Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Teams for macOS Local Privilege Escalation

Csaba Fitzl - Offensive Security, posted 5 years ago
  • The Microsoft Teams application consists of a user-facing application and a privileged XPC helper. Historically, privileged XPC services on macOS have been high-value targets, since they run with elevated permissions.
  • The first issue is insecure validation of the sender of requests to the XPC helper. Only one specific application should ever be allowed to send it requests, and the correct way to enforce that is to identify the sender by its audit token. The application used the PID instead.
  • With a classic PID reuse attack, an attacker-controlled process can end up behind the PID that the helper has just validated. This allows an attacker to call the XPC daemon arbitrarily.
  • Another interesting issue was that the application carries the com.apple.security.cs.disable-library-validation entitlement. This means that any library inside the application bundle can be replaced with something else without being validated. Either this or the first issue can be used to take control of the daemon.
  • What do we target over the XPC connection? The target of the attack was the update mechanism. It properly validates the Microsoft signature, but it does not block installation of older versions with known vulnerabilities. Because of this, the attacker can install an older Auto Updater that is vulnerable to CVE-2020-0984 and exploit that known vulnerability.
  • Overall, XPC communication is difficult to get right: look over the entitlements of an application, and never forget about downgrade attacks.
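The PID-based check and its audit-token replacement described above, side by side, as an added example that is not code from Fitzl's post or from Microsoft. It is written against the public Security framework API on macOS; `xpc_connection_get_audit_token` is a private libxpc symbol that has to be declared by hand, and the bundle identifier and Team ID in the requirement string are placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <xpc/xpc.h>

// Private libxpc symbol; not declared in the public headers, so declare it here.
extern void xpc_connection_get_audit_token(xpc_connection_t conn, audit_token_t *token);

// PLACEHOLDER: the helper's real owner fills in its own bundle identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Shared tail: resolve a SecCodeRef from guest attributes and check it against the requirement.
static BOOL checkGuest(NSDictionary *attrs) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) return NO;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        // Validates the running code (dynamic validity), not just the file on disk.
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    CFRelease(code);
    return ok;
}

// WEAK: identifies the peer by PID. A PID is a recyclable number: the process that sent the
// message can exec so that a legitimately signed binary sits behind the same PID by the time
// the helper looks, which is the PID-reuse race the Teams helper fell to.
BOOL peerIsTrusted_pidBased(xpc_connection_t conn) {
    pid_t pid = xpc_connection_get_pid(conn);
    return checkGuest(@{ (__bridge id)kSecGuestAttributePid : @(pid) });
}

// HARDENED: identifies the peer by the Mach audit token the kernel attached to the message.
// It names the exact process instance (pid plus pidversion), so a recycled PID no longer passes.
BOOL peerIsTrusted_auditToken(xpc_connection_t conn) {
    audit_token_t token;
    xpc_connection_get_audit_token(conn, &token);
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    return checkGuest(@{ (__bridge id)kSecGuestAttributeAudit : tokenData });
}

// Handler wiring: drop any message whose sender does not pass the audit-token check.
void handleEvent(xpc_connection_t conn, xpc_object_t event) {
    if (xpc_get_type(event) != XPC_TYPE_DICTIONARY) return;
    if (!peerIsTrusted_auditToken(conn)) { xpc_connection_cancel(conn); return; }
    // ... dispatch the validated request ...
}
```

The audit-token check only proves which signed process sent the message; it still trusts whatever code runs inside that process, which is why the disable-library-validation entitlement on the client is a separate problem.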