mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-12 21:28:55 +00:00
104 lines
7 KiB
Markdown
# macOS XPC Connecting Process Check

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## XPC Connecting Process Check

When a connection is established to an XPC service, the server will check if the connection is allowed. These are the checks it would usually perform:

1. Check if the connecting **process is signed with an Apple-signed** certificate (only given out by Apple).
   * If this **isn't verified**, an attacker could create a **fake certificate** to match any other check.
2. Check if the connecting process is signed with the **organization’s certificate** (team ID verification).
   * If this **isn't verified**, **any developer certificate** from Apple can be used to sign a client that connects to the service.
3. Check if the connecting process **contains a proper bundle ID**.
4. Check if the connecting process has a **proper software version number**.
   * If this **isn't verified**, an old, insecure client vulnerable to process injection could be used to connect to the XPC service even with the other checks in place.
5. Check if the connecting process has an **entitlement** that allows it to connect to the service. This is applicable for Apple binaries.
6. The **verification** must be **based** on the connecting **client’s audit token** **instead** of its process ID (**PID**), since the former prevents PID reuse attacks.
   * Developers rarely use the audit token API call since it’s **private**, so Apple could **change** it at any time. Additionally, private API usage is not allowed in Mac App Store apps.

For more information about the PID reuse attack check:

{% content-ref url="macos-pid-reuse.md" %}
[macos-pid-reuse.md](macos-pid-reuse.md)
{% endcontent-ref %}

### Trustcache - Downgrade Attacks Prevention

Trustcache is a defensive mechanism introduced on Apple Silicon machines that stores a database of the CDHashes of Apple binaries, so that only allowed, unmodified binaries can be executed. This prevents the execution of downgraded versions.

### Code Examples

The server will implement this **verification** in a function called **`shouldAcceptNewConnection`**.

{% code overflow="wrap" %}
```objectivec
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Check connection
    return YES;
}
```
{% endcode %}

The NSXPCConnection object has a **private** property **`auditToken`** (the one that should be used, but it could change) and the **public** property **`processIdentifier`** (the one that shouldn't be used).

The connecting process could be verified with something like:

{% code overflow="wrap" %}
```objectivec
[...]
SecRequirementRef requirementRef = NULL;
// The Team ID is carried in the OU of the leaf certificate, not in its CN
NSString *requirementString = @"anchor apple generic and identifier \"xyz.hacktricks.service\" and certificate leaf[subject.OU] = \"TEAMID\" and info[CFBundleShortVersionString] >= \"1.0\"";
/* Check:
- Signed by a cert signed by Apple
- Check the bundle ID
- Check the TEAMID of the signing cert
- Check the version used
*/

// Build the requirement and evaluate it against the client's SecCodeRef (`code`)
OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)requirementString, kSecCSDefaultFlags, &requirementRef);
if (status != errSecSuccess) {
    return NO;
}
status = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirementRef);
CFRelease(requirementRef);
if (status != errSecSuccess) {
    return NO; // The client does not satisfy the requirement
}
```
{% endcode %}

If a developer doesn't want to check the version of the client, they could at least check that the client is not vulnerable to process injection:

{% code overflow="wrap" %}
```objectivec
[...]
CFDictionaryRef csInfo = NULL;
// Dynamic signing information carries the code-signing status flags reported by the kernel
if (SecCodeCopySigningInformation(code, kSecCSDynamicInformation, &csInfo) != errSecSuccess) {
    return NO;
}
uint32_t csFlags = [((__bridge NSDictionary *)csInfo)[(__bridge NSString *)kSecCodeInfoStatus] unsignedIntValue];
CFRelease(csInfo);
const uint32_t cs_hard = 0x100; // Don't load invalid pages
const uint32_t cs_kill = 0x200; // Kill process if a page is invalid
const uint32_t cs_restrict = 0x800; // Prevent debugging
const uint32_t cs_require_lv = 0x2000; // Library Validation
const uint32_t cs_runtime = 0x10000; // Hardened runtime
// Both flags must be set; a plain bitwise AND would accept a client with only one of them
if ((csFlags & (cs_hard | cs_require_lv)) == (cs_hard | cs_require_lv)) {
    return YES; // Accept connection
}
```
{% endcode %}
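
The fragments above each show one piece of the check. The following is an added example (not HackTricks' code) that puts them together in a single `shouldAcceptNewConnection` implementation: it resolves the client's `SecCodeRef` from the connection's audit token rather than its PID, evaluates the signing requirement, and then requires the hardened-runtime and library-validation status flags. The category exposing the private `auditToken` property, the `xyz.hacktricks.client` identifier, the `TEAMID` placeholder and the `ServiceDelegate` class name are assumptions; the `CS_*` values are taken from the kernel's `cs_blobs.h`.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>

// Code-signing status flags as defined in the kernel headers (cs_blobs.h)
static const uint32_t kCsHard      = 0x100;   // CS_HARD
static const uint32_t kCsRequireLv = 0x2000;  // CS_REQUIRE_LV
static const uint32_t kCsRuntime   = 0x10000; // CS_RUNTIME

// Placeholder requirement: replace the identifier and TEAMID with the real client values
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"xyz.hacktricks.client\" "
     "and certificate leaf[subject.OU] = \"TEAMID\" "
     "and info[CFBundleShortVersionString] >= \"1.0\"";

// Assumption: NSXPCConnection's auditToken is a private property, exposed here via a
// category so it can be called; Apple may change or remove it.
@interface NSXPCConnection (AuditTokenPrivate)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

@interface ServiceDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation ServiceDelegate

// Resolve the client's code object from its audit token (not its PID) so the identity
// being verified cannot be swapped out by a PID-reuse race.
static SecCodeRef CopyClientCode(NSXPCConnection *connection) {
    audit_token_t token = connection.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef code = NULL;
    OSStatus status = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                     kSecCSDefaultFlags, &code);
    return status == errSecSuccess ? code : NULL;
}

// Evaluate the signing requirement: Apple anchor, bundle ID, Team ID and minimum version.
static BOOL ClientSatisfiesRequirement(SecCodeRef code) {
    SecRequirementRef requirement = NULL;
    OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                                     kSecCSDefaultFlags, &requirement);
    if (status != errSecSuccess) return NO;
    status = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement);
    CFRelease(requirement);
    return status == errSecSuccess;
}

// Reject clients that could be injected into: require CS_HARD, library validation and
// the hardened runtime in the kernel-reported status flags (all three, not any one).
static BOOL ClientIsHardened(SecCodeRef code) {
    CFDictionaryRef info = NULL;
    if (SecCodeCopySigningInformation(code, kSecCSDynamicInformation, &info) != errSecSuccess) return NO;
    NSNumber *status = ((__bridge NSDictionary *)info)[(__bridge NSString *)kSecCodeInfoStatus];
    uint32_t flags = status.unsignedIntValue;
    CFRelease(info);
    const uint32_t required = kCsHard | kCsRequireLv | kCsRuntime;
    return (flags & required) == required;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    SecCodeRef code = CopyClientCode(newConnection);
    if (code == NULL) return NO; // No verifiable identity, no connection
    BOOL accept = ClientSatisfiesRequirement(code) && ClientIsHardened(code);
    CFRelease(code);
    if (!accept) {
        // The PID is used only for logging here, never for the decision itself
        NSLog(@"Rejected XPC connection from pid %d", newConnection.processIdentifier);
        return NO;
    }
    return YES;
}

@end
```

The order matters: the `SecCodeRef` is obtained once from the audit token and both the requirement and the status flags are evaluated against that same object, so every check refers to the process that actually holds the connection.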