
CDHash serialization issue in fileinfo #1318

Closed
np5 opened this issue Apr 5, 2024 · 3 comments · Fixed by #1322
Comments

@np5 (Contributor) commented Apr 5, 2024

There are issues with the CD Hash in the santactl fileinfo command output:

```
Path                   : /Applications/Firefox Developer Edition.app/Contents/MacOS/firefox
SHA-256                : e089ce663ef57a9be064f9ad8c49428930ce03083b19d5949460b14a5ce8571e
SHA-1                  : b9e82bdb5d90ec039df945d79a61c09a3fab9457
Bundle Name            : Firefox Developer Edition
Bundle Version         : 12524.4.3
Bundle Version Str     : 125.0
Download Timestamp     : 2024/04/04 07:02:21 +0200
Team ID                : 43AQ936H96
Signing ID             : org.mozilla.firefoxdeveloperedition
CDHash                 : {length = 20, bytes = 0xa71fd6b275762f87ad27f0f8cbe76961025370e3}
Type                   : Executable (arm64, x86_64)
Code-signed            : Yes
Rule                   : Could not communicate with daemon
```

It seems that the binary data is passed directly to the text output.

There is also a related hard crash in the json output:

```
/Applications/Santa.app/Contents/MacOS/santactl fileinfo --json /Applications/1Password.app
[
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'Invalid type in JSON write (__NSCFData)'
*** First throw call stack:
(
	0   CoreFoundation                      0x000000019a872ccc __exceptionPreprocess + 176
	1   libobjc.A.dylib                     0x000000019a35a788 objc_exception_throw + 60
	2   Foundation                          0x000000019b9734f4 _writeJSONValue + 788
	3   Foundation                          0x000000019b973e08 ___writeJSONObject_block_invoke + 388
	4   CoreFoundation                      0x000000019a7c0904 __NSDICTIONARY_IS_CALLING_OUT_TO_A_BLOCK__ + 24
	5   CoreFoundation                      0x000000019a7ffcc4 -[__NSDictionaryM enumerateKeysAndObjectsWithOptions:usingBlock:] + 288
	6   Foundation                          0x000000019b97372c _writeJSONObject + 504
	7   Foundation                          0x000000019c0f2e68 -[_NSJSONWriter dataWithRootObject:options:] + 88
	8   Foundation                          0x000000019b9730cc +[NSJSONSerialization dataWithJSONObject:options:error:] + 112
	9   santactl                            0x000000010044cca8 -[SNTCommandFileInfo jsonStringForDictionary:] + 40
	10  santactl                            0x000000010044b4c8 -[SNTCommandFileInfo printInfoForFile:] + 3508
	11  Foundation                          0x000000019b91212c __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 24
	12  Foundation                          0x000000019b911fec -[NSBlockOperation main] + 104
	13  Foundation                          0x000000019b911f7c __NSOPERATION_IS_INVOKING_MAIN__ + 16
	14  Foundation                          0x000000019b911324 -[NSOperation start] + 648
	15  Foundation                          0x000000019b911094 __NSOPERATIONQUEUE_IS_STARTING_AN_OPERATION__ + 16
	16  Foundation                          0x000000019b910f84 __NSOQSchedule_f + 172
	17  libdispatch.dylib                   0x000000019a57d470 _dispatch_block_async_invoke2 + 148
	18  libdispatch.dylib                   0x000000019a56e3e8 _dispatch_client_callout + 20
	19  libdispatch.dylib                   0x000000019a5718ec _dispatch_continuation_pop + 600
	20  libdispatch.dylib                   0x000000019a570f08 _dispatch_async_redirect_invoke + 584
	21  libdispatch.dylib                   0x000000019a57fea8 _dispatch_root_queue_drain + 392
	22  libdispatch.dylib                   0x000000019a5806b8 _dispatch_worker_thread2 + 156
	23  libsystem_pthread.dylib             0x000000019a71afd0 _pthread_wqthread + 228
	24  libsystem_pthread.dylib             0x000000019a719d28 start_wqthread + 8
)
libc++abi: terminating due to uncaught exception of type NSException
```

I have just installed Santa 2024.3:

```
$ santactl version
santad          | 2024.3 (build 618894742)
santactl        | 2024.3 (build 618894742)
SantaGUI        | 2024.3 (build 618894742)
$ systemextensionsctl list
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	EQHXZ8M8AV	com.google.santa.daemon (2024.3/2024.3.618894742)	santad	[activated enabled]
```

Also, the daemon is up and running, status and sync are OK, but there is a "Could not communicate with daemon" error in the rule key value, so there may be another issue there.

The events received by the sync server are OK. We get the cdhash key in the payload with a string value.

@np5 (Contributor, Author) commented Apr 5, 2024

The cdhash property has a CFData return type (kSecCodeInfoUnique):

```objc
- (SNTAttributeBlock)cdhash {
  return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
    // kSecCodeInfoUnique holds the CDHash as CFData; it is returned here unconverted
    return [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoUnique];
  };
}
```

In the rest of the app, the cdhash comes from the es_process_t type and is converted to a string:

```objc
// The 20 raw cdhash bytes from es_process_t are formatted into a string here
const uint8_t *buf = targetProc->cdhash;
cdhash = [[NSString alloc] initWithFormat:kCDHashFormatString, buf[0], buf[1], buf[2], buf[3],
                                          buf[4], buf[5], buf[6], buf[7], buf[8], buf[9],
                                          buf[10], buf[11], buf[12], buf[13], buf[14],
                                          buf[15], buf[16], buf[17], buf[18], buf[19]];
```

@np5 (Contributor, Author) commented Apr 5, 2024

The daemon communication error may be caused by the wrong type:

```objc
// cdhash is the CFData value from the cdhash attribute block above
struct RuleIdentifiers identifiers = {
    .cdhash = cdhash,
    .binarySHA256 = fileInfo.SHA256,
    .signingID = signingID,
    .certificateSHA256 = err ? nil : csc.leafCertificate.SHA256,
    .teamID = teamID,
};
[[cmd.daemonConn remoteObjectProxy]
    decisionForFilePath:fileInfo.path
            identifiers:[[SNTRuleIdentifiers alloc] initWithRuleIdentifiers:identifiers]
                  reply:^(SNTEventState s) {
                    state = s;
                    dispatch_semaphore_signal(sema);
                  }];
if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
  cmd.daemonUnavailable = YES;
  return kCommunicationErrorMsg;
} else {
  // remainder of the method not included in the excerpt
}
```

cdhash is CFData, but in the SNTRuleIdentifiers object, it is a NSString:

```objc
@interface SNTRuleIdentifiers : NSObject <NSSecureCoding>
@property(readonly) NSString *cdhash;
@property(readonly) NSString *binarySHA256;
@property(readonly) NSString *signingID;
@property(readonly) NSString *certificateSHA256;
@property(readonly) NSString *teamID;
@end
```
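
An added example, not code from the Santa project or from the issue author, covering both of the comments above: it converts the CFData/NSData value that kSecCodeInfoUnique yields into the lowercase hex string the es_process_t path and SNTRuleIdentifiers expect, and shows that checking NSJSONSerialization's isValidJSONObject: on the raw NSData reports the problem as a failed check rather than the uncaught NSInvalidArgumentException from the crash log. The helper name CDHashStringFromData and the sample bytes are constructed for illustration.

```objectivec
#import <Foundation/Foundation.h>

// A CDHash as reported by the issue is 20 bytes ({length = 20, ...}).
static const NSUInteger kCDHashLength = 20;

// Hypothetical helper: returns the lowercase hex form of a 20-byte NSData
// CDHash, or nil for anything else, so no raw NSData reaches the text
// formatter, the JSON writer or the daemon's rule lookup.
static NSString *CDHashStringFromData(id value) {
  if (![value isKindOfClass:[NSData class]]) return nil;
  NSData *data = (NSData *)value;
  if (data.length != kCDHashLength) return nil;
  const uint8_t *buf = (const uint8_t *)data.bytes;
  NSMutableString *hex = [NSMutableString stringWithCapacity:kCDHashLength * 2];
  for (NSUInteger i = 0; i < kCDHashLength; i++) {
    [hex appendFormat:@"%02x", buf[i]];
  }
  return [hex copy];
}

int main(void) {
  @autoreleasepool {
    // Constructed sample: the CDHash bytes shown in the issue's fileinfo output.
    uint8_t raw[] = {0xa7, 0x1f, 0xd6, 0xb2, 0x75, 0x76, 0x2f, 0x87, 0xad, 0x27,
                     0xf0, 0xf8, 0xcb, 0xe7, 0x69, 0x61, 0x02, 0x53, 0x70, 0xe3};
    NSData *cdhashData = [NSData dataWithBytes:raw length:sizeof(raw)];

    // The pre-fix shape of the dictionary: an NSData value. isValidJSONObject:
    // rejects it instead of throwing inside dataWithJSONObject:options:error:.
    NSDictionary *broken = @{@"cdhash" : cdhashData};
    BOOL accepted = [NSJSONSerialization isValidJSONObject:broken];
    NSLog(@"raw NSData accepted by the JSON writer: %@", accepted ? @"YES" : @"NO");

    // The fixed shape: a hex NSString, the same form the es_process_t path produces.
    NSString *cdhash = CDHashStringFromData(cdhashData);
    id cdhashValue = cdhash ? (id)cdhash : (id)[NSNull null];
    NSDictionary *fixed = @{@"cdhash" : cdhashValue};
    NSError *err = nil;
    NSData *json = [NSJSONSerialization dataWithJSONObject:fixed options:0 error:&err];
    if (!json) {
      NSLog(@"JSON write failed: %@", err);
      return 1;
    }
    NSLog(@"%@", [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding]);
  }
  return 0;
}
```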

@mlw (Member) commented Apr 5, 2024

Note: Added a warning banner to the release: https://github.com/google/santa/releases/tag/2024.3
