krypted.com

Tiny Deathstars of Foulness

September 20th, 2018

Posted In: Bushel

Tags:

macOS allows you to launch an app but in a hidden state. To do so, use the open command to open the app and then use the -a flag to specify the path of the app and –hide after the path to the app, as follows:

/usr/bin/open -a /Applications/Notes.app --hide

September 19th, 2018

Posted In: Mac OS X

Tags: , , ,

OpenBSM is a subsystem that has been installed on the Mac for some time. OpenBSM provides that ability to create and read audit logs based on the Common Criteria standards.

Audit Logs

The quick and easy way to see what OpenBSM is auditing is to cat the /etc/security/audit_control file:

cat /etc/security/audit_control

The output displays the directory of audit logs, as well as what is currently being audited. By default the configuration is as follows:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

You can then see all of the files in your audit log, using a standard ls of those 

ls /var/audit

As you can see, the files are then stored with a date/time stamp naming convention. 

20180119012009.crash_recovery 20180407065646.20180407065716 20180407073931.20180407074018
20180119022233.crash_recovery 20180407065716.20180407065747 20180407074018.20180407074050
20180119043338.crash_recovery 20180407065747.20180407065822 20180407074050.20180511030725
20180119134354.crash_recovery 20180407065822.20180407065853 20180511030725.crash_recovery
20180208172535.crash_recovery 20180407065853.20180407065928 20180616025641.crash_recovery
20180219133137.crash_recovery 20180407065928.20180407070004 20180624022028.crash_recovery
20180312153634.crash_recovery 20180407070004.20180407070036 20180718235941.crash_recovery
20180312160131.crash_recovery 20180407070036.20180407071722 20180720031150.crash_recovery
20180322141701.crash_recovery 20180407071722.20180407072215 20180724021901.crash_recovery
20180330190040.crash_recovery 20180407072215.20180407072259 20180728173033.crash_recovery
20180330191420.20180407064622 20180407072259.20180407073747 20180907031058.crash_recovery
20180407064622.20180407065616 20180407073747.20180407073836 20180911021141.not_terminated
20180407065616.20180407065646 20180407073836.20180407073931 current

The files are binary and so cannot be read properly without the use of a tool to interpret the output. In the next section we will review how to read the logs. 

Using praudit

Binary files aren’t easy to read. Using the praudit binary, you can dump audit logs into XML using the -x flag followed by the path of the log. For example, the following command would read a given log in the above /var/audit example directory:

praudit -x 20180407065747.20180407065822

One record of the output would look as follows

<record version="11" event="session start" modifier="0" time="Sat Apr 7 01:58:22 2018" msec=" + 28 msec" >
<argument arg-num="1" value="0x0" desc="sflags" />
<argument arg-num="2" value="0x0" desc="am_success" />
<argument arg-num="3" value="0x0" desc="am_failure" />
<subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="0" sid="100645" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>

In the above output, you’ll find the time that an event was logged, as well as the type of event. This could be parsed for specific events, and, as an example, just dump the time and event in a simple json or xml for tracking in another tool. For example, if you’re doing statistical analysis for how many times privileges were escalated as a means of detecting a bad actor on a system.

You can also use the auditreduce command to filter records. Once filtered, results are still in binary and must be converted using praudit.

September 18th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , ,

Most phishing sites follow a known pattern. And people like to flag bad sites. So Google and a few other organizations, such as stopbadware.org have a collection of feeds that can be leveraged by software vendors to provide a warning or flat-out block potentially fraudulent sites. If a piece of malware is found, even if buried deep in a site, the site will likely get picked up by a robot or reported by a user. Robots can pick up a lot, as people who exploit WordPress sites and stuff like that are often after playing a numbers game. Harvesting hundreds of thousands or email address and sending phishing emails. It only takes one person to give you banking information Given that they’re just dropping a file in an open web directory, the attacker might otherwise go months before enough people complained and the web host shut them down.

Google Safe Browsing came about similar to how realtime blacklisting has worked with email for a long time. Sites are listed and then blocked as needed. But privacy works differently with web browsing and so Google added a bunch of cool stuff that is described at https://safebrowsing.google.com. Basically though, there are some encrypted files on nearly every computer running Safari, Firefox, Chrome, etc that contains information about bad sites. This is updated fairly regularly, as well as some signatures of known nastiness and a little machine learning magic so that the systems are able to react to emerging threats.

In case you’re interested in writing your own tools, Google Safe Browsing has an API, which is documented at API Documentation.

