The Mouse is Mightier than the Sword

Video thumbnail (Frame 0) Video thumbnail (Frame 3141) Video thumbnail (Frame 5837) Video thumbnail (Frame 7156) Video thumbnail (Frame 8550) Video thumbnail (Frame 9447) Video thumbnail (Frame 14146) Video thumbnail (Frame 15202) Video thumbnail (Frame 16869) Video thumbnail (Frame 18216) Video thumbnail (Frame 19377) Video thumbnail (Frame 21184) Video thumbnail (Frame 22990) Video thumbnail (Frame 24832) Video thumbnail (Frame 25992) Video thumbnail (Frame 27868) Video thumbnail (Frame 30095) Video thumbnail (Frame 31114) Video thumbnail (Frame 33585) Video thumbnail (Frame 35312) Video thumbnail (Frame 36951) Video thumbnail (Frame 38091) Video thumbnail (Frame 39292) Video thumbnail (Frame 40400) Video thumbnail (Frame 41749) Video thumbnail (Frame 43352) Video thumbnail (Frame 44792) Video thumbnail (Frame 46147) Video thumbnail (Frame 48019) Video thumbnail (Frame 49867) Video thumbnail (Frame 52597) Video thumbnail (Frame 54227) Video thumbnail (Frame 55323) Video thumbnail (Frame 56621) Video thumbnail (Frame 57712) Video thumbnail (Frame 60312) Video thumbnail (Frame 61368) Video thumbnail (Frame 63405) Video thumbnail (Frame 65722) Video thumbnail (Frame 66982)
Video in TIB AV-Portal: The Mouse is Mightier than the Sword

Formal Metadata

Title
The Mouse is Mightier than the Sword
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell. Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed. In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!
Suite (music) Enterprise architecture Proxy server Connectivity (graph theory) Transport Layer Security Keyboard shortcut Event horizon Software bug Mechanism design Malware Roundness (object) Personal digital assistant Hacker (term) Speech synthesis Moving average Quicksort Information security Proxy server Local ring
Point (geometry) Group action Proxy server Variety (linguistics) Code Multiplication sign Firewall (computing) Event horizon Theory Revision control Mechanism design Malware Single-precision floating-point format Logic Query language Extension (kinesiology) Information security Proxy server Physical system Cybersex Email Key (cryptography) Interactive television Code Trojanisches Pferd <Informatik> Group action Public-key cryptography Kernel (computing) Personal digital assistant Phase transition Statement (computer science) Game theory Operating system
Sensitivity analysis Slide rule Connectivity (graph theory) Motion capture Password Maxima and minima Information privacy Event horizon Public key certificate Latent heat Malware Energy level Information security Physical system Injektivität Execution unit Public key certificate Information Token ring Content (media) Cartesian coordinate system Public-key cryptography Information privacy Process (computing) Password Right angle Key (cryptography) Queue (abstract data type) Information security
Group action Context awareness Code 1 (number) Information privacy Telephone number mapping Malware Mechanism design Kernel (computing) Core dump Electronic visual display Software framework Extension (kinesiology) Local ring Information security Vulnerability (computing) Physical system Scripting language Firewall (computing) Block (periodic table) Menu (computing) Proof theory Root Process (computing) Vector space Oval Information security Block (periodic table) Hacker (term) Dialect Slide rule Proxy server Firewall (computing) Connectivity (graph theory) Event horizon Theory Product (business) Revision control Root Hacker (term) Vector graphics User interface Interface (computing) Interactive television Memory management Code Generic programming Core dump Exploit (computer security) Information privacy Antivirus software Uniform resource locator Kernel (computing) Event horizon Personal digital assistant Operating system Buffer overflow Computer worm Extension (kinesiology)
Slide rule Complex (psychology) Group action Context awareness Proxy server Code Firewall (computing) Maschinenbau Kiel Password Web browser Parameter (computer programming) Event horizon Local Group Revision control Uniform resource locator Root Term (mathematics) Utility software Process (computing) Proxy server Information security Task (computing) Scripting language Authentication Context awareness Content (media) Core dump Line (geometry) Control flow Group action Connected space Process (computing) Event horizon Normed vector space Convex hull Clique problem Physical system
Group action Computer file Code Multiplication sign Event horizon 2 (number) Malware Operator (mathematics) Core dump Utility software Software framework Maize output Information security Scripting language Twin prime Keyboard shortcut Projective plane Content (media) Correlation and dependence Core dump Public-key cryptography Event horizon Computer hardware output Key (cryptography) Electronic visual display Physical system
Keyboard shortcut Group action Code Structural load Keyboard shortcut Core dump Group action Latent class model Mereology Event horizon Uniform resource locator Kernel (computing) Event horizon Personal digital assistant Core dump Extension (kinesiology)
Keyboard shortcut Game controller Server (computing) Group action Electric generator Key (cryptography) Code Wrapper (data mining) Keyboard shortcut Interactive television Core dump Event horizon Number Element (mathematics) Inflection point Type theory Malware Event horizon Core dump Dualism Information security Compilation album Task (computing) Physical system
Group action Proxy server Firewall (computing) Web browser Event horizon Rule of inference Product (business) Malware Core dump File system Directed set output Extension (kinesiology) Social class Physical system Installation art Flock (web browser) Programming language Firewall (computing) Projective plane Sampling (statistics) Interactive television Electronic mailing list Core dump Client (computing) Database Web browser Product (business) Antivirus software Category of being Uniform resource locator Process (computing) Event horizon Interface (computing) Object (grammar) Hacker (term) Family Window Online chat Extension (kinesiology)
Touchscreen Proxy server Computer file System administrator Software bug Revision control Malware Root File system Vulnerability (computing) Installation art Electronic mailing list Computer Menu (computing) Attribute grammar Motion capture Control flow Cartesian coordinate system Stokes' theorem Root System programming Right angle Gastropod shell Authorization Information security Routing Operating system
Proxy server Computer file Binary code Electronic mailing list Database Cartesian coordinate system Information privacy Event horizon Power (physics) String (computer science) String (computer science) output Right angle Utility software Information security Hacker (term) Physical system
