Unpacking Pkgs: A Look Inside MacOS Installer Packages
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 335 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/48434 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2794 / 335
8
9
12
14
32
38
41
58
60
61
72
75
83
87
92
96
108
115
128
132
143
152
158
159
191
193
218
230
268
271
273
276
278
295
310
320
321
335
00:00
BitComputer scienceNeuroinformatikLaptopRankingInformation securityCartesian coordinate systemSoftwareCompilation albumInstallation artDegree (graph theory)Physical systemGroup actionMeeting/InterviewLecture/Conference
00:45
Focus (optics)Information securityLocal GroupData managementVulnerability (computing)Regular graphMultiplication signData managementRankingComputer animation
01:04
Projective planeMultiplication signData managementAliasing
01:32
SoftwareComputer programmingUltraviolet photoelectron spectroscopyCartesian coordinate systemSoftwareNeuroinformatikIntegrated development environmentInstallation artProcess (computing)Client (computing)Information securityLaptopComputer animation
02:27
CurvatureExtension (kinesiology)Single-precision floating-point formatRaw image formatCurvatureInstallation artFile archiverMalwareExtension (kinesiology)Utility softwareFunction (mathematics)Directory serviceCartesian coordinate systemCodePhysical systemSign (mathematics)Open setFiber bundleFlagElectronic signatureComputer fileMobile appInformation securityExpandierender GraphComputer animation
04:04
Hacker (term)Data structureQuicksortDistribution (mathematics)Directory serviceOcean currentFunction (mathematics)Computer fileUtility software
04:25
ASCIIDistribution (mathematics)Directory serviceDistribution (mathematics)Scripting languageComputer fileDirectory serviceQuicksortData structureWindowComputer wormComputer animation
04:48
Scripting languageDistribution (mathematics)Raw image formatInstallation artInformationComputer fileElectronic mailing listRandom numberDirectory serviceFile archiverMetadataInstallation artMultiplication signUniform resource locatorProcess (computing)Data compressionComputer wormComputer fileType theoryScripting languageInformationPhysical systemDirectory serviceDistribution (mathematics)SubsetReading (process)WindowGroup actionCodeLine (geometry)QuicksortComputer animation
06:57
Computer fileFile archiverComputer fileComputer-assisted translationComputer animation
07:15
Computer fileDirectory serviceContent (media)Content (media)Directory serviceoutputFile archiverObject (grammar)Scripting languageJSON
07:47
Computer fileScripting languageComputer wormPhysical systemProcess (computing)Installation artUtility softwareComputer fileComputer animation
08:17
Scripting languageComputer wormInstallation artKernel (computing)Modul <Datentyp>Binary fileScripting languageInformationComputer fileMultiplication signInstallation artType theoryCodeReverse engineeringDistribution (mathematics)Mobile appComputer wormOperator (mathematics)QuicksortUniform resource locatorInformation securityMachine codeException handlingKernel (computing)Cartesian coordinate systemDirectory serviceVulnerability (computing)Computer animation
10:43
RootDirectory serviceCodeVulnerability (computing)SoftwareNumberVulnerability (computing)Link (knot theory)CodeSymbol tableComputer wormComputer animation
11:05
Vulnerability (computing)SoftwareRootExploit (computer security)LaptopPower (physics)Loop (music)Lattice (order)Installation artComputer wormComputer programmingComputer fileInstance (computer science)Ocean currentRootScripting languageGroup actionVulnerability (computing)SoftwareSystem administratorUtility softwareVideoconferencingBinary codeDirectory serviceInheritance (object-oriented programming)JSON
12:20
System administratorPhysical systemVideo game consoleOcean currentCASE <Informatik>Loop (music)Multiplication signProcess (computing)System administratorDirectory serviceLink (knot theory)Computer fileMathematicsState of matterScripting languageCartesian coordinate systemInstallation art
13:39
System administratorPhysical systemVulnerability (computing)Computer wormScripting languageLink (knot theory)Installation artComputer fileScripting languageDirection (geometry)Computer wormDirectory serviceBinary codeSymbol tableRootCASE <Informatik>Physical systemCartesian coordinate systemVarianceArc (geometry)MathematicsSlide ruleSoftware developerPoint (geometry)Computer animation
15:47
InformationRootDirectory serviceSymbol tableLink (knot theory)Computer wormInformationVulnerability (computing)Mathematics
16:48
Demo (music)Scripting languageVulnerability (computing)Computer file
17:06
Content (media)Physical systemComputer fileHacker (term)Distribution (mathematics)Computer animationSource code
17:23
Scripting languageComputer configurationDomain nameDistribution (mathematics)Computer wormInstallation artInstallation artComputer fileDistribution (mathematics)InformationRootScripting languageDirectory serviceSource codeJSONComputer animation
17:47
Distribution (mathematics)Computer wormScripting languageThermal expansionInformationInstallation artFunction (mathematics)Scripting languageDirectory serviceComputer fileReading (process)Vulnerability (computing)Installation artSource codeJSON
18:18
