Hello Operator. Mac OS

Hello Operator. Mac OS

June 02 2021

Hello Operator. Mac OS

  1. Hello Operator. Mac Os X
  2. Hello Operator. Mac Os Catalina
  3. Hello Operator. Mac Os 11
  4. Mac Os Download
  5. Mac Os Mojave

So here we'll make a command line operating system. As we saw the previous code, the code just writes some text on screen via Console.WriteLine function. Now we will write a OS where the user gives the input and the computer processes it. So, lets make a code which prints Hello User! Mac OS / Clang Windows / MSVC WebAssembly / Emscripten Interpreter / Cling IDEs Basic Syntax Basic Syntax Input / Output Input / Output Build script Hello World Input Output Format Tabulate Control flow Control flow Build script.

After my recent blog post, my old mate @_Dark_Knight_ reached out to me and he asked me a question:

“Do you typically callout user apps that allow dyld_insert_libraries?”

And a few similar ones, and I will be honest, I had no idea what is he talking about, if only I understood the question :D Despite the fact that my recent blog posts and talks are about macOS, I deal much more with Windows on a daily basis, probably like 95%, and macOS is still a whole new territory for me. So I decided to dig into the question and learn a bit more about this.

The Mac is a fun and powerful platform, and Objective-C is a wonderful language for writing code. You can have a great time programming the Mac in Objective-C. We do, and want you to join us! Mark Dalrymple is a longtime Mac and Unix programmer who has code running all over the world. Scott Knaster is a legendary Mac programmer and author of. Run the Installer Package to Install Go on Mac. Open the Mac OS installer package and follow the steps. There are no configurations and options to choose from, so it’s a straight forward installation.

As it turns out there is a very well known injection technique for macOS utilizing DYLD_INSERT_LIBRARIES environment variable. Here is the description of the variable from the dyld man document:

In short, it will load any dylibs you specify in this variable before the program loads, essentially injecting a dylib into the application. Let’s try it! I took my previous dylib code I used when playing with dylib hijacking:

Hello operator. mac os catalina

Compile:

For a quick test I made a sophisticated hello world C code, and tried it with that. In order to set the environment variable for the application to be executed, you need to specify DYLD_INSERT_LIBRARIES=[path to your dylib] in the command line. Here is how it looks like:

Executing my favourite note taker application, Bear (where I’m writing this right now) is also affected:

We can also see all these events in the log (as our dylib puts there a message):

There are two nice examples in the following blog posts about how to hook the application itself:

I will not repeat those, so if you are interested please read those.

Can you prevent this infection? Michael mentioned that you can do it by adding a RESTRICTED segment at compile time, so I decided to research it more. According to Blocking Code Injection on iOS and OS X there are three cases when this environment variable will be ignored:

  1. setuid and/or setgid bits are set
  2. restricted by entitlements
  3. restricted segment

We can actually see this in the source code of dyld - this is an older version, but it’s also more readable: https://opensource.apple.com/source/dyld/dyld-210.2.3/src/dyld.cpp

The function pruneEnvironmentVariables will remove the environment variables:

If we search where the variable sRestrictedReason is set, we arrive to the function processRestricted:

This is the code segment that will identify the restricted segment:

Now, the above is the old source code, that was referred in the article above - since then it has evolved. The latest available code is dyld.cpp looks slightly more complicated, but essentially the same idea. Here is the relevant code segment, that sets the restriction, and the one that returns it (configureProcessRestrictions , processIsRestricted ):

It will set the gLinkContext.allowEnvVarsPath to false if: Eda (demo) mac os.

  1. The main executable has restricted segment
  2. suid / guid bits are set
  3. SIP is enabled (if anyone wonders CSR_ALLOW_TASK_FOR_PID is a SIP boot configuration flag, but I don’t know much more about it) and the program has the CS_RESTRICT flag (on OSX = program was signed with entitlements)

But! It’s unset if CS_REQUIRE_LV is set. What this flag does? If it’s set for the main binary, it means that the loader will verify every single dylib loaded into the application, if they were signed with the same key as the main executable. If we think about this it kinda makes sense, as you can only inject a dylib to the application that was developed by the same person. You can only abuse this if you have access to that code signing certificate - or not, more on that later ;).

Polygot pelican mac os. There is another option to protect the application, and it’s enabling Hardened Runtime. Then if you want, you can specifically enable DYLD environment variables: Allow DYLD Environment Variables Entitlement - Entitlements. The above source code seems to be dated back to 2013, and this option is only available since Mojave (10.14), which was released last year (2018), probably this is why we don’t see anything about this in the source code.

