Though Apple now thwarts this attack, by protecting TCC.db via System Integrity Protection (SIP) - various macOS keyloggers still attempt to utilize this 'attack.' I figured one of these keyloggers would be a good addition to my slides as an illustrative example. By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user: With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. An example of the latter was DropBox, which directly modified macOS's 'privacy database' ( TCC.db) which contains the list of applications that are afforded 'accessibility' rights. Think, (ab)using AppleScript, sending simulated mouse events via core graphics, or directly interacting with the file system. Though reported and now patched, it allowed one to do things like dump passwords from the keychain or bypass High Sierra's "Secure Kext Loading" - in a manner that was invisible to the user 🙈.Īs part of my talk, I'm covering various older (and currently mitigated) attacks, which sought to dismiss or avoid UI security prompts.
UXPROTECT MAC APP CODE
Titled, " Synthetic Reality Breaking macOS One Click at a Time" my talk will discuss a vulnerability I found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogs. Next month, I'm stoked to be presenting some new research at SyScan360 in Singapore.
Want to play along? I've shared the malware, which can be downloaded here (password: infect3d).
0 kommentar(er)
