{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/macos-mojave/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS Mojave","QuickTime Player","FaceTime"],"_cs_severities":["medium"],"_cs_tags":["macos","webcam","microphone","applescript","tcc"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eIn June 2018, a bypass was discovered in the macOS Mojave (10.14) beta (18A293u) that allowed unauthorized access to the microphone and webcam, despite Apple\u0026rsquo;s claims of new data protections requiring user permission. The bypass leverages applications with existing entitlements to access the microphone and camera, such as QuickTime Player and FaceTime. By utilizing AppleScript to control these applications, malicious actors can record audio and video without triggering the expected permission prompts. This circumvents the intended security enhancements designed to prevent surreptitious access to sensitive user devices. While Apple stated that the final version of macOS Mojave would mitigate this attack, the initial beta release was vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an AppleScript designed to interact with QuickTime Player.\u003c/li\u003e\n\u003cli\u003eThe AppleScript uses QuickTime Player\u0026rsquo;s built-in recording capabilities.\u003c/li\u003e\n\u003cli\u003eThe AppleScript initiates a new movie recording via QuickTime Player.\u003c/li\u003e\n\u003cli\u003eThe AppleScript sets a delay to record audio and video for a specified duration.\u003c/li\u003e\n\u003cli\u003eThe AppleScript pauses and saves the movie recording to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the AppleScript using \u003ccode\u003eosascript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eQuickTime Player, due to its existing entitlements, accesses the webcam and microphone without prompting the user for permission.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the saved recording containing audio and video captured without user consent, potentially exfiltrating this data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in macOS Mojave beta allowed unauthorized access to a user\u0026rsquo;s webcam and microphone, potentially enabling surveillance without their knowledge or consent. While the number of affected users during the beta phase is unknown, the potential for privacy violations was significant. Successful exploitation could result in the compromise of sensitive information, including personal conversations and visual data. This can lead to reputational damage, blackmail, or other malicious activities targeting the victim.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;osascript Execution Spawning QuickTime\u0026rdquo; Sigma rule to detect the execution of osascript to run AppleScripts that control QuickTime Player.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eosascript\u003c/code\u003e with arguments that point to suspicious \u003ccode\u003e.scpt\u003c/code\u003e files using the \u0026ldquo;Suspicious AppleScript Execution via osascript\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and file creation events to facilitate the detection of malicious AppleScripts and their execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:15:00Z","date_published":"2024-01-09T18:15:00Z","id":"/briefs/2024-01-macos-mojave-webcam-bypass/","summary":"macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.","title":"macOS Mojave Beta Webcam and Microphone Access Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-mojave-webcam-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS Mojave"],"_cs_severities":["high"],"_cs_tags":["macos","lockup","vmmap","pid1"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA critical bug exists in macOS Mojave (10.14) where executing the \u003ccode\u003evmmap\u003c/code\u003e utility against process ID 1, which is always \u003ccode\u003elaunchd\u003c/code\u003e, causes a complete system lockup. This issue was discovered when users reported that the TaskExplorer utility, which uses \u003ccode\u003evmmap\u003c/code\u003e to enumerate loaded dynamic libraries in remote processes, would freeze the system when run. The root cause is that \u003ccode\u003evmmap\u003c/code\u003e suspends the target process before enumerating memory regions. When \u003ccode\u003elaunchd\u003c/code\u003e (PID 1) is targeted, this suspension prevents \u003ccode\u003evmmap\u003c/code\u003e from completing its symbolication process, which relies on XPC communication facilitated by \u003ccode\u003elaunchd\u003c/code\u003e. The blocked XPC call results in a deadlock, requiring a hard reboot of the affected macOS Mojave system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker (or a system utility like TaskExplorer) attempts to enumerate loaded libraries of a process.\u003c/li\u003e\n\u003cli\u003eTaskExplorer executes the \u003ccode\u003evmmap\u003c/code\u003e command, targeting a specific process ID (PID).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evmmap\u003c/code\u003e utility starts and is given PID 1 as a command-line argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e invokes \u003ccode\u003etask_suspend\u003c/code\u003e to suspend the target process (launchd) before taking a memory snapshot.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evmmap\u003c/code\u003e attempts to symbolicate the memory regions of the suspended process via the CoreSymbolication framework, calling \u003ccode\u003eCoreSymbolication'mmap_storage_daemon\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe CoreSymbolication framework makes XPC calls, including \u003ccode\u003expc_connection_resume\u003c/code\u003e, which are routed to launchd.\u003c/li\u003e\n\u003cli\u003eBecause launchd is suspended, the XPC requests are never serviced, specifically a call to \u003ccode\u003elibxpc\u003c/code\u003e’s \u003ccode\u003e_xpc_look_up_endpoint\u003c/code\u003e for \u003ccode\u003ecom.apple.coresymbolicationd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis blocked XPC call deadlocks the system, as \u003ccode\u003evmmap\u003c/code\u003e waits for a response from \u003ccode\u003elaunchd\u003c/code\u003e, but \u003ccode\u003elaunchd\u003c/code\u003e cannot respond because it is suspended by \u003ccode\u003evmmap\u003c/code\u003e. The entire system becomes unresponsive, requiring a hard reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this bug results in a complete system lockup on macOS Mojave. The user loses any unsaved data and must perform a hard reboot to restore functionality. While the bug does not directly lead to data theft or code execution, it causes significant disruption and data loss. This affects any user running macOS Mojave who attempts to run \u003ccode\u003evmmap\u003c/code\u003e against PID 1, either directly or indirectly through a utility like TaskExplorer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect vmmap Execution Against PID 1\u003c/code\u003e to detect direct attempts to exploit this bug via command-line execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any system lockups on macOS Mojave systems and correlate them with \u003ccode\u003evmmap\u003c/code\u003e executions, using the \u003ccode\u003emacOS Mojave System Lockup via vmmap\u003c/code\u003e rule as a starting point.\u003c/li\u003e\n\u003cli\u003eConsider blocking execution of \u003ccode\u003evmmap\u003c/code\u003e with PID 1 as an argument via endpoint detection and response (EDR) tools, preventing the vulnerability from being triggered.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vmmap-mojave-lockup/","summary":"A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.","title":"macOS Mojave System Lockup via vmmap Utility Targeting PID 1","url":"https://feed.craftedsignal.io/briefs/2024-01-vmmap-mojave-lockup/"}],"language":"en","title":"CraftedSignal Threat Feed — MacOS Mojave","version":"https://jsonfeed.org/version/1.1"}