Hello Operator. Mac Os X

For the record, these are the values of the CS flags, taken from cs_blobs.h

This was the theory, let’s see all of these in practice, if they indeed work as advertised. I will create an Xcode project and modify the configuration as needed. Before that we can use our original code for the SUID bit testing, and as we can see it works as expected:

Interestingly, in the past, there was an LPE bug from incorrectly handling one of the environment variables, and with SUID files, you could achieve privilege escalation, here you can read the details:OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability SektionEins GmbH

I created a complete blank Cocoa App for testing the other stuff. I also export the environment variable, so we don’t need to specify it always:

Hello Operator. Mac Os Catalina

If we compile it, and run as default, we can see that dylib is injected:

To have a restricted section, on the Build Settings -> Linking -> Other linker flags let’s set this value:

If we recompile, we will see a whole bunch of errors, that dylibs are being ignored, like these:

Our dylib is also not loaded, so indeed it works as expected. We can verify the segment being present with the size command, and indeed we can see it there:

Alternatively we can use the otool -l [path to the binary] command for the same purpose, the output will be slightly different.

Next one is setting the app to have ( hardened runtime ), we can do this at the Build Settings -> Signing -> Enable Hardened Runtime or at the Capabilities section. If we do this and rebuild the app, and try to run it, we get the following error:

If I code sign my dylib using the same certificate the dylib will be loaded:

If I use another certificate for code signing, it won’t be loaded as you can see below. I want to highlight that this verification is always being done, it’s not a Gatekeeper thing.

Interestingly, even if I set the com.apple.security.cs.allow-dyld-environment-variables entitlement at the capabilities page, I can’t load a dylib with other signature. Not sure what I’m doing wrong.

To move on, let’s set the library validation (CS_REQUIRE_LV) requirement for the application. It can be done, by going to Build Settings -> Signing -> Other Code Signing Flags and set it to -o library. If we recompile and check the code signature for our binary, we can see it enabled:

And we get the same error message as with the hardened runtime if we try to load a dylib with different signer.

The last item to try would be to set the CS_RESTRICT flag, but the only thing I found about this is that it’s a special flag only set for Apple binaries. If anyone can give more background, let me know, I’m curious. The only thing I could do to verify it, is trying to inject to an Apple binary, which doesn’t have the previous flags set, not a suid file neither has a RESTRICTED segment. Interestingly the CS_RESTRICT flag is not reflected by the code signing utility. I picked up Disk Utility. Indeed our dylib is not loaded:

Hello Operator. Mac Os 11

I would say that’s all, but no. Let’s go back to the fact that you can inject a dylib even to SUID files if the CS_REQUIRE_LV flag is set. (In fact probably also to files with the CS_RUNTIME flag). Yes, only dylibs with the same signature, but there is a potential (although small) for privilege escalation. To show, I modified my dylib:

Let’s sign this, and the test program with the same certificate and set the SUID bit for the test binary and run it. As we can see we can inject a dylib as expected and indeed it will run as root.

In theory you need one of the following to exploit this:

  1. Have the code signing certificate of the original executable (very unlikely)
  2. Have write access to the folder, where the file with SUID bit present -> in this case you can sign the file with your own certificate (code sign will replace the file you sign, so it will delete the original and create a new - this is possible because on *nix systems you can delete files from directories, where you are the owner even if the file is owned by root), wait for the SUID bit to be restored (fingers crossed) and finally inject your own dylib. You would think that such scenario wouldn’t exist, but I did find an example for it.

Here is a quick and dirty python script to find #2 items, mostly put together from StackOverflow :D

One last thought on this topic is GateKeeper. You can inject quarantine flagged binaries in Mojave, which in fact is pretty much expected.

However it doesn’t work anymore on Catalina, which is also expected with the introduced changes:

Hello Operator. Mac OS

We got a very similar error message as before:

I think applications should protect themselves against this type of dylib injection, and as it stands, it’s pretty easy to do, you have a handful of options, so there is really no reason not to do so. As Apple is moving towards notarization hardened runtime will be enabled slowly for most/all applications (it is mandatory for notarised apps), so hopefully this injection technique will fade away slowly. If you develop an app where you set the SUID bit, be sure to properly set permissions for the parent folder.

GIST link to codes:DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX deep dive · GitHub

Hello Operator?

