5/10/2023

Microsoft OneDrive Mac OS

In this blog post, we will share the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft OneDrive. Although Microsoft secured these services reasonably well, we will see how small mistakes in the code can have serious impacts. It took Microsoft over a year to fix the vulnerability, and the patched version of OneDrive was released in December 2021. A CVE was not assigned to this vulnerability.

The vulnerability in question stems from a combination of two issues. The XPC Daemon uses the process ID (PID) to verify the client, which results in insecure client verification. Additionally, the XPC Daemon allows the installation of a new OneDrive.app. Although its signature is properly verified and can't be bypassed, the installation retains the file permissions of the new OneDrive.app. This allows us to overwrite an existing OneDrive.app and give world-write permission to all files and directories, including the root-invoked helper. This helper can be replaced with a custom binary, resulting in root-level execution controlled by low-privileged users.

OneDrive installs two Mach services, defined in the PLIST files located under /Library/LaunchDaemons/. The service binaries are located inside the main application's bundle, at /Applications/OneDrive.app/Contents/OneDriveUpdaterDaemon.xpc/Contents/MacOS/OneDriveUpdaterDaemon and /Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon. Both services contain the same methods and therefore the same vulnerability.
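The permission issue described above can be checked for on an installed bundle. The following is an added example, not code from the original post or from OneDrive: it walks a bundle and reports every entry that a non-owner can modify or that has an unexpected owner. The function names and the sample bundle layout (`Sample.app`, `Helper`) are hypothetical and constructed for the demo.

```python
import os
import stat
import tempfile

def audit_bundle(bundle_root, expected_uid=0):
    """Return sorted (relative_path, reason) findings for a bundle tree."""
    paths = [bundle_root]
    for dirpath, dirnames, filenames in os.walk(bundle_root):  # does not follow symlinks
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge the entry itself, never a link target
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning
        rel = os.path.relpath(path, bundle_root)
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))
        if st.st_uid != expected_uid:
            findings.append((rel, "unexpected owner uid %d" % st.st_uid))
    return sorted(findings)

def build_sample_bundle(parent):
    """Constructed sample: a bundle-like tree whose helper is world-writable."""
    root = os.path.join(parent, "Sample.app")
    macos = os.path.join(root, "Contents", "MacOS")
    os.makedirs(macos)
    for d in (root, os.path.join(root, "Contents"), macos):
        os.chmod(d, 0o755)  # set explicitly so the result is umask-independent
    for name, mode in (("Sample", 0o755), ("Helper", 0o777)):
        p = os.path.join(macos, name)
        with open(p, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(p, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_sample_bundle(tmp)
        # The demo files belong to the current user, so pass that uid;
        # for a root-installed bundle keep the default expected_uid=0.
        for rel, reason in audit_bundle(bundle, expected_uid=os.getuid()):
            print(rel, "->", reason)
```

An installer that runs as root can apply the same check after copying a bundle and refuse or reset permissions when the list is not empty.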