OSMR Journey & Guide
Introduction
Welcome all to this blog post, I will be sharing my journey for the (Offensive Security(offsec) macOS Researcher) ethier the course content or the exam, And i will be giving a final review, Where i will be answering some questions & Giving some advice. Aside from a guide to the OSMR & How to prepare for it, And also it would be helpful even if you are planning to go with macOS Security Research & Exploitation.
Back In Time
In my previous work as a Security Researcher, I had analyzed a Dylib Injection Vulnerability that affects Telegram App on macOS, The vulnerability leads to TCC Bypass, To analysis it in depth, I had to do learn multiple things such as, macOS basics, Sandbox in macOS how it works, Dylib what is it & how it works, What is TCC and many more. So I had built a few knowledge & skills regarding the macOS Research & Exploitation side. You can read my analysis for this vulnerability & also the exploit development for it:
- CVE-2023-26818 Part1: MacOS TCC Bypass with telegram using DyLib Injection
- CVE-2023-26818 Part 2 (Sandbox): MacOS TCC Bypass W/ telegram using DyLib Injection
- Exploit Writing Part 1: CVE-2023-26818 MacOS TCC Bypass W/ telegram
- Exploit Writing Part 2: CVE-2023-26818 MacOS TCC Bypass W/ telegram
After finishing the analysis for it, I had identifying some vulnerabilities with the same patterns in some
macOSapps & got little more familiar withmacOS.
Studying
The content of the course is really brilliant & magniful. Mostly, you won’t find that many resources for macOS in the security part, But there are still some resources around. The course covered a lot of topics.
Note: Make sure to use
nomachineapp to access the lab machines, As theVNCservice is too lame and slow., You can transfernomachineapp to the lab usingSSH.
The Course
What is really good about the course is that is using study cases from previously discovered vulnerabilities like CVEs, Where on each topic they teach the basics & internals of technologies then get some CVEs where start to discuss it, Analyze it, Developing an exploit for it and perform patch diffing to see how the vulnerability got patched. Which is a great way of learning in my opinion. In general the course is discussing everything on Intel architecture & There is only one module for ARM based architecture which is shellcoding.
The course starts with a basic introduction for macOS components and different technologies like the file type for macOS & the mach file architecture, Explaining it in detail, how to inspect it, etc. Then, It moves on using different tools for reverse engineering that are used for static and dynamic analysis, Which will be helpful when you conduct research on any app or macOS component as it will help you in understanding it and uncover hidden vulnerabilities. It was a basic and simple introduction, But it was useful, And it was practical as there are exercises to help you in practicing what you have learned. Also aside from learningObjective-C which was enough for the basic programming.
After that, It moves to shellcoding on both Intel & ARM. No difference between both except this one using Intel Assembly & The other one ARM Assembly, Both parts discussing the same topics and in the same ways with the architecture differences, Except for the Shellcoding with C which is mostly the same. It teaches also how to get rid of null bytes from your shellcode and optimize it. I was familiar with it as I passed through OSED and also my previous experience with assembly and other things, So it was easy for me.
Then, It moved with the Dylib Injection attacks First, Started with the Dylib technology and it’s restrictions and how it’s applied through AMFI, And how to identify and exploit Dylib attacks with different study cases, As I studied this one before i was already familiar with it, But going through the AMFI was new to me so i enjoyed it.
Following by that, Going with Mach-IPC starts with explaining Mach-IPC, How it works and The Mach Microkernel, Mach special ports, How to identify vulnerable apps & When the apps can be vulnerable to it, And how to exploit it step by step. And escalate the process to POSIX threat & linject a dylib. Basically, It was a pretty good simple module for learning code injection.
After that it goes to XPC Attacks, Starting with explaining XPC low level API & How it works in practice, Identifying and exploiting insecure XPC, Moving with Hooking Functions, Bypassing Sandbox, TCC & GateKeeper, Gaining kernel code execution and many more. Overall the course content was really enjoyable and amazing.
