The Mouse is Mightier than the Sword
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39725 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Enterprise architectureProxy serverInformation securityEnterprise architectureEvent horizonLocal ringSpeech synthesisProxy serverCybersexRoundness (object)Mechanism designObject (grammar)Suite (music)Transport Layer SecurityConnectivity (graph theory)MalwareQuicksortKeyboard shortcutSoftware bugCASE <Informatik>Moving averageHacker (term)
02:06
Group actionGroup actionInformation securityMultiplication signRevision controlMechanism designFirewall (computing)Physical systemEvent horizonLevel (video gaming)Variety (linguistics)CybersexMalwareEmailExtension (kinesiology)Point (geometry)Proxy serverKernel (computing)Single-precision floating-point formatTrojanisches Pferd <Informatik>Phase transitionTheoryStatement (computer science)CASE <Informatik>RootkitKey (cryptography)Computer animation
03:53
Query languageLogicCodeProxy serverCodeGame theoryInteractive televisionMalwarePublic-key cryptographyEvent horizonOperating systemKey (cryptography)Computer-assisted translationComputer animation
04:46
Public key certificateKey (cryptography)Token ringPasswordMalwareSensitivity analysisContent (media)PasswordInformationPublic key certificateEvent horizonCartesian coordinate systemLatent heatPublic-key cryptographyComputer animation
05:42
Maxima and minimaQueue (abstract data type)Information privacyInformation securityExecution unitSlide rulePhysical systemConnectivity (graph theory)Cartesian coordinate systemInformation privacyEvent horizonMotion captureProcess (computing)Information securityRight angleLevel (video gaming)InjektivitätComputer animation
06:18
Event horizonOvalLocal ringInformation privacyExtension (kinesiology)Kernel (computing)Telephone number mappingRootMenu (computing)DialectInformation securityFirewall (computing)Block (periodic table)Uniform resource locatorExtension (kinesiology)Context awarenessSlide ruleTheoryInformation securityGroup actionInterface (computing)MalwareComputer wormGeneric programmingRevision controlHacker (term)Kernel (computing)CodeEvent horizonInteractive televisionBuffer overflowMechanism designElectronic visual displayVulnerability (computing)Block (periodic table)Product (business)User interfaceFirewall (computing)1 (number)Operating systemAntivirus softwareVector spaceProcess (computing)RootPhysical systemInformation privacyExploit (computer security)Memory managementStructural loadComputer animation
09:26
Hacker (term)Proxy serverCore dumpCodeVector graphicsCASE <Informatik>Core dumpProof theoryConnectivity (graph theory)MalwareScripting languageSoftware frameworkComputer animationProgram flowchart
10:08
Process (computing)Physical systemControl flowProxy serverUniform resource locatorContext awarenessGroup actionMaschinenbau KielConvex hullProxy serverCodeFirewall (computing)Web browserProcess (computing)Task (computing)Context awarenessGroup actionLine (geometry)Term (mathematics)AuthenticationScripting languageParameter (computer programming)Clique problemConnected spaceComputer animation
11:15
Core dumpProxy serverPhysical systemEvent horizonPasswordNormed vector spaceProcess (computing)Local GroupRevision controlContext awarenessCodeScripting languageInformation securityEvent horizonRootSlide ruleContent (media)Complex (psychology)Utility softwareExploit (computer security)MalwareComputer animation
12:09
Twin primeScripting languageCore dumpUtility softwareInformation securityPublic-key cryptography2 (number)Content (media)MalwareComputer fileComputer animation
12:55
MaizeComputer hardwareElectronic visual displayPhysical systemoutputCorrelation and dependenceKey (cryptography)Core dumpEvent horizonSoftware frameworkEvent horizonCore dumpGroup actionKeyboard shortcutCodeProjective planeMalwareContent (media)Multiplication signOperator (mathematics)outputOpen sourceTap (transformer)Computer animation
14:07
Core dumpEvent horizonKeyboard shortcutGroup actionLatent class modelEvent horizonKeyboard shortcutUniform resource locatorStructural loadGroup actionMereologyCore dumpExtension (kinesiology)CodeCASE <Informatik>Kernel (computing)Key (cryptography)MalwareComputer animation
15:20
Core dumpEvent horizonDualismMalwareInteractive televisionTask (computing)Server (computing)Keyboard shortcutEvent horizonGame controllerNumberInformation securityCompilation albumChainCore dumpComputer animation
16:33
Core dumpEvent horizonKeyboard shortcutInflection pointElectric generatorKeyboard shortcutCore dumpEvent horizonTask (computing)Interactive televisionNumberGroup actionMalwareGame controllerPhysical systemCodeElement (mathematics)Wrapper (data mining)Key (cryptography)Server (computing)Type theoryComputer animation
17:20
Core dumpEvent horizonExtension (kinesiology)Event horizonExtension (kinesiology)Object (grammar)Social classWeb browserProgramming languagePhysical systemMalwareUniform resource locatorCore dumpSampling (statistics)Interactive televisionFamilyInstallation artMultiplication signComputer programmingChainKey (cryptography)Term (mathematics)Computer animation
18:35
Flock (web browser)Product (business)Firewall (computing)Core dumpEvent horizonWeb browserClient (computing)Interface (computing)Hacker (term)Proxy serverOnline chatDirected setoutputFirewall (computing)Event horizonPhysical systemMalwareFile systemRule of inferenceElectronic mailing listProcess (computing)Projective planeWindowAntivirus softwareGroup actionProduct (business)DatabaseCategory of beingCore dumpComputer fileComputer animation
20:04
RootSystem programmingMotion captureTouchscreenGastropod shellProxy serverRootMalwareVulnerability (computing)Computer animation
20:45
Menu (computing)AuthorizationAttribute grammarProxy serverInformation securityComputerControl flowStokes' theoremComputer fileRootFile systemRevision controlCartesian coordinate systemElectronic mailing listOperating systemRight angleInstallation artMalwareSystem administratorSoftware bugRoutingExploit (computer security)Computer animation
