

In this blog post, we will share the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft OneDrive. Although Microsoft secured these services reasonably well, we will see how small mistakes in the code can have serious impacts. It took Microsoft over a year to fix the vulnerability; the patched version of OneDrive was released in December 2021. A CVE was not assigned to this vulnerability.

The vulnerability in question stems from a combination of two issues. First, the XPC daemon uses the process ID (PID) to verify the client. PIDs are recycled by the system, and a process can exec a different binary while keeping its PID, so a check keyed on the PID does not prove which code is actually talking to the service: this is an insecure client verification. Second, the XPC daemon allows the installation of a new OneDrive.app. Although the new bundle's signature is properly verified and can't be bypassed, the installed copy retains the file permissions of the supplied OneDrive.app. This allows us to overwrite an existing OneDrive.app and give world write permission to all of its files and directories, including the helper that is invoked as root. That helper can then be replaced with a custom binary, resulting in root-level code execution controlled by a low-privileged user.

OneDrive installs two Mach services, defined in PLIST files located under /Library/LaunchDaemons/. The service binaries are located inside the main application's bundle, at /Applications/OneDrive.app/Contents/OneDriveUpdaterDaemon.xpc/Contents/MacOS/OneDriveUpdaterDaemon and /Applications/OneDrive.app/Contents/StandaloneUpdaterDaemon.xpc/Contents/MacOS/StandaloneUpdaterDaemon. Both services contain the same methods and therefore the same vulnerability. We will concentrate on the OneDriveUpdaterDaemon binary, although OneDriveStandaloneUpdaterDaemon should be the same.
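The second issue, a privileged installer that keeps the permission bits of the bundle it was handed, as an added Python example that is not code from the original post or from OneDrive. It builds a constructed stand-in for a world-writable "new OneDrive.app" in a temporary directory, installs it once the naive way (copy as-is, mode bits preserved) and once the hardened way (modes normalised after the copy), and includes the check a practitioner would run against a real /Applications/OneDrive.app to see whether any local user can swap the root-invoked helper. The bundle layout and helper name mirror the paths above; the installer functions, their names and the chmod policy are assumptions for illustration. Ownership reset to root is omitted so the example runs unprivileged.

```python
"""Added example (not from the original post or from OneDrive): why copying a
signature-verified bundle with its mode bits intact turns the signature check into
a useless gate, plus the check and the hardening a practitioner would want.
Bundle layout and paths are constructed stand-ins for /Applications/OneDrive.app."""
import os
import shutil
import stat
import tempfile

# Relative path of the root-invoked helper inside the bundle (mirrors the post).
HELPER = os.path.join("Contents", "OneDriveUpdaterDaemon.xpc",
                      "Contents", "MacOS", "OneDriveUpdaterDaemon")


def make_attacker_bundle(root):
    """Constructed 'new OneDrive.app' whose every entry is world-writable (0777).
    A code signature covers file contents, not mode bits, so a tree like this
    still passes signature verification."""
    app = os.path.join(root, "OneDrive.app")
    helper = os.path.join(app, HELPER)
    os.makedirs(os.path.dirname(helper))
    with open(helper, "w") as f:
        f.write("#!/bin/sh\necho legitimate helper\n")
    for dirpath, _dirnames, filenames in os.walk(app):
        os.chmod(dirpath, 0o777)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o777)
    return app


def install_preserving_modes(src_app, dest_dir):
    """Vulnerable pattern (assumed, for illustration): copy the verified bundle as-is.
    shutil.copytree uses copy2/copystat, so the attacker's 0777 bits survive into
    the privileged install location."""
    dest = os.path.join(dest_dir, "OneDrive.app")
    shutil.copytree(src_app, dest)  # mode bits are copied along with the data
    return dest


def install_hardened(src_app, dest_dir):
    """Hardened pattern (assumed, for illustration): copy the data, then normalise
    every mode so only the owner can write (0755 for directories and executables,
    0644 for other files). A real root installer would also chown to root:wheel."""
    dest = os.path.join(dest_dir, "OneDrive.app")
    shutil.copytree(src_app, dest)
    for dirpath, _dirnames, filenames in os.walk(dest):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            path = os.path.join(dirpath, name)
            is_exec = os.stat(path).st_mode & stat.S_IXUSR
            os.chmod(path, 0o755 if is_exec else 0o644)
    return dest


def find_world_writable(app):
    """Check to run against an installed bundle: every entry (relative to the
    bundle, '.' for the bundle itself) that other users can write to. A non-empty
    result on the real app means any local user can replace the helper."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(app):
        candidates = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in candidates:
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, app))
    return sorted(hits)


def demo():
    """Returns (world-writable entries after the naive install,
                world-writable entries after the hardened install)."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = make_attacker_bundle(os.path.join(tmp, "staged"))
        naive = install_preserving_modes(staged, os.path.join(tmp, "naive"))
        hardened = install_hardened(staged, os.path.join(tmp, "hardened"))
        return find_world_writable(naive), find_world_writable(hardened)


if __name__ == "__main__":
    naive_hits, hardened_hits = demo()
    print("naive install, world-writable entries:", naive_hits)
    print("hardened install, world-writable entries:", hardened_hits)
```

The naive install reports the bundle root, every intermediate directory and the helper itself as world-writable, which is exactly the state the post describes: the signature said "genuine OneDrive", but the permission bits say "anyone may edit". The hardened install reports nothing, because the installer treats the supplied mode bits as untrusted input and applies its own policy after the copy.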
