Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bad things come in large packages: .pkg signature verification bypass on macOS

sector7, posted 3 years ago
  • Code signing applications is an essential part of the macOS security model. Being able to bypass signing and verification steps would be a major flaw in the system, leading to users being at risk.
  • Installer packages (.pkg) are the files used to install the actual software, and they are typically signed as well. An installer package is simply a xar archive. A xar file contains three parts:
    1. Header: A header of the fields. Includes a hash and the size of the next section.
    2. Table of Contents (TOC): A zlib-compressed XML document that lists each file in the archive.
    3. Heap: Holds the information about the package, signing information and a few other things.
  • When verifying a signed package, two checks need to pass: the calculated TOC hash must equal the one stored in the heap, and the signature + certificate must cover that TOC hash. Are the heap offsets used for these two checks computed the same way? Not exactly! We have a C parsing bug!
  • The checksum offset value from the XML document is loaded as a 64-bit integer. When obtaining the TOC hash for validating the signature, a 32-bit integer is used instead. This difference in the offset value means the signature check can be pointed at a different heap location than the TOC hash check! For instance, 0x1 0000 0000 stays 0x1 0000 0000 as a 64-bit value but truncates to 0x0 as a 32-bit value.
  • How do we actually do this?
    1. Take a legit and properly signed xar file.
    2. Change the checksum offset to a number larger than the 32-bit int max. Make the changes after this point.
    3. Write the TOC back to the file and compute the new TOC hash. This is the first check.
    4. Add padding to the heap until its size reaches the 32-bit maximum.
    5. Place the new TOC hash at the heap offset of 32-bit max, leaving the original TOC hash at the heap offset.
  • Why is this useful? First, System Integrity Protection can be bypassed using this bug: by modifying an Apple-signed package that carries high TCC permissions, it can be abused to read sensitive information or modify the kernel. Secondly, the Gatekeeper verification (the check against known malware) is broken too. They also found that it was possible to escalate privileges in several popular applications.
  • The fix was simply to change the 32-bit integer to a 64-bit integer. A similar vulnerability was found in 2010 as well. Overall, a super fun post on the hazards of parsing differences.
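To make the 64-bit vs 32-bit offset mismatch concrete, here is an added checker (my own example code, not from the Sector 7 post or Apple's xar) that parses a xar header and TOC and flags a TOC checksum offset that does not survive truncation to 32 bits. It builds a constructed, minimal xar-style archive inline rather than a real .pkg; the header layout and the TOC `<checksum><offset>` element are the standard xar ones, and the SHA-1 over the compressed TOC is what a real xar stores in the heap.

```python
import hashlib
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = b"xar!"
# magic, header size, version, TOC compressed len, TOC uncompressed len, checksum alg
HEADER_FMT = ">4sHHQQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes, all fields big-endian


def build_xar(toc_offset: int, payload: bytes = b"") -> bytes:
    """Constructed sample archive: header + zlib TOC + heap (not a real .pkg).
    The heap holds the SHA-1 of the *compressed* TOC, as real xar files do."""
    toc_xml = (
        '<xar><toc><checksum style="sha1">'
        f"<offset>{toc_offset}</offset><size>20</size>"
        "</checksum></toc></xar>"
    ).encode()
    toc_z = zlib.compress(toc_xml)
    header = struct.pack(HEADER_FMT, XAR_MAGIC, HEADER_LEN, 1,
                         len(toc_z), len(toc_xml), 1)
    return header + toc_z + hashlib.sha1(toc_z).digest() + payload


def check_toc_offset(data: bytes) -> dict:
    """Read the checksum offset as the 64-bit value the TOC carries and compare
    it with its low 32 bits. If they differ, a TOC hash check and a signature
    check that disagree on integer width would read different heap locations."""
    magic, hdr_size, _ver, toc_clen, toc_ulen, _alg = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive")
    toc_z = data[hdr_size:hdr_size + toc_clen]
    toc_xml = zlib.decompress(toc_z)
    if len(toc_xml) != toc_ulen:
        raise ValueError("TOC length mismatch")
    root = ET.fromstring(toc_xml)
    offset64 = int(root.findtext("toc/checksum/offset"))
    size = int(root.findtext("toc/checksum/size"))
    offset32 = offset64 & 0xFFFFFFFF
    heap = hdr_size + toc_clen
    stored = data[heap + offset64:heap + offset64 + size]
    return {
        "offset64": offset64,
        "offset32": offset32,
        "offset_fits_32bit": offset64 == offset32,   # False => flag the package
        "toc_hash_ok": stored == hashlib.sha1(toc_z).digest(),
    }
```

A benign archive reports `offset_fits_32bit` True and `toc_hash_ok` True; an archive whose offset is 0x1 0000 0000 reports `offset32` of 0 and is flagged, without needing a multi-gigabyte heap to be present.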