22:23
Information securityHacker (term)Proxy serverString (computer science)String (computer science)DatabaseBinary codePhysical systemComputer fileCartesian coordinate systemInformation privacyUtility softwareoutputRight angleEvent horizonElectronic mailing listPower (physics)2 (number)Computer animation
23:32
Library (computing)Device driverClient (computing)Proxy serverTotal S.A.Maxima and minimaPasswordDatabaseMalwareCartesian coordinate systemDirection (geometry)Game theoryCheat <Computerspiel>Binary codeKeyboard shortcutComputer animation
24:07
Proxy serverTotal S.A.Connectivity (graph theory)Computer fileMalwareRight angleSlide ruleDatabaseScripting languageCross-platformRootBackdoor (computing)Event horizonXMLProgram flowchart
24:53
Local ringConvex hullMessage passingProcess (computing)Lemma (mathematics)MalwareEvent horizonScripting languageAnalogyRevision controlInformation securityError messageOperating systemXMLComputer animation
26:12
DemonDatabaseInformation privacyInformation securityElectronic signatureRadical (chemistry)Cartesian coordinate systemRight angleDatabaseInformation privacyScripting languageEvent horizonDemonComputer animation
26:56
PasswordCore dumpEvent horizonNormed vector spacePlane (geometry)Event horizonCore dumpPasswordRevision controlVideoconferencingAuthenticationBinary code
27:50
Kernel (computing)Asynchronous Transfer ModeEvent horizonCore dumpInclusion mapEvent horizonKernel (computing)Asynchronous Transfer ModeCore dumpLibrary (computing)Operating systemReverse engineeringProcess (computing)Physical systemError messageFile systemGame controllerInformation privacySystem callString (computer science)Electric generatorTerm (mathematics)AuthenticationSoftware development kitComputer animation
28:54
Session Initiation ProtocolRootAkkumulator <Informatik>Control flowLogarithmInformation securitySlide ruleGreatest elementComputer fileSystems integratorSession Initiation ProtocolMalwareDatabaseRootLogicKeyboard shortcutComputer animationProgram flowchart
29:52
Information privacyDigital filterCore dumpInformation securityProduct (business)Event horizonCartesian coordinate systemProxy serverEvent horizonInformation securityWindowTerm (mathematics)Software developerOpen setAntivirus softwareFirewall (computing)Ocean currentDatabaseUser interfaceScripting languageSystems integratorInformation privacyPasswordCore dumpRight angleComputer animation
30:46
Block (periodic table)RootConvex hullEvent horizonAuthorizationBlock (periodic table)Installation artMalwareProcess (computing)Electronic visual displayRight angleUser interfaceSoftware developerGroup actionDemonComputer animation
32:01
Firewall (computing)Thomas KuhnConvex hullSimulationFluidEvent horizonVideoconferencingoutputProduct (business)Firewall (computing)MalwareDemo (music)Event horizonError messageReverse engineeringComputer simulationState of matterSource codeRadio-frequency identificationConnectivity (graph theory)Block (periodic table)TouchscreenServer (computing)Proxy serverException handlingProcess (computing)SoftwareComputer animation
33:15
Proxy serverProcess (computing)RootNormal (geometry)Keyboard shortcutControl flowPointer (computer programming)Key (cryptography)Execution unitCodePhysical systemCurvatureHill differential equationConvex hullEvent horizonRight angleMobile appKernel (computing)Core dumpPhysical systemOperating systemNormal (geometry)Key (cryptography)Keyboard shortcutInformationGroup actionElectric generatorNumberConnectivity (graph theory)QuicksortMappingScripting languageExtension (kinesiology)Interactive televisionComputer animation
35:04
FingerprintMaxima and minimaCodeOvalEvent horizonBlock (periodic table)Interior (topology)CodeLine (geometry)Key (cryptography)VideoconferencingGroup actionPhysical systemCartesian coordinate systemSet (mathematics)NumberGraphics tabletKeyboard shortcutEvent horizonSinc functionScripting languageElectric generatorJSONXMLComputer animation
36:09
Key (cryptography)Token ringPasswordConvex hullSoftware bugFunctional (mathematics)Event horizonHand fanOperating systemInformation securityKey (cryptography)ChainUtility softwareProof theoryComputer animation
36:53
Convex hullHill differential equationThumbnailBootingInformation privacyInformation securityExtension (kinesiology)Kernel (computing)PasswordKey (cryptography)Public-key cryptographyProof theoryProxy serverKernel (computing)Extension (kinesiology)Information securityOperating systemCASE <Informatik>Point cloudVideoconferencingGroup action
37:45
Kernel (computing)CodeStatisticsProxy serverKey (cryptography)Extension (kinesiology)Physical systemSystems integratorVulnerability (computing)Group actionEvent horizonStructural loadVideoconferencing
38:28
Event horizonProcess (computing)Electronic visual displayTouchscreenKey (cryptography)CodeExtension (kinesiology)TouchscreenWindowSystem callMalwareNeuroinformatikKey (cryptography)2 (number)Loop (music)Kernel (computing)NumberOptical disc driveFirewall (computing)outputLevel (video gaming)Physical systemSoftware development kitFacebookBuffer overflowStack (abstract data type)Computer animation
40:12
TouchscreenElectronic visual displayIntrusion detection systemOvalContext awarenessTouchscreenGroup actionElectronic visual displayMessage passingPower (physics)MalwareOperating system2 (number)Right angleComputer animation
40:55
Key (cryptography)Event horizonMenu (computing)Session Initiation ProtocolPasswordMathematicsInformation privacyProxy serverGoodness of fitVulnerability (computing)Key (cryptography)PasswordPatch (Unix)Proxy serverMultiplication signBlock (periodic table)MalwareKernel (computing)Event horizonInformation privacyExtension (kinesiology)Revision controlUniform resource locatorOrder (biology)Point (geometry)Software testingComputer animation
42:16