Scripting language Slide rule Proxy server Cross-platform Connectivity (graph theory) Binary code Keyboard shortcut Maxima and minima Password Client (computing) Database Cartesian coordinate system Total S.A. Malware Root Right angle Library (computing) Backdoor (computing)
Malware Proxy server Database Event horizon
Scripting language Demon Demon Lemma (mathematics) Database Database Cartesian coordinate system Information privacy Event horizon Information privacy Electronic signature Revision control Radical (chemistry) Malware Analogy Convex hull Right angle Process (computing) Local ring Message passing Information security Error message Operating system
Asynchronous Transfer Mode Game controller Password Information privacy Event horizon Revision control Term (mathematics) Kernel (computing) String (computer science) Core dump Videoconferencing File system Error message Physical system Authentication Electric generator Binary code Core dump System call Plane (geometry) Inclusion map Process (computing) Kernel (computing) Event horizon Password Normed vector space Operating system Reverse engineering Asynchronous Transfer Mode Library (computing)
Ocean current Slide rule Digital filter Greatest element Computer file Logarithm Firewall (computing) Open set Information privacy Event horizon Session Initiation Protocol Malware Root Term (mathematics) Core dump Information security Proxy server Scripting language Software developer Core dump Database Control flow Cartesian coordinate system Akkumulator <Informatik> Information privacy Product (business) Antivirus software Root Event horizon Systems integrator Logic Password Right angle Information security Window Session Initiation Protocol
Installation art User interface Group action Demo (music) Firewall (computing) Block (periodic table) Software developer Firewall (computing) Event horizon Thomas Kuhn Product (business) Malware Root Process (computing) Authorization Videoconferencing Electronic visual display output Convex hull Right angle Block (periodic table) Error message
Keyboard shortcut Server (computing) Mobile app Group action Proxy server State of matter Connectivity (graph theory) Source code Event horizon Number Pointer (computer programming) Core dump Process (computing) Normal (geometry) Extension (kinesiology) Curvature Proxy server Exception handling Physical system Scripting language Execution unit Touchscreen Electric generator Key (cryptography) Information Mapping Firewall (computing) Block (periodic table) Keyboard shortcut Code Computer simulation Control flow Fluid Root Process (computing) Kernel (computing) Event horizon Software Radio-frequency identification Normal (geometry) Convex hull Hill differential equation Right angle Key (cryptography) Quicksort Simulation Physical system Operating system
Graphics tablet Scripting language Group action Electric generator Key (cryptography) Code Keyboard shortcut Interior (topology) Maxima and minima Code Set (mathematics) Line (geometry) Cartesian coordinate system Event horizon Number Event horizon Oval Block (periodic table) Fingerprint Sinc function Physical system
Functional (mathematics) Key (cryptography) Token ring Password Convex hull Utility software Key (cryptography) Event horizon Information security Operating system Software bug Hand fan
Key (cryptography) Public-key cryptography Information privacy Proof theory Kernel (computing) Personal digital assistant Kernel (computing) Password Point cloud Convex hull Hill differential equation Thumbnail Information security Extension (kinesiology) Proxy server Information security Operating system Booting Extension (kinesiology)
Touchscreen Group action Statistics Code Firewall (computing) Stack (abstract data type) Event horizon Neuroinformatik Number 2 (number) Optical disc drive Facebook Malware Videoconferencing Energy level Process (computing) Extension (kinesiology) Proxy server Vulnerability (computing) Physical system Software development kit Touchscreen Key (cryptography) Structural load System call Kernel (computing) Loop (music) Event horizon Systems integrator output Key (cryptography) Electronic visual display Buffer overflow Window
Touchscreen Group action Patch (Unix) Password Power (physics) 2 (number) Malware Goodness of fit Electronic visual display Proxy server Vulnerability (computing) Context awareness Touchscreen Key (cryptography) Menu (computing) Mathematics Message passing Event horizon Intrusion detection system Oval Password Right angle Key (cryptography) Electronic visual display Operating system Session Initiation Protocol
Point (geometry) Group action Proxy server Variety (linguistics) Code Parameter (computer programming) Information privacy Event horizon 2 (number) Software bug Revision control Malware Mechanism design Flag Software testing Extension (kinesiology) Information security Vulnerability (computing) Physical system Key (cryptography) Structural load Line (geometry) Information privacy Uniform resource locator Kernel (computing) Process (computing) Event horizon Personal digital assistant Order (biology)
Point (geometry) Group action Scripting language Proxy server View (database) Patch (Unix) Event horizon Chain Mechanism design Goodness of fit Graphical user interface Core dump Computer-assisted translation Information security Game theory Data integrity Key (cryptography) Core dump Motion capture Cartesian coordinate system Word Event horizon Personal digital assistant Infinite conjugacy class property Quicksort Game theory Block (periodic table)
Freeware Enterprise architecture Information Personal digital assistant Multiplication sign Feedback Digital signal Musical ensemble Object (grammar) Information security Information security
so this is one of the most highly coveted speaking slots first thing on Sunday morning at any hacker con I have done this this slot before and I and I know how much fun it is so let's give Patrick a big round of applause and thanks for taking this highly coveted first thing in the morning Sunday slot [Applause] all right Aloha and welcome to my talk the mouse is mightier than the sword so my name is Patrick I work at digital security and very briefly we are working on creating cybersecurity tools for the Mac Enterprise I'm also the creator of the mat security website and tool suite objective-c okay so today we're going to talk about synthetic events on Mac OS and by synthetic I mean those that are programmatically generated think mouse and keyboard events so we're going to start by looking at components or local security mechanisms of Mac OS that can be attacked via synthetic events we're then going to look at the fairly long history of attacks that utilize synthetic events for example to bypass local security mechanisms now of course Apple has responded to these attacks so we'll now look at how they implement security mechanisms to detect filter and in some cases attempt to block these synthetic events well then talk about a recent bug I discovered that allowed me to interact with any component of the U OS synthetically for example to click on security prompts and then we're gonna end with describing how to weaponize this bug for example to bypass security prompts and do all sorts of nefarious things in an invisible manner okay so let's start by looking at user interfaces UI components of Mac OS that attackers or malware may seek to interact with via synthetic events so
