<h1>Privileged Operations on macOS</h1>
<p>Published 2020-04-20 at <a href="https://mjtsai.com/blog/2020/04/20/privileged-operations-on-macos/">mjtsai.com</a>; last modified 2021-06-13.</p>
<p><a href="https://objectivebythesea.com/v3/content.html">Objective by the Sea</a> has posted <a href="https://objectivebythesea.com/v3/talks/OBTS_v3_jVashchenko.pdf">slides</a> from <a href="https://twitter.com/iaronskaya">Julia Vashchenko</a>’s talk on <code>SMJobBless()</code> and XPC:</p>
<blockquote cite="https://objectivebythesea.com/v3/content.html">
<p>Operating system’s security depends a lot on the way developers handle privileged operations. Is it easy to make a mistake? Is the recommended way actually better than a deprecated API?</p>
<p>Recently, we gained insight into these questions during our company’s bug bounty program, which led to some surprising conclusions, which we’ll share today.</p>
</blockquote>
<p>This stuff is under-documented, and the sample code is buggy.</p>
<p>See also: <a href="https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part1/">Csaba</a> <a href="https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part2/">Fitzl</a> (<a href="https://twitter.com/theevilbit/status/1216300428813578240">tweet</a>).</p>
<p>Previously:</p>
<ul>
<li><a href="https://mjtsai.com/blog/2019/09/02/privilegedhelpertools-and-checking-xpc-peers/">PrivilegedHelperTools and Checking XPC Peers</a></li>
<li><a href="https://mjtsai.com/blog/2019/02/11/sandboxed-macos-x-login-item-with-xpc/">Sandboxed macOS X Login Item With XPC</a></li>
</ul>
<p id="privileged-operations-on-macos-update-2020-08-28">Update (2020-08-28): <a href="https://twitter.com/Kentzo/status/1265019201401610241">Ilya Kulakov</a>:</p>
<blockquote cite="https://twitter.com/Kentzo/status/1265019201401610241"><p>Refined advice was published <a href="https://developer.apple.com/forums/thread/72881">by @justkwin</a> regarding XPC peer validation. There is an interesting detail regarding “the second message”. I’m still confused how this solves peer validation though.</p></blockquote>
<p><a href="https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part3/">Csaba Fitzl</a>:</p>
<blockquote cite="https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part3/"><p>This is the third post in my series, which is trying to help Apple developers to avoid typical insecure coding practices. This one will highlight why XPC client hardening and proper verification is extremely important when we use XPC messaging on macOS between clients that run as a normal user and services that run as root. If this validation is not right, it opens up the possibility for an attacker to run privileged commands or, worst case, achieve full privilege escalation on the system.</p>
</blockquote>
<p id="privileged-operations-on-macos-update-2021-01-22">Update (2021-01-22): <a href="https://www.woodys-findings.com/posts/cocoa-implement-privileged-helper">Alexis Bridoux</a>:</p>
<blockquote cite="https://www.woodys-findings.com/posts/cocoa-implement-privileged-helper"><p>I will do some research to better understand the possible exploits, to know what the best thing to do is. Meanwhile, here is some advice:</p>
<ul>
<li>The Helper should be removed when the application is removed. A Helper left behind has no use, and it’s a risk that can be avoided. This <a href="https://erikberglund.github.io/2016/No_Privileged_Helper_Tool_Left_Behind/">post</a> explains that.</li>
<li>The current preferred solution to prevent a malicious attack is to check the calling code identity. This <a href="https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/">post</a> is great for understanding the problem and applies this solution.</li>
<li>This <a href="https://github.com/securing/SimpleXPCApp">repository</a> also offers a ready-to-use solution in Swift.</li>
</ul></blockquote>
<p id="privileged-operations-on-macos-update-2021-06-13">Update (2021-06-13): <a href="https://twitter.com/tclementdev/status/1402021767540088837">Thomas Clement</a>:</p>
<blockquote cite="https://twitter.com/tclementdev/status/1402021767540088837">
<p>Lo and behold, seems like finally Apple is adding a <a href="https://developer.apple.com/documentation/xpc/3755524-xpc_connection_set_peer_code_sig/">public API</a> to validate xpc connections.</p>
</blockquote>
<p>Previously:</p>
<ul>
<li><a href="https://mjtsai.com/blog/2021/06/08/macos-12-monterey-announced/">macOS 12 Monterey Announced</a></li>
</ul>
<p>Tags: cleanmymac, codesigning, documentation, mac, macos-10-14, macos-10-15, programming, setapp, xpc</p>