Event horizonProxy serverEvent horizonExtension (kinesiology)Line (geometry)Structural loadFlagKernel (computing)Physical systemCodeMechanism design2 (number)CASE <Informatik>Information securityVariety (linguistics)Group actionSoftware bugKey (cryptography)Parameter (computer programming)Process (computing)Computer animation
43:49
Infinite conjugacy class propertyGraphical user interfaceCore dumpMotion captureChainEvent horizonScripting languageProxy serverGame theoryBlock (periodic table)Data integrityInformation securityMechanism designGroup actionWordQuicksortEvent horizonProxy serverGoodness of fitPatch (Unix)Cartesian coordinate systemPoint (geometry)CASE <Informatik>Game theoryCore dumpComputer-assisted translationView (database)Key (cryptography)Computer animation
44:39
Information securityFreewareDigital signalEnterprise architectureInformation securityLevel (video gaming)Multiplication signMusical ensembleFeedbackCASE <Informatik>Object (grammar)InformationNegative numberComputer animation
Transcript: English(auto-generated)
00:00
So, this is one of the most highly coveted speaking slots, first thing on Sunday morning at any HackerCon. I have done this slot before, and I know how much fun it is. So, let's give Patrick a big round of applause and thanks for taking this highly coveted first
00:21
thing in the morning Sunday slot. Alright, aloha and welcome to my talk, the mouse is mightier than the sword. So, my name is Patrick, I work at Digita Security and very briefly we are working on creating cyber security tools for the Mac enterprise. I'm also the creator of the Mac security
00:44
website and tool suite Objective C. Okay, so today we're going to talk about synthetic events on Mac OS, and by synthetic I mean those that are programmatically generated, think mouse and keyboard events. So, we're going to start by looking at components
01:02
or local security mechanisms of Mac OS that can be attacked via synthetic events. We're then going to look at the fairly long history of attacks that utilize synthetic events, for example, to bypass local security mechanisms. Now, of course, Apple has responded to these attacks, so we'll now look at how they implement security
01:25
mechanisms to detect, filter, and in some cases attempt to block these synthetic events. We'll then talk about a recent bug I discovered that allowed me to interact with any component of the OS synthetically, for example, to click on security prompts. And then we're
01:43
going to end with describing how to weaponize this bug, for example, to bypass security prompts and do all sorts of nefarious things in an invisible manner. Okay, so let's start by looking at user interfaces, UI components of Mac OS that attackers
02:01
or malware may seek to interact with via synthetic events. So, first, here's the attacker's conundrum. So, let's assume an attacker or piece of malware has somehow gotten onto an end system, a Mac computer, perhaps via a malicious email attachment, a Trojan, a zero day, or even an evil maid attack. Now, it wants to do something. Unfortunately,
02:25
at least for the attackers and malware, on modern versions of Mac OS, many useful actions will now be blocked and generate an alert until, at least in theory, the user interacts with the alert, clicking allow or deny. So, this phase, this stage of a cyber
02:42
attack is kind of where this talk fits in, specifically how to interact or bypass such alerts so that the malicious actions can continue. Now, we'll take a closer look at a variety of these UI alerts, but we're talking about things like accessing the keychain, prompts
03:00
that protect the loading of kernel extensions, or even installing a system wide key logger. And then we'll also talk about some third party security tools, for example, firewalls and their alerts, and show how malware perhaps could synthetically interact with those as well. Now, this is a good time to kind of make the point, the generalized statement
03:20
about synthetic events, and really kind of mention how much of a powerful capability they really are. Because if you have a way to programmatically interact with these alerts, you can generically bypass a ton of security mechanisms. It's really a tool agnostic attack. It's really, in these cases, the UI is the single point of failure.
03:42
So even if the security mechanisms are all implemented in different ways, they all share, for example, the UI. So if you can programmatically interact and just click allow, you can bypass a ton of these mechanisms. All right, so the goal for the attacker then is to either avoid all these alerts in the first place, and we'll show some examples of how to do this,
04:02
or if an alert is shown, how to programmatically interact with it, to dismiss it via code. So, for example, here's a piece of malware, and we'll talk about this a little more in detail later, but it allows the attacker to interact with the operating system remotely. Here,
04:20
for example, we see an alert that is displayed when the malware tries to dump the keychain. So what a remote attacker can do is send a synthetic mouse event to click, for example, the allow key here to dump an RSA private key. Now, of course, Apple tries to prevent these synthetic interactions, but it's really a cat and mouse game, and we'll talk more about
04:41
Apple's defenses, but it's surely come as no surprise that Apple keeps losing. Okay, so what are attackers or malware targeting via these synthetic events? Well, we briefly already mentioned the keychain, so let's take a closer look at this now, because it's actually a very common target for both malware and attackers, for obvious reasons.
05:04
It really stores a ton of sensitive information, for example, private keys, passwords, certificates, autofill data, and also even sensitive application-specific data. So until recently, you didn't need any special privileges to dump the unencrypted contents of the keychain.