first here's the attackers conundrum so let's assume an attacker or piece of malware has somehow gotten on to an end system a Mac computer perhaps via a malicious email attachment a Trojan a zero-day or even an evil made attack now it wants to do something unfortunately at least for the attackers and malware on modern versions of Mac OS many useful actions will now be blocked and generate an alert until at least in theory the user interacts with the alert clicking allow or denied so this phase the stage of a cyber attack is kind of where this talk fits in specifically how to interact or bypass such alerts so that the malicious actions can continue now we'll take a closer look at a variety of these UI alerts but we're talking about things like accessing the keychain prompts that protect the loading of kernel extensions or even installing a system-wide key logger and then we'll also talk about some third-party security tools for example firewalls and their alerts and show how malware perhaps could synthetically interact with those as well now this is a good good time to kind of make the point the generalized statement about synthetic events and really kind of mention how much of a powerful capability they really are because if you have a way to programmatically interact with these alerts you can generically bypass a ton of security mechanisms it's really a tool agnostic attack it's really in these cases the UI is the single point of failure so even if the security mechanisms are all implemented in different ways they all share for example the UI so if you can programmatically interact and just click allow you can bypass a ton of these mechanisms all right so the goal for the
attacker then is to either avoid all these these alerts in the first place and we'll show some examples of how to do this or if an alert is shown how to programmatically interact with it to dismiss it via code so for example here's a piece of malware and we'll talk about this a little more in detail later but it allows the attacker to interact with the operating system remotely here for example we see an alert that is displayed when the malware tries to dump the keychain so what a remote attacker can do is send a synthetic mouse event to click for example the allow key here to dump an RSA private key now of course Apple prize to prevent these synthetic interactions but it's really a cat-and-mouse game and we'll talk more about apples defenses but it surely come as no surprise that Apple keeps losing okay so what are attackers
or malware targeting via these synthetic events well we briefly already mentioned the keychain so let's take a closer look at this now because it's actually a very common target for both malware and attackers for obvious reasons it really stores a ton of sense of information for example private keys passwords certificates autofill data and also even sensitive applications specific data so until recently you didn't need any special privileges to dump the unencrypted contents of the keychain there was just a single access prompt that was displayed so that was all that was standing between all your passwords and goodies and full unencrypted access for a local attacker or a piece of Mauer so again if the attacker has the ability to synthetically interact with this keychain prompt all your secrets are essentially there's another target that
Apple seeks to protect from synthetic events is the security and privacy accessibility pane which is found in the System Preferences application and the reason that this is protected is once an application has gained accessibility rights they can control other processes like it says on the slide for example it can inject invents or do things like capture keystrokes at the system level of course these are very powerful capabilities that malware or an attacker would love to have thus this UI component is protected another aspect of
the OS that a malware or a local attacker may seek to interact with synthetically our privacy alerts that are displayed for example when you try to access the users location their contacts or the calendar events so for example here we can see on the slide if you execute this code to try to figure out the geolocation of the infected system the operating system will block this action and display an alert and in theory only continue when the user clicks allow a newer target for synthetic events is the interface for approving the loading of kernel extensions so in high sierra apple introduced something called user approved kernel extension loading which basically says a user has to manually approve the loading of a kernel extension so on recent versions of Mac OS kernel extensions have to be signed but one attack vector is an attacker or malware could bring a legitimate third-party kernel extension that is signed but has a vulnerability in it and then load and exploit that so I talked about this previously at Def Con found a exploitable heap overflow in the Little Snitch kernel extension and it was buggy and yes it was patched but since I had an old copy of the kernel extension I could still load and exploit that so Apple as I mentioned tries to thwart this attack with this user approved kernel extension loading now obviously what an attacker would try to do is synthetically interact with the allow button that Apple has put up to block the kernel extension from loading and again if the hacker can just send a synthetic mouse a click event to click this button it would completely bypass this new security mechanism finally we've got the user interfaces of third-party tools you can think of ones like firewalls or antivirus products and again these tools may detect and block an attacker or malware's activity and so this is obviously something that again attackers or malware would like to interact with so some examples are the Mac OS firewall a generic ransomware detector I wrote and another tool called block block which will detect and prevent persistence so if these tools detect an attacker or the payload what they will do is again block the attack and display in a prompt to the user asking to allow the action or to deny it so what a savvy attacker do is try to synthetically interact with these alerts another thing to point out most of these security tools run with root privileges so an unprivileged piece of malware or an attacker couldn't do things like disable the process or interact with them however the UI if you want to interact with it that runs in the context of the user session and mostly you don't need special privileges so again an unprivileged attacker if they have a way to synthetically interact with these alerts can completely bypass generically all these tools without even needing any special privileges alright so now let's talk
