
The GitHub Desktop app doesn't add the quarantine extended attribute to files downloaded from the web, and this, together with macOS's URL handler auto-registration feature, allows an attacker to execute arbitrary, even unsigned, code on a macOS system. If we don't count the clicks required to open the GitHub app and clone an external repository, then this is a 2-click RCE.

I recently came across a very good blog post about an RCE vulnerability in GitHub Desktop via its custom URL handlers: GitHub Desktop RCE (OSX) - André Baptista. Although it's fixed, there was a sentence that caught my attention:

"First, I thought that OSX would be able to detect that this app was downloaded from the Internet. Since the app is cloned through Git the OS will not prompt the user to confirm this action."

This is a clear indication that GitHub Desktop doesn't add the quarantine flag to the downloaded content, and thus Gatekeeper never comes into play. I quickly went ahead and verified it, and indeed it was missing even in the latest version. The other idea that immediately popped up in my mind was: what if the app I clone contains custom URL handlers? Those could be auto-registered, and we could gain a few-click RCE.

The GitHub Desktop app registers a URL handler for x-github-client upon installation. If someone clicks a link on a website pointing to such a URL, the browser will open GitHub Desktop. The user gets a prompt to allow opening the application, unless "always allow" was previously ticked for the app. If we provide the openRepo action for this handler, followed by a URL, it will offer to clone the repository to our local drive. The full link looks like this: x-github-client://openRepo/url-of-the-repository-to-be-cloned. When the user clicks Clone in the window, the repository is cloned, and the files will lack the quarantine extended attribute, which is required for Gatekeeper to be triggered on file execution.

I made a very simple application, available from here (including source code): GitHub - theevilbit/githubpoc. It's unsigned, and if we download it normally via the browser (Download ZIP), we will see Gatekeeper popping up, denying execution.

Before we move on, we need to talk about macOS's URL handler auto-registration. I will just make a brief summary here, but for full details you can read Patrick Wardle's blog post on the subject, Remote Mac Exploitation Via Custom URL Schemes, or his recent VirusBulletin 2019 talk about the WindTail malware: Cyber-Espionage in the Middle East: Unravelling OSX.WindTail - Speaker Deck. In short, upon download of the application, the Launch Services daemon (lsd) will automatically parse the Info.plist file of the application bundle, and if it has a URL handler defined, it will auto-register it (thank you, Apple!). A few seconds later, the handler is ready to be used. This is a macOS feature, and GitHub Desktop has nothing to do with it. But combined with the missing quarantine flag, this allows a very convenient unsigned remote code execution, completely bypassing Gatekeeper.
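As an added example (not part of the original post or the githubpoc project), here is a small Python audit script for the defender's side of the auto-registration issue: it walks a directory such as a freshly cloned repository and reports every .app bundle whose Info.plist declares CFBundleURLTypes/CFBundleURLSchemes, i.e. the schemes lsd would register on a Mac. The bundle names, identifiers and scheme it builds are constructed for the demonstration only.

```python
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

def url_schemes_from_plist(plist_bytes):
    """Return the URL schemes one Info.plist declares under CFBundleURLTypes."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes

def find_url_handlers(root):
    """Map every .app bundle under root to the schemes lsd would auto-register."""
    found = {}
    for dirpath, _dirs, _files in os.walk(root):
        if not dirpath.endswith(".app"):
            continue
        plist_path = os.path.join(dirpath, "Contents", "Info.plist")
        try:
            with open(plist_path, "rb") as f:
                schemes = url_schemes_from_plist(f.read())
        except (FileNotFoundError, plistlib.InvalidFileException, ExpatError):
            schemes = []  # no bundle layout or malformed plist: nothing to register
        if schemes:
            found[os.path.relpath(dirpath, root)] = schemes
    return found

def build_sample_clone():
    """Construct a fake cloned repo: one bundle with a scheme, one without."""
    root = tempfile.mkdtemp()
    bundles = {  # constructed sample identifiers and scheme name
        "Handler.app": {"CFBundleIdentifier": "sample.handler",
                        "CFBundleURLTypes": [{"CFBundleURLName": "sample.handler",
                                              "CFBundleURLSchemes": ["sample-scheme"]}]},
        "Plain.app": {"CFBundleIdentifier": "sample.plain"},
    }
    for name, info in bundles.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as f:
            plistlib.dump(info, f)
    return root

if __name__ == "__main__":
    for bundle, schemes in find_url_handlers(build_sample_clone()).items():
        print(f"{bundle} would auto-register: {', '.join(schemes)}")
```

On a real clone, pair this with `xattr -l <bundle>` to confirm whether com.apple.quarantine is present on the bundles it reports.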
