147 - Stealing DropBox Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability
A Transparency Consent and Control (TCC) bypass in macOS. TCC is the subsystem responsible for gating access to privacy settings, iCloud account data and the like. It works by tracking consent history for app requests and storing it in a database. Two databases are managed, a per-user database and a system-wide database. Microsoft stumbled on an old bypass, which abused the fact that the tccd daemon would use the HOME environment variable to build the path to the user's TCC.db database file. By manipulating environment variables, the HOME path could be switched to an attacker-controlled one to get a fake database loaded. Apple fixed this by removing the HOME variable evaluation in favor of using getpwuid() to get the pw_dir field. While this prevents an easy bypass through env vars, the root issue still remains: an attacker can change the home directory in other ways. Two ways are detailed, the first of which uses the directory services utility to swap the home directory. This required root and relied on the dsimport and dsexport utilities for their TCC entitlement, though it's still a privesc as it can allow hijacking the database without full disk access. The second method was the configd daemon, which also had the TCC entitlement and supported loading arbitrary code via bundle options.
The bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript). While known data-* attributes like data-url and data-method are stripped by DOMPurify, arbitrary data-* attributes aren't. They are sanitized; the problem, however, is that GitLab has certain event handlers, such as dismiss, that use endpoints for POST requests which can be influenced by some of these attributes. The dismiss event handler specifically (which is called on any element with the closeButton class) will use the dismissEndpoint for sending a POST request, and that endpoint can be set via data-dismiss-endpoint. This can be combined with output from a Jupyter notebook to create a button with the closeButton class that occupies the whole screen, and can abuse the GitLab API to perform some sensitive action (like adding an attacker account as admin).
Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order. For example, the researcher places an order for two different items, 1 of each. They then edit the request to change the quantities to 2299922 and 2499999, which, when used to calculate the price, result in a price lower than it was for the two items at one each.
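A worked illustration of that quantity overflow, added here and not taken from the write-up or from Glovo's code. The quantities are the ones from the report; the unit prices (400 and 1350 cents), the 32-bit storage of quantity and price, and the per-line quantity cap are assumptions chosen so the wrapped total comes out small. It shows the wrapping computation next to a validated one.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Line is one order entry: unit price in cents and requested quantity.
// Both held as int32, mirroring a backend that stores them as 32-bit ints (assumed).
type Line struct {
	PriceCents int32
	Quantity   int32
}

// vulnerableTotal mirrors the bug: quantity*price is accumulated in int32,
// so attacker-chosen quantities wrap around and the total can shrink.
func vulnerableTotal(lines []Line) int32 {
	var total int32
	for _, l := range lines {
		total += l.Quantity * l.PriceCents // Go int32 arithmetic wraps on overflow
	}
	return total
}

const maxQuantity = 99 // hypothetical per-line cap the shop would enforce

// safeTotal rejects out-of-range quantities and computes in int64 so any
// overflow of the 32-bit total is detected instead of silently wrapping.
func safeTotal(lines []Line) (int32, error) {
	var total int64
	for _, l := range lines {
		if l.Quantity < 1 || l.Quantity > maxQuantity {
			return 0, fmt.Errorf("quantity %d out of range", l.Quantity)
		}
		if l.PriceCents < 0 {
			return 0, errors.New("negative price")
		}
		total += int64(l.Quantity) * int64(l.PriceCents)
		if total > math.MaxInt32 {
			return 0, errors.New("order total overflows int32")
		}
	}
	return int32(total), nil
}

func main() {
	honest := []Line{{400, 1}, {1350, 1}}                 // constructed: one of each
	tampered := []Line{{400, 2299922}, {1350, 2499999}}   // quantities from the report
	fmt.Println(vulnerableTotal(honest), vulnerableTotal(tampered)) // 1750 154
	_, err := safeTotal(tampered)
	fmt.Println(err)
}
```

With those prices the wrapped total is 154 cents against 1750 cents for one of each item, while the validated version refuses the tampered request.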
Inspired by HTTPVoid's February write-up about Hacking Google Drive Integrations. They took a somewhat deeper look at how HelloSign patched the SSRF documented there.
Turns out the patch was basically just to limit the resources the SSRF could reach, so there is no access to sensitive endpoints, but the SSRF remains. This matters because the SSRF believes it is accessing a Google Drive API endpoint, so it includes the authorization token for the current user's Drive integration. Alone, this means an attacker can only expose their own authorization token to themselves.
Combining this with a CSRF attack, as the page leading to the SSRF itself had no CSRF protection, an attacker could have any victim who visits their HelloSign link leak their Google Drive authorization token to the attacker.