about some past attacks so over the years there's been a myriad of attacks that sought to interact with the UI in a synthetic manner and we've seen proof of concepts but also actual malware specimens that implemented these attacks so let's take a look at these now now we'll dig into these but there are several ways to synthetically interact with UI components and that Apple has tried to mitigate but that attackers have also used so we'll look at some of these closer some one include Apple script the core graphics framework and even in some cases simply sidestepping the alerts all together so first up is
Apple script you might be familiar with this it's a kind of a basic capability normally used for the automating automation of mundane tasks but it's actually rather powerful because it can allow you to interact with other processes for example generating cliques or actions that then will actually appear to originate from the context of the target process so in terms of Apple script actions for example you can very easily in a few lines of code to display an authentication prompt for example to locally fish for the users password the user might be tricked into believing this is legitimate and provide their credentials you can also do things like bypass firewalls for example assuming that the firewall trusts the browser via a few lines of Apple script you can kindly ask the browser to browse to an attacker controlled URL and a and any data you want to exfiltrate in a get parameter and again you can do this invisibly now the firewall will likely see this connection but as it's originating from the context of the browser it will be allowed so
AppleScript is very powerful now in the context of this talk though we're most interested in utilizing JavaScript to generate synthetic events so here for example we have an attacker who is trying to dump the contact contents of a keychain either via the API or using the built-in security utility as mentioned this will generate an access prompt that Apple wants the user and only the user to interact with now using AppleScript though on older versions of Mac OS you could synthetically click send a click event to this prompt clicking allow on this button so on the slide we have the code to do this and basically you can see we're telling the security agent to click the allow button you don't need any crazy exploit you don't need any you know complex code root privileges all you need to do is click this button with Apple script you could dump everything in the keychain so let's look at some
malware that did this all the way back in 2011 so devil robber was a cryptocurrency miner and it contains a file called KC underscore dump SH KC obviously for teaching and if we look at the script we can see it executes two other scripts the first one KDE sh just invokes apples security utility to dump the keychain and again this will generate a keychain access pump the second script kcd just continually clicks the allow always button in the keychain access so again using this Apple script it can synthetically click the allow button and dump the unencrypted contents of the keychain which are password private keys etc etc now probably the most common way
that attackers seek to interact with these UI prompts programmatically is using Apple's core graphics framework and Apple notes you can use this core graphics framework to do things like low-level user input events so yes you can legitimately generate synthetic events but you can also use this framework to do things like sniff or capture mouse and keyboard events so this is useful as we'll see for example for analyzing malware that generates synthetic events because we want to be able to sniff and record those activities so I created an open-source project named sniff m'kay and what it does in code is three simple things you specify what events you want to monitor for example keyboard or mouse and then you create what is called a core graphics event tap and you can think of an event tap kind of like when you tap a fiber-optic cable get access to the content so once you have this core graphics event tap you can install it and enable it now any time an operation occurs a mouse event or a keyboard event either a manual one or a synthetic one it will be delivered to your event tap and you can record this action of course also via core graphics
you can post synthetic events which you can do programmatically to click buttons in the UI so for synthetic keyboard events you use the CG post keyboard API while for Mouse events you use the CG post Mouse events more generically you can also use the CG event post which can be used to post either mouse or keyboard events so these are the api's you can
use so here's some example code that utilizes the core graphics API is to send a synthetic key press here we're going to send an Enter key so whenever you send a synthetic event you need to see you need to divide it into two parts first you send the down event and then the up event because again this mimics what a user does when they press and release the key or click the mouse so what an attacker would do would be to perform an event that may trigger an action a UI prompt for example trying to dump the keychain load a kernel extension or access the users location and then synthetically post the event in this case an enter button which would then click the allow button in the prompt which would both dismiss and allow the malicious action so let's look
at some actual malware that used choreographic events to generate both synthetic mouse and keyboard events so fruit fly was a rather prolific piece of Mac malware it was used by the attacker for over a decade to spy on Mac users unfortunately a lot of children so in the D compilation we can see that it calls CG event create create Mouse event and then also the CG event post so this indicates or looks like this malware has the capability for generating synthetic events so what I did was I created a custom command and control server that allowed me to task the malware so for command number eight which was tied to what appeared to be the synthetic Mouse events I could task the malware and observe what it did so this allowed me to map out these synthetic Mouse capabilities of the malware I basically task it with command number eight and then I'd run the mouse and keyboard sniffer and yes I could detect that this Mauer had the ability to generate synthetic events which would allow it to do things like interact with security prompts for example when it wanted to access the keychain