Scripting languageComputer wormBlock (periodic table)Installation artThermal expansionPasswordMereologyScripting languageExploit (computer security)CalculusProof theoryGoodness of fitComputer fileJSONComputer animation
18:50
Block (periodic table)Computer wormScripting languageThermal expansionPasswordComputer wormComputer fileIdentifiabilityScripting languageFile archiverJSON
19:13
PasswordComputer wormScripting languageBlock (periodic table)Asynchronous Transfer ModeDirectory serviceComputer wormInstallation artJSON
19:31
Convex hullContinuum hypothesisSoftwareLink (knot theory)Term (mathematics)Execution unitSimultaneous localization and mappingRevision controlPasswordData Encryption StandardInstallation artData typeScripting languageComputer wormCellular automatonRootSystem administratorType theoryPasswordAnalytic continuationComputer fileCalculusDirectory serviceRootSource codeJSONProgram flowchart
19:51
Computer wormPhysical systemProxy serverScripting languageCodeUtility softwareIdentifiabilityRow (database)Physical systemInstallation artComputer wormScripting languageComputer fileMaxima and minimaBlogCartesian coordinate systemMultiplication signLevel (video gaming)Process (computing)Inheritance (object-oriented programming)MereologyRevision controlDistribution (mathematics)Computer animation
Transcript: English(auto-generated)
00:00
to talk to us a little bit about uh, Mac OS packaging. Thank you. Awesome, thank you, yeah. So I'm gonna talk about the packages used to install software on Mac systems on Apple software laptops. First, I'm gonna start a little bit about myself. I've been doing professional security for 11 years, focusing on application security. Been doing security
00:24
as a hobby for 20 plus years. I came to Defcon 9 as my first Defcon. Uh, I went up through self-taught ranks when I was in my early teens. Got a computer science degree from Stanford University, focusing on computer security. Went on to join the com- the
00:41
security consulting group, ISEC partners, that was acquired by NCC group and continue to do that to today. I got started just doing the regular pen tests, looking at uh applications, finding the vulnerabilities. Moved my rank- way up the ranks to become um uh the leader of the San Francisco team. Joined the management, did that for 5 years. Ran a
01:03
team of 30 people. Spent most of my time running that team of 30 people trying to find an excuse to do the projects my team was supposed to be doing. So I gave up the management stuff and I'm back doing the technical work and here presenting today. I- thank you. Uh, I'm probably best known though by my alias of Dana Vollmer's husband and um and
01:26
you can find out more about me and my time off to support her career online. So we're gonna talk about what led me to looking at packages and installers, then open up the packages, look inside, uh and then see what can go wrong ins- uh with these
01:43
installations. So, first, I've got trust issues. That's what's got me into computer security at the start. Digging into what was going on in my laptop, I wanted to better understand what was happening. You have these pop ups sometimes when you're installing software that says, this package is gonna run a program, do you wanna
02:03
continue? And then you don't get to know what that program is or what got ran, just it's gonna run something. Plus, I'm lucky enough that I get paid to do this as I was saying. And sometimes the client pays you to look at their application and their application doesn't work, so really all you have to go on is the installer and the
02:21
process and then you kinda have to give them their money's worth out of just that working environment. So let's look inside what these packages are. So, their technical term, their full name is Mac OSX installer flat packages. They have a dot PKG extension. There's not a whole lot of documentation provided by Apple on them, uh, but
02:44
you can find some reverse engineered unofficial documentation but it's kind of out of date and um and incomplete. Uh, the flat package aspect of this is that it's a single file. It's actually an extensible archive or czar. And you, in pre 10 dot 5 OSX, these
03:02
used to be bundles, uh, bundle packages and so those were more like directories like your dot app, um, package, uh, app bundles. There's some helpful tools, one even comes pre-installed on, uh, Mac OS called package util. This allows you to inspect, uh, the packages installed on your system, inspect a specific package and go through and open, open
03:24
them up, which is what we're gonna get into. There's a nifty, uh, third party, uh, package out there that specifically is designed to look at the security aspects of these packages and that's called suspicious package. It will highlight the code signing signature, it'll, it'll let you look at the, some of the files that gets run and will
03:43
highlight some, um, nuances of the application that might raise a red flag if it might be a malware installation. So, let's, let's look inside. What's inside these? The easiest way to do it is to use your pre-installed package util, give it the expand command and then give it the package and the output directory and it'll expand everything out there.
