We are hackers, we won’t do as you expect or play by your rules, and we certainly don’t trust you. JAR files are really ZIPs…unzip them! So are DOCX, XLSX, PPTX, etc. Open them up! macOS applications (.app “”files””) are really browsable directories?! Sweet, let’s do that.
Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives containing many plaintext files (including scripts) with plenty to examine without installing.
In this presentation I’ll walk through extracting the contents of these installer packages, understanding their structure, and how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I’ll include examples of security issues I’ve seen in the wild and show how they can be exploited to elevate privileges and gain code/command execution.
After this talk, .pkg files will no longer be opaque blobs to you. You’ll walk away knowing tools and techniques to examine, understand what they’re really doing, and a methodology for finding bugs in them. As a final bonus, I’ll include a subtle trick or two that can be used on red teams.
Andy Grant is a Technical Vice President for NCC Group with more than a decade of professional experience in offensive security and two decades of involvement in the computer security space. While at NCC Group, Andy has worked on a wide-variety of projects. He has performed countless application assessments across many platforms and systems. This includes web applications, widget/third-party platforms, mobile applications on Android, iOS and WP7, and native/desktop applications for OS X/macOS, Windows, and unix. Andy’s security assessments regularly include code review of many programming languages, including C, C++, Java, Scala, PHP, Ruby, Python, Go, Kotlin, Objective-C, and Swift. Andy has also conducted multiple internal and external network penetration tests, architecture and design reviews, and threat modeling exercises. Andy has worked with small tech start-ups, small and large software development groups, and large financial institutions. He has been embedded in corporate security programs for multiple months to provide on going security guidance and program/process improvements. Prior to working at iSEC Partners (aquired by NCC Group), Andy was part of a three person team that developed the security application that became the foundation for Dasient, a dynamic, behavioral-based engine to defend web sites against attacks and malware. Andy has a BS in Computer Science and an Advanced Computer Security Certificate, both from Stanford University.