05:22
There was just a single access prompt that was displayed. So that was all that was standing between all your passwords and goodies and full unencrypted access for a local attacker or a piece of malware. So again, if the attacker has the ability to synthetically interact with this keychain prompt, all your secrets are essentially theirs. Another target that Apple
05:45
seeks to protect from synthetic events is the security and privacy accessibility pane, which is found in the system preferences application. And the reason that this is protected is once an application has gained accessibility rights, they can control other
06:02
processes like it says on the slide. For example, it can inject events or do things like capture keystrokes at the system level. Of course, these are very powerful capabilities that malware or an attacker would love to have, thus this UI component is protected. Another aspect of the
06:21
OS that a malware or a local attacker may seek to interact with synthetically are privacy alerts that are displayed, for example, when you try to access the user's location, their contacts, or the calendar events. So for example, here we can see on the slide if you execute this code to try to figure out the geolocation of the infected system, the operating system will block
06:45
this action and display an alert and in theory only continue when the user clicks allow. A newer target for synthetic events is the interface for approving the loading of kernel extensions. So in High Sierra, Apple introduced something called user-approved kernel extension
07:05
loading, which basically says a user has to manually approve the loading of a kernel extension. So on recent versions of macOS, kernel extensions have to be signed, but one attack vector is an attacker or malware could bring a legitimate third-party kernel extension that is signed but
07:24
has a vulnerability in it and then load and exploit that. So I talked about this previously at Defcon, found a exploitable heap overflow in the little snitch kernel extension and it was buggy and yes it was patched, but since I had an old copy of the kernel extension, I could still
07:41
load and exploit that. So Apple, as I mentioned, tries to thwart this attack with this user-approved kernel extension loading. Now obviously what an attacker would try to do is synthetically interact with the allow button that Apple has put up to block the kernel extension from loading and again if the hacker can just send a synthetic mouse a click
08:03
event to click this button, it would completely bypass this new security mechanism. Finally, we've got the user interfaces of third-party tools. You can think of ones like firewalls or antivirus products and again these tools may detect and block
08:20
an attacker or malware's activity and so this is obviously something that again attackers or malware would like to interact with. So some examples are the macOS firewall, a generic ransomware detector I wrote, and another tool called BlockBlock which will detect and prevent persistence. So if these tools detect an attacker or the payload,
08:42
what they will do is again block the attack and display in a prompt to the to the user asking to allow the action or to deny it. So what a savvy attacker could do is try to synthetically interact with these alerts. Another thing to point out, most of these security tools run with root privileges. So an unprivileged piece of malware or an attacker couldn't do things like
09:05
disable the process or interact with them. However, the UI, if you want to interact with it, that runs in the context of the user session and mostly you don't need special privileges. So again an unprivileged attacker, if they have a way to synthetically interact with these alerts,
09:21
can completely bypass generically all these tools without even needing any special privileges. All right, so now let's talk about some past attacks. So over the years there's been a myriad of attacks that sought to interact with the UI in a synthetic manner and we've seen proof of concepts but also actual malware specimens that implemented these attacks. So
09:44
let's take a look at these now. Now we'll dig into these but there are several ways to synthetically interact with UI components that Apple has tried to mitigate but that attackers have also used. So we'll look at some of these closer, some include AppleScript,
10:01
the core graphics framework, and even in some cases simply sidestepping the alerts all together. So first up is AppleScript. You might be familiar with this. It's a kind of a basic capability normally used for the automating, automation of mundane tasks but it's actually
10:20
rather powerful because it can allow you to interact with other processes. For example, generating clicks or actions that then will actually appear to originate from the context of the target process. So in terms of AppleScript actions, for example, you can very easily in a few lines of code display an authentication prompt. For example, to locally fish for the
10:43
user's password. The user might be tricked into believing this is legitimate and provide their credentials. You can also do things like bypass firewalls. For example, assuming that the firewall trusts the browser via a few lines of AppleScript, you can kindly ask the browser to browse to an attacker-controlled URL and append any data you want to exfiltrate in a get
11:06
parameter. And again, you can do this invisibly. Now the firewall will likely see this connection, but as it's originating from the context of the browser, it will be allowed. So AppleScript is very powerful. Now in the context of this talk, though, we're most interested in utilizing
11:21
JavaScript to generate synthetic events. So here, for example, we have an attacker who is trying to dump the contents of a keychain, either via the API or using the built-in security utility. As mentioned, this will generate an access prompt that Apple wants the user and only the user to interact with. Now using AppleScript, though, on older versions of Mac OS,
11:45
you could synthetically send a click event to this prompt clicking allow on this button. So on the slide, we have the code to do this. And basically, you can see we're telling the security agent to click the allow button. You don't need any crazy exploit. You
12:00
don't need any complex code, root privileges. All you need to do is click this button with AppleScript. You could dump everything in the keychain. So let's look at some malware that did this all the way back in 2011. So Devil Robber was a cryptocurrency miner, and it contains a file called kc underscore dump dot sh. Kc, obviously, for keychain. And if we look at the
12:25
script, we can see it executes two other scripts. The first one, kd dot sh, just invokes Apple's security utility to dump the keychain. And again, this will generate a keychain access prompt. The second script, kcd, just continually clicks the allow always button
12:43
in the keychain access. So again, using this AppleScript, it can synthetically click the allow button and dump the unencrypted contents of the keychain, which are password, private keys, et cetera, et cetera. Now, probably the most common way that attackers seek to interact with these UI prompts programmatically is using Apple's core graphics framework. And Apple
13:06
notes you can use this core graphics framework to do things like low-level user input events. So yes, you can legitimately generate synthetic events. But you can also use this framework to do things like sniff or capture mouse and keyboard events. So this is useful, as we'll
13:22
see, for example, for analyzing malware that generates synthetic events, because we want to be able to sniff and record those activities. So I created an open source project named sniff mk. And what it does in code is three simple things. You specify what events you want to monitor, for example, keyboard or mouse. And then you create what is called
