Unpacking pkgs: A look inside macOS Installer packages and common security flaws

We are hackers, we won’t do as you expect or play by your rules, and we certainly don’t trust you. JAR files are really ZIPs…unzip them! So are DOCX, XLSX, PPTX, etc. Open them up! macOS applications (.app “files”) are really browsable directories?! Sweet, let’s do that.

Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives containing many plaintext files (including scripts) with plenty to examine without installing.
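As an added illustration (not code from the talk), the sketch below reads the XAR header of a .pkg and lists the paths in its zlib-compressed XML table of contents without extracting or installing anything. The sample archive, the name `example.pkg`, and the `MAX_TOC` cap are constructed assumptions.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

# Big-endian header: magic, size, version, TOC compressed/uncompressed length, checksum alg
HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 16 * 1024 * 1024  # assumed sanity cap, not part of the format

def read_toc(data: bytes) -> ET.Element:
    """Validate the header and return the parsed XML table of contents."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a XAR archive")
    magic, hdr_size, _ver, clen, ulen, _alg = HEADER.unpack_from(data)
    if magic != b"xar!":
        raise ValueError("bad magic, not a XAR archive")
    if hdr_size < HEADER.size or hdr_size + clen > len(data):
        raise ValueError("declared lengths exceed file size")
    if not 0 < ulen <= MAX_TOC:
        raise ValueError("implausible TOC size")
    # Allow one byte past the declared size: oversize output is detected
    # without letting a lying header force an unbounded allocation.
    z = zlib.decompressobj()
    toc = z.decompress(data[hdr_size:hdr_size + clen], ulen + 1)
    if len(toc) != ulen or not z.eof:
        raise ValueError("TOC does not match declared size")
    return ET.fromstring(toc)

def list_entries(root: ET.Element) -> list:
    """Flatten nested <file> elements into (path, type) tuples."""
    toc = root.find("toc")
    if toc is None:
        raise ValueError("no <toc> element")
    out = []
    def walk(node, prefix):
        for f in node.findall("file"):
            path = prefix + f.findtext("name", "")
            out.append((path, f.findtext("type", "")))
            walk(f, path + "/")
    walk(toc, "")
    return out

def build_sample() -> bytes:
    """Constructed sample: header plus TOC only, no heap data."""
    toc = (b'<xar><toc>'
           b'<file id="1"><name>Distribution</name><type>file</type></file>'
           b'<file id="2"><name>example.pkg</name><type>directory</type>'
           b'<file id="3"><name>Scripts</name><type>file</type></file>'
           b'</file></toc></xar>')
    comp = zlib.compress(toc)
    return HEADER.pack(b"xar!", HEADER.size, 1, len(comp), len(toc), 1) + comp
```

On a real package, pass the file's bytes to `read_toc`; the listing shows where the installer scripts and plaintext metadata sit before any of it runs.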

In this presentation I’ll walk through extracting the contents of these installer packages, understanding their structure, and how they work while highlighting where security issues can come up. To drive home what can go wrong, I’ll include examples of security issues I’ve seen in the wild and show how they can be exploited to elevate privileges and gain code/command execution.

After this talk, .pkg files will no longer be opaque blobs to you. You’ll walk away knowing tools and techniques to examine them and understand what they’re really doing, and a methodology for finding bugs in them. As a final bonus, I’ll include a subtle trick or two that can be used on red teams.
