https://feed.craftedsignal.io/products/macos-mojave/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 18:15:00 +0000https://feed.craftedsignal.io/briefs/2024-01-macos-mojave-webcam-bypass/Tue, 09 Jan 2024 18:15:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-macos-mojave-webcam-bypass/macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.In June 2018, a bypass was discovered in the macOS Mojave (10.14) beta (18A293u) that allowed unauthorized access to the microphone and webcam, despite Apple’s claims of new data protections requiring user permission. The bypass leverages applications with existing entitlements to access the microphone and camera, such as QuickTime Player and FaceTime. By utilizing AppleScript to control these applications, malicious actors can record audio and video without triggering the expected permission prompts. This circumvents the intended security enhancements designed to prevent surreptitious access to sensitive user devices. While Apple stated that the final version of macOS Mojave would mitigate this attack, the initial beta release was vulnerable.

Attack Chain

1. An attacker crafts an AppleScript designed to interact with QuickTime Player.
2. The AppleScript uses QuickTime Player’s built-in recording capabilities.
3. The AppleScript initiates a new movie recording via QuickTime Player.
4. The AppleScript sets a delay to record audio and video for a specified duration.
5. The AppleScript pauses and saves the movie recording to a file.
6. The attacker executes the AppleScript using osascript.
7. QuickTime Player, due to its existing entitlements, accesses the webcam and microphone without prompting the user for permission.
8. The attacker retrieves the saved recording containing audio and video captured without user consent, potentially exfiltrating this data.

Impact

The vulnerability in macOS Mojave beta allowed unauthorized access to a user’s webcam and microphone, potentially enabling surveillance without their knowledge or consent. While the number of affected users during the beta phase is unknown, the potential for privacy violations was significant. Successful exploitation could result in the compromise of sensitive information, including personal conversations and visual data. This can lead to reputational damage, blackmail, or other malicious activities targeting the victim.

Recommendation

• Deploy the “osascript Execution Spawning QuickTime” Sigma rule to detect the execution of osascript to run AppleScripts that control QuickTime Player.
• Monitor process execution for osascript with arguments that point to suspicious .scpt files using the “Suspicious AppleScript Execution via osascript” Sigma rule.
• Enable process creation logging and file creation events to facilitate the detection of malicious AppleScripts and their execution.

]]>mediumadvisorymacoswebcammicrophoneapplescripttcchttps://feed.craftedsignal.io/briefs/2024-01-vmmap-mojave-lockup/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-vmmap-mojave-lockup/A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.A critical bug exists in macOS Mojave (10.14) where executing the vmmap utility against process ID 1, which is always launchd, causes a complete system lockup. This issue was discovered when users reported that the TaskExplorer utility, which uses vmmap to enumerate loaded dynamic libraries in remote processes, would freeze the system when run. The root cause is that vmmap suspends the target process before enumerating memory regions. When launchd (PID 1) is targeted, this suspension prevents vmmap from completing its symbolication process, which relies on XPC communication facilitated by launchd. The blocked XPC call results in a deadlock, requiring a hard reboot of the affected macOS Mojave system.

Attack Chain

1. An attacker (or a system utility like TaskExplorer) attempts to enumerate loaded libraries of a process.
2. TaskExplorer executes the vmmap command, targeting a specific process ID (PID).
3. The vmmap utility starts and is given PID 1 as a command-line argument.
4. vmmap invokes task_suspend to suspend the target process (launchd) before taking a memory snapshot.
5. vmmap attempts to symbolicate the memory regions of the suspended process via the CoreSymbolication framework, calling CoreSymbolication'mmap_storage_daemon.
6. The CoreSymbolication framework makes XPC calls, including xpc_connection_resume, which are routed to launchd.
7. Because launchd is suspended, the XPC requests are never serviced, specifically a call to libxpc’s _xpc_look_up_endpoint for com.apple.coresymbolicationd.
8. This blocked XPC call deadlocks the system, as vmmap waits for a response from launchd, but launchd cannot respond because it is suspended by vmmap. The entire system becomes unresponsive, requiring a hard reboot.

Impact

Successful exploitation of this bug results in a complete system lockup on macOS Mojave. The user loses any unsaved data and must perform a hard reboot to restore functionality. While the bug does not directly lead to data theft or code execution, it causes significant disruption and data loss. This affects any user running macOS Mojave who attempts to run vmmap against PID 1, either directly or indirectly through a utility like TaskExplorer.

Recommendation

• Deploy the Sigma rule Detect vmmap Execution Against PID 1 to detect direct attempts to exploit this bug via command-line execution.
• Investigate any system lockups on macOS Mojave systems and correlate them with vmmap executions, using the macOS Mojave System Lockup via vmmap rule as a starting point.
• Consider blocking execution of vmmap with PID 1 as an argument via endpoint detection and response (EDR) tools, preventing the vulnerability from being triggered.

]]>highadvisorymacoslockupvmmappid1