13:44
a core graphics event tap. And you can think of an event tap kind of like when you tap a fiber optic cable, get access to the content. So once you have this core graphics event tap, you can install it and enable it. Now, any time an operation occurs, a mouse event or a keyboard event, either a manual one or a synthetic one, it will be delivered
14:05
to your event tap and you can record this action. Of course, also via core graphics, you can post synthetic events, which you can do programmatically to click buttons in the UI. So for synthetic keyboard events, you use the CG post keyboard API, while for mouse events,
14:24
you use the CG post mouse events. More generically, you can also use the CG event post, which can be used to post either mouse or keyboard events. So these are the APIs you can use. So here's some example code that utilizes the core graphics APIs to send a synthetic key
14:42
press. Here, we're going to send an enter key. So whenever you send a synthetic event, you need to divide it into two parts. First, you send the down event and then the up event, because again, this mimics what a user does when they press and release the key or click the mouse. So what an attacker would do would be to perform an event that may trigger an action,
15:02
a UI prompt, for example, trying to dump the key chain, load a kernel extension, or access the user's location, and then synthetically post the event, in this case, an enter button, which would then click the allow button in the prompt, which would both dismiss and allow the malicious action. So let's look at some actual malware that
15:23
used core graphic events to generate both synthetic mouse and keyboard events. So FruitFly was a rather prolific piece of Mac malware. It was used by the attacker for over a decade to spy on Mac users, unfortunately a lot of children. So in the decompilation,
15:42
we can see that it calls CG event create mouse event and then also the CG event post. So this indicates or looks like this malware has the capability for generating synthetic events. So what I did was I created a custom command and control server that allowed me to task the
16:01
malware. So for command number eight, which was tied to what appeared to be the synthetic mouse events, I could task the malware and observe what it did. So this allowed me to map out the synthetic mouse capabilities of the malware. I'd basically task it with command number eight, and then I'd run the mouse and keyboard sniffer. And yes, I could detect that this
16:22
malware had the ability to generate synthetic events, which would allow it to do things like interact with security prompts, for example, when it wanted to access the key chain. Now, FruitFly also had the ability to synthetically generate keyboard events. So again,
16:42
reversing its code, we can see it invokes the AXUI element post keyboard event method, which is just a wrapper over the core graphics keyboard APIs. Again, via the custom command and control server, I could task the malware and observe its actions. So for example, I could figure out that command number 16 was the malware synthetic key down command,
17:05
where the command number 17 was then the synthetic key up. Again, this gives the attacker the remote ability to generate synthetic keyboard events, either to type on the system or interact with these UI prompts. Another example of malware that uses the core graphic events
17:24
APIs to synthetically interact with the system is Genio, which is probably the most prolific, most annoying adware sample or family on macOS. So we can use JTool to dump its binary, and we can look at its Objective-C classes. Now, Objective-C is a very verbose programming language,
17:42
so a lot of times you can actually figure out the names of the methods and the classes. So we can see a class named Safari extension installer, and it has methods such as click on install button. It's like, okay, wonder what that does, right? So on macOS, it turns out that Safari extensions are stored in the key chain. This means if adware wants to programmatically
18:05
install a malicious browser extension, they will have to interact with the key chain access prompts. So what the malware does is it attempts to install this malicious browser extension, and then once the key chain access prompt is displayed, it will detect the location of this
18:22
pop-up, move the mouse to the allow button, click mouse down, and then click mouse up, allowing itself to be fully programmatically installed as a malicious browser extension without any user interaction. Finally, in terms of using core graphics to generate and post synthetic events, we have the unsecure proof-of-concept project on GitHub,
18:45
and what it is is it's designed to target third-party firewall and antivirus products. Again, what it does pretty simply is just looks for the alert windows, gets the coordinates of the allow buttons, and then sends a synthetic mouse click event to both dismiss and allow the action.
19:05
Next, we've also seen malware and attackers trying to avoid these UI prompts altogether. You know, synthetic events are really cool, but if you can avoid a displaying of alert in the first place, that's even better. So here's kind of a conceptual example. Imagine an attacker or piece of malware wants to connect
19:23
out from a system that's protected with a firewall, perhaps to exfiltrate some data. Now, it could perhaps try to synthetically interact with the firewall's rule window to manually add itself via a mouse click, but this might be protected by another access prompt, because there are ways to secure the UI. So what the malware could do, though,
19:44
is if it detects that the firewall has a list of trusted processes stored in some property list or some rules database on the file system, if it can directly manipulate that database instead, it can add itself to the list of trusted processes and then connect out without
20:01
having to interact with any firewall alerts altogether. So let's look at some malware that kind of did the same thing to bypass the UI and all alerts to capture keystrokes. So XSL-CMD was a piece of Chinese malware that had some pretty standard capabilities, although it had the ability to capture all keystrokes without any UI prompts,
20:24
which is rather odd because normally you have to interact with the UI in some manner to approve this capability. So about a year after the malware was discovered, OS X vulnerability was independently discovered and reported called RootPipe, and another researcher went back and noticed that the malware was actually exploiting this same vulnerability a year before.
20:46
So for system-wide keylogging, as I mentioned, you either have to be root or your application has to have accessibility rights. So on older versions of macOS, you gain these accessibility rights by going into the system prompt and clicking on a button that says enable accessibility
21:02
rights. Now when you click this button, the operating system will display a prompt and require user or admin credentials. So what this malware does, though, is exploit this RootPipe bug, again as a zero-day, to basically click this same file, click the same button by simply creating a file underneath it. So what happens in the background when a user clicks this file,
21:24
it creates a file on the file system to indicate basically that that button was checked. So the malware just bypasses the UI and creates this file directly using this exploit. So once it does that, it can access all key presses and install a system-wide keylogger, again without having to actually interact with the UI. Okay, so now it's also not just
21:47
malware, though, that is interacting with or bypassing rather the UI to do kind of shady stuff. So previous versions of Dropbox actually did something rather sneaky. So if you ran the Dropbox installer, it would ask for root credentials and then continue its installation.