Practicing
For the practicing in each module and topic you have exercises and extra miles, And the best thing it’s all real world cases from widely used macOS Apps, Which will help you in having an overall idea on different cases of vulnerabilities or the patterns to it. Which helps you in general to build your own methodology and mindset in terms of macOS security research and exploit development. Side by that i was going around in apple security updates (old&new) ones, And check the updates in different versions to see the common patterns and common vulnerabilities found on it
Exam
The exam contains 4 challenges as the following:
- Challenge 1: 10 points
- Challenge 2: 30 points
- Challenge 3: 30 points
- Challenge 4: 10 points
I started my exam on 23 of june at 4 PM in almost total of few mins i already solved the first challenge for 10 points, I go for a quick nap, Then I came to the second challenge already identified the vulnerability and how to exploit it, I start writing the exploit code, And for like for few hours, I was just fixing errors with-in my exploit till i discovered that i was writing my exploit code out of the main() function, Which was the reason causing the error i faced xD, Finally, I fixed it i put my code inside of the main() function, And finally already pwned the second challenge with 30 points, Solving this challenge made me solve the 3rd challenge after it in only 4 mins and obtained another 30 points. To pass the exam you need a total of 70 points, Which i already obtained. I finished it all in the same day and finished my report all in the same day. To be honest, The exam disappointed me. It’s pretty easy even if you have basic knowledge in macOS research, You would pass it. I was expecting it to be in the same level or more than OSED.
On 28 of june i received my results and already passed:
Final Review
Now, I will share my final thoughts and review overall by answering some questions:
Do i need something before start ?
Yes, You would also need assembly of both ARM & Intel. It will help you in making life easy as there is a lot of reverse engineering using Hopper in the course. So if you are familiar with Hopper & Assembly. It will make a lot of things easy for you. Also, It needs you to be strong in C and Objective-C if you really want to gain the knowledge and the skills in a right way, You got to have a strong understanding of C & Objective-C as there are a lot of exploit development, Shellcoding happening & Also source codes to read and understand. Aside from that, having a basic knowledge of macOS and its technologies like XPC, TCC, etc. Would really help you in obtaining the most of skills and knowledge in this content in a very clear way.
Are Exercises & Extra Miles enough for the exam ?
If you just wanna obtain the certificate, I would say the course exercises and extra miles are really more than enough to obtain the certificate, because as i mentioned the exam is pretty easy. But if you are looking for more challenges you can follow my words in the practicing.
Advice ?
- Practice on the exploit development part really well.
- Writing the exploits code on your way, Out of the way the course teaches you
- Make sure to review the code
syntxand structure cause some errors are triaged because of small mistakes like the one i mentioned. - Go around internet resources related to
macOS, Such as the talks inBlackHat, etc. It will help you a lot - If you want to go further, Dive deep into the books and use the
macOSas a developer first. - Practice, Practice, Practice!
OSMR Resources
Now, As the resources not that much i will discuss some of resources i got around that you can use in general ethier for OSMR or macOS Research in general:
- *OS Internals: https://newosxbook.com/jbooks.html
The *OS Internals Books are really amazing and worth every min of reading, The 3 parts discussing internals in terms of user mode, kernel mode and the last part for security and it’s even discussing some zeroday discovered before like the one used in pegasus software to obtain access through ZeroClick RCE.
-
The Mac Hacker’s Handbook: https://www.amazon.com/Mac-Hackers-Handbook-Charlie-Miller/dp/0470395362
-
https://eclecticlight.co/mac-problem-solving/ The
eclecticlightwebsite is full of articles related tomacOStechnologies which will help you in understanding a lot ofmacOStechnologies. -
https://www.sektioneins.de/categories/blog.html This website has few analyses for
macOSvulnerabilities which will be helpful. -
https://objective-see.org/blog.html A well known website with its amazing projects for
macOS.
And all the following are the same and has analysis for vulnerabilities in macOS and It’s technologies:
- https://developer.apple.com/documentation/
- https://przhu.github.io
- https://knight.sc
- https://theevilbit.github.io/posts/
- https://rekken.github.io/archives/
- https://nshipster.com
- https://book.hacktricks.xyz/macos-hardening/macos-red-teaming
- https://saagarjha.com/blog/
- https://reverse.put.as
- https://redsweater.com/blog/
- https://www.brunerd.com/blog/
- https://wojciechregula.blog/post/
- https://ronmasas.com
Conclusion
In conclusion, The exam was pretty easy, not hard at all, The content was amazing and I learned a lot from it. I do recommend it for anyone interested in macOS Research & Exploit development, And will advice you to have a strong foundation before you go ahead for the course to make it all easy on you and get the most knowledge and skill out of it. Finally, The experiance in general was pretty amazing.