killorentals.blogg.se

Com microsoft autoupdate helper plist








The -task-allow entitlement also mustn’t be present, as that would allow injection via Mach task ports. Verify the code signing flags of the client: it has to be signed either with library validation or hardened runtime. In addition to these checks, the client mustn’t hold the .disable-library-validation entitlement, because that would allow third-party dylib injection. If we know that our clients are signed with hardened runtime or library validation above version X, we need to verify that the connecting client is at least at version X. This is done right, but there is one very important piece missing, which is ensuring that the client is hardened against injection attacks.
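The hardening checks above, written as an added audit sketch (not code from the original post or from Microsoft). It inspects `codesign -dvv` style output and an entitlements plist for a client binary; the sample inputs, the function names, the version numbers and the full entitlement names (which the page shows only in truncated form) are assumptions.

```python
import plistlib
import re

# Code-signing flag bits from Apple's cs_blobs.h.
CS_REQUIRE_LV = 0x2000   # library validation
CS_RUNTIME = 0x10000     # hardened runtime
# Entitlements that re-open injection paths (full Apple names, assumed here).
FORBIDDEN = ("com.apple.security.get-task-allow",
             "com.apple.security.cs.disable-library-validation")

# Constructed sample inputs, shaped like codesign output for a hypothetical client.
SAMPLE_CODESIGN = ("Identifier=com.example.client\n"
                   "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5\n")
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""


def parse_version(text):
    """Turn '4.20' into (4, 20) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_client(codesign_output, entitlements_xml, bundle_version, min_version):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    match = re.search(r"flags=0x([0-9a-fA-F]+)", codesign_output)
    flags = int(match.group(1), 16) if match else 0
    if not flags & (CS_RUNTIME | CS_REQUIRE_LV):
        findings.append("not signed with hardened runtime or library validation")
    entitlements = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    for name in FORBIDDEN:
        if entitlements.get(name) is True:
            findings.append("holds entitlement " + name)
    # Older builds may predate hardening, so require at least the first hardened version.
    if parse_version(bundle_version) < parse_version(min_version):
        findings.append("version %s is older than first hardened version %s"
                        % (bundle_version, min_version))
    return findings


if __name__ == "__main__":
    for finding in audit_client(SAMPLE_CODESIGN, SAMPLE_ENTITLEMENTS, "4.22", "4.20"):
        print("REJECT:", finding)
```
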

  • The connecting process is identified by one of the 3 bundle IDs we see above ( 2,, ).
  • The connecting process is signed by Microsoft.
  • The connecting process is signed by Apple.
  • When the MSAU privileged helper tool accepts a connection from a connecting client, it will perform the following signature check against it in its shouldAcceptNewConnection function: "(identifier \"2\" or identifier \"\" or identifier \"\") and anchor apple generic and certificate 1 and certificate leaf = UBF8T346G9"

Unfortunately, it is a common theme that vendors don’t fix XPC vulnerabilities properly, and many times we can re-exploit them. This was patched by Microsoft on the 15th of April 2020, and assigned CVE-2020-0984. Although Microsoft patched the vulnerable XPC function installUpdateWithPackage, they introduced new functionality in later versions, and as the client verification still wasn’t fixed properly, it introduced a new local privilege escalation vulnerability.


    Almost 2 years ago already found a local privilege escalation in this software which was a weakness in its XPC connection verification and one of the offered functions, here is the link to his writeup: CVE-2018–8412: MS Office 2016 for Mac Privilege Escalation via a Legacy Package.


    Since the introduction of XPC, these tools mostly utilize XPC as an IPC (Inter Process Communication). Privileged helper tools run as root, and these services are typically installed to perform specific tasks for the client application that would require privilege elevation otherwise.


    Microsoft uses a privileged helper tool to update MS Office applications on macOS, called Microsoft AutoUpdate (MSAU).


    My earlier posts on the subject can be found here:

      • Secure coding XPC Services - Part 1 - Why EvenBetterAuthorization is not enough?
      • Secure coding XPC Services - Part 2 - Checking CS (CodeSigning) flags of the client

    Microsoft AutoUpdate


    Microsoft AutoUpdate macOS privilege escalation vulnerability (CVE-2020-0984)

    Introduction

    This is the third post in my series, which is trying to help Apple developers avoid typical insecure coding practices. This one will highlight why XPC client hardening and proper verification are extremely important when we use XPC messaging on macOS between clients that run as a normal user and services that run as root. If this validation is not right, it opens up the possibility for an attacker to run privileged commands or, in the worst case, achieve full privilege escalation on the system.








