exploit the possibilities

Apple OS X Sandbox Predefined Profiles Bypass

Apple OS X Sandbox Predefined Profiles Bypass
Posted Nov 11, 2011
Authored by Core Security Technologies, Anibal Sacco, Matias Eissler | Site coresecurity.com

Core Security Technologies Advisory - Apple OS X suffered from a sandbox predefined profiles bypass vulnerability. Several of the default pre-defined sandbox profiles do not properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.

tags | exploit, bypass
systems | apple, osx
advisories | CVE-2011-1516
MD5 | 7f924d516a3c7831471b90fc7629fbac

Apple OS X Sandbox Predefined Profiles Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Apple OS X Sandbox Predefined Profiles Bypass


1. *Advisory Information*

Title: Apple OS X Sandbox Predefined Profiles Bypass
Advisory ID: CORE-2011-0919
Advisory URL: http://www.coresecurity.com/content/apple-osx-sandbox-bypass
Date published: 2011-11-10
Date of last update: 2011-11-10
Vendors contacted: Apple
Release mode: User release


2. *Vulnerability Information*

Class: Access control failure [CWE-264]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516


3. *Vulnerability Description*

Several of the default pre-defined sandbox profiles don't properly
limit all the available mechanisms and therefore allow exercising part
of the restricted functionality. Namely, sending Apple events is
possible within the no-network sandbox (kSBXProfileNoNetwork). A
compromised application hypothetically restricted by the use of the
no-network profile may have access to network resources through the
use of Apple events to invoke the execution of other applications not
directly restricted by the sandbox.

It is worth mentioning that a similar issue was reported by Charlie
Miller in his talk at Black Hat Japan 2008 [2]. He mentioned a few
processes sandboxed by default as well as a method to circumvent the
protection. Sometime after the talk, Apple modified the mentioned
profiles by restricting the use of Apple events but did not modify the
generic profiles.


4. *Vulnerable packages*

. Apple Mac OS X 10.7.x
. Apple Mac OS X 10.6.x
. Apple Mac OS X 10.5.x


5. *Non-vulnerable packages*

. Apple Mac OS X 10.4


6. *Vendor Information, Solutions and Workarounds*

Contact the vendor for more information.


7. *Credits*

This vulnerability was discovered and researched by Anibal Sacco and
Matias Eissler from Core Security Technologies. The publication of
this advisory was coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The use of Apple events is possible within the several default
profiles as no-network, no-internet (kSBXProfileNoNetwork,
kSBXProfileNoInternet) and others. A compromised application
hypothetically restricted by the use of the no-network profile may
have access to network resources through the use of Apple events to
invoke the execution of other applications not directly restricted by
the sandbox.

As Apple's "App Sandbox Design Guide" document points out,
applications that require sending Apple events to other arbitrary
applications are not suitable for sandboxing, because some developer
tools restrict Apple events by default while defining the sandbox. The
reason for this is that, as we show here, by dispatching Apple events
a process can escape the sandbox [1].

The method used by Charlie Miller involves dropping a script to the
disk and getting it executed by launchd via launchctl. Our approach is
technically the same without the need to drop a file. In our PoC we
used "osascript" to send the required Apple events to launchd in order
to execute the new process. As the new process is not a 'child' of the
sandboxed process, it is created without the sandbox restrictions.

An additional risk with these profiles is that they are supposed to
provide an example of how a process should be restricted in different
scenarios. If the no-network profile allows Apple-script events, this
may result in new applications using the same restriction rules,
therefore offering a false sense of security.

The following PoC illustrates this vulnerability:

/-----
import os
import sys
import socket

if len(sys.argv) != 2:
print "[-] Usage: sandbox-exec -n no-network python %s hostname" %
sys.argv[0]

try:
targetIP = sys.argv[1]
s = socket.socket()
s.connect((targetIP, 80))
s.send('GET /\r\n\r\n')
print(s.recv(1024))
print "\n\n\n[+] Sandbox escaped"

except Exception, e:
if "Operation not permitted" in str(e): #print repr(e)
print "[-] Blocked by seatbelt"
print "[ ] Escaping..."
os.system("""/usr/bin/osascript -e 'tell application
"Terminal" to do script "python %s %s"'""" % (sys.argv[0], targetIP))

- -----/


9. *Report Timeline*

. 2011-09-20:
Core Security Technologies notifies Apple Product Security of the
vulnerability, including technical details. Preliminary publication
date is set to November 7, 2011.

. 2010-09-20:
Vendor acknowledges the receipt of the information.

. 2010-10-05:
Vendor informs that it does not see any actual security implications.
The kSBXProfileNoNetwork sandbox profile does not promise that Apple
Events will be blocked in the documentation. (Specifically, all it
guarantees is "all sockets-based networking is prohibited".)

. 2011-10-13:
Core responds that the kSBXProfileNoNetwork sandbox profile should
guarantee that "all sockets-based networking is prohibited". The PoC
sent to Apple shows that through the use of Apple events (osascript is
used in the PoC just to keep it simple) an attacker could circumvent
the restriction. So, at the end, sockets-based networking is used.

. 2010-10-18:
Vendor responds that it is currently considering modifying its
documentation to explicitly point out what Core described; namely,
that the restrictions that these particular sandbox profiles provide
are limited to the process in which the sandbox is applied.

. 2011-11-10:
The advisory CORE-2011-0919 is published as user release.


10. *References*

[1] App Sandbox Design Guide -- Designing for App Sandbox
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/DesigningYourSandbox/DesigningYourSandbox.html

[2] Charlie Miller, "Hacking OS X", Black Hat Japan 2008
https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and demonstrate real-world exposures to their most critical
assets. Our customers can gain real visibility into their security
standing, real validation of their security controls, and real metrics
to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk68OxMACgkQyNibggitWa0YWgCfYbGm9R0+YJw6CxP6TNwdhEWr
9ZMAn16nqBqNbO582D5QpejeuTEV5RAj
=HruN
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    13 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close