34:54,480 --> 00:34:56,960 some issues or because i didn't hear 848 00:34:56,960 --> 00:34:58,079 about them 849 00:34:58,079 --> 00:35:00,400 from after quite long time two months or 850 00:35:00,400 --> 00:35:03,040 so and then they ask that okay we have a 851 00:35:03,040 --> 00:35:05,440 hard time to reproduce this part related 852 00:35:05,440 --> 00:35:07,040 to the samba mount 853 00:35:07,040 --> 00:35:08,720 and i 854 00:35:08,720 --> 00:35:10,960 recorded the video for them 855 00:35:10,960 --> 00:35:13,599 and how it actually goes and 856 00:35:13,599 --> 00:35:14,839 then 857 00:35:14,839 --> 00:35:18,160 uh tried to help them to do the samba 858 00:35:18,160 --> 00:35:20,240 server but then figured out what the 859 00:35:20,240 --> 00:35:22,160 heck i just do the virtual machine and 860 00:35:22,160 --> 00:35:23,599 because that's the easiest way and 861 00:35:23,599 --> 00:35:26,880 that's way everything will be in place 862 00:35:26,880 --> 00:35:29,760 and after that it went rather smoothly 863 00:35:29,760 --> 00:35:32,000 although once again after because there 864 00:35:32,000 --> 00:35:34,240 was no no no comments related to the 865 00:35:34,240 --> 00:35:36,400 backbone there i started to ask around 866 00:35:36,400 --> 00:35:39,119 that hey when when you are able to check 867 00:35:39,119 --> 00:35:41,760 out the if this is a valid for the 868 00:35:41,760 --> 00:35:44,720 backbone the or if they're what's what's 869 00:35:44,720 --> 00:35:46,640 going to happen related to that and i 870 00:35:46,640 --> 00:35:48,160 want to quickly comment since we have 871 00:35:48,160 --> 00:35:50,800 some time to the uh 872 00:35:50,800 --> 00:35:54,079 fact that these are rather trivial 873 00:35:54,079 --> 00:35:55,200 bugs 874 00:35:55,200 --> 00:35:56,400 but the 875 00:35:56,400 --> 00:35:58,400 actually the original idea was that 876 00:35:58,400 --> 00:36:01,680 because i i'm i'm using mac os myself i 877 00:36:01,680 --> 00:36:02,960 follow the 878 00:36:02,960 --> 00:36:05,200 security changes and follow what the 879 00:36:05,200 --> 00:36:07,200 other researchers are doing and i've 880 00:36:07,200 --> 00:36:09,520 been i started to think about that maybe 881 00:36:09,520 --> 00:36:10,720 there's some 882 00:36:10,720 --> 00:36:13,040 old things what we used to find out from 883 00:36:13,040 --> 00:36:15,440 the unix systems back in the 10 years 884 00:36:15,440 --> 00:36:17,599 ago maybe it seems that nobody is 885 00:36:17,599 --> 00:36:20,079 fighting those kinds of parks so let's 886 00:36:20,079 --> 00:36:21,680 see what's going on over there maybe 887 00:36:21,680 --> 00:36:24,000 there's a similar kind of issues because 888 00:36:24,000 --> 00:36:26,160 for me it looks like the security 889 00:36:26,160 --> 00:36:28,240 community in general is working so that 890 00:36:28,240 --> 00:36:30,400 there's a sauron's eye which is turning 891 00:36:30,400 --> 00:36:32,480 to the some direction everybody is 892 00:36:32,480 --> 00:36:34,560 hacking the same things and 893 00:36:34,560 --> 00:36:36,560 or at least most of the not everybody 894 00:36:36,560 --> 00:36:38,720 obviously but the most of the persons 895 00:36:38,720 --> 00:36:40,800 are finding when there's a new 896 00:36:40,800 --> 00:36:42,880 interesting thing everybody goes there 897 00:36:42,880 --> 00:36:44,320 and start to figure out that maybe 898 00:36:44,320 --> 00:36:46,240 there's uh some more vulnerabilities so 899 00:36:46,240 --> 00:36:48,720 i started to think that i'm i'm not that 900 00:36:48,720 --> 00:36:50,880 clever so maybe it's better that i look 901 00:36:50,880 --> 00:36:52,560 to other direction and find out if 902 00:36:52,560 --> 00:36:55,359 there's some leftovers from the 10 years 903 00:36:55,359 --> 00:36:58,400 ago to find out and there was and the 904 00:36:58,400 --> 00:37:00,560 that's also which 905 00:37:00,560 --> 00:37:02,480 which is a little bit concerning for me 906 00:37:02,480 --> 00:37:04,560 is that the how much there's there 907 00:37:04,560 --> 00:37:06,720 actually