It’s a breezy autumn night and I’m doing some research on my Mac while lazily flipping through volume one of “*OS Internals” by Jonathan Levin, specifically the chapter on the Mach-O file format. All of a sudden, a thought buds in my mind: “What if I can translocate one code signature blob from another, entitlements blob and all?” I put together a quick script in Python 3 using LIEF to translocate the code signature from Apple’s ps to Apple’s lldb. The process is killed by taskgated, the enforcer for anything to do with the task_for_pid() Mach trap.

A few more days of toying around and I can’t get it to work. I move on to a different project, and the macOS codesigning translocation “vulnerability” is left on my hard drive, to be revisited sometime later.

Several months later, as I am performing a source code audit of Apple’s Security.framework, the codesigning “vulnerability” pops into my head again. I figure, “What the hell, I’ll give it another shot.” And it continues to work for a good 40-or-so minutes, before the application suddenly starts dying when I try to execute it.

This is the story of how I “broke” macOS’ codesigning system, top to bottom.

Preface

Codesigning is an important part of the macOS security model, working in combination with a myriad of other systems such as TCC (Transparency, Consent, and Control), AMFI, SIP, and the mosaic of controls that is Security.framework. The codesigning machinery and its enforcement live in the kernel and the loader, dyld, and are scattered around Security.framework, alongside AppleMobileFileIntegrity.kext and amfid.

What you see in the above screenshot happened once, and only once, and has proven thus far to be impossible to replicate. I do know that my Mac was having trouble connecting to, but that’s not the only variable involved. From trustd experiencing undefined behavior to taskgated (seemingly) ignoring its job, there has yet to be an identifiable root cause that pins down why we were able to sign a binary with restricted entitlements and have it execute. (A possible root cause may have been discovered, but that’s explained below.)

It is far easier, however, to break the codesigning system and sign your binary as an Apple binary. But let’s get this straight: even though the machine will be aware that the LC_CODE_SIGNATURE load command is tainted, it will still execute. There are many other restrictions to this as well, including:

- macOS codesigning translocation cannot be used to bypass the hardened runtime.
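The translocation idea described above, copying one binary’s entitlements blob into another binary’s LC_CODE_SIGNATURE payload, and why the result is detectably tainted, as an added example that is not the post’s LIEF script: a pure-Python parser for the embedded-signature SuperBlob that checks the entitlements blob against CodeDirectory special slot -5. The two signatures it operates on are constructed in memory with fictional identifiers and entitlement keys (the real ps and lldb blobs are not reproduced), the CodeDirectory is a minimal version-0x20400 one, and the CMS signature blob is left out; blob layouts follow Apple’s cs_blobs.h.

```python
"""Parse the code-signature SuperBlob that LC_CODE_SIGNATURE points to and check that the
entitlements blob still matches CodeDirectory special slot -5 (layouts from cs_blobs.h)."""
import hashlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob wrapping all signature blobs
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # XML plist entitlements
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5                     # index type, and special slot -5 inside the CD
HASH_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # CS_HASHTYPE_SHA1 / CS_HASHTYPE_SHA256


def parse_superblob(data):
    """Return {slot_type: blob_bytes} for every entry in the SuperBlob index (big-endian)."""
    magic, _length, count = struct.unpack_from(">III", data, 0)
    assert magic == CSMAGIC_EMBEDDED_SIGNATURE, "not an embedded signature SuperBlob"
    blobs = {}
    for i in range(count):
        slot_type, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        blob_len = struct.unpack_from(">I", data, offset + 4)[0]  # every blob: magic, length
        blobs[slot_type] = data[offset:offset + blob_len]
    return blobs


def parse_code_directory(cd):
    """Extract identifier, hash parameters and the special-slot hashes from a CodeDirectory."""
    (magic, _length, version, _flags, hash_off, ident_off, n_special, n_code,
     _code_limit, hash_size, hash_type) = struct.unpack_from(">IIIIIIIIIBB", cd, 0)
    assert magic == CSMAGIC_CODEDIRECTORY, "not a CodeDirectory"
    ident = cd[ident_off:cd.index(b"\0", ident_off)].decode()
    # Special slots precede hashOffset: slot -1 is nearest to it, slot -n furthest away.
    special = {-n: cd[hash_off - n * hash_size: hash_off - (n - 1) * hash_size]
               for n in range(1, n_special + 1)}
    return {"identifier": ident, "version": version, "hash_type": hash_type,
            "hash_size": hash_size, "special": special, "n_code_slots": n_code}


def entitlements_slot_matches(superblob):
    """True when the entitlements blob hashes to CodeDirectory special slot -5.

    A translocated entitlements blob parses fine but fails here: the CD (and the CMS
    signature over the CD) still vouch for the blob the binary was signed with."""
    blobs = parse_superblob(superblob)
    cd = parse_code_directory(blobs[CSSLOT_CODEDIRECTORY])
    ent = blobs.get(CSSLOT_ENTITLEMENTS)
    expected = cd["special"].get(-CSSLOT_ENTITLEMENTS)
    if ent is None or expected is None:
        return False
    return HASH_ALGS[cd["hash_type"]](ent).digest()[:cd["hash_size"]] == expected


# --- builders used only to construct the sample signatures (toy, no CMS blob) ---
def build_entitlements_blob(plist_xml):
    return struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(plist_xml)) + plist_xml


def build_code_directory(identifier, entitlements_blob, code_hashes=()):
    """Version 0x20400 CodeDirectory, SHA-256, 5 special slots with only slot -5 populated."""
    hash_size, hash_type, n_special, header_len = 32, 2, 5, 88
    ident = identifier.encode() + b"\0"
    ident_off = header_len
    hash_off = ident_off + len(ident) + n_special * hash_size  # code slots start here
    length = hash_off + len(code_hashes) * hash_size
    special = [b"\0" * hash_size] * n_special
    special[n_special - CSSLOT_ENTITLEMENTS] = hashlib.sha256(entitlements_blob).digest()
    hdr = struct.pack(">IIIIIIIIIBBBBI", CSMAGIC_CODEDIRECTORY, length, 0x20400, 0, hash_off,
                      ident_off, n_special, len(code_hashes), 0, hash_size, hash_type, 0, 12, 0)
    hdr += struct.pack(">IIIQQQQ", 0, 0, 0, 0, 0, 0, 0)  # scatter, team, spare3, limit64, execSeg*
    return hdr + ident + b"".join(special) + b"".join(code_hashes)


def build_superblob(blobs):
    """Assemble {slot_type: blob} into a SuperBlob, recomputing every index offset."""
    items = sorted(blobs.items())
    index, body = b"", b""
    start = 12 + 8 * len(items)
    for slot_type, blob in items:
        index += struct.pack(">II", slot_type, start + len(body))
        body += blob
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, start + len(body), len(items)) + index + body


def translocate_entitlements(dst_sig, src_sig):
    """Drop src's entitlements blob into dst's SuperBlob, leaving dst's CodeDirectory untouched."""
    blobs = parse_superblob(dst_sig)
    blobs[CSSLOT_ENTITLEMENTS] = parse_superblob(src_sig)[CSSLOT_ENTITLEMENTS]
    return build_superblob(blobs)


def make_signature(identifier, plist_xml):
    ent = build_entitlements_blob(plist_xml)
    return build_superblob({CSSLOT_CODEDIRECTORY: build_code_directory(identifier, ent),
                            CSSLOT_ENTITLEMENTS: ent})


# Constructed inputs: fictional identifiers and entitlement keys, not Apple's real ones.
DONOR_ENT = b'<plist version="1.0"><dict><key>com.example.restricted</key><true/></dict></plist>'
TARGET_ENT = b'<plist version="1.0"><dict/></plist>'
SIG_DONOR = make_signature("com.example.donor", DONOR_ENT)
SIG_TARGET = make_signature("com.example.target", TARGET_ENT)
SIG_TAINTED = translocate_entitlements(SIG_TARGET, SIG_DONOR)

if __name__ == "__main__":
    for name, sig in (("donor", SIG_DONOR), ("target", SIG_TARGET), ("target+donor ents", SIG_TAINTED)):
        cd = parse_code_directory(parse_superblob(sig)[CSSLOT_CODEDIRECTORY])
        print(f"{name:18} ident={cd['identifier']:20} slot -5 matches: {entitlements_slot_matches(sig)}")
```

Run it and the donor and target signatures verify while the transplanted copy fails, even though every blob in it still parses. Patching slot -5 by hand would not help on a real binary: the CMS blob (not modelled here) signs the CodeDirectory itself, so the mismatch only moves one layer up. What the system then does with a binary whose signature no longer validates depends on its code-signing flags and on who is asking (the kernel, AMFI, taskgated), which is exactly the territory the post is about.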