now fruit fly also had the ability to generic to synthetically generate key board events so again reversing its code we can see it invokes the ax UI element post keyboard event method which is just a wrapper over the core graphics keyboard api's again via the custom commanding control server I could task them our and observe its actions so for example I could figure out that command number 16 was the malware synthetic keydown command where the command number 17 was then the synthetic key up again this gives the attacker the remote ability to generate synthetic keyboard events either to type on the system or interact with these UI prompts another
example of malware that uses the core graphic events API is to synthetically interact with the system is G neo which is probably the most prolific most annoying adware sample or family on Mac OS so we can use J tool to dump its binary and we can look at its objective C classes now Objective C is a very verbose programming language so a lot of you can actually figure out the names of the methods and the classes so we can see a class name Safari extension installer and it has methods such as click on install button it's like okay wonder what that does right so on Mac OS turns out that Safari extensions are stored in the keychain this means if adware wants to programmatically install a malicious browser extension they will have to interact with the keychain access prompts so what the malware does is it is attempts to install this malicious browser extension and then once the keychain access prompt is displayed it will detect the location of this popup move the mouse to the allow button click mouse down and then click mouse up allowing itself to be fully programmatically installed as a malicious browser extension without any user interaction finally in terms of
using core graphics to generate and post synthetic events we have the unsecure proof-of-concept project on github and what it is is it's designed to target third party firewall and antivirus products again what it does pretty simply is just looks for the alert windows gets the coordinates of the allow buttons and then sends a synthetic mouse click event to both dismiss and allow the action next we've also seen malware and attackers trying to avoid these UI prompts all together you know synthetic events are really cool but if you can avoid a displaying of alert in the first place that's even better so here's kind of a conceptual example imagine an attacker or piece of malware wants to connect out from a system that's protected with a firewall perhaps to exfiltrate some data now it could perhaps try to synthetically interact with the firewalls rule window to manually add itself via a mouse click but this might be protected by another access problem because there are ways to secure the UI so what the malware could do though is if it detects that the firewall has a list of trusted processes stored in some property list or some rules database on the file system if it can directly manipulate that database instead it can add itself to the list of trusted processes and then connect out without having to interact with any firewall alerts all together so let's look at
some malware that kind of did the same thing to bypass the UI and all alerts to capture key strokes so XSL CMD was a piece of Chinese malware that had some pretty standard capabilities although it had the ability to capture all keystrokes without any UI prompts which is rather odd because normally you have to interact with the UI in some manner to approve this capability so about a year after the malware was discovered OSX vulnerability was independently discovered and reported called root pipe and another researcher went back and noticed that the malware was actually exploiting this same of vulnerability a year before
so for system-wide keylogging as I mentioned you either have to be root or your application has to have accessibility rights so on older versions of Mac OS you gain these accessibility rights by going into the system prompt and clicking on a button that says enable accessibility rights now when you click this button the operating system will display a prompt and require user or admin credentials so what this malware does though is exploit this route pipe bug again as a zero-day to basically click this same file let's click the same button by simply creating a file underneath it so what happens in the background when a user clicks this file it creates a file on the file system to indicate basically that that button was checked so the malware just bypasses the UI and creates this file directly using this exploit so once it does that it can access all key presses and install a system-wide key logger again without having to actually interact with DUI ok so now it's it's also not just malware though that is interacting with or bypassing rather the UI to do kind of shady stuff so previous versions of Dropbox actually did something rather sneaky so if you ran the Dropbox installer it would ask for root credentials and then continue its installation however if you look at the list of applications that were given access to excessive rights Dropbox would magically show up which is odd because on recent versions of Mac OS even if you have root privileges there's supposed to be a secondary access prompt to allow applications to have these rights so
Phil Stokes did some interesting research and kind of found why or exactly what was going on so if we want run strings on one of the Dropbox binaries we can see some interesting strings we can see reference to something called TCC dB and we can also see lots of SQL related strings so it basically looks like Dropbox is interacting directly with this system database so what is this TCC DB file
well if we run the file command on it we can see it's an SQLite database and if we google around we can see that it's Mac OS is privacy database which among other things keeps the list of applications that are afforded these powerful accessibility rights so we can confirm this by running FS usage which is a file Mon utility opening the System Preferences and seeing that the application generates file IO events to go read this database so what Dropbox is doing rather suspiciously is directly modifying this TCC DB file to give itself accessibility rights and avoiding this second UI alert altogether which is I think kind of shady now I wanted to
