ELECTRONizing macOS privacy - a new weapon in your red teaming armory

Presented at DEF CON 31 (2023), Aug. 12, 2023, 9 a.m. (20 minutes)

MacOS is known for an additional layer of privacy controls called TCC - Transparency, Consent, and Control (TCC) that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent. Despite many vulnerabilities in that mechanism found in the past, using 0-days during red teaming engagements is impractical. Apple fixes TCC vulnerabilities but red teams still have to get access to files saved on the victim’s desktop or be able take a screenshot. What if I tell you that there are many open doors to resolve all the TCC problems that are already installed on your target machines?! Electron apps are everywhere. And you probably heard the joke that: ‘S’ in Electron stands for security. In this talk I will share a new tool that, by abusing Electron default configuration, allows executing code in the context of those Electron apps and thus inherit their TCC permissions. The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. The part of the audience interested in macOS red teaming will also get to know my new, free and open source tool. Blue teams on the stage will also see some ideas regarding detections.

Presenters:

• Wojciech Reguła - Principal Security Consultant at SecuRing
  Wojciech is a Principal Security Specialist working at SecuRing. He specializes in application security on Apple devices. Wojciech created the iOS Security Suite - an opensource anti-tampering framework. Bugcrowd MVP, found vulnerabilities in Apple, Facebook, Malwarebytes, Slack, Atlassian, and others. In free time he runs an infosec blog - https://wojciechregula.blog. Shared research on among others Black Hat (Las Vegas, USA), Objective by the Sea (Hawaii, USA), AppSec Global (Tel Aviv, Israel), AppSec EU (London, United Kingdom), CONFidence (Cracow, Poland), BSides (Warsaw, Poland).

Links:

• https://forum.defcon.org/node/245758

Similar Presentations:

• Objective by the Sea version 5.0 (2022) / What Happens on your mac, Stays on Apple's iCloud?! Bypassing mac Privacy Mechanisms
• Black Hat USA 2021 / 20+ Ways to Bypass Your macOS Privacy Mechanisms
• Objective by the Sea version 4.0 (2021) / Apple's Envy: Root once, bypass TCC