22:05
However, if you look at the list of applications that were given access to accessibility rights, Dropbox would magically show up, which is odd because on recent versions of macOS, even if you have root privileges, there's supposed to be a secondary access prompt to allow
22:21
applications to have these rights. So Phil Stokes did some interesting research and kind of found why exactly what was going on. So if we run strings on one of the Dropbox binaries, we can see some interesting strings. We can see reference to something called tcc.db and we can
22:40
also see lots of SQL-related strings. So it basically looks like Dropbox is interacting directly with this system database. So what is this tcc.db file? Well, if we run the file command on it, we can see it's an SQL-like database, and if we Google around, we can see that it's macOS's privacy database, which among other things keeps the list of applications
23:04
that are afforded these powerful accessibility rights. So we can confirm this by running fsusage, which is a file mon utility, opening the system preferences, and seeing that the application generates FileIO events to go read this database. So what Dropbox is doing rather
23:22
suspiciously is directly modifying this tcc.db file to give itself accessibility rights and avoiding this second UI alert altogether, which is, I think, kind of shady. Now, I wanted to see if other applications or perhaps malware was using this same kind of trick, so I hopped onto VirusTotal and just did a search for tcc.db. And there was a few items
23:46
that it detected, a few game hacks, which kind of makes sense because it might need to move the mouse or keyboard, but there was one application in particular that was kind of suspicious. And it caught my attention because it claimed to be an Apple binary, but it was unsigned, it
24:01
was packed, and it attempted to modify this SQL database directly. So again, clearly very suspicious. So I took a closer look at this, and it turned out to be a new cross-platform backdoor, which is now called coldroot. So when it's run, coldroot would execute something called runme.sh. And we can dump this script, and we can see that what it is doing is it's directly
24:25
manipulating this tcc.db file to insert the malicious component of the malware into this database so that it can do system-wide keylogging. So on the right of the slide, we can see that when I log into my bank account now, the malware is able to capture
24:43
these keystrokes because it has directly manipulated the accessibility database. Again, this is an example of bypassing the UI, no need for synthetic events. Okay, so that was a fairly comprehensive history of attacks against the UI, both that generated synthetic events to, for example, click allow buttons, and also those
25:04
that sidestep the UI altogether. Now, obviously, this is not something that Apple is stoked about, right? They designed these alerts, and they expect that only the user will be able to interact with them, because if malware can, it kind of completely, in my opinion,
25:20
defeats the purpose of these alerts. So let's look now at what Apple has done to mitigate these synthetic attacks. So first, on Mac OS, modern version, AppleScript is blocked from interacting with certain security prompts. Specifically, if we now use AppleScript to send a click event, the OS will detect that this is a
25:42
synthetically generated event and will display a warning, a security prompt, which cannot be generated or interacted with synthetically. So now, for example, if the piece of malware tries to dump the keychain and use AppleScript to send an allow click to that allow button,
26:03
the operating system will detect that this is a synthetically generated click and will block it and log an error message saying this is not allowed. So let's look at this a little closer to see kind of how Apple is implementing this. So if we execute some AppleScript from the terminal to attempt to
26:20
generate and submit a synthetic event, we can see that the TCCD, which is the privacy daemon, will check the signature of the application and again will check if that application is in the TCC.DB, which again is that privacy database. And if it's not found, it's going to display an alert to the user basically saying, hey, this application has not been
26:45
accessibility rights. I am not going to allow it unless you explicitly approve it. And this secondary security alert cannot be interacted with synthetically either. Now let's look at what Apple has done to block synthetic events that are generated via
27:02
the core graphics APIs. So in short, on recent versions of Mac OS, Apple will now display a secondary secure authentication prompt requesting user credentials when it detects that something is generating synthetic events via the core graphic APIs. So here's a brief video. I wrote a simple binary that tries to generate a synthetic event.
27:26
And if we watch it, we're basically going to see that as soon as I click the event, Apple detects this and shows a secondary prompt which basically says I have detected that this is a synthetic event. Before I'm going to allow this synthetic event to occur,
27:41
you have to put in your username and password. So again, it looks like Apple has successfully mitigated against synthetic events that are generated by core graphic APIs. So let's briefly dig into this a little deeper to see how they are implementing this protection. So first in the system log, we can see an error message that is logged when we try to generate a synthetic event via the core graphic APIs.
28:05
So we can grep the file system for this string and we can find the library that implements this check. So what we do is we reverse engineer this library and we see it make some calls into kernel mode. So if we hop into kernel mode, we can see this check is likely
28:21
implemented in the MPO IO kit check, check, hid control check. So reading Apple's comments for this, we can see it says it determines whether the process can post synthetic events. So basically what it's doing is it's checking the entitlements of this process to say, hey, is this a process that is allowed to generate synthetic events? And if it's not,
28:42
it returns an error mode to user mode and then the operating system will display that secondary authentication prompt, which basically says, hey, you have to provide your credentials before I'm going to process that synthetic event. In terms of the privacy database, Apple now protects this via system integrity protection or SIP. So on the bottom of the slide,
29:04
we can see that if we do an LS to look at the file permissions, we can see there's a new permission that is set to restricted. This means this file is now protected with SIP or system integrity protection, which means even if the attacker or the malware has root privileges,
29:21
they will not be able to modify this file. So going back to the cold root malware, we can see that the cold root malware will actually check if its modifications to the database were successful, and if it fails, it will not implement its keyboard keylogger logic because it won't work. So this basically means because of these new security mitigations that Apple has
