Turning a MacBook into a Touchscreen Using the Webcam
> Our idea was to retrofit a small mirror in front of a MacBook’s built-in webcam, so that the webcam would be looking down at the computer screen at a sharp angle. The camera would be able to see fingers hovering over or touching the screen, and we’d be able to translate the video feed into touch events using computer vision.
Memory Unsafety in Apple's Operating Systems
> Rather than just talking about a single release, what if we aggregated the total memory unsafety-related vulnerability statistics in Apple’s two flagship operating systems: iOS and macOS?
> Across the entirety of iOS 12 Apple has fixed 261 CVEs, 173 of which were memory unsafety. That’s 66.3% of all vulnerabilities.
Bad UI: MacOS 10.14’s Software Update Release Notes
> The release notes for the 10.14.4 update are quite long, as you can see from the relative size of the scroll. That’s good — there’s a lot new in this update and the release notes should mention everything new or different. But the sheet containing the release notes can’t be resized. You see about 9 lines of text at a time, and there’s nothing you can do about it.
> Worse, the text can’t be selected, so you can’t even copy and paste it into TextEdit or some other app to read it comfortably. They even have URLs at the bottom of the note, pointing to support pages on apple.com which contain even more details about the update — but the URLs aren’t clickable. Can’t copy them, can’t click them — the only way to actually open these URLs is to retype them manually.
Death by vmmap
> In this blog post, we dug into why (on macOS Mojave) executing vmmap against launchd (pid 1) deadlocks the entire system. In short, after vmmap has suspended launchd it (indirectly) attempts to ‘call’ into launchd via XPC. As launchd has been suspended (by vmmap), everything grinds to a halt.
Deciphering the Messages of Apple’s T2 Coprocessor
> To discover and communicate with advertised services, the T2 exposes itself to macOS as a network interface, assigned as en6 on our lab machines. This macOS interface is configured for IPv6 with a universally static local address of fe80::aede:48ff:fe00:1122. The T2 exposes itself at a fixed IPv6 address of fe80::aede:48ff:fe33:4455.
> MacOS and the T2 communicate over a typical network stack, with a few notable exceptions. Ethernet frames are encapsulated within Mobile Broadband Interface Model (MBIM) packets for transmission over what we can therefore infer is a USB-based interface. For simple application-level messages, one MBIM frame will typically contain a single message, but for larger data transfers, multiple Ethernet frames will be encapsulated within each packet. This is somewhat ironic, as often a data transfer segment will be split into MTU-sized chunks at the TCP layer, only to be combined into a single packet at the MBIM layer.
> Above the TCP/IP layer, macOS and the T2 use the HTTP/2 protocol to open, and often maintain, persistent connections between different applications
Advanced Mac Substitute
> Advanced Mac Substitute is an API-level reimplementation of classic Mac OS. It runs 68K Mac applications in an emulator without an Apple ROM or system software.
> Unlike traditional emulators, Advanced Mac Substitute doesn’t emulate the hardware on which an operating system runs (except for the 680x0 processor), but actually replaces the OS — so it launches directly into an application, without a startup phase.
The design flaw behind MacBook Pro’s “stage light” effect
> Apple opted for thin, fragile flex cables as opposed to the beefier wire cables used in previous designs that could be routed through the hinge instead of wrapped around it, helping mitigate the stress of repeated openings and closings. But the bigger problem is that, in an apparent effort to make the display as thin as possible, Apple designed the cables as part of the display, so they cannot be replaced. This means that when (not if) those cables start to fail, the entire display unit needs to be replaced, as opposed to one or two little cables—effectively turning a $6 problem into a $600 disaster.
Secure Boot in the Era of the T2
> Today, we are continuing our series on Apple’s new T2 platform and examining the role it plays in Apple’s vision of Secure Boot. The T2 was first introduced with the release of the iMac Pro and has now found its way into every new 2018 Macbook Pro. This article covers the security properties and technical implementation details of what makes this platform unique.
