Downloading cracks, keygens, or cheat tools can deliver malware or embed critical vulnerabilities into systems, as shown by iOS jailbreaks, Windows cheat drivers, and the macOS AutoHackGUI privileged helper that runs as root. Researchers reversed AutoHackGUI and demonstrated an XPC-based exploit that connects to the Mach service io.github.marlkiller.AutoHackGUIHelper and executes arbitrary commands as root, illustrating how even a cracking tool that is not itself malicious can hand a local attacker a privilege escalation path. #AutoHackGUI #IDAPro
Keypoints
- Downloading and running cracked software or crack tools is illegal and can introduce malware or vulnerabilities that outweigh any apparent benefit.
- iOS jailbreaks often start an SSH service with the default root password “alpine”, exposing devices to remote access if the password is not changed.
- Windows game cheats frequently install kernel drivers that grant kernel memory read/write access, enabling full system compromise (examples: nkga/cheat-driver, nbqofficial/kernel-csgo).
- The AutoHackGUI macOS tool installs a privileged helper as a LaunchDaemon and exposes a Mach service (io.github.marlkiller.AutoHackGUIHelper) that accepts XPC calls to run commands as root.
- The AutoHackGUI helper is ad-hoc signed and its XPC listener imposes no code-signing requirement on connecting clients, so any local process, regardless of who signed it or whether it is signed at all, can connect to the Mach service and request command execution.
- Researchers provided exploit code showing how to create an XPC client that calls executeCommand:withReply: to run arbitrary shell commands as root, demonstrating a practical local privilege escalation risk.
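The keypoints above describe the two halves of the problem: a root LaunchDaemon that exposes executeCommand:withReply: over XPC, and a listener that accepts every connection. The following is an added example written for this page, not AutoHackGUI's own source or the researchers' exploit, showing that open listener next to a hardened one that pins clients to a code-signing requirement. The protocol name HelperProtocol, the class names, the bundle identifier com.example.client and the Team ID TEAMID1234 are placeholders; only the Mach service name and the executeCommand:withReply: selector come from the page.

```objectivec
// Added example, not AutoHackGUI code. Compile on macOS 13+ with:
//   clang -fobjc-arc -framework Foundation helper.m -o helper
#import <Foundation/Foundation.h>

// The page names executeCommand:withReply:; the protocol name is assumed.
@protocol HelperProtocol
- (void)executeCommand:(NSString *)command withReply:(void (^)(NSString *output))reply;
@end

// Vulnerable pattern: every connection is accepted and wired straight to an
// object that runs whatever string it is handed through /bin/sh as root.
@interface OpenHelper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation OpenHelper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;                       // no check on who is calling
}

- (void)executeCommand:(NSString *)command withReply:(void (^)(NSString *))reply {
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/bin/sh"];
    task.arguments = @[ @"-c", command ];   // arbitrary shell, running as the daemon's uid (root)
    NSPipe *pipe = [NSPipe pipe];
    task.standardOutput = pipe;
    NSError *err = nil;
    if (![task launchAndReturnError:&err]) {
        reply(err.localizedDescription ?: @"launch failed");
        return;
    }
    [task waitUntilExit];
    NSData *out = [pipe.fileHandleForReading readDataToEndOfFile];
    reply([[NSString alloc] initWithData:out encoding:NSUTF8StringEncoding] ?: @"");
}
@end

// Hardened pattern: before the connection is resumed, require that the peer
// satisfies a code-signing requirement. XPC invalidates connections whose
// caller does not match, so an unsigned or ad-hoc-signed client never reaches
// executeCommand:withReply:.
@interface PinnedHelper : OpenHelper
@end

@implementation PinnedHelper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Placeholder requirement: Apple-anchored Developer ID chain, a specific
    // bundle identifier, and a specific Team ID. An ad-hoc signature has no
    // certificate chain and so can never satisfy "anchor apple generic".
    NSString *requirement =
        @"anchor apple generic and identifier \"com.example.client\" "
        @"and certificate leaf[subject.OU] = \"TEAMID1234\"";
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:requirement];   // must be set before resume
    } else {
        // Older systems have no public API for this on NSXPCConnection; refuse
        // rather than fall open.
        return NO;
    }
    return [super listener:listener shouldAcceptNewConnection:conn];
}
@end

int main(void) {
    @autoreleasepool {
        // Service name taken from the page's IoC; a real daemon gets it from
        // the MachServices key of its launchd plist.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"io.github.marlkiller.AutoHackGUIHelper"];
        PinnedHelper *helper = [[PinnedHelper alloc] init];
        listener.delegate = helper;   // delegate is weak; helper lives for the run loop's lifetime
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Pinning the caller closes the "anyone can connect" hole but does not make executeCommand:withReply: safe: a pinned client that is itself exploitable still gives an attacker root shell execution. The second fix a reviewer would ask for is to replace the free-form command string with a small set of named operations the helper performs itself.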
MITRE Techniques
- [T1543] Create or Modify System Process – The tool installs and runs a privileged LaunchDaemon that executes as root (‘runs as a LaunchDaemon job, runs as root’).
- [T1059] Command and Scripting Interpreter – The privileged helper accepts and runs arbitrary shell commands via an XPC method (‘it installs a helper tool that can run arbitrary shell commands’).
- [T1068] Exploitation for Privilege Escalation – The researcher describes a local privilege escalation vulnerability where connecting to the helper allows execution of commands as root (‘local privilege escalation vulnerability we uncovered’ / ‘can also run arbitrary commands as root’).
Indicators of Compromise
- [URL] GitHub repositories and project pages referenced – https://github.com/marlkiller/AutoHackGUI-Releases, https://github.com/nkga/cheat-driver (and other repo links).
- [File path] macOS LaunchDaemon plist and helper binary – /AutoHackGUI.app/Contents/Library/LaunchDaemons/io.github.marlkiller.AutoHackGUIHelper.plist, Contents/Library/LaunchDaemons/io.github.marlkiller.AutoHackGUIHelper.
- [Mach service] XPC/Mach service name exposed by the helper – io.github.marlkiller.AutoHackGUIHelper.
- [Credential] Default SSH root password used by many iOS jailbreaks – “alpine”.
- [Repository name] Kernel cheat driver projects referenced as sources of kernel privileges – nkga/cheat-driver, nbqofficial/kernel-csgo.
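The file-path and Mach-service indicators above are easiest to hunt for by reading launchd plists rather than grepping for one filename, since the same pattern (a daemon plist shipped inside an app bundle that registers a Mach service) shows up in any SMAppService-installed helper. The script below is an added example for this page, not tooling from the researchers or the AutoHackGUI project. The sample plist is constructed here to mirror the IoC and is not the real file; the launchd keys used (Label, Program, BundleProgram, ProgramArguments, MachServices, RunAtLoad) are real keys, and the default scan directories are the standard macOS locations.

```python
"""Triage launchd daemon plists for Mach-service-exposing helpers.

Added example, not code from the page or the AutoHackGUI project.
"""
import plistlib
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample modelled on the IoC in the text; not the real plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>io.github.marlkiller.AutoHackGUIHelper</string>
  <key>BundleProgram</key>
  <string>Contents/Library/LaunchDaemons/io.github.marlkiller.AutoHackGUIHelper</string>
  <key>MachServices</key><dict>
    <key>io.github.marlkiller.AutoHackGUIHelper</key><true/>
  </dict>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign daemon for comparison: no Mach service, absolute program.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.logrotate</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/rotate</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Service/label names from the page's IoC list.
KNOWN_BAD_SERVICES = {"io.github.marlkiller.AutoHackGUIHelper"}

# Standard locations: system-wide daemons, plus daemons bundled in apps
# (SMAppService installs from <App>.app/Contents/Library/LaunchDaemons).
DEFAULT_GLOBS = [
    "/Library/LaunchDaemons/*.plist",
    "/Applications/*.app/Contents/Library/LaunchDaemons/*.plist",
]


def triage(plist_bytes: bytes, source: str = "<memory>") -> Dict:
    """Return the daemon's label, program and Mach services, plus findings."""
    d = plistlib.loads(plist_bytes)
    program = (
        d.get("Program")
        or d.get("BundleProgram")
        or (d.get("ProgramArguments") or [None])[0]
    )
    services = sorted((d.get("MachServices") or {}).keys())
    findings: List[str] = []
    if services:
        # Any root daemon with a Mach service is a candidate LPE surface; the
        # listener's caller checks (or their absence) decide whether it is one.
        findings.append("registers Mach service(s): " + ", ".join(services))
    if "BundleProgram" in d:
        findings.append("daemon binary lives inside an app bundle (BundleProgram)")
    if KNOWN_BAD_SERVICES & set(services) or d.get("Label") in KNOWN_BAD_SERVICES:
        findings.append("matches AutoHackGUI helper IoC")
    return {
        "source": source,
        "label": d.get("Label"),
        "program": program,
        "mach_services": services,
        "findings": findings,
    }


def scan(globs: Iterable[str] = DEFAULT_GLOBS) -> List[Dict]:
    """Triage every plist matched by the given glob patterns, skipping unreadable ones."""
    results = []
    for pattern in globs:
        root = Path(pattern).anchor or "/"
        for path in Path(root).glob(pattern.lstrip("/")):
            try:
                results.append(triage(path.read_bytes(), str(path)))
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['source']}: {r['label']} -> {r['program']}")
        for f in r["findings"]:
            print("   ", f)
```

Run it as root on a macOS host to list every daemon that exposes a Mach service; the IoC match is a convenience, the real review step is checking each listed helper's listener for a code-signing requirement, as the AutoHackGUI case shows.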
Read more: https://the-sequence.com/dangers-of-cracking-tools