Before we jump into the switches we use in our day to day lives at the office. I would like to take you back again to a time when we had telephone operators who would “switch” our calls for us. These operators had the job of picking up any calls that would come in. You would tell them who you are trying to reach and they would connect your line by physically moving a cable from one port on the switchboard to the port of the person you are calling. Their phone will ring and now you are able to have a telephone conversation.
I want you to remember the concept of the operator having to take a physical wire and connect it to a different port as we will be making our own switches do this for us in a similar fashion automatically for us as we start discussing the network switch next.

The Network Switch

Now what is a switch and what does it do? Similar to the call operators it is a central point where cabling goes into (physical) in order to receive frames or “Signals” that are then switched out of the correct ports, switches are an evolution of networking technology which is a great advancement from things such as hubs as well as bridges, the switch is smart enough to switch traffic specifically on a port basis where only the port where the recipient is connected to will receive the frames and the sender will receive any return traffic back, things such as hubs would broadcast the traffic out of all the ports causing problems such as increased network traffic as well as major security concerns as everyone would receive your data.
The process a switch follows is quite straight forward and I will quickly list the details here while we reference the OSI Model as well.
1) The switch will receive a frame on one of its ports and this frame will contain a destination and source MAC-address.
2)The switch will put an entry in its CAM Table or MAC-Address table of which port the frame came from and it will do a lookup against the MAC-Address table if the destination MAC-Address has been learned.
3)If the destination MAC-Address has not yet been learned the switch will send a broadcast message out (an ARP) of all of its ports to try and learn the MAC-Adress.
4)If the destination MAC-Address has been learned the frame will be sent out of the port where the MAC-Address has been learned if no MAC-Address is learned the frame will be dropped.
That is the base function the switch has, it is there to learn MAC-Addresses and switch the traffic in and out of ports, we also have additional features to talk about such as VLANs where the switch can partition some of its ports into different broadcast domains, meaning if the switch receives a frame with a VLAN tag added to the header it will only forward the frame out ports that also have this same VLAN tag configured to it.

Media Access Control Address

Mac Os Download

A Media Access Control Address or for short a MAC-ADDRESS. This is a physical 48bit address that is burned into each and every NIC when manufactured. These addresses will contain information on the OUI (Organizational Unique Identifier) as well as NIC specific information, think of the OUI as the vendor where Cisco, Juniper or Mikrotik devices will have their own unique 24bit address added to the front of each MAC-Address which serves as proof that this hardware belongs to this vendor.
Think of the MAC-ADDRESS as the IP address that switches use to communicate and that switches transfer frames by sending them out of a port for a specific MAC-ADDRESS, this is all pure Layer 2 communication.

Virtual Local-Area-Network (VLANs)

Mac Os Mojave

If you’re new to networking then the idea of VLANs might confuse you a little however, I will do my best to explain what a VLAN is in the easiest terms possible. VLANs allow us a way to assign our switch ports into different broadcast domains. VLANs also follow a standard called 802.1Q. If you recall I mentioned that a switch will send a broadcast message whenever it is doing a lookup for a MAC-ADDRESS. When we start adding VLANs to the Layer 2 equation the lookup will only be done on the broadcast domain that the frame was received so if you have a Laptop in VLAN1 trying to send a frame, the switch will receive the frame and only send the frame out of ports that also have VLAN1 assigned to it, the machines in VLAN2 will not receive any broadcast messages and no frames will be passed between machines in different VLANs.
This is useful for segmenting your network and could potentially also be a security requirement for the company you work for, where machines in your finance department may only see other finance department machines. Another use for this would be to split up customer networks as well, you could potentially use the same switch for many different customers and none of their frames will be exchanged with each-other due to how VLANs function.

Conclusion

You have now learned how switches work in our day to day lives and how layer 2 frames are passed between ports as well as what a Mac-Address is and what VLANs are, this is a very important fundamental for any network engineer as this plays a big part in your daily work, the bigger the networks you support the more VLANs you will start seeing and the more switches you will be supporting. I hope this has been informational for you and that you have learned something new.
Please apply to our newsletter for any new blogs that are posted as well as sign-up to my youtube channel to view any related vlogs on any of these subjects.

Hungry for more?

Why not check out the follow-up post on routers and routing
https://thenetworkberg.com/routers-and-routing to get more insight on how routing works or check out the previous article for a refresher on host-to-host communication on what a network is
https://thenetworkberg.com/networking-basics

Hello Operator. Mac OS

Leave a Reply

Cancel reply