An introduction to exploiting userspace race conditions on iOS
> Let’s walk through the discovery and exploitation of CVE-2018-4331, a race condition in the com.apple.GSSCred XPC service that could be used to execute arbitrary code inside the GSSCred process, which runs as root on macOS and iOS. The exploit, gsscred-race, targets iOS 11.2, although versions up through iOS 11.4.1 are vulnerable. This post will show how I discovered the bug, how I analyzed its exploitability, and how I developed a JOP program that allowed me to take control of the process.
Although in practice it’s maybe more interesting on macOS?
> On macOS, GSSCred runs outside of any sandbox, meaning once we get the task port we have unsandboxed arbitrary code execution as root.
Getting the iPad to Pro
> I have a near endless bag of these nits to share. For the last year I’ve kept a text file of all the walls I’ve run into using an iPad Pro as a pro machine. Is this all too pedantic? Maybe. But it’s also kind of fun. When’s the last time we’ve been able to watch a company really figure out a new OS in public?
Apple T2 Security Chip - Security Overview
Where the crypto happens.
Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251
> Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users.
> This mode allows configuring critical platform settings stored in one-time-programmable memory (FUSEs). These settings include those for BootGuard (the mode, policy, and hash for the digital signing key for the ACM and UEFI modules). Some of them are referred to as FPFs (Field Programmable Fuses).
> We analyzed several platforms from a number of manufacturers, including Lenovo and Apple MacBook Pro laptops. The Yoga and ThinkPad computers we examined did NOT have any issues related to Manufacturing Mode. But we found that Apple laptops on Intel chipsets are running in Manufacturing Mode. After this information was reported to Apple, the vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
Remote Mac Exploitation Via Custom URL Schemes
> Which also means custom URL scheme handlers:
> ■ are registered automatically by macOS as soon as an application (that “advertises” support for such handlers) hits the file-system
> ■ will trigger the execution of the (automatically registered) handler application, when the custom URL scheme is invoked
Kind of obvious in hindsight: making things too easy leads to runaway.
Apple’s Trillion-Dollar Fairy Tale, Warts and All
> Having had a front-row seat for what is surely the most ridiculous comeback in business history — I began covering the company when it couldn’t find a buyer willing to spend even $10 billion — I’d add two more key reasons for its success.
How I gained commit access to Homebrew in 30 minutes
> On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core.
Return of revenge of son of the cloud credentials.
How to Help Someone Confront their Prejudices
It’s true, but you can’t make me admit it.
> In this post, we shed some light on the process of weaponizing a vulnerability (CVE-2018-4192) in the Safari Web Browser to achieve arbitrary code execution from a single click of an unsuspecting victim. This is the most frequently discussed topic of the exploit development lifecycle, and the fourth post in our Pwn2Own 2018 series.
Apple iMac Pro and Secure Storage
> Given all of these changes, we wanted to explore how the T2 coprocessor was being used by Apple and how it currently fits into the larger system security model, as well as how this may evolve in the future. What follows is the first part of this exploration where we describe how the T2 coprocessor is used to implement Secure Boot on the iMac Pro, as well as comparing and contrasting this Secure Boot approach to those that have been present in Apple’s iDevices for a number of years.
MacOS monitoring the open source way
> Let’s say a machine in your corporate fleet gets infected with malware. How would you detect it? How could you find out what happened on the machine? What did the malware do? Did it steal your browser’s passwords? What network connections did the malware make? Was it looking for crypto currency? By having good telemetry and a good host monitoring solution for your machines you can collect the context necessary to answer these important questions.
Heap overflow in the necp_client_action syscall
> The following is a write-up of a heap overflow vulnerability found while fuzzing the macOS necp_client_action syscall. The necp_client_action syscall is part of the Network Extension Control Policy (NECP) kernel subsystem. This bug was first found in the XNU kernel version 4570.1.46 and was patched in the 10.13.4 kernel update (version 4570.51.1). Exercising the bug results in a heap overflow which can be turned into an information leak and eventually arbitrary code execution in the kernel.