Office Drama on macOS
Formal Metadata
Title | Office Drama on macOS
Number of Parts | 374
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/49732 (DOI)
Transcript: English(auto-generated)
01:35
Make sure it's not just me who's seeing it weird.
01:45
They should see the three of us. Yeah, I see us. You see us? Yeah, I just went to the Twitch stream. Oh, excellent. Which Twitch stream?
02:03
I hear myself now, too. Okay, it's fantastic. We are a professional organization here on Friday night. We're gonna call that one my fault, okay. Welcome to Q&A with Patrick Wardle. We are going to be talking about some macOS stuff and some stuff kind of adjacent to Microsoft Office.
02:27
I am Jurist, and the other goon that you see here is Fallible, and we're gonna be helping ask Patrick some questions this evening. And it's good to see you all in the chat. Patrick, why don't you take a minute to introduce yourself to everybody? Because I noticed that in your talk you kind of dove right in
02:46
into your content. So take a minute, say hello to everybody, tell us a little bit about yourself. Sure. Aloha. My name is Patrick Wardle. I am a principal security researcher at Jamf. I'm also the creator of a Mac security website and tool suite.
03:03
I have been fortunate enough to talk at a few DEF CONs in the past. It's always my favorite event to talk nerdy at. This year it's virtual, you know, well, bummed we didn't all get to hang out together in Vegas, but it's important we're all staying safe and healthy, and
03:22
actually connecting online is kind of super hackerish. So I'm stoked you're all here to chat a little bit more about my talk, open Q&A. Again, welcome. Well, thank you for being here. We really appreciate it, and it's nice to get some folks who want to come and present this way, so
03:42
sneakernet gave us what they're considering to be a softball question: SYLK is the old file format you've come across; is there a way to programmatically scan macOS apps for what kinds of files they handle, entitlements, particular API usage?
04:02
Yeah, so that's a great question. The first place I would look is in something called the Launch Services database, and you can enumerate this with the lsregister command. What it will basically do is dump all the file type and application associations on your macOS system.
04:23
So for example, you can see what applications have registered for HTML files, what applications have registered to handle documents, in this case what type of applications perhaps support these SYLK files. So that's kind of where I would start; it gives you a global overview of that.
04:41
So if you just google lsregister, again, it's a macOS command, you run it with the -dump flag and it'll dump this database. You can also look at an application's Info.plist file, which is something that all applications have, and in there they can have a set, actually an array, a dictionary of key-value pairs that kind of tell the operating system what type of
05:04
applications, sorry, what kind of files they support, and this is actually how that database gets populated. So for example, Office lists doc files and the file formats it supports; obviously a browser will have a large list including HTML files, PDFs, etc. That's a great place to start, because then you can see the file formats, and
05:26
then I would look at the more esoteric or unrecognized ones and start fuzzing or playing with those, because as I kind of mentioned in my talk, the reason that this vulnerability existed, specifically the automatic execution of macros, was that Microsoft actually has two separate code paths for handling macros based on these file types.
05:46
You know, obviously the main one for documents, and then a whole separate, archaic code path that probably no one ever looked at for these older file formats. It's always a good idea to look for these more esoteric, ancient file formats, because there's a lot of security bugs there, because they were created in a time when security wasn't really
06:08
Anytime an afterthought gets pulled forward into what's happening now, it's probably an interesting space. Exactly. Cool, next question coming in, also from sneakernet: is there a way to programmatically scan Mac apps? Oh, we did that one already.
06:27
Let's see here. Have you considered trying to do something similar to this kind of research with iPadOS or any other kind of non-Windows OS or mobile OS?
06:40
That's a great question. I predominantly focus on Mac for two reasons. First, my personal opinion is it's really good to get really niche in whatever area interests you; that's just something that I've found to bring a lot of success in my security career. The other fact, and I guess I will admit this, is hacking Mac is far simpler than hacking an iOS
07:03
operating system or iPadOS, and this is just because of how locked down that operating system is. So I think there has been some research done in the past based on, you know, custom URL handling, which is largely how applications and certain file formats are kind of connected in a way on iOS.
