This blog is the second in a series from CrowdStrike’s RSA 2019 keynote, “Hacking Exposed: Hacking Macs,” where I joined CrowdStrike co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, as we demonstrated real-world attacks against MacOS machines and networks. In this video, I demonstrate the second stage of an attack, “Privilege Escalation.” In my previous blog, I focused on the first attack stage, “Delivery.”
Becoming a Root on a System
Once the delivery stage has been successful and the attackers have gained access to the machine, they must escalate their privileges — this means becoming the root user on the system for the purpose of performing privileged actions, such as accessing password data and other restricted files and folders.
To conduct this demonstration, I leveraged a vulnerability commonly found in applications with insecure update practices. In this case, we are working with the vendors to fix these vulnerabilities, so I won’t name the applications. For demo purposes, we’ve written our own application that shares the same update vulnerabilities as the ones we’ve found in the wild.
Root Access Aided by Poor Update Practices
Often, applications running with basic user permissions require a user to enter his or her password when it’s time to install an update. This leaves a small time gap for the attackers to replace the update with their own code. This is a relatively “old school” technique that is still proving successful today on all platforms.
Using the demo application we’ve built, here is how this privilege escalation unfolds, as demonstrated in the video:
- First, the demo shows you how the attacker gains root access by taking advantage of a file race condition in the vulnerable app’s update process.
- The race condition is performed by placing the update file where the application expects it. The immutable flag is used to keep the attacker update from being overwritten by the vulnerable application’s legitimate update.
- Then the attacker simply waits for the app to ask for an update — this step can be time-consuming, though depending on permissions, some apps can be manipulated into thinking they are ready for an update.
- In the final stage, the vulnerable app goes to update and the user enters his or her password. At this point, privileges are escalated and the attacker’s update is executed.
The video concludes by discussing countermeasures that can help keep attackers from escalating privileges.
First, it’s important to note that Apple has a number of enforced requirements for applications they offer in the App Store — one of them is the sandbox. Apps that are sandboxed are considered safer, in general, because if the attacker manages to exploit them, he must then find a way to escape the sandbox to access the rest of the system. The sandbox also provides developers with a number of ways to perform privilege separation, which can lead to a far more secure update process.
While Apple provides proactive updates, it is also incumbent on the user to be cautious about popups and prompts. For many years, there has been a strong focus on warning users about phishing attacks and the dangers of clicking on links in emails. However, there has been less focus on the prompts that crop up asking for your password. Users need to practice vigilance and question these prompts when they occur to determine whether they are legitimate or not.
- Watch the video that demonstrates a “Privilege Escalation” stage attack against MacOS
- Watch Part 1 of this series demonstrating a “Delivery: stage of a MacOS attack.
- Learn about a new Mac forensics tool in this blog: “AutoMacTC: Automating Mac Forensic Triage.”
- Download the 2019 Global Threat Report: “Adversary Tradecraft and the Importance of Speed.”
- Learn more about the CrowdStrike Falcon platform by visiting the web page.
- Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.