├── 2022
│   ├── PDFs
│   │   ├── 01:01 The Mac Malware of 2021 - Patrick Wardle.pdf
│   │   ├── 01:04 A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022 - Phil Stokes.pdf
│   │   ├── 01:10 New macOS vulnerability, “powerdir,” could lead to unauthorized user data access - Microsoft Security.pdf
│   │   ├── 01:11 New SysJoker Backdoor Targets Windows, Linux, and macOS Avigayil Mechtinger.pdf
│   │   ├── 01:11 SysJoker - Patrick Wardle.pdf
│   │   ├── 01:25 Analyzing OSX.DazzleSpy - Patrick Wardle.pdf
│   │   ├── 01:25 DazzleSpy Mac Malware Used in Targeted Attacks - Josh Long.pdf
│   │   ├── 01:25 Hiding malware in Docker Desktop's virtual machine - Alex Hope.pdf
│   │   ├── 01:25 Watering hole deploys new macOS malware, DazzleSpy, in Asia - ESET.pdf
│   │   ├── 02:02 The evolution of a Mac trojan: UpdateAgent’s progression - Microsoft Security Blog.pdf
│   │   ├── 02:19 Querying Spotlight APIs With JXA. TL;DR This blog post takes a brief look… | by Cedric Owens | Medium.pdf
│   │   ├── 02:26 Give Me Some (macOS) Context…. This blog post will dive into what I… | by Cedric Owens | Medium.pdf
│   │   ├── 03:08 Extended Attributes and TCC on macOS | by Justin Bui | Medium.pdf
│   │   ├── 03:10 macOS Red Teaming: Bypass TCC with old apps.pdf
│   │   ├── 03:14 How a macOS bug could have allowed for a serious phishing attack against users | Rambo Codes.pdf
│   │   ├── 03:15 CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years – Mickey's Blogs – Exploring the world with my sword of debugger :).pdf
│   │   ├── 03:15 Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582) – NCC Group Research.pdf
│   │   ├── 03:17 Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass.pdf
│   │   ├── 03:22 Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS | Volexity.pdf
│   │   ├── 04:02 Remotely Dumping Chrome Cookies…Revisited | by Cedric Owens | Apr, 2022 | Medium.pdf
│   │   ├── 04:04 MacOS SUHelper Root Privilege Escalation Vulnerability A Deep Dive Into CVE-2022-22639.pdf
│   │   ├── 04:12 Understanding and Defending Against Reflective Code Loading on macOS | by Justin Bui | Medium.pdf
│   │   ├── 04:25 Gregory Szorc's Digital Home | Expanding Apple Ecosystem Access with Open Source, Multi Platform Code Signing.pdf
│   │   ├── 05:19 CVE-2022-22675: AppleAVD Overflow in AVC_RBSP:parseHRD | 0-days In-the-Wild.pdf
│   │   ├── 05:19 Exploiting an Unbounded memcpy in Parallels Desktop | RET2 Systems Blog.pdf
│   │   ├── 05:25 Taking ESF For A(nother) Spin. 2+ years ago from the date of this blog… | by Cedric Owens | Medium.pdf
│   │   ├── 06:02 How CrowdStrike Uncovered a New MacOS Browser Hijacking Campaign.pdf
│   │   ├── 06:14 AMFI Launch Constraints - First Quick Look · theevilbit blog.pdf
│   │   ├── 06:29 Exploiting Intel Graphics Kernel Extensions on macOS | RET2 Systems Blog.pdf
│   │   └── 09:12 New Security and Privacy Features in macOS Ventura, iOS 16, and iPadOS 16 - The Mac Security Blog.pdf
│   └── README.md
├── 2023
│   ├── PDFs
│   │   ├── 01:01 The Mac Malware of 2022 - Patrick Wardle.pdf
│   │   ├── 01:03 Can you rely on macOS Ventura for malware protection? – The Eclectic Light Company.pdf
│   │   ├── 01:04 How do you know when macOS detects and remediates malware? – The Eclectic Light Company.pdf
│   │   ├── 01:09 7 Ways Threat Actors Deliver macOS Malware in the Enterprise - Phil Stokes.pdf
│   │   ├── 01:12 DER Entitlements The (Brief) Return of the Psychic Paper - Ivan Fratric.pdf
│   │   ├── 01:13 Bad things come in large packages- .pkg signature verification bypass on macOS · Sector 7.pdf
│   │   ├── 01:14 Restoring Dyld Memory Loading - Adam Chester.pdf
│   │   ├── 01:19 CVE-2022-42864 - Diabolical Cookies.pdf
│   │   └── 02:04 Building a Custom Mach-O Memory Loader for macOS - Part 1 - Adam Chester.pdf
│   └── README.md
├── 2024
│   └── PDFs
│       ├── 01: 01 The Mac Malware of 2023.pdf
│       ├── 01:02 Protecting macOS 7 Strategies for Enterprise Security in 2024.pdf
│       ├── 01:04 Analyzing DPRK's SpectralBlur.pdf
│       ├── 01:11 Hi, My Name is Keyboard.md
│       ├── 01:15 The Many Faces of Undetected macOS InfoStealers KeySteal, Atomic & CherryPie Continue to Adapt.pdf
│       ├── 01:15 Why Join The Navy If You Can Be A Pirate?.pdf
│       ├── 01:16 macOS Malware 2023 A Deep Dive into Emerging Trends and Evolving Techniques.pdf
│       ├── 01:17 Atomic Stealer for macOS has been updated to bypass detection.pdf
│       ├── 01:18 CVE-2023-44077: ShareBrowser Privilege Escalation.pdf
│       ├── 01:18 Jamf Threat Labs Discovers Pirated macOS Apps Similar to ZuRu Malware.pdf
│       └── 01:23 Playing with Libmalloc in 2024.pdf
├── LICENSE
└── README.md

/2022/PDFs/01:01 The Mac Malware of 2021 - Patrick Wardle.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:01 The Mac Malware of 2021 - Patrick Wardle.pdf

/2022/PDFs/01:04 A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022 - Phil Stokes.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:04 A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022 - Phil Stokes.pdf

/2022/PDFs/01:10 New macOS vulnerability, “powerdir,” could lead to unauthorized user data access - Microsoft Security.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:10 New macOS vulnerability, “powerdir,” could lead to unauthorized user data access - Microsoft Security.pdf

/2022/PDFs/01:11 New SysJoker Backdoor Targets Windows, Linux, and macOS Avigayil Mechtinger.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:11 New SysJoker Backdoor Targets Windows, Linux, and macOS Avigayil Mechtinger.pdf

/2022/PDFs/01:11 SysJoker - Patrick Wardle.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:11 SysJoker - Patrick Wardle.pdf

/2022/PDFs/01:25 Analyzing OSX.DazzleSpy - Patrick Wardle.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:25 Analyzing OSX.DazzleSpy - Patrick Wardle.pdf

/2022/PDFs/01:25 DazzleSpy Mac Malware Used in Targeted Attacks - Josh Long.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:25 DazzleSpy Mac Malware Used in Targeted Attacks - Josh Long.pdf

/2022/PDFs/01:25 Hiding malware in Docker Desktop's virtual machine - Alex Hope.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:25 Hiding malware in Docker Desktop's virtual machine - Alex Hope.pdf

/2022/PDFs/01:25 Watering hole deploys new macOS malware, DazzleSpy, in Asia - ESET.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/01:25 Watering hole deploys new macOS malware, DazzleSpy, in Asia - ESET.pdf

/2022/PDFs/02:02 The evolution of a Mac trojan: UpdateAgent’s progression - Microsoft Security Blog.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/02:02 The evolution of a Mac trojan: UpdateAgent’s progression - Microsoft Security Blog.pdf

/2022/PDFs/02:19 Querying Spotlight APIs With JXA. TL;DR This blog post takes a brief look… | by Cedric Owens | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/02:19 Querying Spotlight APIs With JXA. TL;DR This blog post takes a brief look… | by Cedric Owens | Medium.pdf

/2022/PDFs/02:26 Give Me Some (macOS) Context…. This blog post will dive into what I… | by Cedric Owens | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/02:26 Give Me Some (macOS) Context…. This blog post will dive into what I… | by Cedric Owens | Medium.pdf

/2022/PDFs/03:08 Extended Attributes and TCC on macOS | by Justin Bui | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:08 Extended Attributes and TCC on macOS | by Justin Bui | Medium.pdf

/2022/PDFs/03:10 macOS Red Teaming: Bypass TCC with old apps.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:10 macOS Red Teaming: Bypass TCC with old apps.pdf

/2022/PDFs/03:14 How a macOS bug could have allowed for a serious phishing attack against users | Rambo Codes.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:14 How a macOS bug could have allowed for a serious phishing attack against users | Rambo Codes.pdf

/2022/PDFs/03:15 CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years – Mickey's Blogs – Exploring the world with my sword of debugger :).pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:15 CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years – Mickey's Blogs – Exploring the world with my sword of debugger :).pdf

/2022/PDFs/03:15 Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582) – NCC Group Research.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:15 Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582) – NCC Group Research.pdf

/2022/PDFs/03:17 Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:17 Jamf Threat Labs identifies Safari vulnerability (CVE-2022-22616) allowing for Gatekeeper bypass.pdf

/2022/PDFs/03:22 Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS | Volexity.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/03:22 Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS | Volexity.pdf

/2022/PDFs/04:02 Remotely Dumping Chrome Cookies…Revisited | by Cedric Owens | Apr, 2022 | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/04:02 Remotely Dumping Chrome Cookies…Revisited | by Cedric Owens | Apr, 2022 | Medium.pdf

/2022/PDFs/04:04 MacOS SUHelper Root Privilege Escalation Vulnerability A Deep Dive Into CVE-2022-22639.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/04:04 MacOS SUHelper Root Privilege Escalation Vulnerability A Deep Dive Into CVE-2022-22639.pdf

/2022/PDFs/04:12 Understanding and Defending Against Reflective Code Loading on macOS | by Justin Bui | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/04:12 Understanding and Defending Against Reflective Code Loading on macOS | by Justin Bui | Medium.pdf

/2022/PDFs/04:25 Gregory Szorc's Digital Home | Expanding Apple Ecosystem Access with Open Source, Multi Platform Code Signing.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/04:25 Gregory Szorc's Digital Home | Expanding Apple Ecosystem Access with Open Source, Multi Platform Code Signing.pdf

/2022/PDFs/05:19 CVE-2022-22675: AppleAVD Overflow in AVC_RBSP:parseHRD | 0-days In-the-Wild.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/05:19 CVE-2022-22675: AppleAVD Overflow in AVC_RBSP:parseHRD | 0-days In-the-Wild.pdf

/2022/PDFs/05:19 Exploiting an Unbounded memcpy in Parallels Desktop | RET2 Systems Blog.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/05:19 Exploiting an Unbounded memcpy in Parallels Desktop | RET2 Systems Blog.pdf

/2022/PDFs/05:25 Taking ESF For A(nother) Spin. 2+ years ago from the date of this blog… | by Cedric Owens | Medium.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/05:25 Taking ESF For A(nother) Spin. 2+ years ago from the date of this blog… | by Cedric Owens | Medium.pdf

/2022/PDFs/06:02 How CrowdStrike Uncovered a New MacOS Browser Hijacking Campaign.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/06:02 How CrowdStrike Uncovered a New MacOS Browser Hijacking Campaign.pdf

/2022/PDFs/06:14 AMFI Launch Constraints - First Quick Look · theevilbit blog.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/06:14 AMFI Launch Constraints - First Quick Look · theevilbit blog.pdf

/2022/PDFs/06:29 Exploiting Intel Graphics Kernel Extensions on macOS | RET2 Systems Blog.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/06:29 Exploiting Intel Graphics Kernel Extensions on macOS | RET2 Systems Blog.pdf

/2022/PDFs/09:12 New Security and Privacy Features in macOS Ventura, iOS 16, and iPadOS 16 - The Mac Security Blog.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2022/PDFs/09:12 New Security and Privacy Features in macOS Ventura, iOS 16, and iPadOS 16 - The Mac Security Blog.pdf
/2022/README.md:

# macOS Security Research 2022

# January

## Blog Posts
* [A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022](https://www.sentinelone.com/labs/a-threat-hunters-guide-to-the-macs-most-prevalent-adware-infections-2022/) - Phil Stokes
* [DazzleSpy Mac Malware Used in Targeted Attacks](https://www.intego.com/mac-security-blog/dazzlespy-mac-malware-used-in-targeted-attacks/) - Josh Long (Intego)
  * Summary based on others' analysis, contains IoCs
* [Hiding malware in Docker Desktop's virtual machine](https://community.atlassian.com/t5/Trust-Security-articles/Hiding-malware-in-Docker-Desktop-s-virtual-machine/ba-p/1924743)

## Malware
* [The Mac Malware of 2021](https://objective-see.org/blog/blog_0x6B.html) - Patrick Wardle
* SysJoker
  * [SysJoker](https://objective-see.com/blog/blog_0x6C.html) - Patrick Wardle
  * [New SysJoker Backdoor Targets Windows, Linux, and macOS](https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/) - Intezer
* DazzleSpy (osxrk)
  * [Watering hole deploys new macOS malware, DazzleSpy, in Asia](https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/) - ESET
    * ESET [Tweet Thread](https://twitter.com/ESETresearch/status/1485923814332637190)
  * [Analyzing OSX.DazzleSpy](https://objective-see.com/blog/blog_0x6D.html) - Patrick Wardle
  * DazzleSpy (osxrk) is related to the malware Google TAG discovered in November 2021, which they, and SentinelOne, named MACMA / macOS.Macma
    * [Analyzing a watering hole campaign using macOS exploits](https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/) by Erye Hernandez
    * [Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma](https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/) by Phil Stokes

## Vulnerabilities & Exploits
* [Microsoft OneDrive for macOS Local Privilege Escalation](https://www.offensive-security.com/offsec/microsoft-onedrive-macos-local-privesc/) - Csaba Fitzl
* [New macOS vulnerability, “powerdir,” could lead to unauthorized user data access](https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/) - Microsoft Security

---

# February

## Malware
* [The evolution of a Mac trojan: UpdateAgent’s progression](https://www.microsoft.com/en-us/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/) - Microsoft Defender Threat Intelligence

## Offensive
* [Querying Spotlight APIs With JXA](https://cedowens.medium.com/querying-spotlight-apis-with-jxa-3ae4bb9af3b4) - Cedric Owens
* [Give Me Some (macOS) Context…](https://cedowens.medium.com/give-me-some-macos-context-c13aecbd4c5b) - Cedric Owens

---

# March

## Blog Posts
* [Beyond the good ol' LaunchAgents - 29 - amstoold](https://theevilbit.github.io/beyond/beyond_0029/) - Csaba Fitzl
* [How a macOS bug could have allowed for a serious phishing attack against users](https://rambo.codes/posts/2022-03-15-how-a-macos-bug-could-have-allowed-for-a-serious-phishing-attack-against-users) - Guilherme Rambo

## Malware
* [Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS](https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/) - Damien Cash, Steven Adair & Thomas Lancaster (Volexity)

## Offensive
* [Extended Attributes and TCC on macOS](https://medium.com/@slyd0g/extended-attributes-and-tcc-on-macos-a535878f2c8d) - Justin Bui
* [macOS Red Teaming: Bypass TCC with old apps](https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/) - Wojciech Reguła

## Vulnerabilities & Exploits
* [Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)](https://research.nccgroup.com/2022/03/15/technical-advisory-apple-macos-xar-arbitrary-file-write-cve-2022-22582/) - Rich Warren
* CVE-2022-22616
  * [Jamf Threat Labs identifies Safari vulnerability allowing for Gatekeeper bypass](https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/) - Jamf
  * [CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years](https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/) - Mickey Jin

## Conference Talks
* [Learning macOS Security by Finding Vulns](https://www.youtube.com/watch?v=jBvE0kciSx8) - Jonathan Bar Or (BlueHat IL)

---

# April

## Blog Posts
* [Remotely Dumping Chrome Cookies...Revisited](https://web.archive.org/web/20220404224341/https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209) - Cedric Owens
* [Understanding and Defending Against Reflective Code Loading on macOS](https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f) - Justin Bui
* [Expanding Apple Ecosystem Access with Open Source, Multi Platform Code Signing](https://gregoryszorc.com/blog/2022/04/25/expanding-apple-ecosystem-access-with-open-source,-multi-platform-code-signing/) - Gregory Szorc

## Vulnerabilities & Exploits
* [MacOS SUHelper Root Privilege Escalation Vulnerability: A Deep Dive Into CVE-2022-22639](https://www.trendmicro.com/en_us/research/22/d/macos-suhelper-root-privilege-escalation-vulnerability-a-deep-di.html) - Mickey Jin
  * CVE-2022-22639
* [Using Data Memory-Dependent Prefetchers to Leak Data at Rest](https://www.prefetchers.info/) - UIUC, UW, & Tel Aviv University
  * “We present a new type of microarchitectural attack that leaks data at rest: data that is never read into the core architecturally. This attack technique, Augury, leverages a novel microarchitectural optimisation present in Apple Silicon: a Data Memory-Dependent Prefetcher (DMP).”

## Tweets
* https://twitter.com/th3_protoCOL/status/1519362330244444160
  * ChoziosiLoader targeting macOS users
* https://twitter.com/coolestcatiknow/status/1519375315251961863
  * List of contributions to macOS ATT&CK v11

---

# May

## Blog Posts
* [LIEF - Mach-O Support Enhancements](https://lief-project.github.io/blog/2022-05-08-macho/) - Romain Thomas
* [Taking ESF For A(nother) Spin](https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74) - Cedric Owens

## Vulnerabilities & Exploits
* [CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22675.html) - Natalie Silvanovich
* [Exploiting an Unbounded memcpy in Parallels Desktop](https://blog.ret2.io/2022/05/19/pwn2own-2021-parallels-desktop-exploit/) - Jack Dates

## Conference Talks
* [macOS Vulnerabilities Hiding in Plain Sight](https://www.youtube.com/watch?v=Nvpo-kP6C9s) - Csaba Fitzl (Black Hat Asia)
  * [Slides](https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight.pdf)
  * [Whitepaper](https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight-wp.pdf)

## Malware
* [Analyzing a Pirrit adware installer](https://forensicitguy.github.io/analyzing-pirrit-adware-installer/) - Tony Lambert
* [From The DPRK With Love](https://objective-see.org/blog/blog_0x6E.html) - Patrick Wardle
* [From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win](https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/) - Phil Stokes
* [UpdateAgent Adapts Again](https://www.jamf.com/blog/updateagent-adapts-again/) - Jaron Bradley, Stuart Ashenbrenner & Matt Benyo
  * Updated notes / IoCs from June 2nd: [UpdateAgent - GolangVersion](https://gist.github.com/sysopfb/19abb48672e940e778ec591c5028230c)

---

# June

## Blog Posts
* [AMFI Launch Constraints - First Quick Look](https://theevilbit.github.io/posts/amfi_launch_constraints/) - Csaba Fitzl
* [Apple’s macOS Ventura | 7 New Security Changes to Be Aware Of](https://www.sentinelone.com/blog/apples-macos-ventura-7-new-security-changes-to-be-aware-of/) - Phil Stokes
* [CrowdStrike Uncovers New MacOS Browser Hijacking Campaign](https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/) - CrowdStrike
* [Exploiting Intel Graphics Kernel Extensions on macOS](https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/) - Jack Dates

## Conference Talks
* [10 macOS persistence techniques](https://youtu.be/nSykVNZLeOc?t=8343) - Csaba Fitzl (Security Fest)
  * [Slides](https://www.slideshare.net/CsabaFitzl/securityfest22fitzlbeyondpdf)
* [10 macOS Persistence Techniques](https://www.youtube.com/watch?v=qySBuk7Ww7Q) - Csaba Fitzl (MacDevOpsYVR)
* [macOS Vulnerabilities Hiding in Plain Sight](https://www.slideshare.net/CsabaFitzl/macos-vulnerabilities-hiding-in-plain-sight) - Csaba Fitzl (TROOPERS2022) (Slides)

## Vulnerabilities & Exploits
* [PACMAN](https://pacmanattack.com)
  * [The PACMAN Attack: Breaking PAC on Apple M1 with Hardware Attacks](https://www.youtube.com/watch?v=WRNZhP4CVgE)

## Other
* [macOS Ventura and OpenCore Legacy Patcher Support](https://github.com/dortania/OpenCore-Legacy-Patcher/issues/998)

---

# July

## Blog Posts
* [iBoot: A New Era](https://tjkr0wn.github.io//new_era_writeup/PART1) - tjkr0wn

## Malware
* [New macOS ‘covid’ Malware Masquerades as Apple, Wears Face of APT](https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/) - Phil Stokes
* [ChromeLoader: New Stubborn Malware Campaign](https://unit42.paloaltonetworks.com/chromeloader-malware/) - Palo Alto Networks Unit 42
  * [macOS section](https://unit42.paloaltonetworks.com/chromeloader-malware/#post-123828-_mpyacggxtibk)
* [I see what you did there: A look at the CloudMensis macOS spyware](https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/) - Marc-Etienne M.Léveillé
  * [ESET Tweet Thread](https://twitter.com/ESETresearch/status/1549329017853067264)

## Vulnerabilities
* [Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706](https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/) - Defender Research Team
  * CVE-2022-26706

## Offensive
* [macOS Red Teaming: Apple Dev-ID signed Java environment](https://wojciechregula.blog/post/macos-red-teaming-apple-signed-java/) - Wojciech Reguła

## Tweets
* https://twitter.com/philofishal/status/1543562218985472001
  * Adload Go variants
* https://twitter.com/patrickwardle/status/1547967373264560131
  * NSCreateObjectFileImageFromMemory now writes the binary to disk before exec
* https://twitter.com/esetresearch/status/1547943014860894210
  * “fake Salesforce update as a lure to deploy the Sliver malware for macOS”
  * Related to the SentinelOne “From the Front Lines” post above
* https://twitter.com/zhuowei/status/1550324794830344195
  * macOS 12.5 App Store Sandbox LC_DYLD_ENVIRONMENT check

/2023/PDFs/01:01 The Mac Malware of 2022 - Patrick Wardle.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:01 The Mac Malware of 2022 - Patrick Wardle.pdf

/2023/PDFs/01:03 Can you rely on macOS Ventura for malware protection? – The Eclectic Light Company.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:03 Can you rely on macOS Ventura for malware protection? – The Eclectic Light Company.pdf

/2023/PDFs/01:04 How do you know when macOS detects and remediates malware? – The Eclectic Light Company.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:04 How do you know when macOS detects and remediates malware? – The Eclectic Light Company.pdf

/2023/PDFs/01:09 7 Ways Threat Actors Deliver macOS Malware in the Enterprise - Phil Stokes.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:09 7 Ways Threat Actors Deliver macOS Malware in the Enterprise - Phil Stokes.pdf

/2023/PDFs/01:12 DER Entitlements The (Brief) Return of the Psychic Paper - Ivan Fratric.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:12 DER Entitlements The (Brief) Return of the Psychic Paper - Ivan Fratric.pdf

/2023/PDFs/01:13 Bad things come in large packages- .pkg signature verification bypass on macOS · Sector 7.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:13 Bad things come in large packages- .pkg signature verification bypass on macOS · Sector 7.pdf

/2023/PDFs/01:14 Restoring Dyld Memory Loading - Adam Chester.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:14 Restoring Dyld Memory Loading - Adam Chester.pdf

/2023/PDFs/01:19 CVE-2022-42864 - Diabolical Cookies.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/01:19 CVE-2022-42864 - Diabolical Cookies.pdf

/2023/PDFs/02:04 Building a Custom Mach-O Memory Loader for macOS - Part 1 - Adam Chester.pdf:
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2023/PDFs/02:04 Building a Custom Mach-O Memory Loader for macOS - Part 1 - Adam Chester.pdf

/2023/README.md:

# macOS Security Research 2023

# January

## Blog Posts
* [Restoring Dyld Memory Loading](https://blog.xpnsec.com/restoring-dyld-memory-loading/) - Adam Chester
  * https://github.com/100DaysofYARA/2023/blob/main/glesnewich/SUSP_MacOS_Injection_APIs.yar - Greg Lesnewich
    * YARA rule to detect Adam’s reimplementation
* [7 Ways Threat Actors Deliver macOS Malware in the Enterprise](https://www.sentinelone.com/blog/7-ways-threat-actors-deliver-macos-malware-in-the-enterprise/) - Phil Stokes

## Malware
* [The Mac Malware of 2022](https://objective-see.org/blog/blog_0x71.html) - Patrick Wardle

## Vulnerabilities & Exploits
* [Bad things come in large packages: .pkg signature verification bypass on macOS](https://sector7.computest.nl/post/2023-01-xar/) - Sector 7
  * CVE-2022-42841
* [XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings](https://bugs.chromium.org/p/project-zero/issues/detail?id=2361) - Ian Beer
  * CVE-2022-46689
  * This is an improved PoC from the previous PoC by Zhuowei Zhang
in December 2022 20 | * [Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug](https://worthdoingbadly.com/macdirtycow/) 21 | * Tweet from Zhuowei Zhang explaining the improvements 22 | * https://twitter.com/zhuowei/status/1614070658308231169 23 | * [DER Entitlements: The (Brief) Return of the Psychic Paper](https://googleprojectzero.blogspot.com/2023/01/der-entitlements-brief-return-of.html) - Ivan Fratric 24 | * CVE-2022-42855 25 | * [CVE-2022-42864 - Diabolical Cookies](https://muirey03.blogspot.com/2023/01/cve-2022-42864-diabolical-cookies.html) - Muirey03 26 | * CVE-2022-42864 27 | * [CVE-2023-23504: XNU Heap Underwrite in dlil.c](https://adamdoupe.com/blog/2023/01/23/cve-2023-23504-xnu-heap-underwrite-in-dlil-dot-c/) - Adam Doupé 28 | * CVE-2023-23504 29 | 30 | ## Eclectic Light Company (Howard Oakley) 31 | * [Can you rely on macOS Ventura for malware protection?](https://eclecticlight.co/2023/01/03/can-you-rely-on-macos-ventura-for-malware-protection/) 32 | * [How do you know when macOS detects and remediates malware?](https://eclecticlight.co/2023/01/04/how-do-you-know-when-macos-detects-and-remediates-malware/) 33 | 34 | ## Tweets 35 | 36 | 37 | --- 38 | 39 | 40 | # February 41 | 42 | ## Blog Posts 43 | * [Building a Custom Mach-O Memory Loader for macOS - Part 1](https://blog.xpnsec.com/building-a-mach-o-memory-loader-part-1/) - Adam Chester 44 | 45 | ## Malware 46 | * 47 | 48 | ## Vulnerabilities & Exploits 49 | * 50 | 51 | ## Eclectic Light Company (Howard Oakley) 52 | * 53 | 54 | ## Tweets 55 | * -------------------------------------------------------------------------------- /2024/PDFs/01: 01 The Mac Malware of 2023.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01: 01 The Mac Malware of 2023.pdf -------------------------------------------------------------------------------- 
/2024/PDFs/01:02 Protecting macOS 7 Strategies for Enterprise Security in 2024.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:02 Protecting macOS 7 Strategies for Enterprise Security in 2024.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:04 Analyzing DPRK's SpectralBlur.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:04 Analyzing DPRK's SpectralBlur.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:11 Hi, My Name is Keyboard.md:
--------------------------------------------------------------------------------
# Hi, My Name is Keyboard

Bluetooth vulnerabilities in Android, Linux, macOS, iOS and Windows can be exploited to pair an emulated Bluetooth keyboard and inject keystrokes without user confirmation.

Vulnerabilities in the Magic Keyboard can be exploited to extract the Bluetooth link key via the Lightning port or unauthenticated Bluetooth.

(Proof-of-concept scripts will be released following my [ShmooCon talk](https://www.shmoocon.org/speakers/#hikeyboard) at ~3pm ET on January 13th.)

### CVE-2024-0230

The Magic Keyboard <-> Mac pairing process can be exploited to extract the Bluetooth link key from a Magic Keyboard via unauthenticated Bluetooth or the Lightning port. If Lockdown Mode is not enabled, the link key can also be read from the paired Mac over USB.

The Magic Keyboard link key can be read:

- via the Lightning port if the keyboard has not been powered off since the last time it was plugged into the Mac

- via unauthenticated Bluetooth when the keyboard gets unplugged from its Mac

- via the USB port on the paired Mac (if Lockdown Mode is not enabled)

#### Known Affected Versions

*NOTE: Firmware updates for the Magic Keyboard were observed rolling out on 2023-01-09. A cursory evaluation was performed, and it appears that Apple has mitigated the CVE-2024-0230 attacks which exploit the Magic Keyboard over Lightning and Bluetooth. This section will be updated when more details are available.*

Apple security release: [Magic Keyboard Firmware Update 2.0.6](https://support.apple.com/en-us/HT214050)

| Product | Version / Model | CVE | Interface | Fix |
|-|-|-|-|-|
| macOS | 12, 13, 14 | CVE-2024-0230 | USB | (fix details pending) |
| Magic Keyboard | A2449 | CVE-2024-0230 | Lightning, Bluetooth | (fix details pending) |
| Magic Keyboard | A2450 | CVE-2024-0230 | Lightning, Bluetooth | (fix details pending) |
| Magic Keyboard | A2520 | CVE-2024-0230 | Lightning, Bluetooth | (fix details pending) |
| Magic Keyboard | A1843 | CVE-2024-0230 | Lightning, Bluetooth | (fix details pending) |
| Magic Mouse | A1657 | CVE-2024-0230 | Lightning, Bluetooth | (fix details pending) |


### CVE-2023-45866 and CVE-2024-21306

The Bluetooth stacks in multiple operating systems allow an attacker to pair a virtual Bluetooth keyboard without authentication or user confirmation. The attacker can then inject keystrokes to perform actions as the user, so long as those actions do not require password or biometric authentication.

- **Android** is vulnerable when Bluetooth is enabled
- **Linux/BlueZ** is vulnerable when Bluetooth is discoverable and connectable (typically when a 'Bluetooth settings' dialog is open)
- **macOS** and **iOS** are vulnerable when the host is connecting to a paired Magic Keyboard
- **Windows** is vulnerable when a Bluetooth keyboard has been paired with the computer, and the keyboard is powered off or out of range.

The Android vulnerability is zero-click, and unpatched devices can be exploited whenever Bluetooth is enabled.

The Linux vulnerability is zero-click, and unpatched hosts can be exploited when they are discoverable and connectable over Bluetooth. Typically this occurs when the Bluetooth settings panel is open.

The macOS and iOS vulnerabilities are zero-click, but can only be exploited when the Mac or iPhone is attempting to connect to a paired Magic Keyboard. In practice, a Mac is exploitable when the user unplugs their Magic Keyboard after pairing or charging, and an iPhone is exploitable when the user is connecting to their paired Magic Keyboard.

The Windows vulnerability can be exploited if the user interacts with a malicious pairing request in any way (clicking accept, reject or close).

#### Known Affected Versions

| Product | Version | CVE | Fix | Notes |
|-|-|-|-|-|
| Android | 4.2, 5, 6, 7, 8, 9, 10 | CVE-2023-45866 | no fix available | Android 3 and earlier were not tested |
| Android | 11, 12, 13, 14 | CVE-2023-45866 | [fixed in 2023-12-05 security patch level](https://source.android.com/docs/security/bulletin/2023-12-01#2023-12-05-security-patch-level-vulnerability-details) | |
| Linux (BlueZ) | [Affected Distros](#linux-distributions) | CVE-2023-45866 | [BlueZ patch available](https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675) | |
| macOS | 12, 13 | CVE-2023-45866 | no fix available | macOS 11 and earlier were not tested |
| macOS | 14 | CVE-2023-45866 | [fixed in macOS 14.2](https://support.apple.com/en-us/HT214036) | |
| iOS | 16 | CVE-2023-45866 | no fix available | iOS 15 and earlier were not tested |
| iOS | 17 | CVE-2023-45866 | [fixed in iOS 17.2](https://support.apple.com/en-us/HT214035) | |
| Windows | 10, 11, Server 2022 | CVE-2024-21306 | [fixed in January 2024 Patch Tuesday](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21306) | earlier versions of Windows were not tested |

## Crash Course in Bluetooth HID

This section provides a brief introduction to some relevant Bluetooth HID concepts.

**H**uman **I**nterface **D**evices communicate by sending and receiving messages called **reports**.

- **Input** reports include keypresses and mouse movement/clicks
- **Output** reports include commands and state changes
- **Feature** reports are used by the host to read and write device settings

HID reports are transport agnostic, and can be received by the host over USB or Bluetooth.

Bluetooth HID devices communicate using **Bluetooth Classic L2CAP** sockets.

- L2CAP port 17 is the **HID Control** channel (feature reports, high latency)
- L2CAP port 19 is the **HID Interrupt** channel (input and output reports, low latency)

A Bluetooth HID link is considered established when both L2CAP ports are connected, so in general, if you can connect to L2CAP 17 and 19 on a host, you can inject keystrokes.

In order for a Bluetooth keyboard to connect to L2CAP 17 and 19, it needs to pair with the host.

- **Link Key** is used to encrypt the data sent between two Bluetooth devices
- **Pairing** establishes the link key
- **Bonding** saves the link key to the device
- **Out of Band Pairing** performs pairing and bonding over a non-Bluetooth channel like NFC or USB
- **Pairing Capability** defines the authentication mechanisms supported by a host or peripheral

### User Initiated Pairing Flow

Pairing is normally initiated when the user selects from a list of Bluetooth devices displayed on the host.

```mermaid
sequenceDiagram
    User->>Host: please pair with this keyboard
    Host->>Keyboard: I want to pair
    Keyboard-->>Host: okay, I require authentication
    Host-->>Keyboard: I also require authentication
    Host->>User: please type this passkey on the keyboard
    Keyboard-->>Host: here is the passkey
    Host-->>Keyboard: looks good, let's establish a link key
    Keyboard-->Host:
    Keyboard->>Host: here are some keystrokes
```

### Keyboard Initiated Pairing Flow

Pairing can also be initiated by the keyboard.

If the keyboard declares that it does not support authentication, we expect the host to reject the pairing attempt.

If the host accepted a pairing request without authentication, an attacker could pair a keyboard without the user's consent.

```mermaid
sequenceDiagram
    Keyboard->>Host: I want to pair
    Host-->>Keyboard: okay
    Keyboard-->>Host: I don't require authentication
    Host-->>Keyboard: I require authentication
    Host-->Keyboard:
```

## Forced Pairing and Keystroke Injection

This section describes the keystroke-injection vulnerabilities affecting Android, Linux, macOS, iOS and Windows.

Vulnerable devices support keyboard-initiated pairing and do not require authenticated pairing. As a result, a keyboard (or emulated keyboard) can pair with a vulnerable device without user confirmation.

Forced pairing and keystroke injection are possible when the following criteria are met:

- the host is connectable/discoverable
- the host supports pairing without authentication via the `NoInputNoOutput` pairing capability
- the attacker can connect to L2CAP ports 17 and 19 on the host

On Linux and Android, L2CAP 17 and 19 are available whenever the host is discoverable.

On macOS, iOS and Windows, L2CAP 17 and 19 are only available to known peripherals (identified by Bluetooth address).

The Linux and Android attacks can be performed with ~any Bluetooth adapter, while the macOS, iOS and Windows attacks require a Broadcom-based Bluetooth adapter.

### Keystroke Injection Pairing Flow

```mermaid
sequenceDiagram
    Evil Keyboard->>Host: I want to pair
    Host-->>Evil Keyboard: okay
    Evil Keyboard-->>Host: I don't require authentication
    Host-->>Evil Keyboard: I also don't require authentication
    Evil Keyboard-->>Host: let's establish a link key
    Evil Keyboard-->Host:
    Evil Keyboard->>Host: here are some keystrokes
    User->>Host: WTF?
```

## Magic Keyboard Link Key Extraction

This section describes vulnerabilities which can be exploited to extract the Bluetooth link key from a Magic Keyboard or its paired Mac.

### Out-of-Band Pairing

Out-of-band pairing occurs over USB HID when the Magic Keyboard is plugged into the Mac (and the connection is accepted if the Mac is in Lockdown Mode).

1. The Mac generates a random link key and stores it in the Keychain
2. The Mac sends the link key to the keyboard over USB, along with the Bluetooth address of the Mac
3. The keyboard stores the link key and Bluetooth address in memory
4. When the keyboard is unplugged from the Mac, it uses the address and link key to connect to the Mac over Bluetooth

### Unauthenticated Bluetooth HID Services

An unauthenticated Bluetooth HID service is available on the Magic Keyboard when the Bluetooth radio is powered on, persisting until the keyboard connects to the Mac via Bluetooth or Lightning/USB.

This occurs when the Magic Keyboard is switched on, and again when it is unplugged from the Mac.

An unauthenticated attacker can connect to the keyboard and send/receive HID messages as if they were the paired Mac. This includes receiving keystrokes and reading/writing HID feature reports.

### Extracting the Link Key from the Lightning Port

After out-of-band pairing is performed, the link key remains in memory until the keyboard is switched off, so an attacker with physical access to the keyboard can extract the link key by connecting to the Lightning port and reading the appropriate HID report.

### Extracting the Link Key over Unauthenticated Bluetooth

When the Magic Keyboard is unplugged from the Mac, an attacker can connect to the unauthenticated Bluetooth HID services and extract the link key by reading the appropriate HID report.
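The host-side pairing decision behind the "Forced Pairing and Keystroke Injection" section above, reduced to a policy model: an added example in Python, not code from the advisory or its author. The `Host`, `PairingRequest` and `IoCapability` names, the per-OS L2CAP 17/19 reachability rule and the Bluetooth addresses are assumptions and constructed values; it models only the accept/reject policy the advisory's sequence diagrams describe (vulnerable host beside the fixed one), not a Bluetooth stack.

```python
from dataclasses import dataclass, field
from enum import Enum


class IoCapability(Enum):
    """Secure Simple Pairing IO capabilities that matter for this advisory."""
    DISPLAY_YES_NO = "DisplayYesNo"          # host UI that can show/confirm a passkey
    KEYBOARD_ONLY = "KeyboardOnly"           # a keyboard that can type a passkey
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"   # "Just Works": no authentication possible


@dataclass
class PairingRequest:
    initiator: str          # "user" (chosen in the host's settings UI) or "peripheral"
    peer_address: str       # Bluetooth address the peripheral presents (constructed below)
    peer_io: IoCapability   # pairing capability the peripheral declares


@dataclass
class Host:
    os: str                 # "android", "linux", "macos", "ios" or "windows"
    patched: bool           # fix for CVE-2023-45866 / CVE-2024-21306 applied
    discoverable: bool = False
    bonded: set = field(default_factory=set)   # addresses of already-paired peripherals

    def hid_reachable(self, peer_address: str) -> bool:
        """Can a peripheral at this address open L2CAP 17 and 19 on the host?"""
        if self.os in ("linux", "android"):
            # Per the advisory: both channels are open whenever the host is discoverable.
            return self.discoverable
        # macOS, iOS and Windows only serve known peripherals, identified by address.
        return peer_address in self.bonded

    def decide(self, req: PairingRequest) -> str:
        """Outcome of one pairing attempt, following the advisory's sequence diagrams."""
        if not self.hid_reachable(req.peer_address):
            return "unreachable"                  # no HID channels, nothing to pair with
        if req.initiator == "user":
            # User-initiated flow: the host demands a passkey (or an explicit
            # confirmation), so the peripheral is authenticated by the user.
            return "paired-user-authenticated"
        if req.peer_io is not IoCapability.NO_INPUT_NO_OUTPUT:
            # Keyboard-initiated, but the peripheral supports authentication:
            # the host shows a passkey the user would have to type.
            return "passkey-prompt"
        if self.patched:
            # Fixed host: answers "I require authentication" and drops the
            # unauthenticated, keyboard-initiated request.
            return "rejected"
        # Vulnerable host: replies NoInputNoOutput too, a link key is established
        # with no user involvement, and input reports are then accepted.
        return "paired-unauthenticated"


def keystroke_injection_possible(host: Host, req: PairingRequest) -> bool:
    """True exactly when the advisory's three criteria (connectable host,
    NoInputNoOutput accepted, L2CAP 17/19 reachable) are all met."""
    return host.decide(req) == "paired-unauthenticated"


def exposure_report() -> dict:
    """Constructed scenarios mirroring the per-OS conditions in the advisory."""
    bonded_kbd = "AA:BB:CC:DD:EE:FF"      # constructed: address of a paired Magic Keyboard
    unknown = "11:22:33:44:55:66"         # constructed: address the host has never seen

    def just_works(addr: str) -> PairingRequest:
        return PairingRequest("peripheral", addr, IoCapability.NO_INPUT_NO_OUTPUT)

    scenarios = {
        # Android: the advisory says exploitable whenever Bluetooth is enabled
        "android-unpatched": (Host("android", patched=False, discoverable=True), just_works(unknown)),
        # Linux/BlueZ with the settings panel closed: not discoverable, channels closed
        "linux-unpatched-not-discoverable": (Host("linux", patched=False), just_works(unknown)),
        # macOS 12/13 reconnecting to a paired Magic Keyboard, same address presented
        "macos-unpatched-known-address": (Host("macos", patched=False, bonded={bonded_kbd}), just_works(bonded_kbd)),
        # macOS 14.2: same situation, fixed host
        "macos-14.2-known-address": (Host("macos", patched=True, bonded={bonded_kbd}), just_works(bonded_kbd)),
        # Windows: a paired keyboard exists, but the request comes from an unknown address
        "windows-unpatched-unknown-address": (Host("windows", patched=False, bonded={bonded_kbd}), just_works(unknown)),
    }
    return {name: keystroke_injection_possible(h, r) for name, (h, r) in scenarios.items()}
```

Only the last scenario set, the fixed host, turns the keyboard-initiated `NoInputNoOutput` request into a rejection; the user-initiated and passkey paths are unchanged by the patch.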
This attack depends on a race condition where the attacker must connect to the Bluetooth HID services on the Magic Keyboard before the keyboard connects to the Mac. In testing, the attacker wins the race approximately 50% of the time.

### Extracting the Link Key from the USB Port on the Mac

The first time the Magic Keyboard is plugged into the Mac, the Bluetooth daemon generates a random link key and sends it to the keyboard over USB. The next time the keyboard is plugged into the Mac, the Bluetooth daemon recognizes the keyboard using its serial number and Bluetooth address, and resends the original link key.

If an attacker knows the Bluetooth address and serial number of a Magic Keyboard paired with a Mac, they can spoof the Magic Keyboard and read the link key from the USB port on the Mac (which can be screen locked).

This attack is mitigated by Lockdown Mode on macOS.

### Pairing the Magic Keyboard to a Different Host

An attacker can pair the Magic Keyboard with a different computer by writing out-of-band pairing data over Lightning/USB or unauthenticated Bluetooth. After the OOB pairing data is written, the Magic Keyboard will connect to the attacker-configured host.

---

### Linux Distributions

This table lists patch details published by affected Linux distributions. It is not intended to be a complete list of distributions vulnerable to CVE-2023-45866.

| Distribution | Patch Information |
|-|-|
| Ubuntu | https://ubuntu.com/security/CVE-2023-45866 |
| Debian | https://security-tracker.debian.org/tracker/CVE-2023-45866 |
| Redhat | https://access.redhat.com/security/cve/cve-2023-45866 |
| Amazon Linux | https://explore.alas.aws.amazon.com/CVE-2023-45866.html |
| Fedora | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/ |
| Gentoo | https://bugs.gentoo.org/919383 |
| Arch | https://gitlab.archlinux.org/archlinux/packaging/packages/bluez/-/commit/47e9592b1b322c54bdb094238f52fa20513c624b |
| OpenEmbedded | https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=f03cb448574a730d85ed6d80bb58561674005ede |
| Yocto | https://patchwork.yoctoproject.org/project/oe-core/patch/20231208114435.416415-1-archana.polampalli@windriver.com/ |
| NixOS | https://github.com/NixOS/nixpkgs/blob/3dda6d5ed56af34534dd4cdcdd85627df25aec55/pkgs/os-specific/linux/bluez/default.nix#L45-L50 |

--------------------------------------------------------------------------------
/2024/PDFs/01:15 The Many Faces of Undetected macOS InfoStealers KeySteal, Atomic & CherryPie Continue to Adapt.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:15 The Many Faces of Undetected macOS InfoStealers KeySteal, Atomic & CherryPie Continue to Adapt.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:15 Why Join The Navy If You Can Be A Pirate?.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:15 Why Join The Navy If You Can Be A Pirate?.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:16 macOS Malware 2023 A Deep Dive into Emerging Trends and Evolving Techniques.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:16 macOS Malware 2023 A Deep Dive into Emerging Trends and Evolving Techniques.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:17 Atomic Stealer for macOS has been updated to bypass detection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:17 Atomic Stealer for macOS has been updated to bypass detection.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:18 CVE-2023-44077: ShareBrowser Privilege Escalation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:18 CVE-2023-44077: ShareBrowser Privilege Escalation.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:18 Jamf Threat Labs Discovers Pirated macOS Apps Similar to ZuRu Malware.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:18 Jamf Threat Labs Discovers Pirated macOS Apps Similar to ZuRu Malware.pdf

--------------------------------------------------------------------------------
/2024/PDFs/01:23 Playing with Libmalloc in 2024.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmachos/macOS-Security-Research/63f0339efad4c1d62b8207ab09840b881ebbe6b1/2024/PDFs/01:23 Playing with Libmalloc in 2024.pdf

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Mikey

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# macOS Security Research

* [2022](https://github.com/0xmachos/macOS-Security-Research/blob/main/2022/README.md)
* [2023](https://github.com/0xmachos/macOS-Security-Research/blob/main/2023/README.md)


# Older Research
* [Abertay Hackers](https://twitter.com/AbertayHackers) [macOS Wiki Page](https://wiki.hacksoc.co.uk/help-guides/software/operating-systems/macos#research) (2015 - 2018)
* [osxreverser](https://twitter.com/osxreverser) [macOS Papers, Slides and Thesis Archive](https://papers.put.as/macosx/macosx/) (2000 - 2020)


--------------------------------------------------------------------------------