07:23
But you know, even if you found some interesting issues there, you would have to break out of the sandbox and then deal with a lot of the extra constraints that iOS and iPadOS kind of stack on top of that, whereas with macOS you really don't have to worry about too much. You did have to find a new sandbox escape,
07:41
but you showed that was pretty trivial to do, and there's been kind of a history of that. So, you know, the TL;DR: iOS is just really a hard target, so I'll probably just stick to Macs for now. So that's an interesting statement, though, that you found that getting really niche is the thing that helps you continue to find new, interesting
08:04
vulnerabilities, so you're keeping your target list really small. Can you talk about that any more, and some of the... what are some of the strengths that that's bringing you, and can you think of anything that you're missing, that maybe if there was one more thing you wanted to add?
08:22
Yeah, I know, and that's something that, you know, as I grow older and wiser, resonates really well with me. So, you know, a long time ago I used to work at the NSA, the National Security Agency, everyone's favorite US government spy agency. I remember when I got there I was an intern, and in the intro program you kind of bounced around different offices, kind of sampling different
08:45
activities, let's say. I remember thinking, wow, I want to be good at all of this, like crypto, and like reverse engineering malware, and writing Windows exploits, and hacking satellites, all the really cool stuff the NSA does, and I got to the point where I was like, you know, it's just impossible to have depth in so much breadth.
09:02
So I said, look, I'm gonna kind of focus on one specific thing. And actually it was only when I left the NSA that I really started focusing on Macs. The reason for that was at the NSA I did predominantly Windows stuff, and so when I left I wanted to still use my foundational skills of reverse engineering,
09:23
vulnerability discovery, exploit development, but I didn't want to do it on the same platform I was kind of poking around with at the NSA. It's just good not to cross any lines, and you know, you don't piss off the NSA. Hey, look, let me focus on Mac. I can use my same skill sets, but it's a separate platform, so I probably won't step on any
09:41
toes. And moving forward with that, I really kind of doubled down on it, and it really allowed me to get a lot of depth in the topic. And I've noticed, for, you know, finding new vulnerabilities, giving conference talks, at least for me having that depth has really allowed me to become, you know, somewhat of an expert in the space, I would say,
10:02
and allowed me to really dig more into maybe the more esoteric parts of the operating system, where a lot of vulnerabilities lie. Whereas if I was trying to do that across maybe multiple operating systems and multiple platforms, it's just, I think, impossible to gain that much depth. So that's something that's just really worked for me.
10:21
I would say the one downside is sometimes you might miss attacks that work on one platform that might have a conceptually similar vulnerability on macOS. One great example I can think of is DLL or dylib hijacking. It was a very common kind of attack scenario on Windows, and, you know, when I was still kind of coming into the Mac space, I decided to see if macOS was
10:43
vulnerable, at least conceptually, to the idea of hijacking dynamic libraries based on search path. It turned out it was, and I just happened to be the first person that kind of dug into that and talked about it. So I still think it's good to keep your eyes and ears open and see what other research is out there, just to be inspired, and then kind of say, hey, this is something I can bring into my platform.
11:06
But again, I've had a lot of success really focusing just on one platform, you know, macOS, not even iOS as much. So again, to me that's worked really well, and I think it's... Yeah, thank you for talking about that a bit, because it's nice to hear somebody who's gotten
11:25
success with a pattern like that, because there's many different patterns that I've been hearing about, even this weekend. So it's nice to get that reinforcement. I'd agree with that, because I do a lot of digital forensics, right? And you know, so I see a lot of Windows stuff come across and I see a lot of iOS stuff, and it's kind of difficult to
11:44
know, hey, you know, if I'm gonna dedicate some time to build up some skills, you know, so the broad base should be targeted, and I'm digging what you're throwing down there. Next question. Okay, so you showed how putting a zip file into the login items
12:01
that contains a plist with a launch agent, right? So does macOS really register launch agents on the creation of the file, in this case creating it via an unzip? Almost. So actually what it does is it automatically processes it on the next login.