So what is sent to Google? Only information from unsigned executables (or when the signature isn’t accepted) is sent to the Google SafeBrowsing service. The implementation and also how to turn that remote app reputation check are explained in https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc.

If you find that you’re managing a site that gets attacked, maybe you learn about it initially from having the site blocked. If this happens, you would need to remove the stuff that was put on your site that resulted in the site being blocked and then request removal from the list of reported phishing sites, use this form provided by Google.

Also request removal from stopbadware.org.

Safari uses Google Safe Browsing. There is a “Fraudulent sites” setting in the Security Preference pane for Safari. Here, you check a box and then you get prompted when you attempt to open a bad site. 

Safari SafeBrowsing involves having Safari pull a new version of the bad stuff from Google every now and then. You can see the date and timestamp that this occurred using the defaults command to read com.apple.Safari.SafeBrowsing.plist, as follows:

defaults read com.apple.Safari.SafeBrowsing.plist

The output contains the SafeBrowsingRemoteConfigurationLastUpdateDate key for /Users//Library/Preferences/com.apple.Safari.SafeBrowsing.plist:

defaults read com.apple.Safari.SafeBrowsing.plist
{
SafeBrowsingRemoteConfigurationLastUpdateDate = "2018-09-19 22:43:30 +0000";
}


Or to wrap this into a command that just displays the last date updated:

defaults read /Users/charles.edge\ 1/Library/Preferences/com.apple.Safari.SafeBrowsing.plist SafeBrowsingRemoteConfigurationLastUpdateDate | awk ‘{print$1}’


The actual bad stuff file is tricky. A number of temporary dynamic files are stored in /var/folders, and then inside a hierarchy generated by guids for a given system. Here, you’ll find a couple of files, including /var/folders/r1/05ns3cqs0cg5c42x38gk0c0w0000gn/C/com.apple.Safari.SafeBrowsing and /var/folders/8s/s9k75nys3rb399w4fwwtk04h0000gn/C/com.apple.Safari.SafeBrowsing. 

These files are binaries and cannot be viewed. They appear to be downloaded via the com.apple.Safari.SafeBrowsing.BrowsingDatabases.Update service routinely. Looking at their date and time stamp though, will give you a good idea of when the last update was run if you care to find that out.

Enable SafeBrowsing via the WarnAboutFraudulentWebsites key in ~/Library/Preferences/com.apple.Safari.plist as can be seen below:

defaults write /Users/charles.edge/Library/Preferences/com.apple.Safari.plist WarnAboutFraudulentWebsites 1

September 17th, 2018

Posted In: Mac Security

Tags: , , ,

September 16th, 2018

Posted In: MacAdmins Podcast

Tags: , , , ,

September 14th, 2018

Posted In: JAMF

Tags: , , ,

Just some little one-liners to grab the version of a few common Apple services/built-in apps you might need the version of for another project I’m working on kinda’:
  • cups: cups-config –version
  • Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d ‘”‘ -f2
  • Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d ‘”‘ -f2
  • iBooks Author: mdls -name kMDItemVersion /Application/iTunes\ Author.app | cut -d ‘”‘ -f2
  • ical/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d ‘”‘ -f2
  • ichat/Messages: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d ‘”‘ -f2
  • iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d ‘”‘ -f2
  • installer: /usr/sbin/installer -vers
  • Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d ‘”‘ -f2 
  • iTunes: mdls -name kMDItemVersion /Applications/iTunes.app | cut -d ‘”‘ -f2 
  • Java: /usr/bin/java -version
  • Keynote: mdls -name kMDItemVersion /Applications/Keynote.app | cut -d ‘”‘ -f2
  • macOS: sw_vers -productVersion
  • macOS Server: mdls -name kMDItemVersion /Applications/Server.app | cut -d ‘”‘ -f2
  • Mail: mdls -name kMDItemVersion /Applications/Mail.app | cut -d ‘”‘ -f2
  • mdnsresponder
  • Motion: mdls -name kMDItemVersion /Applications/Motion.app | cut -d ‘”‘ -f2
  • Numbers: mdls -name kMDItemVersion /Applications/Numbers.app | cut -d ‘”‘ -f2
  • Pages Required mdls -name kMDItemVersion /Applications/Pages.app | cut -d ‘”‘ -f2
  • Preview: mdls -name kMDItemVersion /Applications/Preview.app | cut -d ‘”‘ -f2
  • Quicktime: mdls -name kMDItemVersion /Applications/Quicktime\ Player.app | cut -d ‘”‘ -f2 quicktime_broadcaster No (Darwin Stream Server deprecated) N/A quicktime_darwin_mp3_broadcaster No (deprecated service) N/A quicktime_pictureviewer No (for QuickTime for Windows) N/A quicktime_streaming_server No (deprecated service) N/A
  • Remote Desktop: defaults read /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/version.plist CFBundleShortVersionString
  • Safari: mdls -name kMDItemVersion /Applications/Safari.app | cut -d ‘”‘ -f2 server_manager No (deprecated in 2006ish) N/A software_update tcp_ip_configuration_utility No (Laserwriter vuln from 2002) N/A terminal Required mdls -name kMDItemVersion /Applications/Utilities/Terminal.app | cut -d ‘”‘ -f2
  • Textedit Required mdls -name kMDItemVersion /Applications/TextEdit.app | cut -d ‘”‘ -f2
  • Transporter: /Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/itms/bin/itsmtransporter
  • Xcode: mdls -name kMDItemVersion /Applications/Xcode.app | cut -d ‘”‘ -f2
  • Xsan: /usr/sbin/cvversions
  • openSSL: openssl -version
  • Apache: httpd -v
If you notice, a lot of the built-in apps can be scanned with the same mdls command. There are certainly better ways for some, but when it comes to runtime cost, spotlight can respond quicker than a lot of other tools (other than purpose-built open source tools of course, who already have a smaller amount of data specific to the task). 3rd party software can be checked the same way. Let’s take Microsoft Outlook as an example:

