{"id":26451,"date":"2019-09-02T16:20:35","date_gmt":"2019-09-02T20:20:35","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=26451"},"modified":"2019-09-02T16:20:35","modified_gmt":"2019-09-02T20:20:35","slug":"privilegedhelpertools-and-checking-xpc-peers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/09\/02\/privilegedhelpertools-and-checking-xpc-peers\/","title":{"rendered":"PrivilegedHelperTools and Checking XPC Peers"},"content":{"rendered":"

Objective Development<\/a>:<\/p>\n

\n

It all began with a security improvement by Apple in macOS High Sierra (10.13). Apple had revoked access to the folder \/Library\/Logs\/DiagnosticReports<\/code> for non-admin users. The protection goes so far that even a root process spawned by AuthorizationExecuteWithPrivileges()<\/code> cannot access the folder.<\/p>\n

[…]<\/p>\n

Every installer application which needs root permissions is now urged to install a system-wide daemon for this purpose. This system-wide daemon is usually left behind, because Apple provides no API for removing it.<\/p>\n

[…]<\/p>\n

In an internal code review, another developer looked over the code and verified all assumptions. He did not find a proof for the assumption that XPC connections are authorized by the system. Since there was little information available, he made a test project and could exploit our privileged helper tool!<\/p>\n

[…]<\/p>\n

The helper (and the app using the helper) should check the identity of the peer before performing any operations. Even if an AuthorizationExternalForm<\/code> is already used. The most secure way for such a check is the code signature.<\/p>\n

[…]<\/p>\n

Note that this example uses the private NSXPCConnection.auditToken<\/code> property. If we want to avoid using a private property, we need to use the Unix process ID. But this is inherently insecure (see Don’t trust the PID!<\/a> by Samuel Groß). We therefore decided to use auditToken<\/code> anyway.<\/p>\n<\/blockquote>\n

So, because Apple decided to protect the logs folder, and the documentation is not very good, the Little Snitch developers ended up introducing a privilege escalation vulnerability, and even now they can’t make it fully secure without using private API. These are smart developers with a long history building a highly regarded security-focused product. Of course it sounds like a good idea to make the logs secure, but I think we can ask whether it was worth the cost in collateral security and engineering time. And why should it be so difficult and error-prone for an app to facilitate the customer sending in a diagnostic report?<\/p>\n\n

See also: CVE-2019-13013<\/a>.<\/p>\n\n

Joe Auricchio<\/a> (in 2016, via Jeff Johnson<\/a>):<\/p>\n

It’s better to keep using the deprecated SM functions than to run launchctl. Sorry, but replacements are not yet available.<\/p>\n

There isn’t presently API for a system-wide LaunchDaemon to open a Mach IPC or XPC connection to a LaunchAgent, which I’d guess is closer to what you’d really like to do? This would be a good enhancement request, please file one!<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Objective Development: It all began with a security improvement by Apple in macOS High Sierra (10.13). Apple had revoked access to the folder \/Library\/Logs\/DiagnosticReports for non-admin users. The protection goes so far that even a root process spawned by AuthorizationExecuteWithPrivileges() cannot access the folder. […] Every installer application which needs root permissions is now urged […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-09-02T20:20:38Z","apple_news_api_id":"54a66ef0-b2d0-456a-8e89-3386a8be9721","apple_news_api_modified_at":"2019-09-02T20:20:39Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AVKZu8LLQRWqOiTOGqL6XIQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[466,164,500,139,30,32,1609,54,74,1013,71,48,1473],"class_list":["post-26451","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-codesigning","tag-documentation","tag-launchd","tag-littlesnitch","tag-mac","tag-macapp","tag-macos-10-14","tag-objective-c","tag-opensource","tag-private-api","tag-programming","tag-security","tag-xpc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=26451"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26451\/revisions"}],"predecessor-version":[{"id":26452,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26451\/revisions\/26452"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=26451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=26451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=26451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}