Designing a Security Product for MacOS by ipat8

SystemLogo-2 (dragged).png

MacOS Security, Or One of the Best Jokes I've Ever Heard

That's a bit of a clickbait heading, but MacOS is surprisingly vulnerable if exploited the right way. In general, the exploit I'm talking about today has to do with single user mode, or SUM. 

The Problem

In general, this exploit isn't something that we can directly fix, it's baked into every Apple OS going as far back as I care to remember (eg. 10.1), but it is something that is mitigated by existing infrastructure; the issue that you need to be in front of the computer to exploit it. Well then, you ask, "Why should we care? I can protect my physical security fairly easily, and inexpensively.". This is correct, but you're forgetting a crucial fact, users. 

Users are the single point of failure that plague every environment. It doesn't matter if you're a government agency, or a small mom and pop shop, users exist on your systems, and users can be exploited remotely. 

The Scenario 

This problem actually first occurred to me 2 years ago while working on a network build out for an education institution. Before I actually start planning a build out, I like to take a two step approach to determining what the client is looking for. Step one is the "shake hands and have lunch meeting" where we go over what goals they have for the project. Step two is an audit. 

I started in computers as a script kiddie, and over time I've gotten much better at pen testing. One of my favorite tricks from back in those days is when I'd use single user mode to rerun the MacOS setup assistant. Doing so was trivial. Boot the machine using a special key command, delete a file, and reboot. When the system rebooted, it would act like a new mac, allowing you to create a new local admin user, and gain full access to the machine.

While this does highlight a problem, it's not the main one we're concerned about, as it can be mitigated by mandating network login. Our real problem came with the ability to set a root password, and modify root files.

During this audit, I decided I wanted a smaller menu bar on a local machine, unfortunately (for them), they disabled this using profile manager; so I decided to break it. Thanks to this lovely article on stack exchange, it became arbitrarily easy to gain root access.




So, what can we do with root on a Mac? Almost anything. For this example I just opened system preferences as root and changed my taskbar size, but we could effectively do anything.

So, is there a solution?

Google will tell you that there are only two ways to protect systems from this exploit: FileVault and EFI Passwords. The issue with these solutions is that you have to give the user the password to boot the machine, or you need an admin to type in a password every time you restart. Both don't work because after they type in the password they can still get access to SUM, defeating the point.

We need a solution that targets SUM then. TO GOOGLE!

The Solution

Google, wasn't exactly helpful. It seems like most people don't worry about this, and I can understand why, it's not a visible issue. So what do we do then? We build our own solution. 

After many nights of researching, I found a blog post by Jacob Salmela. He detailed how he went about solving this problem in his environment. This was a great stepping stone, but I ran into an issue, I was working with OS X Yosimite.

If you we're unaware, when Apple released OS X Yosemite they added a feature call system integrity protection (SIP). That sounds like a great little add on right? System Integrity Protection, has a nice ring to it. Past my horrible attempts at a joke, SIP changed how OS X handled startup. Most of these changes came in the form of new versions of config.d, mDNSresponder, and security.d. All three of these plists are required to bring up networking on the system and alert an admin to a  potential attack. After modifying the script to work with the new versions of these plists, I created this. 

The Single User Mode Protection Agent

"That's not a solution, that's just a monitoring agent" you cry, writing an angry comment. Yes, that is correct, in this instance I did not directly create a solution to this problem, mostly because the solution became more of a bother than just monitoring the attack. The best "solution" per say is locking the user entirely out of SUM. You can do this of course, simply changing the mount and load commands to "exit" would do it, but what happens when you need to access SUM to fix a problem? 

You're locked out.


Users are a major part of what drove this project, as users can be exploited. Let's say I wanted to gain admin access to a computer on your network. If I can find a Mac user, I could get them to exploit the system of their own fruition. While the protection agent won't stop their attempt, it will at least let you know about it. 

A Summery

While this version of the software is extremely basic, I have plans for newer versions, and eventually versions that can support GUI configuration and management. We'll have to see how Macs in the workplace, work out.

I'm sorry, I'll stop now.

Good luck, and good night.

-iPat8 (Patrick M. Womack)