Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.
Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.
Gatekeeper is designed to protect macOS users by performing a number of checks on a downloaded app before allowing it to run. By default it only lets through apps that come from the App Store or that are signed by an identified developer (and, on current releases, notarized); anything else is blocked unless the user explicitly overrides the decision. Gatekeeper only inspects files that carry the quarantine extended attribute (com.apple.quarantine), which Safari and other download paths set on the files they save, so anything that prevents that attribute from being written also sidesteps Gatekeeper entirely.
The flaw was discovered on July 27, 2022, by Jonathan Bar Or of Microsoft. Apple describes it as a logic issue that was addressed with improved checks.
"On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple's Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call 'Achilles'." reads the post published by Microsoft.
Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.
The experts pointed out that Apple's Lockdown Mode, announced in July, is aimed at stopping zero-click remote code execution exploits and therefore does not prevent the exploitation of the Achilles bug.
The Achilles vulnerability abuses the Access Control List (ACL) permission model. The attacker ships the downloaded file with an extremely restrictive ACL (everyone deny write, writeattr, writeextattr, writesecurity, chown). Because writeextattr is denied, Safari cannot set the com.apple.quarantine extended attribute on the file after the download completes; a file without that attribute is never examined by Gatekeeper, so the payload launches without the usual checks applied to content downloaded from the internet.
Below are the steps of the PoC developed by Microsoft:
Create a fake directory structure with an arbitrary icon and payload.
Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of "everyone deny write,writeattr,writeextattr,writesecurity,chown"). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
Create an archive with the application alongside its AppleDouble file and host it on a web server.
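The following is an added example, not Microsoft's PoC and not code from the article, showing the defensive side of the same mechanism: a scanner that opens a downloaded .zip, locates the AppleDouble ("._") sidecars an archive can carry, decodes the extended attributes stored in them, and flags any whose com.apple.acl.text ACL denies writeextattr, which is the exact condition that stops the quarantine attribute from being applied. The AppleDouble/xattr byte layout is taken from the struct definitions in xnu's vfs_xattr.c and the ACE text form from acl_to_text(3); that layout, the "everyone" group UUID in the sample ACE, and the sample archive are this example's assumptions, constructed here so the script runs offline. The builder function exists only to produce test data; on a real machine the sidecars come from the archive itself.

```python
import io
import struct
import zipfile

# AppleDouble v2 and xattr-area layout as defined in xnu's bsd/vfs/vfs_xattr.c (big-endian).
# The derived offsets are this example's assumption, not something the article states.
ADH_MAGIC, ADH_VERSION, AD_RESOURCE, AD_FINDERINFO = 0x00051607, 0x00020000, 2, 9
ATTR_HDR_MAGIC = 0x41545452                  # b"ATTR"
FINDERINFO_SIZE, AD_HEADER_LEN = 32, 26      # header: magic, version, filler[16], numEntries
FINFO_OFFSET = AD_HEADER_LEN + 2 * 12        # two 12-byte entries precede FinderInfo (50)
ATTR_HDR_LEN = 36                            # magic, debug_tag, total_size, data_start, data_length, reserved[3], flags, num_attrs
XATTR_TABLE_OFFSET = FINFO_OFFSET + FINDERINFO_SIZE + 2 + ATTR_HDR_LEN   # 120
ACL_XATTR = "com.apple.acl.text"

def _entry_len(name_with_nul: bytes) -> int:
    # attr_entry: offset(4) length(4) flags(2) namelen(1) name[namelen], padded to 4 bytes
    return (11 + len(name_with_nul) + 3) & ~3

def build_appledouble(xattrs: dict) -> bytes:
    """Serialize a '._name' sidecar carrying the given xattrs (used here to build test data)."""
    names = [(n, n.encode() + b"\0") for n in xattrs]
    data_start = XATTR_TABLE_OFFSET + sum(_entry_len(nb) for _, nb in names)
    table, data, off = b"", b"", data_start
    for name, nb in names:
        value = xattrs[name]
        table += struct.pack(">IIHB", off, len(value), 0, len(nb)) + nb
        table += b"\0" * (_entry_len(nb) - 11 - len(nb))
        data += value
        off += len(value)
    out = struct.pack(">II16sH", ADH_MAGIC, ADH_VERSION, b"Mac OS X        ", 2)
    out += struct.pack(">III", AD_FINDERINFO, FINFO_OFFSET, off - FINFO_OFFSET)  # spans xattr area
    out += struct.pack(">III", AD_RESOURCE, off, 0)                              # empty resource fork
    out += b"\0" * FINDERINFO_SIZE + b"\0\0"
    out += struct.pack(">IIIIIIIIHH", ATTR_HDR_MAGIC, 0, off, data_start, len(data), 0, 0, 0, 0, len(names))
    return out + table + data

def read_appledouble_xattrs(blob: bytes) -> dict:
    """Return {name: value} for the xattrs stored in an AppleDouble v2 sidecar ({} if none)."""
    magic, version, _, n_entries = struct.unpack_from(">II16sH", blob, 0)
    if magic != ADH_MAGIC or version != ADH_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    entries = [struct.unpack_from(">III", blob, AD_HEADER_LEN + 12 * i) for i in range(n_entries)]
    finfo = [(off, ln) for etype, off, ln in entries if etype == AD_FINDERINFO]
    if not finfo or finfo[0][1] <= FINDERINFO_SIZE + 2:
        return {}                                # FinderInfo only, no xattr area behind it
    pos = finfo[0][0] + FINDERINFO_SIZE + 2
    if struct.unpack_from(">I", blob, pos)[0] != ATTR_HDR_MAGIC:
        return {}
    num_attrs = struct.unpack_from(">H", blob, pos + ATTR_HDR_LEN - 2)[0]
    pos, found = pos + ATTR_HDR_LEN, {}
    for _ in range(num_attrs):
        off, length, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name_with_nul = blob[pos + 11:pos + 11 + namelen]
        found[name_with_nul.rstrip(b"\0").decode()] = blob[off:off + length]
        pos += _entry_len(name_with_nul)
    return found

def acl_denies_writeextattr(acl_text: str) -> bool:
    """True if a deny ACE withholds writeextattr, which is what makes the quarantine xattr write fail.
    ACE text form assumed from acl_to_text(3): '<who fields>:deny[,flags]:<perm,perm,...>'."""
    for line in acl_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("!#") or len(fields) < 2:
            continue                                 # version header or malformed line
        if fields[-2].startswith("deny") and "writeextattr" in fields[-1].split(","):
            return True
    return False

def find_achilles_sidecars(zip_bytes: bytes) -> list:
    """(member, acl_text) for every '._' sidecar whose ACL would block quarantining its file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.rsplit("/", 1)[-1].startswith("._"):
                continue
            try:
                xattrs = read_appledouble_xattrs(zf.read(info))
            except (ValueError, struct.error):
                continue                             # not AppleDouble, or truncated
            acl = xattrs.get(ACL_XATTR, b"").decode(errors="replace")
            if acl and acl_denies_writeextattr(acl):
                hits.append((info.filename, acl))
    return hits

# Constructed sample: a fake app whose binary has an Achilles-style sidecar, plus a benign one.
# The "everyone" group UUID/gid in the ACE is an assumption about the acl_to_text form.
ACHILLES_ACL = ("!#acl 1\ngroup:ABCDEFAB-CDEF-ABCD-CDEF-ABCDEF00000C:everyone:12:deny:"
                "write,writeattr,writeextattr,writesecurity,chown\n")

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fake.app/Contents/MacOS/Fake", b"#!/bin/sh\necho pwned\n")
        zf.writestr("Fake.app/Contents/MacOS/._Fake", build_appledouble({ACL_XATTR: ACHILLES_ACL.encode()}))
        zf.writestr("Fake.app/Contents/Resources/._icon.icns",
                    build_appledouble({"com.apple.quarantine": b"0083;00000000;Safari;"}))
    return buf.getvalue()

if __name__ == "__main__":
    for member, acl in find_achilles_sidecars(build_sample_zip()):
        print(f"{member}: ACL denies writeextattr, so Safari cannot quarantine it\n{acl}")
```

The check is deliberately broad: any deny ACE that withholds writeextattr is reported, not just the exact "everyone" entry from Microsoft's PoC, because a deny scoped to the downloading user has the same effect. On a macOS host the same condition can be confirmed after extraction with `ls -le` (shows the ACL) and `xattr -l` (shows whether com.apple.quarantine was ever written).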
If you're into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming interfaces and help you stay up-to-date on the latest trends in your field. That's why I've put together this list of 5 essential books for any API hacker!
API security and you
So before I go through the list of book recommendations, I want to preface that if you are a security researcher who wants to conduct web API security testing, the reality is it's just as important to focus on the web applications themselves.
As such, a crash course in web hacking fundamentals never hurts. So some of my recommendations may seem more focused on that than on breaking web application programming interfaces.
You may also notice that I also recommend a few books that focus on bounty programs and make it possible to make a living as you break APIs.
The point is, regardless of where you are in your API hacking career, these books can help. I have organized them in such a way that if you can't afford to buy them all just yet, start from the top and work your way down.
Book #1 : Hacking APIs: Breaking Web Application Programming Interfaces
This is one of the few books that is actually dedicated to API hacking.
This book is a great resource for anyone who wants to learn API security and how to break into web applications through their APIs. It provides in-depth information on how to attack various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field. Corey Ball also shares his own personal experiences with API hacking, which makes the content even more valuable. If you're interested in API security and want to start from the basics, then this is the perfect book for you!
Book #2 : The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
This book is a tome of information. It's the oldest book on the list and by far the largest.
The Web Application Hacker's Handbook is an essential read for anyone looking to understand how web application vulnerabilities are discovered and exploited. The book is filled with in-depth technical information and real-world examples that will help you understand the inner workings of web applications and how to protect them from potential attacks.
One of the best features of this book is the "Hands-On" sections, which provide you with step-by-step instructions on how to find and exploit various vulnerabilities. This makes it an ideal resource for beginner and experienced hackers alike.
If you're looking to beef up your skills in web application security, then The Web Application Hacker's Handbook is a must-read!
Book #3 : Web Application Security: Exploitation and Countermeasures for Modern Web Applications
Sometimes before focusing on offense, we have to know defensive tactics.
This book provides in-depth coverage of all the major areas of web application security, from vulnerabilities and exploits to countermeasures and defense strategies. Written by security expert Andrew Hoffman, this book is packed with real-world examples and step-by-step instructions that will help you understand how developers protect their web applications from potential attacks.
If you're serious about web application security, then this is the perfect book for you!
Book #4 : Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities
If you are looking at being an independent security researcher focused on web API security testing, finding high payout API bugs may be important.
Bug Bounty Bootcamp is a guide to becoming a bug bounty hunter. The book covers the basics of hunting for bugs, including how to find and report them. It also includes a number of case studies of successful bug bounty hunting, detailing methods and strategies.
In chapter 24 of the Expert Techniques section, Vickie Li goes deeper into discussing multiple API attack techniques.
Overall, Bug Bounty Bootcamp is an informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting.
Book #5 : Real-World Bug Hunting: A Field Guide to Web Hacking
"Real-World Bug Hunting" is a brilliant resource for anyone who aspires to be a professional bug hunter. The book is written by Peter Yaworski, who is himself a professional bug hunter.
He begins by delving into the mindset of a bug hunter: what drives them to find vulnerabilities in software and systems? He then provides an overview of the bug hunting process, from identifying potential targets to writing up a report. The bulk of the book is devoted to teaching readers how to find and exploit common web application vulnerabilities.
Yaworski provides clear and concise explanations of each vulnerability, along with examples of real-world exploits. He also offers advice on how to avoid getting caught by security teams and how to maximize the value of your findings. "Real-World Bug Hunting" is an essential read for anyone who wants to make a career out of finding bugs.
Conclusion
These five books are essential readings for anyone interested in hacking APIs. They provide detailed information on how to find and exploit vulnerabilities, as well as defensive tactics and strategies. If you want to be a successful API bug bounty hunter, then these books will also give you the tools and techniques you need to get started.
Dustin Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.
BLACK HAT USA, Las Vegas: Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.
ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.
“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”
Apple last year addressed multiple macOS vulnerabilities discovered by the security researcher Ryan Pickren in the Safari browser that could allow threat actors to access users' online accounts, microphone, and webcam.
Pickren received a total of $100,500 payouts for these issues as part of Appleâs bug bounty program.
The security researcher chained the vulnerabilities in iCloud Sharing and Safari 15 to gain unauthorized camera access. An attacker only has to trick the victim into clicking "open" on a popup from the attacker's website; from there the chain hijacks multimedia permissions and gains full access to every website the victim has ever visited.
The expert pointed out that an attacker could exploit this attack chain to turn on the user's camera and also to hijack their iCloud, PayPal, Facebook, Gmail, and other accounts.
"My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click 'open' on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too." reads the post published by the expert. "This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty."
The bugs reside in the iCloud file-sharing mechanism named ShareBear. ShareBear prompts the user only the first time a shared document is opened; once the user has accepted, later opens of the same file no longer display the prompt. Pickren exploited this behavior by changing the file's content and file extension after the user had agreed to open it.
CVE-2021-30861 is a logic issue in WebKit that could allow a malicious application to bypass Gatekeeper checks. The flaw was reported by Wojciech Reguła (@_r3ggi) and Ryan Pickren (ryanpickren.com). The second bug, tracked as CVE-2021-30975, resides in the Script Editor and could allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions.
"Once the user clicks Open, the file is downloaded onto the victim's machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file." continues the post. "The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim's machine without any user interaction or notification."
New to the bug bounty and confused about where to start? Worry not! This reconnaissance for bug bounty hunters guides you to take the first step in bug bounty hunting.
Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking engagement. This step aims to gather the information about the target that is publicly available on the internet.
Publicly available data offers technical details about the network structure and systems. However, it also contains information about personnel and the firm that might be valuable later in the attack.
Two types of cyber reconnaissance are:
Passive Information Gathering
Active Information Gathering
Let's utilize some suitable tools and gather the target's information passively first. The tools I will use to collect the target's data will be:
Passive Recon Tools
Google Dork
Netcraft
WHOIS
Social Media
Active Recon Tools
Nmap
GoBuster
Dig
The above-mentioned tools are not the only tools; there are many tools available for data gathering which you can utilize.
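Once the active tools above have run, the next job is turning their output into something you can act on. The following added example (mine, not part of the original post) parses nmap's grepable output format (-oG), which is the nmap output form that is easiest to post-process, into a per-host list of open ports and service versions, and separates out the open ports where version detection returned nothing, since those are the ones that need a manual probe or another tool. The scan text embedded in it is constructed for the example and is not a real scan result.

```python
import re

# Constructed sample of what `nmap -sV -oG - <target>` prints; not real scan results.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 203.0.113.0/29
Host: 203.0.113.2 (www.example.com)\tStatus: Up
Host: 203.0.113.2 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 203.0.113.3 ()\tStatus: Up
Host: 203.0.113.3 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.42/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:00:30 2024 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_grepable(text: str) -> dict:
    """Map each IP to {"hostname": str, "ports": [(port, state, proto, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comment or unrelated line
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):                 # "Ports: ..." / "Ignored State: ..." / "Status: Up"
            if not field.startswith("Ports:"):
                continue
            for spec in field[len("Ports:"):].split(","):
                parts = spec.strip().split("/")        # port/state/proto/owner/service/rpc/version/
                if len(parts) < 7:
                    continue
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_services(hosts: dict) -> list:
    """Flatten to sorted (ip, port, service, version) tuples for open ports only."""
    return sorted((ip, port, service, version)
                  for ip, h in hosts.items()
                  for port, state, _proto, service, version in h["ports"]
                  if state == "open")


def unversioned(hosts: dict) -> list:
    """Open ports where -sV got no version banner; these need a manual probe or another tool."""
    return [(ip, port) for ip, port, _svc, version in open_services(hosts) if not version]


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for ip, port, service, version in open_services(scan):
        print(f"{ip}:{port}\t{service}\t{version or '(no version)'}")
    print("needs manual probing:", unversioned(scan))
```

Filtered ports are dropped on purpose: they tell you a firewall is in the path, not that a service is reachable, so they belong in a separate note rather than in the list you feed to GoBuster or a vulnerability lookup.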
We're all appalled at scammers who take advantage of people's fears to sell them products they don't need, or worse still products that don't exist and never arrive.
Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim, making their victims pay up simply to make them even easier to defraud in future.
Well-known cyber examples of this sort of fraud include:
Fake technical support incidents. These are the web popups or the phone calls you get out of the blue that report "viruses" on your computer, and persuade you to "hire" the services of an online "expert" to remove them. Often these victims are lonely, vulnerable, and particularly ill-placed to deal with the financial loss. The scammers then target those individuals repeatedly and, in some cases we have heard, with ever-increasing aggression.