dothanthitiendiettiende

Sarah Edwards (@iamevltwin)
Unified Log
- Howard Oakley @howardnoakley
  - Unified log: 1 why, what and how
  - Unified log: 2 content and extraction
Unified log: 3 finding your way

StreamLabs OBS macOS TCC bypass

The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.

We can see the wrong permissions with running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)

	#!/bin/zsh

	: '
	You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
	https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api
	https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
	'

	APPLE_OSS_DIR="all_apple_oss_archives"
	APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt"

	<html>
	<head>
	<title>google-ctf fullchain</title>
	</head>
	<body>
	<h1>HK</h1>
	<pre id='log'></pre>
	</body>
	<script src='./mojo/mojo_bindings.js'></script>
	<script src="./mojo/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>

	<script>
	function gc() {
	for (var i = 0; i < 0x80000; ++i) {
	var a = new ArrayBuffer();
	}
	}

	let shellcode = [

	// Move x18 to x28 (TEB)

	// Bugs by NSO Group / Ian Beer.
	// Exploit by Siguza & tihmstar.
	// Thanks also to Max Bazaliy.

	#include <stdint.h> // uint32_t, uint64_t
	#include <stdio.h> // fprintf, stderr
	#include <string.h> // memcpy, memset, strncmp
	#include <unistd.h> // getpid
	#include <mach/mach.h>
	#include <stdlib.h>

	#include <IOKit/IOKitLib.h>
	#include <mach/mach.h>
	#include <stdio.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <ctype.h>

	void hexdump(void *ptr, int buflen) {
	unsigned char buf = (unsigned char)ptr;
	int i, j;

	//
	// main.m
	// EndpointSecurityDemo
	//
	// Created by Omar Ikram on 17/06/2019 - macOS Catalina 10.15 Beta 1 (19A471t)
	// Updated by Omar Ikram on 15/08/2019 - macOS Catalina 10.15 Beta 5 (19A526h)
	// Updated by Omar Ikram on 01/12/2019 - macOS Catalina 10.15 (19A583)
	// Updated by Omar Ikram on 31/01/2021 - macOS Big Sur 11.1 (20C69)
	// Updated by Omar Ikram on 07/05/2021 - macOS Big Sur 11.3.1 (20E241)
	// Updated by Omar Ikram on 04/07/2021 - macOS Monterey 12 Beta 2 (21A5268h)

	/*
	During Dark Mode migration for macOS, I found it helpful to have a global hotkey
	which toggled between Light/Dark Mode.

	This hack attempts to do something similar for iOS.

	1) Add your main window in -applicationDidFinishLaunching:
	2) Triple tap the window (I tend to do this near the title bar) to flip between light and dark.
	*/

	/*
	This query looks at the programs referenced by LaunchDaemons in order to find ones which are writable by non-root users.

	Note that it is hard to tell what will actually be executed by launchd in some cases, and may return false positives. Reccomended to be used with process monitoring as well.
	*/

	select
	distinct p.launchd_path as launchd_path,
	p.launchd_label as launchd_label,
	f.path,