Enrolling Devices in Other Organisations
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
As previously commented, to try to enroll a device into an organization, only a serial number belonging to that organization is needed. Once the device is enrolled, many organizations push sensitive data onto the new device: certificates, applications, WiFi passwords, VPN configurations and so on. This makes enrollment a dangerous entry point for attackers if the enrollment process isn't correctly protected.
The following is a summary of the research https://duo.com/labs/research/mdm-me-maybe. Check it for further technical details!
This research delves into the binaries associated with the Device Enrollment Program (DEP) and Mobile Device Management (MDM) on macOS. Key components include:

- `mdmclient`: Communicates with MDM servers and triggers DEP check-ins on macOS versions before 10.13.4.
- `profiles`: Manages Configuration Profiles and triggers DEP check-ins on macOS versions 10.13.4 and later.
- `cloudconfigurationd`: Manages DEP API communications and retrieves Device Enrollment profiles.
DEP check-ins use the `CPFetchActivationRecord` and `CPGetActivationRecord` functions from the private Configuration Profiles framework to fetch the Activation Record, with `CPFetchActivationRecord` coordinating with `cloudconfigurationd` through XPC.
The DEP check-in involves `cloudconfigurationd` sending an encrypted, signed JSON payload to `iprofiles.apple.com/macProfile`. The payload includes the device's serial number and the action `RequestProfileConfiguration`. The encryption scheme is referred to internally as "Absinthe". Unraveling this scheme is complex and involves numerous steps, which led the researchers to explore alternative methods for inserting arbitrary serial numbers into the Activation Record request.
Attempts to intercept and modify DEP requests to `iprofiles.apple.com` using tools like Charles Proxy were hindered by payload encryption and SSL/TLS security measures. Enabling the `MCCloudConfigAcceptAnyHTTPSCertificate` configuration allows bypassing server certificate validation, but the encrypted payload still prevents modification of the serial number without the decryption key.
Instrumenting system binaries like `cloudconfigurationd` requires disabling System Integrity Protection (SIP) on macOS. With SIP disabled, tools like LLDB can attach to system processes and modify the serial number used in DEP API interactions. The researchers preferred this method because it avoids the complexities of entitlements and code signing.
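The two paragraphs above name the host-side conditions the research depended on: SIP disabled, and `MCCloudConfigAcceptAnyHTTPSCertificate` set so that `cloudconfigurationd` accepts any server certificate. The following audit script, an added example that is not from the original page or from Duo Labs, parses the output of `csrutil status` and `defaults read` and flags either weakening so a fleet administrator can spot hosts in that state. The preference domain path it reads is an assumption (label it as such in your own tooling and confirm it on your fleet); the sample command outputs in the `__main__` block are constructed.

```python
"""Audit for the two macOS weakenings that make DEP check-in tampering
possible: SIP disabled (so LLDB can attach to cloudconfigurationd) and
MCCloudConfigAcceptAnyHTTPSCertificate enabled (server cert validation off).
Added example, not code from the page or from Duo Labs."""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: the preference domain where this key would be written; confirm
# on your own fleet before relying on it.
CLOUDCONFIG_DOMAIN = "/Library/Preferences/com.apple.ManagedClient.cloudconfigurationd"
CLOUDCONFIG_KEY = "MCCloudConfigAcceptAnyHTTPSCertificate"


@dataclass
class Finding:
    check: str
    weakened: bool
    detail: str


def parse_csrutil_status(output: str) -> str:
    """Classify `csrutil status` output as 'enabled', 'disabled' or 'custom'.
    Only a plain 'enabled.' counts as fully protected; a custom configuration
    or unparseable text is reported as 'custom'."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)([^\n]*)", output)
    if not m:
        return "custom"
    state, rest = m.group(1).lower(), m.group(2)
    if state == "disabled":
        return "disabled"
    if state == "enabled" and "Custom Configuration" not in rest:
        return "enabled"
    return "custom"


def parse_defaults_bool(output: str) -> Optional[bool]:
    """Interpret `defaults read <domain> <key>` stdout. `defaults` prints 1/0
    for booleans; an absent key produces no stdout, which maps to None."""
    v = output.strip().lower()
    if v in ("1", "true", "yes"):
        return True
    if v in ("0", "false", "no"):
        return False
    return None


def audit(csrutil_output: str, defaults_output: str) -> List[Finding]:
    """Turn raw command outputs into findings; weakened=True means the host is
    in a state that allows the DEP request tampering described above."""
    sip = parse_csrutil_status(csrutil_output)
    accept_any = parse_defaults_bool(defaults_output)
    return [
        Finding("SIP", sip != "enabled", f"csrutil reports SIP {sip}"),
        Finding(
            CLOUDCONFIG_KEY,
            accept_any is True,
            "server certificate validation disabled for cloudconfigurationd"
            if accept_any else "key unset or false",
        ),
    ]


def collect_live() -> Optional[List[Finding]]:
    """Run the real commands on a macOS host; return None on other systems."""
    if shutil.which("csrutil") is None or shutil.which("defaults") is None:
        return None
    csr = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    # `defaults read` exits non-zero with empty stdout when the key is absent.
    dflt = subprocess.run(
        ["defaults", "read", CLOUDCONFIG_DOMAIN, CLOUDCONFIG_KEY],
        capture_output=True, text=True,
    ).stdout
    return audit(csr, dflt)


if __name__ == "__main__":
    # Constructed sample outputs standing in for a host with both weakenings.
    SAMPLE_CSRUTIL = "System Integrity Protection status: disabled.\n"
    SAMPLE_DEFAULTS = "1\n"
    for f in collect_live() or audit(SAMPLE_CSRUTIL, SAMPLE_DEFAULTS):
        print(("WEAKENED " if f.weakened else "ok       ") + f"{f.check}: {f.detail}")
```

On a macOS host the script runs the real commands; elsewhere it falls back to the constructed samples so the parsing logic can still be exercised. Treating a custom SIP configuration as weakened is deliberate: a partially disabled SIP may still permit attaching a debugger to system daemons, so only a plain "enabled" is accepted as protected.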
Exploiting Binary Instrumentation: Modifying the DEP request payload before JSON serialization in `cloudconfigurationd` proved effective. The process involved:

1. Attaching LLDB to `cloudconfigurationd`.
2. Locating the point where the system serial number is fetched.
3. Injecting an arbitrary serial number into memory before the payload is encrypted and sent.
This method allowed for retrieving complete DEP profiles for arbitrary serial numbers, demonstrating a potential vulnerability.
The exploitation process was automated using Python with the LLDB API, making it feasible to programmatically inject arbitrary serial numbers and retrieve corresponding DEP profiles.
The research highlighted a significant security concern:

- Information Disclosure: By providing a DEP-registered serial number, sensitive organizational information contained in the DEP profile can be retrieved.