12:22
So it doesn't trigger it right away on creation, but on the next login macOS will automatically just enumerate all the property lists that are created in the LaunchAgents directory, the same thing with launch daemons, and any property list it finds, it just runs it. So that's really kind of what we were able to leverage as a mechanism to get this kind of code execution outside the
12:47
sandbox. The only downside is you then have to kind of wait until the user re-logs in, but you know, I like to say, you know, humans are impatient, but our exploits and malware, you know, don't have to be, right? We drop this launch agent and we have to wait two or three days,
13:04
or even a week, until the user logs in and then we get a callback; like, so be it, right? Generally we're not in that rush. But it is interesting that macOS kind of automatically runs those, and it's something that we can, in this scenario, leverage to our own benefit. Sure. Follow-up from the same person; they asked: can the plist be anywhere on the file system?
13:30
No, it actually has to be in the LaunchAgents directory, which is either ~/Library/LaunchAgents or /Library/LaunchAgents.
13:41
So macOS will look in those specific directories. It looks for other items in other directories; for example, there are other launch daemon directories which it looks in for other property lists. But again, those have to be in those specific directories. Cool. So, you know, a lot of this starts by you talking about
14:03
macro attacks, and macro attacks have been popular on Windows for a long time. In fact, using macros inside of Office documents, and you and I are roughly the same age, that's how you would get out of, like, the Net Nanny kind of stuff, or get around the stuff that they put on
14:21
stuff at high school or middle school so you couldn't get on the internet, right? You know, yeah, session limitations is good. Well, it's fun now. So it is bananas to me that this stuff kind of persists now. Do you think that this is kind of a trend towards macro-based attacks on macOS, or
14:43
is this just kind of a situation where, you know, the guys there are, you know, if you've got a hammer in your hand, everything looks like a nail kind of situation? Yeah, I know, it's interesting, because I think what we see is two things happening. Macs are definitely becoming more prevalent, you know, we've seen this
15:01
especially in the consumer space, but now also in the enterprise space, and I think that's one of the reasons. This is very anecdotal to back this up, but you know, you go to a college campus even three or four or five years ago, everyone has Macs, right? And now those students have graduated or interned in the workforce. What do they want? They want Mac computers,
15:22
understandably so, right? So we're kind of starting to see growth of Macs in the enterprise as well. Apple obviously also pushes for Macs in the enterprise; you know, they're great hardware, software. So hackers are obviously very opportunistic, so as they see an increase in targets, they're obviously going to start.
15:43
So one of the things we see is hackers developing Mac-specific attacks, and you've seen this trend, I would say, in the last year or two, almost taking off. At the same time, in parallel, the other thing we see, and the macro is a great example, is Windows-based attackers or Windows-based malware that have had success on the Windows platform
16:04
porting those techniques over. So obviously, as you mentioned, macros on Windows have a very illustrious history, a lot of success. So those same attacks, you know, can work on macOS, so hackers are kind of like, hey,
16:20
we know how these macros work, we have the infrastructure, we have experience, why not target Mac users? So macros are probably the best example of a traditionally Windows infection vector, let's say, being ported over or brought over to macOS, I think in direct response to Macs increasing in the enterprise, because these macro-based attacks still require
16:43
Microsoft products, and the average consumer is probably going to be using Apple's office document apps, which aren't susceptible to macro-based attacks. Whereas in the enterprise, I think that's where we see the uptick in the installation of these Microsoft products on Macs, thereby opening the door for these macro-based attacks.
17:01
However, though, we also see, for example, adware, you know, that's been predominantly targeting Windows, you know, via Chrome on Windows or Edge or Internet Explorer, same kind of idea, right? Hackers, malware writers, have success on that and say, hey, we can port these to Mac pretty easily.
