Closed fah closed 1 week ago
Thank you for the bug report. You can check the codesigning and entitlements of the released ThumbMF3Version1.6 and its embedded QuickTime plugin, and you can inspect the XML of their entitlements. You'll see that both executables have the sandbox entitlement and the hardened runtime entitlement. This prevents them from opening files outside their sandbox, and user-selected files can only be opened read-only. The Info.plist of the plugin specifies that it won't open any files on its own, but will be handed file URLs by the Quick Look system, and only files with the extensions .3mf, .gcode, and .bgcode.
codesign -d --entitlements - --xml /Applications/ThumbHost3mf.app
and
codesign -d --entitlements - --xml /Applications/ThumbHost3mf.app/Contents/PlugIns/ThumbMF3.appex
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>2X3M9VFULE.com.turbozen.-mf</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
The signing, the entitlements, and the Info.plist give you assurance that ThumbHost3mf.app is kept from accessing things it should not access.
That leaves the question of where that report of opening /etc/master.passwd comes from.
I could not reproduce it using a fresh download from the releases section of the github page.
I tried another of my apps, https://www.virustotal.com/gui/file/377bb94e134e1113321306cb983f1315574fd6253a76b59a6a2b647392d1e2e1/behavior
I clicked on the Full Reports link, and then the popup menu item VirusTotal Box of Apples, and I got a page that had a screenshot and a more complete list of processes and file paths. Here is a PDF of what I saw; you'll notice at the top of page 3 that /etc/master.passwd is opened by coreservicesd, and my app never got to open any files of its own: instead the process XProtectRemediatorDubRobber was probing my app.
VirusTotal Box of Apples Sandbox report.pdf
I checked that ThumbHost3mf.app is safe, by verifying the codesigning and entitlements.
virustotal.com gives it a malware factor of 0 out of 66 - the safest.
virustotal.com reports some access to /etc/master.passwd and Crowdsourced IDS rule www.apple.com/osx/apps/all.html#messages but that is just part of the normal process of a mac running an app.
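The check described in the comments above (read the entitlements XML that `codesign -d --entitlements - --xml` prints, confirm the sandbox and read-only file-access entitlements, and look for anything broader) can be scripted so it is repeatable on every release. The following is an added example, not code from the ThumbHost3mf project: it parses the entitlements plist with Python's standard `plistlib`, using the fragment quoted above as a constructed sample, and flags a small, hand-picked list of entitlements that widen a sandboxed process's reach (that list is my assumption about what deserves a second look for a thumbnail extension, not anything the thread states). It also parses the `flags=0x10000(runtime)` token from the `CodeDirectory` line of `codesign -dvvv` output, since the hardened-runtime flag is recorded there rather than in the entitlements dictionary; the sample line is constructed.

```python
"""Review macOS entitlements and code-signing flags the way the thread does by hand.

Added example; not part of the ThumbHost3mf project. Sample inputs are constructed.
"""
import plistlib

# Constructed sample: the entitlements fragment quoted in the thread, with an XML header added.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.application-groups</key><array><string>2X3M9VFULE.com.turbozen.-mf</string>
</array><key>com.apple.security.files.user-selected.read-only</key><true/>
</dict></plist>
"""

# Constructed sample of the CodeDirectory line printed by `codesign -dvvv` for a
# hardened-runtime binary; the flags field is what we parse.
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.app\n"
    "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded\n"
)

# Assumption: entitlements that widen what a sandboxed process can reach. A Quick Look
# thumbnail extension that only reads user-selected files should need none of these.
BROAD_ENTITLEMENTS = frozenset({
    "com.apple.security.network.client",
    "com.apple.security.network.server",
    "com.apple.security.files.user-selected.read-write",
    "com.apple.security.files.downloads.read-write",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
})


def review_entitlements(xml_bytes):
    """Parse an entitlements plist and summarise what it grants."""
    ents = plistlib.loads(xml_bytes)
    broad = sorted(
        key for key in ents
        if key in BROAD_ENTITLEMENTS
        # temporary-exception entitlements punch holes in the sandbox by design
        or key.startswith("com.apple.security.temporary-exception.")
    )
    return {
        "sandboxed": ents.get("com.apple.security.app-sandbox") is True,
        "user_selected_read_only": ents.get("com.apple.security.files.user-selected.read-only") is True,
        "application_groups": list(ents.get("com.apple.security.application-groups", [])),
        "broad": broad,
    }


def has_hardened_runtime(codesign_output):
    """Return True if the CodeDirectory flags from `codesign -dvvv` include 'runtime'."""
    for line in codesign_output.splitlines():
        if line.startswith("CodeDirectory") and "flags=" in line:
            flags = line.split("flags=", 1)[1].split()[0]  # e.g. "0x10000(runtime)"
            return "runtime" in flags
    return False


def passes_thumbnailer_policy(xml_bytes, codesign_output):
    """The bar the thread describes: sandboxed, read-only user files, hardened runtime, nothing broad."""
    summary = review_entitlements(xml_bytes)
    return (
        summary["sandboxed"]
        and summary["user_selected_read_only"]
        and not summary["broad"]
        and has_hardened_runtime(codesign_output)
    )


if __name__ == "__main__":
    # On a Mac you would feed this the output of:
    #   codesign -d --entitlements - --xml /Applications/ThumbHost3mf.app
    #   codesign -dvvv /Applications/ThumbHost3mf.app
    print(review_entitlements(SAMPLE_ENTITLEMENTS))
    print("hardened runtime:", has_hardened_runtime(SAMPLE_CODESIGN_OUTPUT))
    print("passes policy:", passes_thumbnailer_policy(SAMPLE_ENTITLEMENTS, SAMPLE_CODESIGN_OUTPUT))
```

The point of `passes_thumbnailer_policy` is that a release that suddenly gains `com.apple.security.network.client` or loses the sandbox entitlement fails the check, which is exactly the kind of drift a reporter comparing sandbox-analysis output against the stated design would want to catch.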
I've sent the bin file of version 1.6 to virustotal. In the sandbox “VirusTotal Box of Apples” it was detected that /etc/master.passwd was opened.
https://www.virustotal.com/gui/file/87c3ac773cbc9b37215c5343b1cf0d879bb69d1d970a6b1284c3055355cd4b00/behavior
I also don't understand why network traffic is required for the purpose of this application. See behavior analysis above.
Any idea what causes this?
This is just a question of understanding, not a personal attack.