04:04
But we don't want the easy way, we want to do it the hacker way. We got trust issues. We don't trust what package util is doing, we want to make our own directory, we understand that command. We go into that directory because the, uh, way these are to extract these files works, it just, um, outputs right into the current working directory and so
04:22
now we're gonna go through and extract the package files. After you've extracted them, this is sort of the typical structure you find inside. You have a resources directory and then you have one or more package directories. These package directories contain a bill of materials, a package info, another plain text XML file and
04:43
then two compressed archives, uh, payload and scripts. So the distribution file, this is the customization of the installer window. It's a, it gives it the title, the welcome text, if there's a license, if there's, um, a read me, the background logo that, that is
05:00
displayed and sort of, uh, determines whether you restart or shut down or don't need to do anything after the installation is complete. These can also include JavaScript, specifically a subset called installer JS and this is supposed to be what triggers that pop-up of some, uh, code is going to run to check to see if your system's
05:20
compatible. It's in the compatibility check. You have the package info, this is more information about the individual packages that are just installed with that distribution. It has the specific requirements of that package, the install location where that payloads, uh, that package payload will be extracted to and then it'll also, also
05:40
include any paths to the scripts that will be run. And then you have the bill of materials. This is, um, a special file that lists out all the files that will be installed, updated or removed during the installation process and it includes their file permissions, the owner and group that they will have, the size of the files and
06:01
creation time and some other, uh, file metadata. Now we have these, um, compressed archives. These archives are actually CPIO archives that are, have been gzip compressed. The payload includes all those files that are going to be installed that are listed in the, um, bill of materials and the installation process here is actually just
06:23
extracting this archive into the install location specified in the package info. You have the scripts, um, if there's any scripts to be run before or afterwards, same type of archive, CPIO archive. You have pre-installation and post-installation scripts but
06:41
really this can contain any executable file that has an appropriate shebang at the first line. So it's typically bash python pearl. Uh, this gets extracted, um, during the, by the installer into a random directory and gets executed from that location. So to unpackage those packages, those archives within, within it, you, um, you can go, like I
07:05
said, it's a gzip CPIO file and so you can cat this, the pa- the archive into the decompression, into the archive extraction or CPIO actually natively detects that it's been gzip compressed and so you can just put it right into the CPIO and say it's input
07:24
and, um, and away you go, it'll dump right into the current directory, all the contents of that. If you did it the easy way to begin with, the expand command actually goes ahead and extracts this, uh, archive already and instead of having the scripts, um, object
07:41
be a, uh, archive, it is already a directory with the contents inside of it. You do the same thing as scripts for payload, you go through the CPIO command, um, sometimes in going through that payload and extracting the files, it has further packages in it, so you just recurse through if you want to find everything that's going to happen during the
08:03
course of your install. Unlike with scripts though, the package util does not auto expand this and you do have to go through the manual process of extracting the payload files if you want to see what's going to be installed on the system. So let's walk through what happens when you actually launch the installer with one of these
08:23
packages. The, you start with the distribution file, um, then we're working through sort of more the, the code execution flow. So, it checks to see is there any installer check, if so, it looks for the JavaScript that's going to be there, that JavaScript is defined within the XML file at, between script tags and it goes through and executes that
08:44
JavaScript. Then, if the package info, um, said there was any pre-installation scripts, it goes and runs that pre-installation script. Then you install the files, you extract the payload into the install location and then you do the post-installation
09:01
scripts if there was any specified in the package info. So now we're going to get into sort of the security concerns that can happen during the installation that, um, that can occur. You have the scripts and the payload which is where most of this is happening and the scripts you're going to look at the pre-installation, the post-
09:21
scripts and other files so you'll want to look at what's going on there. They're plain text, like I was saying, bash python pearl, pretty easy to audit and understand what's going on and look for common mistakes. Within the payload, you also have, um, you can also have more scripts, you've, I've seen un-installation scripts that are easy to
09:41
audit, some helper scripts for debugging or logging or error reporting that gets installed and then you also have your normal native apps that get installed, the actual application binary, the kernel modules, the libraries and if you want to go into it, you can go and look at for native application flaws through reverse engineering, fire up hopper. So the types of issues I was seeing when looking at these packages
10:05
