![]() “The codesign command is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.” The man page for codesign, codesign(1), explains it concisely: It all starts with a single binary however, aptly named codesign. jar files.īefore we break down the vulnerability, here’s the proof of concept:Īs stated before, codesigning is handled by a myriad of systems in the operating system – from the kernel, to AMFI, to taskgated, and the greater amework. A bit more of an issue than Gatekeeper, as people will care more about their network monitor than Gatekeeper and its incessant warning on Java. Little Snitch, however, catches the binary as not being signed. Second, a binary with no entitlements blob in its code signature will be allowed to execute regardless. There’s two caveats: a binary with -task-allow, when resigned with restricted entitlements (thusfar only -task-ports and task_for_pid-allow have been tested) the binary will be able to execute with those restricted entitlements within a grace period of around 40 minutes. Obviously AMFI isn’t enforcing anything at this point. While writing this article, lightning has struck twice. You can, however, still perform it with dd and otool. macOS codesigning translocation cannot be performed on “fat” (Universal) Mach-O or AArch64 binaries due to Apple’s additions to the ISA and the library (LIEF) being used to perform this.A binary with a LC_CODE_SIGNATURE LoadCommand with entitlements marked as tainted will be killed by taskgated, barring a few exceptions.If deployed to a foreign computer via a web download, it is still subject to the normal xattrs applied during download (), and thus the annoying prompt that almost everyone ignores.The operating system will recognize the code signature blob as tainted and therefore invalid, thus entitlements (should not) work.macOS codesigning translocation cannot (normally) use any entitlements associated with task ports.dyld enforces this, and will kill the process. macOS codesigning translocation cannot be used to bypass the hardened runtime.There are many other restrictions to this as well, including: But let’s get this straight: even though the machine will be aware that the LC_CODE_SIGNATURE LoadCommand is tainted, it will still execute. ![]() It is far easier, however, to break the codesigning system and sign your binary as an Apple binary. (A possible root cause may have been discovered, but that’s explained below.) From trustd experiencing undefined behavior to taskgated (seemingly) ignoring its job, there has been yet to be an identifiable root cause that can pin down why we were able to sign a binary with restricted entitlements and have it execute. I do know that my Mac was having trouble connecting to, but that’s not the only variable involved. What you see in the above screenshot happened once, and only once, and has proven thus far to be impossible to replicate. alongside AppleMobileFileIntegrity.kext and amfid. The framework for codesigning and that which enforces it resides mainly within the loader, dyld, and is scattered around amework. PrefaceĬodesigning is an important part of the macOS security model, in combination with a myriad of other systems, such as TCC (Transparency, Control, and Consent), AMFI, SIP, and the mosaic of controls that is amework. This is the story of how I “broke” macOS’ codesigning system, top to bottom. And it continues to work for a good 40-or so minutes, before the application suddenly starts dying when I try to execute it. I figure, “What the hell, I’ll give it another shot.” Several months later, as I was performing a source code audit of Apple’s amework, the codesigning “vulnerability” pops into my head again. I move on to a different project and the macOS codesigning translocation “vulnerability” is left on my hard drive, to be revisited sometime later. A few more days of toying around and I can’t get it to work. The process is killed by taskgated, the enforcer for anything to do with the task_for_pid() syscall. I put together a quick script in Python 3 using LIEF to translocate the code signature from Apple’s ps to Apple’s lldb. All of a sudden, a thought buds in my mind: “What if I can translocate one code signature blob from another, entitlements blob and all?” It’s a breezy autumn night and I’m doing some research on my Mac while lazily flipping through volume one of “*OS Internals” by Johnathan Levin, specifically the chapter on the Mach-O file format.
0 Comments
Leave a Reply. |