Add OSX High Sierra APFS volume password disclosure

[cbrnrd]

This PR adds a module that uses a vulnerability in OSX's log command to get plaintext passwords of encrypted APFS volumes. This command is taken from this article and should be tested (for accuracy mainly). If it doesn't work, I will fall back to the command used in the POC.

Verification

• Start msfconsole
• Get a shell on an OSX High Sierra system (between 10.13.0 to 10.13.3)
• use post/osx/gather/apfs_encrypted_volume_passwd
• Verify it works on all reported High Sierra versions
• Verify that the MOUNT_PATH option works as it should
• Write docs

[bcoles]

This should be =~ rather than ~=

Also, this check will also match 10.13.39999 and 99910.13.0 which may or may not cause false positives in the future. I'm not greatly familiar with the Mac OSX versioning scheme.

[cbrnrd]

from my experience, OSX versions are major.minor.patch but I'll check the apple docs to see if theres any other info.

[bcoles]

The conditional should probably look something like this:

if osx_version =~ /^10\.13\.[0-3]$/

[bcoles]

print_good even if the cmd_exec fails ? What if the command returns no results?

[bcoles]

Isn't this the reverse logic? Append unless datastore['MOUNT_PATH'].empty? would make more sense.

[bcoles]

Superfluous return

[cbrnrd]

Docs should be up by tonight. I'm not quite sure why it's failing the sanity test (or what that test is). It just needs to be tested.

[busterb]

Sanity test will fail this weekend because we're in the process of moving things between data centers. Sorry about that.

[cbrnrd]

Ah okay, all good 👍

[jmartin-tech]

Jenkins test this please.

[cbrnrd]

Docs are finished. All that's left is testing. I will need some help with this as I don't own a High Sierra machine. Any help would be appreciated :)

[timwr]

ARCH_ALL

[timwr]

Assuming 10.13.0 is vulnerable, we should do:
if osx_version =~ /^10\.13[\.[0-3]]?$/
to match 10.13

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.13
BuildVersion:   17A365

[timwr]

Exploit::CheckCode::Safe?
Otherwise:

[-] Post failed: NameError uninitialized constant Msf::Modules::Mod706f73742f6f73782f6761746865722f617066735f656e637279707465645f766f6c756d655f706173737764::MetasploitModule::CheckCode

[timwr]

I think log show rather than log stream, so that the command returns.
If not the command never returns and the session dies.

[timwr]

just do osx_version = cmd_exec('sw_vers -productVersion')

[timwr]

Hmm I'm not seeing an option to format in APFS on 10.13.0

[cbrnrd]

Should I revert it back to the previous command (grep the full output)?

[timwr]

No sorry I'm struggling to reproduce the bug. APFS is not a formatting option.

[cbrnrd]

are using the Application or the command line tool?

[cbrnrd]

@timwr Here's a few things that may work for formatting:

https://superuser.com/questions/1097016/format-disk-with-apfs-the-new-apple-file-system#1110991

https://www.macobserver.com/tips/quick-tip/experiment-apfs-drive-heres-how-format-apfs/

[cbrnrd]

And the command you can use to encrypt the drive is newfs_apfs.
The command looks something like this:

newfs_apfs -A -i -E -S password -v VOLUMENAME disknum .

[timwr]

msf5 post(osx/gather/apfs_encrypted_volume_passwd) > exploit

[+] Timestamp                       Thread     Type        Activity             PID    TTL
2018-04-04 13:01:44.187221+0800 0x1c8cd    Fault       0x57b0               6241   14   diskmanagementd: diskmanagement: execve(2) pid=6241 /System/Library/Filesystems/exfat.fs/Contents/Resources/newfs_exfat -v Files /dev/rdisk1s2 .
2018-04-04 13:05:03.028476+0800 0x1ccee    Fault       0x5a20               6297   14   diskmanagementd: diskmanagement: execve(2) pid=6297 /System/Library/Filesystems/apfs.fs/Contents/Resources/newfs_apfs -i -v Files /dev/rdisk1s2 .
2018-04-04 13:05:15.730561+0800 0x1cdf8    Fault       0x5a90               6312   14   diskmanagementd: diskmanagement: execve(2) pid=6312 /System/Library/Filesystems/apfs.fs/Contents/Resources/newfs_apfs -A -i -v Untitled disk2 .
2018-04-04 13:05:35.168412+0800 0x1cfdb    Fault       0x5b60               6331   14   diskmanagementd: diskmanagement: execve(2) pid=6331 /System/Library/Filesystems/apfs.fs/Contents/Resources/newfs_apfs -i -E -S aa -v Untitled disk2s2 .
[*] Post module execution completed

I guess we could try match newfs_apfs -i -E -S password with a regex? or just match /newfs_apfs*$/ (from newfs_apfs until the end of the line).

[timwr]

I'm surprised our automated testing did not pick up the missing comma here

[cbrnrd]

I kind of did that in my last commit. I matched for /newfs_apfs/ and /-S (.+)/. This should only get the line of text where the password is.

[timwr]

I was getting an error here:
[-] Post failed: NoMethodError undefined method join' for nil:NilClass`
Please see cbrnrd#1

[cbrnrd]

Anything new @timwr?

[timwr]

Apologies for the delay, it works so I think we can just land this as-is unless anyone has any further comments.
I can add the output of a successful run into the docs.

[cbrnrd]

Okay great, thanks!

[timwr]

Minor tweaks: 72cd97d

[timwr]

Landed, thanks @cbrnrd !

[timwr]

Release Notes

The post/osx/gather/apfs_encrypted_volume_passwd module has been added to the framework. It recovers the password of an APFS encrypted volume from the logs of the Disk Utility app. Volumes encrypted on macOS High Sierra versions 10.13.0-10.13.2 are vulnerable.