mdls -name kMDItemVersion /Applications/Microsoft\ Outlook.app | cut -d ‘”‘ -f2

Additionally, Frameworks work a little differently. If I wanted to get the WebKit Framework version programmatically, I will need the system_profiler command along with the SPFrameworksDataType option. This will show me the version of WebKit, but strictly piping the output into grep won’t find the WebKit version. Instead I actually need to use an option I don’t use often with grep. Note that -A will allow you to define a number of lines to output following the pattern in question, so here I’m saying constrain my output to what you find that’s WebKit + the next ten lines, then constrain further for just the version number. 

system_profiler SPFrameworksDataType | grep -A10 WebKit: | grep Version

Anyway, more on all this soon.

September 13th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , , ,

The Mac comes with a number of tools for querying version numbers of things like apps and operating systems. First, let’s look at operating systems. The quickest way to derive the version of an operating system would be 

sw_vers -productVersion

It then becomes trivial to pipe these into other language provided you can reach them from within a script. For example, if you import os into a python script, you can use the sw_vers command:

import os
os.system('sw_vers -productVersion')


Or to grab the version of the OS you could import a function just for that:

version = platform.mac_ver()

So in the following example, we’ll 

#!/usr/bin/python import sys, urllib, json, platform
if len(sys.argv) > 1: url = 'https://cve.circl.lu/api/search/apple/mac_os_x:{}'.format(sys.argv[1]) print([j['id'] for j in json.loads(urllib.urlopen(url).read().decode('utf-8'))]) else: version = platform.mac_ver() url = 'https://cve.circl.lu/api/search/apple/mac_os_x:{}'.format(version[0]) print([j['id'] for j in json.loads(urllib.urlopen(url).read().decode('utf-8'))])

This can be found at https://github.com/krypted/maccvecheck

So what might I want to do with it next? Well, you can also read the index of an app using mdls, using the -name option and the kMDItemVersion attribute, as follows for iTunes:

mdls -name kMDItemVersion /Applications/iTunes.app

And then you can lookup that up in the CVE database as well:

curl https://cve.circl.lu/api/search/apple/itunes:12.5

Or to merge the version check and the cve check:

curl -s https://cve.circl.lu/api/search/apple/itunes:`mdls -name kMDItemVersion /Applications/iTunes.app | cut -d '"' -f2`

Ultimately, Apple has a number of products that are tracked in the cve database and a library of each could easily be built and parsed to produce all cve hits encountered on a Mac. Obviously, you might not want to trust some random site from Luxembourg (those Luxembourgians are troublesome after all) and you can do this directly against the zip from NIST or create your own microservice that responds similarly to this site. 

Note: Special thanks to Yuresko for fixing my else statement.

September 12th, 2018

Posted In: Mac OS X, Mac Security

My session from MacTech 2017.

September 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

September 7th, 2018

Posted In: JAMF

Tags: , , , ,

« Previous PageNext Page »