Legitimate Un-signed Code Execution
macOS is known as the premier platform for sound and video editing software. Applications such as GarageBand 10, Logic Pro X, and Audacity use Audio Unit plug-ins to create sound effects and virtual instruments. Software developers and sound engineers can create either audio components or Virtual Studio Technology (VST) plug-ins. This blog post covers audio components and how to execute unsigned code with the auvaltool command line tool.
Creating an Audio Component
To create an Audio Component, you’ll need to open Xcode. At the splash menu, select Create a New Xcode Project. Once you arrive at the template selection menu, under the Framework & Library section, choose the Bundle option, and then click Next. On the next screen, provide values for the product name, team, organization name, and organization identifier. For the bundle extension, use .component. Now click Next, choose a location for your project, and proceed to the main project menu. The new project will only contain a property list (plist) file. Audio components require a special set of keys in the Info.plist file in order for auvaltool to recognize the bundle as an audio component. The manufacturer, name, subtype, and type keys are defined in Figure 1. You can find a gist for the complete Info.plist file here.
Figure 1: Info.plist File
The manufacturer key value should be an alphabetical four-character string. The type for audio components should be aufx. The subtype key value should be a four-character string of your choosing.
Next, we’ll add some Objective-C code to the bundle that executes when the bundle is first loaded. In the project navigator pane, right-click on the top-level project folder, and select New File. Under the macOS section, choose Objective-C File, then click Next. On the next screen, choose a name for the file and click Next. Add the following code to the new file:
[Embedded gist: https://medium.com/media/90e7129a7aeaad1f0db0c06722ac126f/href]
On line 23, the module initializer called detonate is defined. When a library is loaded into a process, dyld (the dynamic linker) executes the library’s module initializers. This is an ideal location for malicious code. Replace the BASE64_ENCODED_JXAPAYLOAD value with a base64-encoded Apfell JXA payload or download cradle. We won’t cover how to create a legitimate audio component in this blog post. However, there are additional resources related to creating audio extensions here, and Apple’s documentation here. In Xcode, to compile the audio component, select Product in the menu bar, then click Build. If successful, the bundle will be compiled and saved to the Products folder in the project navigator pane.
Executing an Audio Component with Auvaltool
Apple provides a binary, auvaltool, that lets software developers test their audio plug-ins for behavioral and API conformance. Developers are less likely to sign test versions of their plug-ins, so auvaltool, which is itself signed by Apple, needs a special entitlement to load unsigned libraries. The com.apple.security.cs.disable-library-validation entitlement is a boolean value that indicates whether an application can load arbitrary plug-ins or frameworks without requiring them to be code-signed. Without it, libraries must be signed by Apple or signed with the same team ID as the hosting application. To find other native applications that carry this entitlement, visit Jonathan Levin’s entitlement database.
According to Apple documentation, audio components should be stored in one of three locations: ~/Library/Audio/Plug-Ins/Components, /Library/Audio/Plug-Ins/Components, or /System/Library/Components. Applications such as Audacity, GarageBand, and Logic Pro X search these directories for bundles that have the .component or .audiocomp extension. Each bundle is then loaded into the application for editing purposes. The audio validation tool searches through all component directories for audio components to test. A quick review of the man page for auvaltool shows that we can provide the TYPE, SUBTYPE, and MANUFACTURER to the -v flag to load and test a single component. The audio validation tool will load the bundle and trigger execution of our malicious code. Alternatively, the -a flag can be used to list all available plug-ins. During this process, auvaltool will list information about each component and then load the component bundle. Here’s a quick video that demonstrates how trivial it is to abuse this feature:
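From the defender's side, the same facts (the three search directories, the .component/.audiocomp extensions, and the type/subtype/manufacturer triple that auval -v takes) are enough to build an inventory of installed components and their code-signing status. The script below is an added example, not code from the post or from SpecterOps; it assumes the standard AudioComponents layout of Info.plist (an array of dictionaries with type, subtype, manufacturer and name keys) and shells out to codesign only when that tool is present, so the parsing part runs anywhere. The embedded plist is constructed sample data.

```python
"""Inventory Audio Unit component bundles: identity (as auval sees it)
plus code-signing status.  Added example; assumes the AudioComponents
Info.plist layout described below and uses codesign when available."""
import plistlib
import shutil
import subprocess
from pathlib import Path

# The three component search paths named in the post.
COMPONENT_DIRS = [
    Path.home() / "Library/Audio/Plug-Ins/Components",
    Path("/Library/Audio/Plug-Ins/Components"),
    Path("/System/Library/Components"),
]
COMPONENT_EXTS = (".component", ".audiocomp")


def parse_component_plist(data: bytes) -> list[dict]:
    """Return one record per AudioComponents entry with the identifiers
    auval needs (type, subtype, manufacturer) and the display name."""
    plist = plistlib.loads(data)
    records = []
    for entry in plist.get("AudioComponents", []):
        records.append({
            "type": str(entry.get("type", "")),
            "subtype": str(entry.get("subtype", "")),
            "manufacturer": str(entry.get("manufacturer", "")),
            "name": str(entry.get("name", "")),
        })
    return records


def auval_command(rec: dict) -> str:
    """The auval -v invocation that loads exactly this component; handy
    for correlating with process-creation telemetry."""
    return f"auval -v {rec['type']} {rec['subtype']} {rec['manufacturer']}"


def signing_status(bundle: Path) -> str:
    """'signed', 'unsigned', or 'unknown' when codesign is not on PATH."""
    codesign = shutil.which("codesign")
    if codesign is None:
        return "unknown"
    proc = subprocess.run([codesign, "--verify", "--deep", str(bundle)],
                          capture_output=True, text=True)
    return "signed" if proc.returncode == 0 else "unsigned"


def inventory(dirs=COMPONENT_DIRS) -> list[dict]:
    """Walk the component directories and describe every bundle found."""
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for bundle in d.iterdir():
            if bundle.suffix not in COMPONENT_EXTS:
                continue
            plist_path = bundle / "Contents" / "Info.plist"
            if not plist_path.is_file():
                continue
            for rec in parse_component_plist(plist_path.read_bytes()):
                rec["bundle"] = str(bundle)
                rec["signing"] = signing_status(bundle)
                rec["auval"] = auval_command(rec)
                results.append(rec)
    return results


# Constructed Info.plist in the layout the post describes (manufacturer,
# subtype and type are four-character codes; type aufx = audio effect).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AudioComponents</key>
  <array>
    <dict>
      <key>manufacturer</key><string>Demo</string>
      <key>name</key><string>Demo: Example Effect</string>
      <key>subtype</key><string>exfx</string>
      <key>type</key><string>aufx</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for rec in parse_component_plist(SAMPLE_PLIST):
        print("sample:", auval_command(rec))
    for rec in inventory():
        print(rec["signing"], rec["auval"], rec["bundle"])
```

An unsigned bundle in a user-writable component directory is the artifact this technique leaves behind, so the signing column is the one to sort on; the auval column gives the exact command line to look for in process telemetry.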
[Embedded video: https://medium.com/media/eb895421890b9d65251acd4c149c4a77/href]
Possible Detections
When building a detection for this technique, there are a few indicators you should consider:
- File creation events for the /Library/Audio/Plug-ins/Components or the ~/Library/Audio/Plug-ins/Components directory, with the file extensions .component or .audiocomp. The /System/Library/Components directory is restricted due to System Integrity Protection and cannot be modified by any user, including root.
- Process creation events with command line arguments for auval -a, auvaltool -a, auval -v <TYPE> <SUBTYPE> <MANU>, or auvaltool -v <TYPE> <SUBTYPE> <MANU>. Legitimate applications such as Logic Pro X use auval to manage audio plug-ins and could create false positives.
- Network connection events that originate from auvaltool. The audio validation tool does not typically make network connections. In the event that it does, it should be treated as abnormal behavior.
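The three indicators above map directly onto three event types. The following is an added example of that detection logic run over constructed sample telemetry; it is not from the post. The event schema (dictionaries with kind, path, cmdline, parent, process and dst fields) is an assumption chosen for the demo rather than any real EDR format, and the treatment of Logic Pro X as a known parent follows the post's own false-positive note.

```python
"""Detection rules for the auval/auvaltool technique, run over
constructed sample events.  Added example; the event schema is assumed."""
import re

COMPONENT_EXTS = (".component", ".audiocomp")
# Matches both /Library/Audio/Plug-ins/Components and the per-user
# ~/Library/... copy.  /System/Library/Components is SIP-protected and
# not writable, so it is deliberately not part of the file rule.
PLUGIN_DIR_FRAGMENT = "/library/audio/plug-ins/components/"
# auval or auvaltool with -a, or -v followed by TYPE SUBTYPE MANU.
AUVAL_RE = re.compile(
    r"(?:^|/)auval(?:tool)?\s+(?:-a\b|-v\s+\S+\s+\S+\s+\S+)")
# Parents the post names as legitimate users of auval (lower severity).
LEGIT_PARENTS = {"Logic Pro X"}


def file_alert(ev):
    """Indicator 1: a component bundle dropped into a plug-in directory."""
    path = ev.get("path", "")
    low = path.lower()  # macOS filesystems are case-insensitive by default
    if PLUGIN_DIR_FRAGMENT not in low or not low.endswith(COMPONENT_EXTS):
        return None
    return {"rule": "component_dropped", "severity": "medium", "path": path}


def process_alert(ev):
    """Indicator 2: auval/auvaltool asked to load or enumerate plug-ins."""
    cmdline = ev.get("cmdline", "")
    if not AUVAL_RE.search(cmdline):
        return None
    parent = ev.get("parent", "")
    severity = "low" if parent in LEGIT_PARENTS else "high"
    return {"rule": "auval_plugin_load", "severity": severity,
            "cmdline": cmdline, "parent": parent}


def network_alert(ev):
    """Indicator 3: the validation tool should never talk to the network."""
    if ev.get("process") not in ("auval", "auvaltool"):
        return None
    return {"rule": "auval_network", "severity": "high", "dst": ev.get("dst")}


HANDLERS = {
    "file_create": file_alert,
    "process_create": process_alert,
    "network_connect": network_alert,
}


def detect(events):
    """Run every event through the handler for its kind; collect alerts."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("kind"))
        if handler is None:
            continue
        alert = handler(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events, four that should fire.
SAMPLE_EVENTS = [
    {"kind": "file_create",
     "path": "/Users/alice/Library/Audio/Plug-ins/Components/Demo.component"},
    {"kind": "file_create", "path": "/Users/alice/Downloads/notes.txt"},
    {"kind": "process_create", "parent": "Terminal",
     "cmdline": "/usr/bin/auval -v aufx exfx Demo"},
    {"kind": "process_create", "parent": "Logic Pro X",
     "cmdline": "auvaltool -a"},
    {"kind": "process_create", "parent": "Terminal",
     "cmdline": "/usr/bin/auval -h"},
    {"kind": "network_connect", "process": "auvaltool",
     "dst": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The strongest signal is the chain rather than any single rule: a bundle creation in a user-writable component directory, followed shortly by an auval -v with that bundle's identifiers from a parent that is not a known audio host, then a connection from auvaltool. Correlating on the TYPE/SUBTYPE/MANU triple ties the process event back to the specific bundle that was dropped.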
The audio validation tool provides a simple mechanism for attackers to execute un-signed code in a native process.
Audio Unit Plug-ins was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: https://posts.specterops.io/audio-unit-plug-ins-896d3434a882?source=rss----f05f8696e3cc---4