Make sure it's not just me who's seeing it. They should see the three of us.

Oh, yeah, I see us. You see us.

Yeah, I just went to the Twitch.

Oh, excellent. Which Twitch stream? I hear myself now, too.

Okay, it's fantastic. We are a professional organization here on Friday night. We're gonna chalk that up to my fault, okay? Yeah.

Welcome to Q&A with Patrick Wardle. We are going to be talking about some macOS stuff and some stuff kind of adjacent to Microsoft Office. I am Jurist, and the other guy that you see here is Fallible, and we're gonna be helping ask Patrick some questions this evening. It's good to see you all in the chat. Patrick, why don't you take a minute to introduce yourself to everybody, because I knew that in your talk you kind of dove right into your content. So take a minute, say hello to everybody, tell us a little bit about yourself.

Sure. Well, my name is Patrick Wardle. I am a principal security researcher at Jamf, but also the creator of the Mac security website and tool suite Objective-See. I have been fortunate enough to talk at a few DEF CONs in the past. It's always my favorite event to talk and nerd out at. This year, virtual, you know, bummer, we didn't all get to hang out together in Vegas, but it's important we're all staying safe and healthy, and actually connecting online is kind of super hackerish. So I'm stoked you're all here to chat a little bit more about my talk in the open Q&A.

Again, welcome. Well, thank you for being here. We really appreciate it, and it's nice to get some folks who want to come and present this way. So, SneakerNet gave us what they're considering to be a softball question: is SYLK the only old file format you've come across? Is there a way to programmatically scan macOS apps for what kind of files they handle, entitlements, particular API usage?

Yeah, so that's a great question.
The first place I would look is in something called the Launch Services database, and you can enumerate this with the lsregister command. What it will basically do is dump all the file type and application associations on your macOS system. So, for example, you can see what applications have registered for HTML, what applications have registered to handle .doc documents, and, in this case, what type of applications perhaps support these. So that's kind of where I would start; it gives you a global overview of that. So if you just Google the lsregister macOS command, you run it with a -dump flag and it'll dump the database.

You can also look at an application's Info.plist file, which is something that all applications have, and in there they can have a set, actually an array of dictionaries, of key-value pairs that kind of tell the operating system what type of applications, sorry, what kind of files they support. And this is actually how that database gets populated. So, for example, Microsoft Office lists the .doc files and file formats it supports. Obviously a browser will have a large list including HTML files, probably PDFs, etc.
That's a great place to start, because then you can see the file formats, and then I would look at the more esoteric or unrecognized ones and start fuzzing or playing with those. Because, as I kind of mentioned in my talk, the reason that this vulnerability existed, specifically the automatic execution of macros, was that Microsoft actually has two separate code paths for handling macros based on these file types. Obviously the main one for documents, and then a whole separate archaic code path that probably no one ever looked at for these older file formats. It's always a good idea to look for these more esoteric, ancient file formats, because there's a lot of security bugs there; they were created in a time when security wasn't really...

Any time an afterthought gets pulled forward into what's happening now is probably an interesting space.

Exactly.

Cool. Next question coming in, also from SneakerNet. Is there a way to programmatically scan Mac apps? Oh, we did that already. Let's see here. Have you considered trying to do something similar to this kind of research with iPadOS or any other kind of non-Windows OS or mobile OS?

That's a great question. I predominantly focus on Mac for two reasons. First, my personal opinion is it's really good to get really niche in whatever area interests you. That's just something that I found to kind of have a lot of success with in my security career. The other fact, and I guess I will admit this, is hacking Mac is far simpler than hacking the iOS operating system or iPadOS.
Largely this is just because of how locked down that operating system is. So I think there has been some research done in the past based on, you know, custom URL handling, which is largely how applications and certain file formats are kind of connected in a way on iOS. But, you know, even if you found some interesting issues there, you would have to break out of the sandbox and then deal with a lot of the extra constraints that iOS and iPadOS kind of stack on top. With macOS you really don't have to worry about too much. I mean, you did have to find a new sandbox escape, but you showed that was pretty trivial to do, and there's been kind of a history of that. So, you know, the TL;DR: iOS is just really a hard target, so I'll probably just stick to Macs for now.

So that's an interesting statement, though, that you found that getting really niche is the thing that helps you continue to find new, interesting vulnerabilities, so you're keeping your target list really small. Can you talk about that any more, and some of the strengths that that's bringing you, and can you think of anything that you're missing?
Maybe if there was one more thing you wanted to add?

Yeah, you know, that's something that, as I grow older and wiser, resonates really well with me. So, you know, a long time ago I used to work at the NSA, the National Security Agency, everyone's favorite US government spy agency, and I remember when I got there I was an intern, and in the intro program you kind of bounce around different offices, kind of sampling different activities, let's say. I remember thinking how I wanted to be good at all of this, like crypto and, like, malware and writing Windows exploits and hacking satellites, like all the really cool stuff the NSA does. And I got to the point where I was like, you know, it's just impossible to have depth in so much breadth. So I said, look, I'm gonna kind of focus on one specific thing. And actually it was only when I left the NSA that I really started focusing on Macs. The reason for that was, at the NSA I did predominantly Windows stuff, and so when I left I wanted to still use my foundational skills of reverse engineering, vulnerability discovery, exploit development, but I didn't want to do it on the same platform I was kind of poking around with at the NSA. It's just good not to cross any lines, and, you know, you don't want to piss off the NSA. So, hey, look, let me focus on Mac.
I can use my same skill sets, but it's a separate platform, so I won't step on any toes. And moving forward with that, I really kind of doubled down on that, and it really allowed me to get a lot of depth in the topic. I've noticed, for, you know, finding new vulnerabilities, giving conference talks, at least for me, having that depth has really allowed me to become, you know, somewhat of an expert in the space, I would say, and allowed me to really dig more into maybe the more esoteric parts of the operating system where a lot of vulnerabilities lie. Whereas if I was trying to do that across maybe multiple operating systems and multiple platforms, it's just, I think, impossible to gain as much depth. So that's something that's just really worked for me.

I would say the one downside is sometimes you might miss attacks that work on one platform that might have a conceptually similar vulnerability on macOS. One great example I can think of is DLL or dylib hijacking. It was a very common kind of attack scenario on Windows, and, you know, when I was still kind of coming into the Mac space, I decided to see if macOS was vulnerable, at least conceptually, to the idea of hijacking dynamic libraries based on search patterns. Turned out it was, and I just happened to be the first person that kind of dug into that and talked about it. So I still think it's good to keep your eyes and ears open and see what other research other people are doing, just to be inspired, and then kind of say, hey, is this something I can bring into my platform? But again, I've had a lot of success really focusing just on one platform, you know, macOS, not even iOS as much. So again, to me, that's worked really well.

Yeah, thank you for talking about that a bit, because it's nice to hear from somebody who's gotten a lot of success with a pattern like that, because there's many different patterns that I've been hearing about even this weekend.
So it's nice to get that reinforcement.

Yeah, I would agree with that, because I do a lot of digital forensics, right? And, you know, so I see a lot of Windows stuff come across and I see a lot of iOS stuff, and it's kind of difficult to know, you know, if I'm gonna dedicate some time to build up some skills, whether the broad base should be targeted. And I'm digging what you're throwing down there.

Next question, okay. So you showed how putting a zip file into the Library, that in turn contains a plist with a launch agent, right? So does macOS really register launch agents on the creation of the file, in this case creating it via an unzip?

Actually, what it does is it automatically processes it on the next login. So it doesn't trigger it right away on creation, but on the next login macOS will automatically just enumerate all the property lists that were created in the LaunchAgents directory. It does the same thing with launch daemons. Any property list it finds, it just runs it. So that's really kind of a neat thing that we were able to leverage as a mechanism to get this kind of code execution outside the sandbox. The only downside is we then have to kind of wait until the user re-logs in. But, you know, I like to say humans are impatient, but our exploits or malware, you know, don't have to be, right? We drop this launch agent and we have to wait two or three days, or even a week, until the user re-logs in, and then we get a callback. Like, so be it, right? Generally we're not in that much of a rush. But it is interesting that macOS kind of automatically runs those, and it's something that we can, in this scenario, leverage to our own benefit.

Sure. Follow-up from the same person. They asked: does it run any plist it can find on the file system?

No, it actually has to be in the LaunchAgents directory, which is either ~/Library/LaunchAgents or /Library/LaunchAgents. So macOS will look in those specific directories.
It looks for other items in other directories, for example there are other launch daemon directories which it looks in for other property lists, but again, those have to be in those specific directories.

Cool. So, you know, a lot of this starts by you talking about macro attacks, and macro attacks have been popular on Windows for a long time. In fact, using macros inside of Office documents, and you and I are roughly the same age, that's how you would get out of like the Net Nanny kind of stuff, or get around the stuff that they put on the computers at high school or middle school so you couldn't get on the, right, you know... Yeah. Well, it's fine now. So it is bananas to me that this stuff kind of persists now. Do you think that this is kind of a trend towards macro-based attacks on macOS, or is this just kind of a situation where, you know, if you've got a hammer in your hand, everything looks like a nail?

Yeah, no, it's interesting, because I think what we see is two things happening. Macs are definitely becoming more prevalent. You know, we've seen this especially in the consumer space, but now also in the enterprise space, and I think that's one of the reasons. This is very anecdotal, I don't necessarily have data to back this up, but, you know, you go to a college campus even three or four or five years ago, everyone has Macs, right? And now those students have graduated or entered the workforce. What do they want? They want Mac computers, understandably so, right? So we're kind of starting to see growth in the enterprise of Macs as well. Apple obviously also pushes for Macs in the enterprise, you know, they're great hardware, great software. So hackers are obviously very opportunistic.
So as they see an increase in targets, they're obviously going to start. So one of the things we see is hackers developing Mac-specific attacks, and we've seen this trend, I would say, in the last year or two almost taking off. At the same time, in parallel, the other thing we see, and macros are a great example, is Windows-based attackers or Windows-based malware that have had success on the Windows platform kind of porting those techniques over. So obviously, as you mentioned, macros on Windows have a very illustrious history, a lot of success. So those same attacks, you know, can work on macOS, so hackers are kind of like, hey, we know how these macros work, we have the infrastructure, we have experience, why not target Mac users? So macros are probably the best example of a traditionally Windows infection vector, let's say, being ported over or brought over to macOS, I think in a direct response to Macs increasing in the enterprise, because these macro-based attacks still require Microsoft products, and the average consumer is probably going to be using Apple's office document apps, which aren't susceptible to macro-based attacks. Whereas in the enterprise, I think that's where we see the uptick in the installation of these Microsoft products on Macs, thereby opening the door for these macro-based attacks.

However, though, we also see, for example, adware, you know, that's been predominantly targeting Windows, you know, Chrome on Windows, or Edge, or Internet Explorer. Same kind of idea, right?
Hackers and malware writers have success on that and say, hey, we can port these to Mac pretty easily. Well, it's kind of cross-platform, these techniques and these malicious extensions we've created. So, you know, why don't we start targeting Mac users, because they're growing in numbers? So we're definitely seeing more and more of these kind of old-school or very well-known Windows-based infection vectors and attacks now kind of showing up targeting Macs. And it's interesting, because I think Mac users maybe are at more risk, because, you know, it's like, what Mac user thinks that they can get a macro virus on their Mac? Like zero, right? Traditionally Apple's marketing has kind of put out the message that Macs are immune, and so a lot of Mac users believe that. So whereas someone on a Windows computer might not open a Word document from a random email, a Mac user might. So hackers may be having a better success rate actually targeting Mac users, you know, using these kind of well-known techniques that might not fly on Windows anymore, right?

Or, for that matter, not know that Office on the Mac can support some of that stuff that would be also running over on the Windows side, right? Yeah, I wouldn't expect a VBA macro to just go ahead and run. Okay. That's crazy. We love it.

There was a little bit of a follow-up from JKBC KR, who asked the plist question. I'll just pop this out here. Oh, I got it. The zip was placed in ~/Library and extracted a folder called LaunchAgents with the plist inside, which is the current or the correct location for launch agents. Okay, so a quick follow-up, if that's okay. Does this only work if there was no LaunchAgents folder initially? Otherwise Archive Utility would rename that LaunchAgents folder, right?
Yes, and that's actually a really good point. So the reason this generally works is because on a default install of macOS there's no LaunchAgents directory under ~/Library. There is one in the /Library directory, but we couldn't write to that location from the sandbox. So what we could do, though, is we could write to the user's Library directory, ~/Library, and drop a specially crafted zip file there, and then the Archive Utility would create the LaunchAgents directory for us, because, again, we could also not create or write a plist to that directory; Microsoft's patch specifically forbade that. So yes, if that LaunchAgents directory is already there, this specific attack would fail. What we could possibly do, though, is create files in other locations, and perhaps create a, you know, .bashrc file or some other file that leads to code execution. Someone also mentioned perhaps you could do something with symlinks, so maybe we make a zip file with symlinks. I haven't really dug into that, but I think the fact that we can, outside the sandbox, create kind of arbitrary files... The LaunchAgents path was really just the first one I tried that worked, but there might be other avenues that are more globally applicable, that, for example, wouldn't fail if the LaunchAgents directory is already there. So that's a really good question and an excellent point to make.

Excellent, okay. We'll step back for a second. SneakerNet has another question. Are there any Apple-specific protocols you found really interesting? Protocols can be interprocess on the same system or between devices.
An example is Sidecar between laptop and iPad.

Yeah, so actually the IPC mechanisms in macOS are full of security vulnerabilities, or have been in the past. So one great example is just the handling of these custom URL schemes. So it turns out that if an application supports a file format, or supports a custom URL scheme, a custom URL scheme can be like "blah://anything"; you know, that's one example. But applications can also create their own custom URL handlers as a kind of lightweight IPC mechanism, and this is used legitimately. If an application contains a custom URL handler, as soon as it hits the file system, macOS actually parses that application and registers it as a custom URL handler. The URL can then be launched from the browser. Luckily, recent versions of browsers now will alert the user, basically saying, hey, a web page is trying to make a custom URL request, but in the past that was not the case. We actually saw the WindTail APT group abuse this technique to target Mac users specifically. So their exploit: you browse to a website, and in the background it would download an application that handled a custom URL scheme. macOS would automatically register that behind the scenes as soon as that application hit the file system. Their exploit code would then just make a URL request from the malicious website, which is totally legitimate, something you can do. macOS would look it up and say, hey, yeah, I have an application that can handle that, and then blindly and naively launch the malware which had just been downloaded. So these custom URL schemes are kind of a Mac-specific protocol or IPC mechanism where there are some interesting issues, especially in the past.
I think my other favorite protocol or IPC mechanism is XPC. Ian Beer at Google has done some great work finding all sorts of vulnerabilities; some other Google Project Zero researchers, like Brandon, have found bugs as well. And basically XPC is just the way a client can talk to a, usually, privileged server. And so it's really good to kind of enumerate the API endpoints that the server has, and the biggest issue is usually it doesn't correctly validate the client, which means once you're on the system you perhaps can talk to a trusted service and do all sorts of nasty things. This is often application-specific based on the XPC server, but Apple has had all sorts of issues here. So, for example, the well-known Rootpipe vulnerability was a great example. There was an XPC service running on macOS as root, and, I think, it would create random arbitrary files and run arbitrary commands as root, and it didn't validate the client. So as soon as you were on the box, you could just send this XPC protocol request to this XPC service that was running, and it'd be like, yeah, I'll run whatever you say. And so it was like the easiest, best privilege escalation vulnerability out there. So XPC, great protocol, Apple-specific. I always look at what kind of servers and applications have an XPC interface and start auditing those, because oftentimes there's security issues.

That's your big blinking red light, huh?

Yeah, like, poke on that hard.

Okay, so we have found ourselves in the last five minutes on this. If we have any more really good questions you want to drop in here, then please do. In the meantime...
This is when I've taken to asking people if they have a general call to action, something you would like us to take away from the presentation that you've done, something that you'd like us all to consider and move forward with.

Yeah, I mean, I think, you know, this is probably obvious to anyone listening here, but a lot of Mac users think that Macs are infallible, and this actually puts themselves at risk, because, you know, a lot of Windows users will maybe participate in best cyber-safe practices, whatever that means, you know: don't download random apps, click random links in emails, run random applications. Whereas macOS people are prone to do that a little more. So, you know, just realizing Macs are just as hackable as Windows. It's an operating system that runs code. So kind of just stick with that.

The other thing, and this is kind of a self-plug, but it's for free content so I don't feel bad: in my presentation I announced a free macOS book series I'm working on. So if you go to taomm.org, The Art of Mac Malware, I'm working on a free book about Mac malware analysis. So it talks a lot about infection vectors, these property lists, this XPC stuff. So if you're interested in, you know, Mac malware, vulnerability research, check it out. It's all free. The content I've published, the first part of the first volume, is actually commentable. So, you know, if you see an error or you want to give some input, you can just add a little comment and I will add that into the content. Again, a free resource, basically trying to help provide more information for the community so that we can combat kind of the rising tide of Mac malware that's definitely coming.

Well, that's something I can look forward to as well. So thank you. If you would be so kind as to drop the URL for that in the Track One chat, and, if you are willing to do so, any other contact information for you, or a Twitter profile or something you want people to follow.
That'd be a good place for that.

Yeah, and I'll put my Twitter. My DMs are open, obviously. I'm very passionate about this; I love to nerd out talking about this. Any questions, shoot me a DM and we'll chat.

Excellent. Thank you. We've gotten to the end of the questions in the live Q&A chat. I think that you've been a fantastic guest here, and we really appreciate your willingness to come and build a presentation and then spend some time with us in the Q&A.

Yeah, thank you. It's always an honor to talk at DEF CON. I just feel super appreciative to be able to share my research with the DEF CON community. I mean, they're just the best.

Well, we're the best because of the people who decided to come out and do this stuff. So thank you all. Seems like that's about all we have, so anybody who wants to do any follow-up on this one, you will have some contact information showing up. Thank you all for showing up and we'll do more later. Cool. See you guys later. Thanks for coming.
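Editor's note, appended after the transcript: the answer to SneakerNet's first question (enumerate what file types an app handles, then fuzz the esoteric ones) and the later point about custom URL schemes both come down to reading an app's Info.plist, which is what populates the Launch Services database that `lsregister -dump` prints. The script below is an added example, not code from the Q&A or from any Objective-See tool. The Info.plist it parses is constructed for the example; the app "ExampleDocs", its `exampledocs://` scheme and the "common formats" sets are assumptions, not Apple-defined lists.

```python
"""Enumerate the document types and URL schemes an app bundle declares.

Added example (not from the Q&A): reads an Info.plist the way Launch
Services does when it builds the database printed by `lsregister -dump`,
then flags the document types a reviewer would fuzz first, i.e. those
with extensions or UTIs outside a well-known set. The plist below is
constructed; "ExampleDocs" and "exampledocs://" are hypothetical.
"""
import os
import plistlib
from typing import Dict, List

# Constructed Info.plist. CFBundleDocumentTypes and CFBundleURLTypes are
# the real Apple keys; the app and its values are invented for the demo.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.ExampleDocs</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeName</key><string>Example Document</string>
      <key>CFBundleTypeExtensions</key><array><string>exdoc</string><string>exd</string></array>
      <key>CFBundleTypeRole</key><string>Editor</string>
    </dict>
    <dict>
      <key>CFBundleTypeName</key><string>Symbolic Link Spreadsheet</string>
      <key>CFBundleTypeExtensions</key><array><string>slk</string><string>sylk</string></array>
      <key>CFBundleTypeRole</key><string>Editor</string>
    </dict>
    <dict>
      <key>CFBundleTypeName</key><string>Web Page</string>
      <key>LSItemContentTypes</key><array><string>public.html</string></array>
      <key>CFBundleTypeRole</key><string>Viewer</string>
    </dict>
  </array>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Example Scheme</string>
      <key>CFBundleURLSchemes</key><array><string>exampledocs</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Reviewer's own notion of "well known"; anything outside these sets is
# esoteric and goes to the top of the fuzzing list (an assumption, not
# an Apple list).
COMMON_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "html", "htm",
    "txt", "rtf", "csv", "xml", "json", "zip", "png", "jpg", "jpeg", "gif",
}
COMMON_UTIS = {
    "public.html", "public.plain-text", "public.rtf", "com.adobe.pdf",
    "public.png", "public.jpeg", "public.zip-archive",
}


def load_app_info(app_path: str) -> Dict:
    """Read <App>.app/Contents/Info.plist (XML or binary) from disk."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return plistlib.load(fh)


def parse_info_plist(data: bytes) -> Dict:
    """Parse an Info.plist already held in memory."""
    return plistlib.loads(data)


def document_types(info: Dict) -> List[Dict]:
    """Flatten CFBundleDocumentTypes into name/extensions/UTIs/role records."""
    records = []
    for entry in info.get("CFBundleDocumentTypes", []):
        records.append({
            "name": entry.get("CFBundleTypeName", "?"),
            "extensions": [e.lower() for e in entry.get("CFBundleTypeExtensions", [])],
            "utis": list(entry.get("LSItemContentTypes", [])),
            "role": entry.get("CFBundleTypeRole", "None"),
        })
    return records


def url_schemes(info: Dict) -> List[str]:
    """Custom URL schemes Launch Services will register for this app."""
    schemes = []
    for entry in info.get("CFBundleURLTypes", []):
        schemes.extend(s.lower() for s in entry.get("CFBundleURLSchemes", []))
    return schemes


def esoteric_types(info: Dict) -> List[Dict]:
    """Document types with any extension or UTI outside the common sets."""
    return [
        t for t in document_types(info)
        if any(e not in COMMON_EXTENSIONS for e in t["extensions"])
        or any(u not in COMMON_UTIS for u in t["utis"])
    ]


if __name__ == "__main__":
    info = parse_info_plist(SAMPLE_INFO_PLIST)
    print("URL schemes:", url_schemes(info))
    for t in esoteric_types(info):
        print("fuzz first:", t["name"], t["extensions"] or t["utis"], t["role"])
```

On a real Mac, point `load_app_info` at each bundle under /Applications to build the same picture per app, and cross-check against the system-wide view from `/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump`. The `url_schemes` output is the list of handlers a web page could invoke in the WindTail-style scenario described above, and an `Editor` role on an archaic extension such as .slk is exactly the kind of second code path the talk targeted.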