largely amount to time of check, time of use, except they weren't doing any checks. They're, they're operating within the temp directory which is world writable by anybody and, uh, they're doing reads out of it that are untrusted, they're
10:21
doing writes into it that are untrusted or they're executing files in it without confirming that file is what they believe it should be. I've also seen the, um, some of these installers go through and set 777 permissions on what gets installed or what's getting written into different locations and that just allows everybody to mess with whatever you wrote there and it's no longer a trusted install. So now we're going to
10:44
dig into the actual vulnerabilities I gotta see while looking at this for the past couple months. So, I found a number of privilege escalation issues, um, did some symbolic link abuse, uh, and got some arbitrary code execution which was fun. So the first one, we
11:03
have this installation, we're going to go through the payload installs, uh, um, an installer util binary, that's just a helper program for the installation to go through and then the post install script actually calls that with sudo, with super user powers and, um, and executes it. This is written to the temp directory, temp directory is
11:23
world writable. This is actually, um, the payload is installing as the current user, um, the way this installation was working and then the post install is calling that user-owned, uh, file with super user powers. So, in this instance, I'm possibly an unprivileged user
11:41
asking my IT administrator to install video conferencing software so I can join a meeting later that afternoon. So, I would have audited this program, looked at, at this, seen this vulnerability and then written up a little script to run in the background, a while loop say, while this file doesn't exist, do nothing and then when it, when it does exist,
12:03
remove that file and put in my payload, um, in, in its place and then the post install is going to come around and execute that with root privileges and I've just escalated from my unprivileged user to my IT administrative's, uh, root powers over my laptop.
12:21
Another package I saw, um, during the pre-installation, it tries to do some cleanup in case it previously run the installer, it deletes this, um, install, installation file in the temp directory and then later on it writes to that and wants to make sure further installations unassociated with this install can also write to it so it sets
12:40
777 permissions, uh, using sudo and then also makes the owner of it, um, the current console user. So, in this attack, any user on the system, any process that can write to temp, the temp directory, which should be all of them, can attack the system administrator or whoever's installing the software. So, you go ahead and you, you touch
13:02
that file ahead of time so it exists so then your while loop can say while this file exists, wait and do nothing and then once that file has been deleted during the pre-installation, go through and create a symbolic link to a directory that you want to gain write access to such as slash applications and link that to that file's name. Now,
13:24
when they're going through the post-installation, they'll try to write to this, it'll fail, things fail silently unless you're doing an explicit checking of failure states during these scripts and then when you get to this sudo change permissions to 777, that's gonna follow that symbolic link and make slash applications world writable and then it'll
13:45
also go through and have the, the happenstance of changing the ownership of applications to the current user. At this point, we don't really care about that because it's world writable, we can drop whatever applications we want onto the system now. Another package was privilege escalation, this is not, um, current user to
14:06
root, this is any user to the current installing user's privileges. So, they go through, they, um, during the pre-installation, in case it had run before, it deletes the 7-zip file, um, 7-6 archive, uh, binary in the temp directory and then it goes
14:22
through and tries to extract this 7-zip, um, file that came with the pa- payload and then execute that 7-zip file. This is all happening within slash temp, so pretty straightforward, before this install was ever run, I just put my payload as that name. You notice none of this is sudo, this isn't running with root privileges, so they can't
14:44
delete my file that's sitting there. So, the rm fails, the overwrite from the unzip fails, but the execution happens because like I said, these fail silently inside the scripts. So, I just went from, just put, putting a, a file there on the system, the
15:01
installer happily goes through and executes it as the current installing user and I've gained the privilege as them. Another, uh, example we have here is another symbolic link attack, uh, helper script outside of the payload, so once you're running the application, this was for some debug reporting back to the, um, the developer, it
15:21
tries to clean up, um, some of the logging it was doing in the temp directory for, to capture that debug log, and so it does, um, an rm dash rf of this temp directory slash star and then it does, uh, remove the direct directory, uh, notably with a slash at the end of the path. So, the attack here is, before the scripts ever run, any, any user
15:41
can go and write to that, um, that temp directory, I have a typo in my slides, I say slash var, I realize, instead of slash temp, but in the payload it should be slash temp slash sdu, and the way the symbolic links work, that rm dash rf with a slash star will follow the symbolic link and delete everything in the user's home directory in this example, and
16:02
