CVE-2018-8412: by MS Office for Mac Legacy Package to provide the right-vulnerability warning-the black bar safety net

ID MYHACK58:62201891366
Type myhack58
Reporter 佚名
Modified 2018-09-02T00:00:00


Note: a patch has been released, please will you MAU upgrade to 18081201 ! Microsoft Autoupdate Helper 3.18(180410) + legacy SilverLight insecure installer package EoP Scope of impact: Microsoft Office for Mac 2016 and SkypeForBusiness( This report relates to two main defects: 1. Code signature verification bypass; and 2. Insecure installer module loaded. XPC authentication bypass In/Library/PrivilegedHelperTools/com. microsoft. autoupdate. helper there is a XPC service com. microsoft. autoupdate. helper. The service is based on the NSXPCConnection, and only provides two of the XPC interface: @protocol MAUHelperToolProtocol - (void)logString:(NSString )arg1 atLevel:(int)arg2 fromAppName:(NSString )arg3; - (void)installUpdateWithPackage:(NSString )arg1 withXMLPath:(NSString )arg2 withReply:(void (^)(NSString ))arg3; @end In the XPC when the connection is established, will check the other pid corresponding to the code signature is on the white list: char cdecl -MAUHelperTool listener:shouldAcceptNewConnection: { ... caller_pid = (unsigned int64)objc_msgSend(v6, "processIdentifier", self); ksecguestattrpid = kSecGuestAttributePid; number_with_pid = objc_msgSend(&OBJC;_CLASSNSNumber, "numberWithInt:", callerpid); pid_as_nsnumber = objc_retainAutoreleasedReturnValue(number_with_pid); _dict = objc_msgSend( &OBJC;_CLASS_NSDictionary, "dictionaryWithObjects:forKeys:count:", &pid;_as_nsnumber, &ksecguestattrpid;, 1LL); attributes = objc_retainAutoreleasedReturnValue(_dict); objc_release(pid_as_nsnumber); guest_code = 0LL; v12 = 0; if ( ! (unsigned int)SecCodeCopyGuestWithAttributes(0LL, attributes, 0LL, &guest;_code) )// kSecCSDefaultFlags { v43 = 0LL; v12 = 0; if ( ! (unsigned int)SecRequirementCreateWithString( CFSTR("(identifier \"com. microsoft. autoupdate2\" or identifier \"com. microsoft. autoupdate. fba\") and anchor apple generic and certificate 1[field. 1. 2. 840. 113635. 100. 6. 2. 6] and certificate leaf[field. 1. 2. 840. 113635. 100. 6. 1. 13] and certificate leaf[subject. OU] = UBF8T346G9"), 0LL, &v43;) ) v12 = (unsigned int)SecCodeCheckValidity(guest_code, 0LL, v43) == 0; if ( v43 ) CFRelease(v43); The following are the two possible bypass methods: First, it uses the pid that is not to be trusted, because the execfunction of the process can be itself replaced by another process, and you can keep the previous pid constant. Please refer to the MacOS/iOS userspace entitlement checking is racy and Don't Trust the PID is! In fact, this method is not available. When the caller attempts to replace itself, the failure handler will be called, which causes the[MAUHelperTool shouldExit]the method returns true. v30 = _NSConcreteStackBlock; v31 = -1040187392; v32 = 0; v33 = sub_100002748; v34 = &unk;_100008440; v19 = (void )objc_retain(v27, v7); v35 = v19; objc_copyWeak(&v36;, &v43;); objc_msgSend(v7, "setInvalidationHandler:", &v30;); v20 = objc_msgSend(v19, "loggingConnections"); v21 = (void )objc_retainAutoreleasedReturnValue(v20); objc_msgSend(v21, "performSelectorOnMainThread:withObject:waitUntilDone:", "addObject:", v7, 1LL); objc_release(v21); int64 fastcall sub_100002748(int64 a1) { void v1; // rax void v2; // r14 int64 v3; // rbx v1 = objc_msgSend((void )(a1 + 32), "loggingConnections"); v2 = (void )objc_retainAutoreleasedReturnValue(v1); v3 = objc_loadWeakRetained(a1 + 40); objc_msgSend(v2, "performSelectorOnMainThread:withObject:waitUntilDone:", "removeObject:", v3, 1LL);

[1] [2] [3] next