see if other applications or perhaps malware was using this same kind of trick so I hopped onto virustotal and just did a search for TCC dot DB and there's a few items that had detected a few game hacks which kind of makes sense because it might need to move the mouse or keyboard but there was one application in particular that was kind of suspicious and it caught my attention because it claimed to be an apple binary but it was unsigned it was a pact and it attempted to modify this SQL database directly so again clearly very suspicious so I took a closer look at
this and it turned out to be a new cross-platform backdoor which is now called cold root so when it's run cold root would execute something called run me SH and we can dump this script and we can see that what it is it's directly manipulating this TCC DB file to insert the malicious component of the malware into this database so that it can do system-wide key logging so on the right of the slide we can see
that when I log into my bank account now the malware is able to capture these keystrokes because it has directly manipulated the accessibility database again this is an example of bypassing the UI no need for synthetic events ok
so that was a fairly comprehensive history of attacks against the UI both that generated synthetic events - for example click allow buttons and also those that sidestep the UI altogether now obviously this is not something that Apple is stoked about right they design these these alerts and they expect that only the user will be able to interact with them because if malware can it kind of completely in my opinion defeats the purpose of these alerts so let's look now at what Apple has done to mitigate
these synthetic attacks so first on Mac OS modern version Apple script is blocked from interacting with certain security prompts specifically if we now use Apple script to send a click event the OS will detect that this is a synthetically generated event and will display a warning a security prompt which cannot be generated or interacted with synthetic send synthetically so now for example if the piece of malware tries to dump the keychain and use Apple script to send and allow click to that allow button the operating system will detect that this is a synthetically generated click and will block it analog an error message saying this is not allowed so let's look at this a little
closer to see kind of how Apple is implementing this so if we execute some Apple script from the terminal to attempt to generate and submit a synthetic event we can see that the TC CD which is the privacy daemon will check the signature of the application and again we'll check if that application is in the TCC DB which again is that privacy database and if it's not found it's going to display an alert to the user basically saying hey this application has not been given accessibility rights I am NOT going to allow it unless you explicitly approve it and this secondary security alert cannot be interacted with synthetically either now let's look at
what Apple has done to block synthetic events that are generated via the core graphics api's so in short on recent versions of Mac OS Apple will now display a secondary secure authentication prompt requesting user credentials when it detects that something is generating synthetic events via the core graphic api's so here's a brief video I wrote a simple binary that tries to generate a synthetic event and if we watch it we're basically going to see that as soon as I click the event Apple detects this and shows a secondary prompt which basically says I have detected that this is a synthetic event before I am going to allow this synthetic event to occur you have to put in your username and password so again it looks like Apple has successfully mitigated against synthetic events that are generated by core graphic api's so
let's briefly dig into this a little deeper to see how they are implementing this protection so first in the system log we can see an error message that is logged when we try to generate in synthetic event via the core graphic api's so we can grep the filesystem for this for this string and we can find the library that implements this check so what we do is we reverse engineer this library we see it makes some calls into kernel mode so if we hop into kernel mode we can see this check is likely implemented in the MPO iokit check check hid control check so reading apples comets for this we can see it says it determines whether the process can post synthetic events so basically what it's doing is checking the entitlements of this process to say hey is this a process that is allowed to generate synthetic events and if it's not it returns an error mode to user mode and then the operating system will display that secondary authentication prompt which basically says hey you have to provide your credential before I'm going to process that synthetic event in terms of the privacy
database Apple now protects this via system integrity protection or sip so on the bottom of the slide we can see that if we do an LS to look at the file permissions we can see there's a new permission that is set to restricted this means this file is now protected with sip or system integrity protection which means even if the attacker or the Mauer has root privileges they will not be able to modify this file so going back to the cold root malware we can see that the cold room hour will actually check if it's modifications to the database were successful and if it fails it will not implement its keyboard key logger logic because it won't work so this basically means because of these new security mitigations that Apple has allowed or implemented even though the malware will still run the key logging will not be successful so kudos to Apple for fixing that okay so to briefly
summarize apples current protection against synthetic and UI bypasses for Apple script the application must have accessibility rights which the user must explicitly grant and tour of core graphics apple now detects and filters those and we'll ignore synthetic events unless the user puts in their username and password and then in terms of bypassing the UI altogether they have protected the privacy database with system integrity protection now there's one important thing to note is that these protections are not applied globally they are only applied specifically by Apple to certain security prompts so we'll see this leaves a window open for other attacks but also it means third-party developers for example firewall and antivirus developers they have to implement protections of their UI's individually