29:44
allowed or implemented, even though the malware will still run, the keylogging will not be successful. So kudos to Apple for fixing that. Okay, so to briefly summarize Apple's current protection against synthetic and UI bypasses. For AppleScript, the application
30:02
must have accessibility rights, which the user must explicitly grant. In terms of core graphics, Apple now detects and filters those and will ignore synthetic events unless the user puts in their username and password. And then in terms of bypassing the UI all together, they have protected the privacy database with system integrity protection. Now there's one important thing to
30:24
note is that these protections are not applied globally. They are only applied specifically by Apple to certain security prompts. So we'll see this leaves a window open for other attacks, but also it means third-party developers, for example firewall and antivirus developers,
30:41
they have to implement protections of their UIs individually. So let's briefly look at how third-party developers can protect their UIs from synthetic events. So I'm an author of a tool called BlockBlock. As I mentioned, BlockBlock basically tries to detect and prevent
31:01
persistence events. So for example, when malware tries to install itself persistently, BlockBlock will detect that, display alert to the user, and basically ask the user to confirm or deny. Clearly this alert could be a target for a synthetic attack, right? A malware installer could run, detect that BlockBlock has detected and displayed an alert, and then
31:23
try to send a synthetic event to dismiss and allow the action. So what I do to detect and prevent this is basically subclass the UI button, and this allows me to analyze the events that are coming in. For example, the mouse event that is clicking the allow button. What I can do then is I can examine the event and see who is sending it, both the process's
31:44
ID and UUID. So then I can ignore events, for example, that aren't coming from an Apple signed process or don't belong to the human interface device daemon. So again, if the malware now tries to send a synthetic click to click allow on the BlockBlock alert, I will detect and ignore this. A little snitch, which is a very popular
32:04
Mac firewall product for macOS, similarly ignores synthetic events. In this video demo, we're going to see that I am basically trying to synthetically click on the allow button on the firewall alert. Obviously, this is something that malware would try to do to bypass the firewall if it was detected. A little hard to see on the video, but little snitch has detected this
32:24
and displayed an error message saying, simulated input ignored. So we can reverse engineer their binary to see how they implement the detection and ignoring of synthetic events. They take a similar approach to BlockBlock, they subclass a UI component, and they have a method called
32:42
is simulated. And again, they monitor for certain events, for example, mouse clicks. And what they do is they get the source state of that click. Now the source state will be set to one if it is a non simulated event. So they check that and they also check the pit of the process to identify who is trying to send the event. Interestingly, they also have
33:04
exceptions for Apple screen sharing and VNC servers, because those events may come in and appear to be simulated because they're coming in over the network, but little snitch probably wants to allow those. Okay, so that wraps up the attack and defenses. Apple was happy thinking that they
33:22
were safe, but as we'll see in reality, they were not. So now let's look at an attack I discovered that allowed me to interact synthetically with any OS component and do all sorts of nefarious things. So my goal is simple. I basically just wanted to be able to synthetically or programmatically interact with these alerts and do things as a normal user, like
33:45
dump the keychain or approve the loading of a kernel extension. So I started poking around on Mac OS and after a few minutes, I found a feature of the operating system called mouse keys. Now it's a documented feature, it's Apple documentation, and basically as their documentation
34:02
says, it allows you to use the keyboard as the mouse. So they provide a lot of information, including keyboard to mouse button mappings. So for example, if you want to click, if you press the key I or the letter number 5 on the keyboard, if mouse keys are enabled, this will be
34:22
translated to a mouse click. So of course I wondered, could these allow me to generate synthetic keyboard events that would then be translated to synthetic mouse events, which would then be allowed? So first though, we need to programmatically enable mouse keys, and we can do this in three steps. We first launch the system preferences app, we then open the
34:42
accessibility pane, which is different from the accessibility rights pane, which is protected, and then we send a synthetic click to enable mouse keys. Turns out that this is all doable via AppleScript and core graphic foundation APIs. Apple doesn't consider these interactions sensitive enough so they don't filter or block any synthetic actions.
35:04
So here's a video of this in action. We basically go to open the system preferences application. We're going to go to the mouse settings, and then we're going to click enable mouse keys. So again, a few lines of code. We basically now enabled mouse keys. Really not
35:23
that exciting. But now we can see if we can use these mouse keys to generate synthetic mouse events. So as I mentioned, the number 5 on the number pad when mouse keys are enabled will generate a mouse click. So the key code for this is 87. So now we have mouse keys
35:43
enabled. I utilized some AppleScript, and I basically sent this key code, 87, to a UI prompt. And we can see that if we run our mouse and keyboard sniffer, that yes, the synthetic key down and up event are captured, but then the system, since mouse keys are enabled, will
36:01
translate those to mouse events. And since those are translated by the system, when they are delivered, they will be allowed. So now we have a way to generically generate synthetic events that Apple will allow. Again, it's not some crazy bog, but I'm a huge fan of utilizing legitimate functionality of the operating system to do nefarious things.
36:24
So let's use this to do some evil stuff. First, let's dump the key chain. So step one is we try to execute something like the security utility to start dumping the key chain. As I mentioned, this will open or display an accessibility prompt that Apple requires or expects only the
36:42
user to interact with. However, since we have the ability to do this, we can simply enable mouse keys and then send a click that will be allowed, which will then allow us to dump the key chain. So I wrote a little proof of concept for this. It does three things. Enables mouse keys, dumps the key chain, and then clicks allow on the accessibility prompt.