is eyes for this kind of logic 908 00:37:06,720 --> 00:37:09,280 box because it seems that there's plenty 909 00:37:09,280 --> 00:37:12,640 of those on the field still to find out 910 00:37:12,640 --> 00:37:13,680 so 911 00:37:13,680 --> 00:37:16,640 uh even though we have a great ctf over 912 00:37:16,640 --> 00:37:19,119 here so every now and then when you feel 913 00:37:19,119 --> 00:37:21,040 that maybe we should do a ctf and 914 00:37:21,040 --> 00:37:22,320 participate to some of those 915 00:37:22,320 --> 00:37:25,520 competitions maybe it could it is good 916 00:37:25,520 --> 00:37:28,320 idea to try to find out vulnerabilities 917 00:37:28,320 --> 00:37:30,320 for mac os or any other operating 918 00:37:30,320 --> 00:37:32,079 systems because there's a similar issues 919 00:37:32,079 --> 00:37:34,160 what we have been seeing over the last 920 00:37:34,160 --> 00:37:37,520 20 years or so in the unique system so 921 00:37:37,520 --> 00:37:39,119 it might be worth to check out and there 922 00:37:39,119 --> 00:37:42,560 might be some low hanging fruits 923 00:37:42,560 --> 00:37:43,920 okay 924 00:37:43,920 --> 00:37:47,119 thank you quick second question yep 925 00:37:47,119 --> 00:37:49,119 since you exploited quite a chain of 926 00:37:49,119 --> 00:37:51,119 vulnerabilities 927 00:37:51,119 --> 00:37:53,440 you just found one possible way to 928 00:37:53,440 --> 00:37:56,560 execute code by mounting your malicious 929 00:37:56,560 --> 00:38:00,880 folder to the zsh zsh folder 930 00:38:00,880 --> 00:38:02,560 so this means 931 00:38:02,560 --> 00:38:05,520 on one hand the victim has to open that 932 00:38:05,520 --> 00:38:08,079 terminal force this to become effective 933 00:38:08,079 --> 00:38:09,680 yeah it also means that there might 934 00:38:09,680 --> 00:38:12,160 potentially be other paths that would 935 00:38:12,160 --> 00:38:15,200 automatically execute code 936 00:38:15,200 --> 00:38:17,920 without the user having to do anything 937 00:38:17,920 --> 00:38:19,520 yeah this is quite concerning i think 938 00:38:19,520 --> 00:38:22,160 even more yes absolutely and 939 00:38:22,160 --> 00:38:23,119 i was 940 00:38:23,119 --> 00:38:25,359 heavily considering to do more research 941 00:38:25,359 --> 00:38:28,079 on that to cause it like a trigger 942 00:38:28,079 --> 00:38:29,359 different way 943 00:38:29,359 --> 00:38:31,440 but 944 00:38:31,440 --> 00:38:34,000 i decided that because this is not the 945 00:38:34,000 --> 00:38:35,520 part where the actual 946 00:38:35,520 --> 00:38:38,240 vulnerability is it's kind of irrelevant 947 00:38:38,240 --> 00:38:40,880 because because after all the initial 948 00:38:40,880 --> 00:38:42,880 vector is the vulnerability and how i 949 00:38:42,880 --> 00:38:44,880 exploit the other security measures 950 00:38:44,880 --> 00:38:47,359 later on are those vulnerabilities i 951 00:38:47,359 --> 00:38:49,520 decided that this is good enough for the 952 00:38:49,520 --> 00:38:51,440 proof of concept there should be other 953 00:38:51,440 --> 00:38:53,839 options i was able to do a couple of 954 00:38:53,839 --> 00:38:56,400 things also which were like something to 955 00:38:56,400 --> 00:38:58,880 maybe do research more in the future but 956 00:38:58,880 --> 00:39:01,760 the but yeah there's plenty of speed 957 00:39:01,760 --> 00:39:04,640 bumps and obstacles so whatever in work 958 00:39:04,640 --> 00:39:06,560 for me in this case because this is not 959 00:39:06,560 --> 00:39:09,119 the core part of the vulnerability 960 00:39:09,119 --> 00:39:11,680 thanks thanks 961 00:39:11,680 --> 00:39:14,560 any further questions 962 00:39:14,560 --> 00:39:16,560 i think everyone's everyone wants to go 963 00:39:16,560 --> 00:39:18,560 for a swim well 964 00:39:18,560 --> 00:39:20,079 if there are no further questions i 965 00:39:20,079 --> 00:39:22,560 would like to ask you give another very 966 00:39:22,560 --> 00:39:25,440 cool round of applause to tormeo 967 00:39:25,440 --> 00:39:28,920 thank you very much 968 00:39:30,400 --> 00:39:33,630 [Music]