then the, the remove directory command with the slash at the end will follow that symbolic link and blow away their home directory also. So, now you're here left with the symbolic link that points to nothing because everything's been deleted. Next, we have a vulnerability that, um, has in the package info, it says we're gonna extract the
16:24
payload into slash temp, specifically this razor synapse place using root privileges, we're running as the root user, so you don't even need sudo here, everything just runs as, uh, the super user. During the post installation, we're gonna change into that directory and then we're gonna look for star dot pkgs and install them, once again, with root
16:44
privileges. So, this has been fixed by razor, and so we're gonna use this as our demo today, going through everything I've talked about here, we're gonna download the package, um, extract the files, audit the package, find this, um, this vulnerability, develop an exploit for it, and then drop the payload and watch it take place. So here I go
17:08
through and I download the package, once it's on my system, I'm gonna go through the hacker way to create the directory, extract the contents of that package into the directory,
17:22
and then I'm gonna go look at the file. So I'm looking at the distribution file first to see if there's any installer text. They don't see any installer text, so I'm gonna move on, I'm gonna look at the package info to see what's going on. Here we have that it's extracted into the temp directory, it's installing as root, and there's an extra little tidbit there that it's gonna ask to restart at the end. It also notes here that
17:44
there's a post install script. So let's go see what's happening in that post install script. We're gonna create our, our, our collection directory so we don't clutter the current directory, extract the pa- uh, the scripts into it, and then we have all these extra files in here but we're interested in what it named, the post install script. So
18:03
now this is the whole post install script, we're, we're reading it, we're really fast at finding vulnerabilities, here's our vulnerability that, that we just looked at. So we're gonna go through, we're gonna, and now we're gonna take advantage of this. Now that we know about this vulnerability, we can become the malicious user. So Mallory's gonna take
18:20
over and she's gonna go through and develop a, a malicious payload, a package that will be installed, um, as part of this exploit. So we create our scripts directory, we create our pre-installation script, so we put in the shebang, we touch, we just touch a temp file and echo the current running user into it so we know what privilege this exploit
18:42
runs at, and then every good proof of concept pops calc, and so we'll also pop calc as part of our proof of concept. Now we have to make that executable or else it doesn't run, and now we use package build to make up our package. We can give an identifier, this isn't
19:01
really necessary, but it, it just shows another aspect that you can label and call what these are. Here I specify that there's no payload here, there's no files being extracted and so it doesn't try to look to create that payload archive, it's a script only package. Create the package, I create that directory because um, razor hasn't been
19:20
installed yet and I move the payload into that directory and now I'm done. Now I wait for Bob to come around and run the installer. Bob's gonna do it right now. Bob's not actually an administrator on here, so Alice is gonna have to come and type in her admin password. It's gonna continue through, pop calc, and then we go and look at the temp
19:47
directory file to see that we just ran as the root user here. In my final minute, I wanted to um, make some notes about what we just observed, that there was um, some
20:02
unexpected things happen when you do this no payload um, package that I just created there. When you c- when you install anything with a payload, the installer creates a receipt and you can uh, you can look at your system of all the packages that have been installed by that identifier and then you can give the pa- the package util that identifier and look at all the files that were installed during that process. However, if
20:23
no files are installed because there's no payload, there's no receipt that that package installer ever ran. So there's no um, appropriate system record that you could look up an audit to see that this, this ran. It also, if you get super fancy for minimal clicks and user interaction, you can actually have that installer check in the
20:43
distribution XML file. That JavaScript can call system dot run and execute any f- scripts that are inside that script file. So within the system check, when it's like, do you wanna check if your system's compatible? You, it will actually execute script which can extract an um, a zip file and copy those files around your system and that's a one
21:03
click install instead of all the multiple clicks you normally have to go through. And then for, for extra fun, you can then call kill all installer and the installer quits itself and the user is immediately um, back to it's desktop. Some of these uh, tips and tricks have been used by the people over at Proteran. They wrote an awesome blog post
21:21
series, 2 parts, um, about bypassing application whitelisting, specifically Google Santa, um, to uh, using the installer. Um, the quick, quick version of that is application whitelisting happens at the, basically the, the process ex- executing level and installer is whitelisted reasonably and all of this installer check JavaScript, all the
21:43
pre and post script, scripts run as part of that installer process and so they're all whitelisted also. I'll be stepping off to the stage as I think I ran a minute long and so I don't have time to take your questions right now but uh, I'll be happy to talk to you here.