17:21
It's kind of cross-platform, these techniques and these malicious extensions we create, so, you know, why don't we start targeting Mac users, because they're growing in numbers. So we're definitely seeing more and more of these, kind of like old-school or very well-known Windows-based infection vectors and attacks, now kind of showing up targeting Macs.
17:43
And it's interesting, because I think Mac users maybe are at more risk, because, you know, it's like, what Mac user thinks that they can get a macro virus on their Mac? Like zero, right? Traditionally Apple's marketing has kind of put out the message that Macs are immune,
18:01
and so a lot of Mac users believe that. So whereas someone on a Windows computer might not open a Word document from a random email, a Mac user might. So hackers may be having a better success rate, actually, by targeting Mac users, you know, using these kind of well-known techniques that might not fly on Windows anymore. Right, or for that matter, not know that Office on the Mac can support some of that stuff
18:25
that would also be running over on the Windows side, right? You know, yeah, I wouldn't expect a PPK macro to just go ahead and run. Okay, that's crazy town. We love it. Yeah. Um, there was a little bit of a follow-up from jkbckr,
18:42
who asked the plist question. Um, I'll just pop this out here. Oh, I got it. The zip was placed in ~/Library and extracted to a folder called LaunchAgents with the plist inside, which is the current or the correct location for launch agents. Okay, so a quick follow-up, if that's okay:
19:02
does this only work if there was no LaunchAgents directory initially? Otherwise Archive Utility would rename that LaunchAgents too, right? Yes, and that's actually a really good point. So the reason this generally works is because on a default install of macOS, there is no LaunchAgents directory under the user's directory.
19:22
Um, so there is one in the /Library directory; you couldn't write to that location from the sandbox. So what we could do, though, is we could write to the user's Library directory, right, ~/Library, but with a specially crafted zip file there, and then Archive Utility would create the LaunchAgents directory for us, because again,
19:42
we could also not create or write a plist to that directory, because Microsoft patched specifically for that. So yes, if that LaunchAgents directory is already there, this specific attack avenue would fail. What we could possibly do, though, is create files in other locations and perhaps create a,
20:01
you know, .bashrc file or some other file that leads to code execution. Someone also mentioned perhaps you could do something with symlinks, so maybe symlink the, you know, put a, make a zip file with symlinks. I haven't really dug into that, but I think the fact that we can, outside the sandbox, create kind of arbitrary files,
20:23
the LaunchAgents path was really just the first one I tried that worked, but there might be other avenues that are more globally applicable that, for example, wouldn't fail if the LaunchAgents directory was already there. So that's a really good question and an excellent point to make.
20:42
Excellent, okay. We'll step back for a second. sneakernet has another question: are there any Apple-specific protocols you found really interesting? Protocols can be either in a process on the same system or between devices; an example is Sidecar between a laptop and an iPad.
21:00
Yeah, so they're actually... the IPC mechanisms in macOS are full of security vulnerabilities, or have been in the past. So one great example is just the handling of these custom URL schemes. So it turns out that if an application supports a file format
21:20
or supports a custom URL scheme, a custom URL scheme can be like blah://anything, you know, http would be one example, but applications can also create their own custom URL handlers as a kind of lightweight IPC mechanism, and this is used legitimately. If an application contains a custom URL handler, as soon as it hits the file system,
21:43
macOS actually parses that application and registers it as a custom URL handler. A URL can then be launched from the browser. Luckily, recent versions of browsers now will alert the user, basically saying, hey, a web page is trying to make a custom URL,
22:01
custom URL request, but in the past that was not the case. We actually saw the WindTail APT group abuse this technique to target Mac users specifically. So their exploit: you browse to a website, in the background it would download an application that handled a custom URL scheme, macOS would automatically register that
22:22
behind the scenes as soon as that application hit the file system. Their exploit code would then just make a URL request from the malicious website, which is totally legitimate, something you can do. macOS would look and say, hey, yeah, I have an application that can handle that, and then blindly and naively launch the malware which had just been downloaded.