so let's briefly look at how third-party developers can protect their you eyes from synthetic events so I'm an author of a tool called block block as I mentioned block block basically tries to detect and prevent persistent events so for example when malware tries to in all itself persistently block block will detect that display alert to the user and it basically asked the user to confirm or deny clearly this alert could be a target for a synthetic attack right a malware installer could run detect that block block has detected and displayed and then tried to send a synthetic event to dismiss and allow the action so what I do to detect and prevent this is basically subclass the UI button and this allows me to analyze the events that are coming in for example the mouse event that is clicking the allow button what I can do then is I can examine the event and see who is sending it both the processes ID and UUID so then I can ignore events for example that aren't coming from an apple signed process or don't belong to the human interface device daemon so again if the malware now tries to send a synthetic click to click allow on the block block alert I will detect and ignore this little snitch which is very
popular Mac firewall product for Mac OS similarly ignores synthetic events in this video demo we're gonna see that I am basically trying to synthetically click on the allow button on the firewall alert obviously this is something that malware would try to do to bypass the firewall if it was detected well hard to see on the video but Little Snitch has detected this and displayed an error message saying simulated input ignored so we can
reverse engineer their binary to see how they implement the detection and ignoring of synthetic events they take a similar approach to block block they subclass a UI component and they have a method called is simulated and again they monitor for certain events for example mouse clicks and what they do is they get the source state of that click now the source State will be set to one if it is a non simulated event so they check that and they also check the pit of the process to identify who is trying to send the event interestingly the they also have exceptions for apples screen sharing and VNC servers because those events may come in and appear to be simulated because they're coming in over the network but Little Snitch probably wants to allow those ok so that wraps up the
attack and defenses Apple was happy thinking that they were safe but as we'll see in reality they were not so now let's look an attack I discovered that allowed me to interact synthetically with any OS component and do all sorts of nefarious things so my goal is simple I basically just wanted to be able to synthetically or programmatically interact with these alerts and do things as a normal user like dump the keychain or approve the loading of a kernel extension so I started poking around on Mac OS and after a few minutes I found a feature of the operating system called Mouse keys now it's a documented feature there's Apple documentation and basically as their documentation says it allows you to use the keyboard as the mouse so they provide a lot of information including keyboard to mouse button mappings so for example if you want to click if you press the key I or the letter number five on the keyboard if mouse keys are enabled this will be translated to a mouse click so of course I wondered could these allow me to generate synthetic keyboard events that would then be translated to synthetic Mouse events which would then be allowed so first though we need to programmatically enable mouse keys and we can do this in three steps we first launched the System Preferences app we then open the accessibility pane which is different from the accessibility rights pane which is protected and then we send a synthetic click to enable mouse keys turns out that this is all doable via app Apple script and core graphic foundation api's apple doesn't consider these interactions of sensitive enough so they don't filter or block any synthetic actions so here's a video of
this in action we basically go to open the system preferences application we're going to go to the mouse settings and then we're going to click enable mouse keys so again a few lines of code we basically now enabled Mouse keys it's really not that exciting but now we can
see if we can use these mouse keys to generate synthetic Mouse events so as I mentioned the number five on the number pad when mouse keys are enabled will generate a mouse click so the key code for this is 87 so now we have mouse keys enabled I utilized some Apple script and I basically sent this key code 87 to you I prompt and we can see that if we run our mouse and keyboard sniffer that yes the synthetic key down and up event are captured but then the system since Mouse keys are enabled we'll translate those to Mouse events and since those are translated by the system when they are delivered they will be allowed so now we
have a way to generically generate synthetic events that Apple will allow and it's not some crazy bug but I'm a huge fan of utilizing legitimate functionality of the operating system to do nefarious things so let's use this to
do some evil stuff first let's dump the keychain so step one is we try to execute something like the security utility to start dumping the keychain as I mentioned this will open or display and accessibility prompt that Apple requires or expects only the user to interact with however since we have the ability to do this we can simply enable mouse keys and then send a click that will be allowed which will then allow us to dump the keychain so I wrote a little
proof of concept for this it does three things enables mouse keys dumps the keychain and then clicks allow on the accessibility prompt and this gives us full access to all the users passwords private keys etc again fully unencrypted
next let's use mouse keys to bypass High Sierras user approved kernel extension loading again a few easy steps we enable mouse keys we load the kernel extension which will be blocked until the user or in our case our attack cloud clicks allow so once this button is displayed we simply again enable mouse keys and send this click and this will basically be processed by the operating system and allow the kernel extension to load as I often find is the case bypassing these Apple security mitigations is really not that complicated
so here's a video of this in action we're basically going to load that signed Little Snitch kernel extension that has that exploitable vulnerability in that again this will be blocked by the system because it will want the user to manually approve that encode though what we will do is enable mouse keys and then browse to the prompt that has the allow button and then send a synthetic event to click that so that's the full attack and if we do a keck stat we can now see that the system has allowed the kernel extension to load we can now exploit the vulnerability in this signed kernel extension to do things like bypass system integrity protection and get unsigned code running in the kernel now I'm sure some of you very thought
