GitBook: [master] one page modified

This commit is contained in:
CPol 2021-07-29 00:18:11 +00:00 committed by gitbook-bot
parent cf6e142fd3
commit 67f9c47578
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -296,7 +296,7 @@ List the cron jobs of the **current user** with:
crontab -l
```
You can also see all the cron jobs of the users in **`/usr/lib/cron/tabs/`** \(needs root\).
You can also see all the cron jobs of the users in **`/usr/lib/cron/tabs/`** and **`/var/at/tabs/`** \(needs root\).
### kext
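Review bot: The added line presents `/usr/lib/cron/tabs/` and `/var/at/tabs/` as two separate places to look, but on macOS `/usr/lib/cron` is a symlink into `/private/var/at`, so both paths resolve to the same directory; say so (for example "`/usr/lib/cron/tabs/`, which is `/var/at/tabs/` on macOS") rather than listing them as distinct locations, and "the cron jobs of all users" reads better than "all the cron jobs of the users".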
@ -333,9 +333,10 @@ osascript -e 'tell application "System Events" to make login item at end with pr
#Remove an item:
osascript -e 'tell application "System Events" to delete login item "itemname"'
```
These items are stored in the file /Users/<username>/Library/Application Support/com.apple.backgroundtaskmanagementagent
### At
“At tasks” are used to **schedule tasks at specific times**.
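Review bot: The added line calls `/Users/<username>/Library/Application Support/com.apple.backgroundtaskmanagementagent` a file, but that path is a directory; the login items are kept in `backgrounditems.btm` inside it. Also wrap the path in backticks as the rest of the page does for paths (the space in `Application Support` otherwise reads as a sentence break), and `~/Library/...` is shorter than spelling out `/Users/<username>/...`.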
@ -649,7 +650,7 @@ However, there are 2 types of dylib hijacking:
The way to **escalate privileges** abusing this functionality would be in the rare case that an **application** being executed **by** **root** is **looking** for some **library in some folder where the attacker has write permissions.**
**A nice scanner to find missing libraries in applications is** [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html)**.
**A nice scanner to find missing libraries in applications is** [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) **or a** [**CLI version**](https://github.com/pandazheng/DylibHijack)**.
A nice report with technical details about this technique can be found** [**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x)**.**
### **DYLD\_INSERT\_LIBRARIES**
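Review bot: The added line keeps the stray trailing `**.` from the line it replaces, so the bold opened there is only closed by `found**` in the next paragraph and the emphasis renders wrongly across both sentences; close the markup within the line, e.g. end it with `[**CLI version**](https://github.com/pandazheng/DylibHijack).` and either drop or balance the leading `**A nice scanner ... is**`. The following paragraph's `**.**` has the same problem and should be cleaned up in the same change.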
@ -660,6 +661,14 @@ This is like the [**LD\_PRELOAD on Linux**](../../linux-unix/privilege-escalatio
This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.
{% hint style="info" %}
Since 2012 when [OSX.FlashBack.B](https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_b.shtml) \[22\] abused this technique, **Apple has drastically reduced the “power”** of the DYLD\_INSERT\_LIBRARIES.
For example the dynamic loader \(dyld\) ignores the DYLD\_INSERT\_LIBRARIES environment variable in a wide range of cases, such as setuid and platform binaries. And, starting with macOS Catalina, only 3rd-party applications that are not compiled with the hardened runtime \(which “protects the runtime integrity of software” \[22\]\), or have an exception such as the com.apple.security.cs.allow-dyld-environment-variables entitlement\) are susceptible to dylib insertions.
For more details on the security features afforded by the hardened runtime, see Apples documentation: “[Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime)”
{% endhint %}
## Crons
In MacOS several folders executing scripts with **certain frequency** can be found in:
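Review bot: The inserted hint carries `\[22\]` citation markers copied from its source, but this page has no numbered reference list, so they point nowhere; drop them and attribute the quotation to its source instead (this commit also adds the taomm.org link, which is presumably where the text comes from). The second sentence has an unbalanced parenthesis: `\(which “protects the runtime integrity of software” \[22\]\), or have an exception such as the com.apple.security.cs.allow-dyld-environment-variables entitlement\)` closes a parenthesis that was never opened. `Apples documentation` needs an apostrophe. While here, the context line above names the Info.plist key `LSEnvironmental`; the Launch Services key is `LSEnvironment`.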
@ -747,3 +756,7 @@ networksetup -getwebproxy Wi-Fi #Wifi Web proxy
networksetup -getftpproxy Wi-Fi #Wifi ftp proxy
```
## References
* [https://taomm.org/vol1/analysis.html](https://taomm.org/vol1/analysis.html)
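Review bot: The new References section lists the taomm.org link without saying what it supports; the quoted hint text added in the DYLD_INSERT_LIBRARIES section (the sentences ending in `\[22\]`) appears to come from there, so cite it inline at that point or name it as the source of the quotation. The hunk header counts +7 lines but only two new lines are visible, so the rest are presumably blank lines; check that the `## References` heading is preceded by a blank line so it renders as a heading rather than running into the closing code fence.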