search

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.15k stars 431 forks source link

Microsoft Company Portal App installer being incorrectly parsed to Microsoft AutoUpdate.app #24083

Open ddribeiro opened 10 hours ago

ddribeiro commented 10 hours ago

Fleet version: Observed in 4.59.0 and Fleet 0.0.0-SNAPSHOT-8f94247

💥  Actual behavior

After uploading the Microsoft Company Portal app as a custom package, Fleet names the software title "Microsoft AutoUpdate.app" This is unexpected, as it should be "Company Portal.app."

Screenshot 2024-11-22 at 12 31 16 PM

🧑‍💻  Steps to reproduce

  1. Download the Microsoft Company Portal app from: https://go.microsoft.com/fwlink/?linkid=853070
  2. Log into Fleet, select a team, and navigate to Software > Add software > Custom package > Choose file. Select the CompanyPortal-Installer.pkg file and upload it to Fleet.
  3. After the file uploads, observe that Fleet has named the software title "Microsoft AutoUpdate.app"

🕯️ More info (optional)

Inspecting this .pkg with Suspicious Package shows multiple apps and receipts being installed:

Screenshot 2024-11-22 at 12 29 41 PM Screenshot 2024-11-22 at 12 30 04 PM
ddribeiro commented 10 hours ago

Here's the contents of Distribution.xml file I got when I ran pkgutil --expand on this .pkg:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<installer-gui-script minSpecVersion="1">
    <title>Intune Company Portal</title>
    <background file="background.png" mime-type="image/png" scaling="none" alignment="bottomleft"/>
    <background-darkAqua file="background-dark.png" mime-type="image/png" scaling="none" alignment="bottomleft"/>
    <license file="LICENSE.html"/>
    <pkg-ref id="com.microsoft.package.Microsoft_AutoUpdate.app">
        <bundle-version>
            <bundle CFBundleShortVersionString="4.74" CFBundleVersion="4.74.24081116" id="com.microsoft.autoupdate.fba" path="Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app"/>
            <bundle CFBundleShortVersionString="16.88" CFBundleVersion="16.88.24081116" id="com.microsoft.errorreporting" path="Microsoft AutoUpdate.app/Contents/SharedSupport/Microsoft Error Reporting.app"/>
            <bundle CFBundleShortVersionString="4.74" CFBundleVersion="4.74.24081116" id="com.microsoft.autoupdate2" path="Microsoft AutoUpdate.app"/>
        </bundle-version>
    </pkg-ref>
    <pkg-ref id="com.microsoft.CompanyPortalMac">
        <bundle-version>
            <bundle CFBundleShortVersionString="0.1.0" CFBundleVersion="1" id="org.cocoapods.AppleClientLogger" path="Applications/Company Portal.app/Contents/Frameworks/AppleClientLogger.framework"/>
            <bundle CFBundleShortVersionString="3.6.1" CFBundleVersion="1" id="org.cocoapods.CocoaLumberjack" path="Applications/Company Portal.app/Contents/Frameworks/CocoaLumberjack.framework"/>
            <bundle CFBundleShortVersionString="6.6.0" CFBundleVersion="1" id="org.cocoapods.RxCocoa" path="Applications/Company Portal.app/Contents/Frameworks/RxCocoa.framework"/>
            <bundle CFBundleShortVersionString="5.2.0" CFBundleVersion="1" id="org.cocoapods.Cache" path="Applications/Company Portal.app/Contents/Frameworks/Cache.framework"/>
            <bundle CFBundleShortVersionString="4.9.1" CFBundleVersion="1" id="org.cocoapods.Alamofire" path="Applications/Company Portal.app/Contents/Frameworks/Alamofire.framework"/>
            <bundle CFBundleShortVersionString="6.6.0" CFBundleVersion="1" id="org.cocoapods.RxRelay" path="Applications/Company Portal.app/Contents/Frameworks/RxRelay.framework"/>
            <bundle CFBundleShortVersionString="6.6.0" CFBundleVersion="1" id="org.cocoapods.RxSwift" path="Applications/Company Portal.app/Contents/Frameworks/RxSwift.framework"/>
            <bundle CFBundleShortVersionString="1.0" CFBundleVersion="1" id="com.microsoft.authenticationBroker" path="Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex/Contents/Frameworks/ADAuthenticationBrokerMacOS.framework"/>
            <bundle CFBundleShortVersionString="1.4.1" CFBundleVersion="1" id="org.cocoapods.MSAL" path="Applications/Company Portal.app/Contents/Frameworks/MSAL.framework"/>
            <bundle CFBundleShortVersionString="5.2.0" CFBundleVersion="1" id="org.cocoapods.PowerLiftKit" path="Applications/Company Portal.app/Contents/Frameworks/PowerLiftKit.framework"/>
            <bundle CFBundleShortVersionString="5.2409.1" CFBundleVersion="53.2409926.002" id="com.microsoft.CompanyPortalMac.ssoextension" path="Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex"/>
            <bundle CFBundleShortVersionString="1.0" CFBundleVersion="1" id="com.microsoft.CommonFramework" path="Applications/Company Portal.app/Contents/Frameworks/CommonFramework.framework"/>
            <bundle CFBundleShortVersionString="5.2409.1" CFBundleVersion="53.2409926.002" id="com.microsoft.CompanyPortalMac" path="Applications/Company Portal.app"/>
        </bundle-version>
    </pkg-ref>
    <allowed-os-versions>
        <os-version min="11.0"/>
    </allowed-os-versions>
    <options customize="never" require-scripts="false"/>
    <options hostArchitectures="arm64,x86_64"/>
    <choices-outline>
        <line choice="com.microsoft.package.Microsoft_AutoUpdate.app"/>
        <line choice="com.microsoft.CompanyPortalMac"/>
    </choices-outline>
    <choice id="com.microsoft.package.Microsoft_AutoUpdate.app" visible="false">
        <pkg-ref id="com.microsoft.package.Microsoft_AutoUpdate.app"/>
    </choice>
    <pkg-ref id="com.microsoft.package.Microsoft_AutoUpdate.app" version="4.74.24081116" onConclusion="none" installKBytes="11004">#Office16_all_autoupdate.pkg</pkg-ref>
    <choice id="com.microsoft.CompanyPortalMac" visible="false">
        <pkg-ref id="com.microsoft.CompanyPortalMac"/>
    </choice>
    <pkg-ref id="com.microsoft.CompanyPortalMac" version="5.2409.1" onConclusion="none" installKBytes="192850">#CompanyPortal-Component.pkg</pkg-ref>
</installer-gui-script>