macOS has too many things going on for its own good: far too much to analyze statically. So the author built a tool that picks out FDA-entitled (Full Disk Access) apps and runs a syscall trace on each of them. While looking for code that reads files and environment variables, he noticed some scary hits. The article is about the scan that led to a bug.
The environment variable MTL_DUMP_PIPELINES_TO_JSON_FILE is read by the Metal framework, which many macOS programs use. When it is set, the current application opens the file at that path and writes pipeline data to it. Pretty simple!
How does this work? Courtesy of the fs_usage command:
- A temporary file is opened with the open() syscall.
- write() is called to write the data to that temporary file.
- rename() is called to move the temporary file onto the path we control.
Renaming a temporary file into place like this is not safe. Why? There is a race window between opening the temporary file and moving its data into place, because the destination path is resolved again at rename() time: a classic time-of-check vs. time-of-use (TOCTOU) bug. By swapping the path for a symlink to something else at the right moment, we can cause major havoc!
Even better, we can control the data being written by catching the temp-file creation when it happens, so by the time the rename occurs we control the contents of the file. Between controlling the data and the rename TOCTOU, we can write arbitrary data to an arbitrary location. Pretty neat!
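To make the unsafe pattern concrete from the defender's side, here is an added example (not code from the original post, and not Apple's Metal implementation) of how a program can perform the same open()/write()/rename() sequence without re-resolving a user-controlled path at each step: the directory is opened once with O_NOFOLLOW into a descriptor, and the temp-file creation, the write and the rename all go through openat()/renameat() relative to that descriptor, so a symlink swapped in during the window no longer redirects where the final file lands. safe_write_file and read_file are hypothetical names, the ownership/permission check is a defensive assumption, and none of this changes the larger point that an entitled process should not honor an arbitrary destination path from an environment variable in the first place.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the original post): atomically write `len`
 * bytes of `data` to <dir>/<name>. The directory is resolved exactly once into
 * a descriptor; the temp-file create, the write and the rename all happen
 * relative to that descriptor, so replacing a path component with a symlink
 * between open() and rename() can no longer change where the file lands.
 * Returns 0 on success, -1 with errno set on failure. */
int safe_write_file(const char *dir, const char *name,
                    const char *data, size_t len)
{
    /* O_NOFOLLOW: refuse outright if the directory itself is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* Defensive assumption: only write into a directory we own that others
     * cannot write to; world-writable directories are where races are staged. */
    struct stat st;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & S_IWOTH)) {
        close(dfd);
        errno = EACCES;
        return -1;
    }

    /* Create the temp file relative to dfd, exclusively, never through a link. */
    char tmp[256];
    if (snprintf(tmp, sizeof tmp, ".%s.%ld.tmp", name, (long)getpid()) >= (int)sizeof tmp) {
        close(dfd);
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = openat(dfd, tmp,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        close(dfd);
        return -1;
    }

    /* write() may return short counts, so loop until everything is out. */
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlinkat(dfd, tmp, 0);
            close(dfd);
            return -1;
        }
        done += (size_t)n;
    }
    close(fd);

    /* Both ends of the rename are relative to the pinned directory. */
    if (renameat(dfd, tmp, dfd, name) < 0) {
        unlinkat(dfd, tmp, 0);
        close(dfd);
        return -1;
    }
    close(dfd);
    return 0;
}

/* Small reader used to check the result; returns bytes read or -1. */
ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

int main(void)
{
    char dir[] = "/tmp/safewrite.XXXXXX";          /* constructed scratch directory */
    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    const char *payload = "{\"pipelines\": []}";   /* constructed dump contents */
    if (safe_write_file(dir, "dump.json", payload, strlen(payload)) < 0) {
        perror("safe_write_file");
        return 1;
    }
    char path[512];
    snprintf(path, sizeof path, "%s/dump.json", dir);
    char buf[128] = {0};
    ssize_t n = read_file(path, buf, sizeof buf - 1);
    printf("wrote %zd bytes to %s: %s\n", n, path, buf);
    return 0;
}
```

The descriptor is what matters: once dfd is held, nothing that happens to the path string afterwards (a directory replaced by a symlink, a parent renamed) affects where openat() and renameat() operate, which is exactly the window the rename-into-place pattern on the page leaves open when it re-resolves the path.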
How does the author go about exploiting this?
- Create a symlink that points to the Apple TCC directory.
- Create a directory at an attacker-controlled location.
- With the vulnerable app running, set the vulnerable environment variable to a file inside our temporary directory.
- Catch the open() of the temporary file in that directory and write our malicious TCC database to it.
- Flip the symlink target back and forth until the rename executes.
- Wait and see whether we won the race.
With some luck, the TCC.db file is overwritten with our own! It's a pretty slick bug that exploits the complexity hiding in the rename syscall. Apple fixed this by removing most of the Metal environment variables.