like okay these these attacks are kind of neat but there's a huge downside to them and that is that they are visible so if you're sitting at your computer and all of a sudden an alert pops up the mouse moves and something gets clicked you will surely know that your computer is hacked like throw it out the window right so as an attacker our question becomes how can we do this invisibly and it turns out that's pretty easy we can basically just dim the screen really not rocket science so with no special privileges anybody including malware can dim the screen and here's the code to do that basically you make a few calls into i/o kit and you basically pass a brightness level which will reduce the screen to zero now the key here is that the screen when dim to zero is still fully interactive that is to say we can still fully interact with the UI for example to load the system preferences enable mouse keys and click on buttons but of course the user won't see it now we still have an issue again if you're sitting in front of your computer you know on Instagram Facebook or you know writing code via Stack Overflow and all of a sudden your your screen dims again that's gonna be super odd so what we should do is be a little more sophisticated about this so the first thing we can do is we can detect user activity and simply wait until the user is not active so there's a nice API you can call that will give you the number of seconds of the last user activity so we can just query this API and a loop and basically say okay let's wait until the user has been inactive for 60 seconds and then dim the screen and perform our synthetic attacks for example loading the kernel extension or bypassing the firewall now even better
though we can simply wait until the screen is going to sleep on its own so when a screen sleep action occurs there are two steps so the operating system first sends a can device power off message and dims the screen to 50% then waits about three seconds before fully dimming the screen to zero and then turning off the display so what we can do as malware is we can detect this initial message and when the screams start screen starts to dim to 50% we can expediate that dim it to a hundred percent and then perform our action before the screen is fully put to sleep so we had a very stealthy way to perform these attacks that the user will not notice alright so let's start right
wrapping this up I reported this mouse key vulnerability or bypass to Apple they by patch they patched it as CDE twenty seventeen seventy one five zero and their patch did two things first anytime the keychain is accessed even by the user this will now require a password which I think is a good idea Apple also decided to filter Mouse keys and now block them for example when you send them to a UI prompt
unfortunately issues still exist even today on the latest fully patched versions of High Sierra first the privacy alerts appear to remain unprotected which is very strange so as I mentioned when malware for example tries to access your contacts your events or your location via the location api's this will display a privacy alert how are these alerts are not protected so you can send any synthetic event to that and just click allow my opinion this is rather problematic what's the point of displaying an alert if you're not going to protect it okay this is even worse and I'm almost embarrassed to talk about this but I'm actually more embarrassed for Apple so there's the zero day vulnerability or flaw in the way they process or filter synthetic events so let's take for example the Wow button that has to be clicked in order for a signed kernel extension loading so I said okay I want to test
how Apple has implemented this protection as I mentioned you have to send to events for a synthetic event you send a mouse key down and then a mouse key up so the way you do this is you invoke the same API but the last parameter to that is a flag you set it to true if it's a mouse down event and then you set it to false if it's a mouse up event which will complete the action so I wrote the first line of code and then I was lazy and I copied and pasted the second line and I forgot to change the flag I then compiled and ran this code and I was really surprised when this was allowed so it turns out that if you send two mouse down events for some unknown reason the second mouse down event is translated to a mouse up event by the kernel and since the filtration process allows Mouse up events from the kernel this action is allowed this means that since its inception the fundamental secure kernel loading extension security mechanism that Apple you know talked all about has been completely broken now people including myself sometimes talk smack about Apple security mechanisms but examples like this I think really prove that in a variety of cases it's really trivial to bypass that so you know I'm kind of embarrassed as I meant to discuss this bug because it's so trivial and I found it completely by accident but again it's very powerful allows you to generate synthetic events even on a fully patched system for example to load kernel extensions which in my opinion is rather a big problem
all right so a final word about synthetic events hopefully we've Illustrated that they are actually a very powerful capability especially when performed invisibly we can do all sorts of actions bypass a whole bunch of security mechanisms and again in a kind of tool or security agnostic manner now
as often as you know as off as is often the case with these these attacks it's it's really a cat and mouse game so attackers come up with new ways like mouse keys Apple releases new patches unfortunately Apple kind of has been struggling good news though in Mohave they've kind of taken this more drastic approach and said okay we're just going to generically block and disallow a ton of these actions for example they block AppleScript and core graphic api's this is good from a security point of view but this will block a lot of legitimate applications
now I've been told in feedback that some of my talks are a little negative you know it's like Patrick you always talk about breaking everything and how Apple keeps messing everything up and yeah okay that's a little negative so I wanted to enter I wanted to finish with something that's hopefully a little more positive so I'm excited to announce a new Mac security conference called objective by the sea we have awesome lineup of Mac security speakers all the talks will be focused about Mac security it's going to be in an awesome Resort in Hawaii here's some pictures in case you weren't convinced that you should come and it'll be November 3rd and 4th and check out objective by the sea calm for information so that's a wrap I want to thank you again for coming bright and early on this Sunday and I think we're pretty much out of time but I will be by the stage if you have any questions so thanks again I really appreciate [Music]
Feedback