37:04
And this gives us full access to all the user's passwords, private keys, et cetera. Again, fully unencrypted. Next, let's use mouse keys to bypass High Sierra's user-approved kernel extension loading. Again, a few easy steps. We enable mouse keys. We load the kernel
37:22
extension, which will be blocked until the user, or in our case, our attack code, clicks allow. So once this button is displayed, we simply, again, enable mouse keys and send this click. And this will basically be processed by the operating system and allow the kernel extension to load. As I often find is the case, bypassing these Apple security mitigations is really not
37:44
that complicated. So here's a video of this in action. We're basically going to load that signed little snitch kernel extension that has that exploitable vulnerability in that. Again, this will be blocked by the system because it will want the user to manually approve that. In code, though, what we will do is enable mouse keys and then browse to the
38:05
prompt that has the allow button and then send a synthetic event to click that. So that's the full attack. And if we do a kext stat, we can now see that the system has allowed the kernel extension to load. We can now exploit the vulnerability in this
38:21
signed kernel extension to do things like bypass system integrity protection and get unsigned code running in the kernel. Now, I'm sure some of you have already thought, like, okay, these attacks are kind of neat, but there's a huge downside to them, and that is that they are visible. So if you're sitting at your computer and all of a sudden
38:40
an alert pops up, the mouse moves, and something gets clicked, you will surely know that your computer is hacked. Like, throw it out the window, right? So as an attacker, our question becomes, how can we do this invisibly? And it turns out that's pretty easy. We can basically just dim the screen. Really, not rocket science. So with no special privileges, anybody, including malware, can dim the screen. And here's the
39:04
code to do that. Basically, you make a few calls into IO kit, and you basically pass a brightness level, which will reduce the screen to zero. Now, the key here is that the screen when dimmed to zero is still fully interactive. That is to say, we can still
39:21
fully interact with the UI, for example, to load the system preferences, enable mouse keys, and click on buttons. But of course, the user won't see it. Now, we still have an issue. Again, if you're sitting in front of your computer, you know, on Instagram, Facebook, or writing code via Stack Overflow, and all of a sudden your screen dims, again, that's going to be super odd. So what we should do is be a little more sophisticated about this.
39:45
So the first thing we can do is we can detect user activity and simply wait until the user is not active. So there's a nice API you can call that will give you the number of seconds of the last user activity. So we can just query this API in a loop and basically say,
40:01
okay, let's wait until the user has been inactive for 60 seconds, and then dim the screen and perform our synthetic attacks. For example, loading the kernel extension or bypassing the firewall. Now, even better though, we can simply wait until the screen is going to sleep on its own. So when a screen sleep action occurs, there are two steps. So the operating system
40:24
first sends a can device power off message and dims the screen to 50%, then waits about three seconds before fully dimming the screen to zero and then turning off the display. So what we can do as malware is we can detect this initial message, and when the screen starts
40:41
to dim to 50%, we can expediate that, dim it to 100%, and then perform our action before the screen is fully put to sleep. So again, a very stealthy way to perform these attacks that the user will not notice. All right, so let's start wrapping this up. I reported this mouse key vulnerability or bypass to Apple. They patched it as CVE-2017-7150,
41:08
and their patch did two things. First, any time the keychain is accessed, even by the user, this will now require a password, which I think is a good idea. Apple also decided to filter mouse keys and now block them, for example, when you send them to a UI prompt.
41:25
Unfortunately, issues still exist even today on the latest fully patched versions of High Sierra. First, the privacy alerts appear to remain unprotected, which is very strange. So as I mentioned, when malware, for example, tries to access your contacts, your events, or your
41:41
location via the location APIs, this will display a privacy alert. However, these alerts are not protected, so you can send any synthetic event to that and just click allow. In my opinion, this is rather problematic. What's the point of displaying an alert if you're not going to protect it? Okay, this is even worse, and I'm almost embarrassed to talk about this, but I'm actually
42:01
more embarrassed for Apple. So there's a zero-day vulnerability or flaw in the way they process or filter synthetic events. So let's take, for example, the allow button that has to be clicked in order for a signed kernel extension to load. So I said, okay, I want to test how Apple has implemented this protection. As I mentioned, you have to send two events for a synthetic
42:24
event. You send a mouse key down and then a mouse key up. So the way you do this is you invoke the same API, but the last parameter to that is a flag. You set it to true if it's a mouse down event, and then you set it to false if it's a mouse up event, which will complete the action. So I wrote the first line of code, and then I was lazy, and I copied and
42:42
pasted the second line, and I forgot to change the flag. I then compiled and ran this code, and I was really surprised when this was allowed. So it turns out that if you send two mouse down events, for some unknown reason, the second mouse down event is translated to a mouse up event
43:00
by the kernel. And since the filtration process allows mouse up events from the kernel, this action is allowed. This means that since its inception, the fundamental secure kernel loading extension security mechanism that Apple talked all about has been completely broken.
43:20
Now people, including myself, sometimes talk smack about Apple security mechanisms, but examples like this I think really prove that in a variety of cases it's really trivial to bypass that. So I'm kind of embarrassed as I meant to discuss this bug because it's so trivial, and I found it completely by accident. But again, it's very powerful. It allows you to
43:41
generate synthetic events, even on a fully patched system, for example to load kernel extensions, which in my opinion is rather a big problem. All right, so a final word about synthetic events, hopefully we've illustrated that they are actually a very powerful capability, especially when performed invisibly. We can do all sorts of actions, bypass a whole
44:01
bunch of security mechanisms, and again in a kind of tool or security agnostic manner. Now, as is often the case with these attacks, it's really a cat and mouse game. So attackers come up with new ways, like mouse keys, Apple releases new patches. Unfortunately,
44:21
Apple kind of has been struggling. Good news though, in Mojave they've kind of taken this more drastic approach and said, okay, we're just going to generically block and disallow a ton of these actions. For example, they block AppleScript and core graphic APIs. This is good from a security point of view, but this will block a lot of legitimate applications.
44:41
Now, I've been told in feedback that some of my talks are a little negative. You know, it's like, Patrick, you always talk about breaking everything and how Apple keeps messing everything up. And yeah, okay, that's a little negative. So I wanted to finish with something that's hopefully a little more positive. So I'm excited to announce a new Mac security conference called Objective by the Sea. We have awesome lineup of Mac security speakers.
45:04
All the talks will be focused about Mac security. It's going to be in an awesome resort in Hawaii. Here's some pictures in case you weren't convinced that you should come. And it will be November 3rd and 4th. And check out objectivebythesea.com for information. So that's a wrap. I want to thank you again for coming bright and early on Sunday. And I
45:25
think we're pretty much out of time, but I will be by the stage if you have any questions. So thanks again. I really appreciate it.