22:43
So these custom URL schemes are kind of a Mac-specific protocol or an IPC mechanism where there are some interesting issues, especially in the past. I think my other favorite protocol or IPC mechanism is XPC. Ian Beer at Google has done some great work finding all sorts of vulnerabilities; some other Google Project Zero
23:06
researchers, like Brandon Azad, have found bugs as well. And basically XPC is just the way a client can talk to a, usually, privileged server, and so it's really good to kind of enumerate the API endpoints that the server has, and the biggest issue is usually it doesn't correctly validate the client,
23:24
which means once you're on the system, you perhaps can talk to a trusted service and do all sorts of nasty things. This is often, you know, application-specific, based on the XPC server, but Apple has had all sorts of issues here. So for example, the
23:41
well-known Rootpipe vulnerability was a great example. There was an XPC service running on macOS as root, and it would, I think, create arbitrary files and run arbitrary commands as root, and it didn't validate the client. So as soon as you were on the box, you could just send this XPC protocol request to this XPC service that was running and it'd be like, yeah,
24:04
I'll run whatever you say, and so it was like the easiest, best privilege escalation vulnerability there is. So XPC, great protocol, Apple-specific. I always look at what kind of servers and applications have an XPC interface and start auditing those, because oftentimes there's security issues there.
24:23
That's your big blinking red light, huh? Yeah, like, poke on that hard. Okay, so we have found ourselves in the last five minutes on this. If we have any more really good questions you want to drop in here, then please do. In the meantime, this is when I've taken to asking people if they have a general call to action,
24:44
something you would like us to take away from the presentation that you've done, something that you'd like us all to consider and move forward with. Yeah, I mean, I think, um, you know, this is probably obvious to anyone listening here, but a lot of Mac users think that Macs are infallible,
25:04
and this actually puts them at risk, because, you know, a lot of Windows users will maybe participate in best cyber-safe practices, whatever that means, you know, don't download random apps, click random links in emails, run random applications, whereas some macOS people are prone to do that a little more.
25:25
So, you know, just realizing Macs are just as hackable as Windows. It's an operating system, it runs code. So, uh, kind of just stick with that. The other thing, and this is kind of a self-plug, but it's for free content, so I don't feel bad. Uh, in my presentation I announced
25:42
the free macOS book series I'm working on. So if you go to taomm.org, The Art of Mac Malware dot org, I'm working on a free book about Mac malware analysis, so it talks a lot about infection vectors, these property lists, this XPC stuff. So if you're interested in, you know, Mac malware, vulnerability research,
26:04
check it out. It's all free. The content I've published, the first part of the first volume, is actually commentable, so, you know, if you see an error or you want to give some input, you can just add a little comment and I will add that into the content. And again, it's a free resource,
26:21
basically trying to help provide more information for the community so that we can combat kind of the rising tide of Mac malware that's definitely coming. Well, that's something I can look forward to as well. So thank you. If you would be so kind as to drop the URL for that in the track one chat, and if you are willing to do so, with any other
26:43
contact information for you, or a Twitter profile, or something you want people to follow, that'd be a good place for that. Yeah, and I'll put my Twitter. My DMs are open. Obviously I'm very passionate about this, I love to nerd out, talk about this. So any questions, shoot me at the end and we'll chat. So, excellent.
27:02
Thank you. That's, uh, we've gotten to the end of the questions in the live Q&A chat. I think that you've been a fantastic guest here, and we really appreciate your willingness to come and build a presentation and then spend some time with us in the Q&A.
27:21
So yeah, thank you. Like I said, it's always an honor to talk at DEF CON. I just feel super appreciative to be able to share my research with the DEF CON community. I mean, they're just, you know, the best. Well, we're the best because of the people who decide to come out and do this stuff. So thank you all. Seems like that's about all we have, so
27:42
um, anybody who wants to do any follow-up on this one, you will have some contact information showing up, and thank you all for showing up, and we'll do more later. Cool. See you guys later. Thanks for coming.