GITBOOK-3970: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-06-08 10:01:03 +00:00 committed by gitbook-bot
parent 93a710fee6
commit 85e4315980
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 18 additions and 6 deletions

View file

@ -151,7 +151,7 @@
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
* [macOS Installer Packages (pkg)](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md)
* [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md)
* [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md)
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)

View file

@ -92,8 +92,8 @@ Being able to **create a file** that is going to be **used by root**, allows a u
For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**:
{% content-ref url="macos-files-folders-and-binaries/macos-installer-packages-pkg.md" %}
[macos-installer-packages-pkg.md](macos-files-folders-and-binaries/macos-installer-packages-pkg.md)
{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %}
[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md)
{% endcontent-ref %}
### Entitlements and Privileges abuse via process abuse

View file

@ -51,8 +51,8 @@ MacOS stores information such as passwords in several places:
### Vulnerable pkg installers
{% content-ref url="macos-installer-packages-pkg.md" %}
[macos-installer-packages-pkg.md](macos-installer-packages-pkg.md)
{% content-ref url="macos-installers-abuse.md" %}
[macos-installers-abuse.md](macos-installers-abuse.md)
{% endcontent-ref %}
## OS X Specific Extensions

View file

@ -1,4 +1,4 @@
# macOS Installer Packages (pkg)
# macOS Installers Abuse
<details>
@ -52,6 +52,18 @@ If a pre or post installation script is for example executing from **`/var/tmp/I
<figure><img src="../../../.gitbook/assets/Pasted Graphic 5.png" alt=""><figcaption></figcaption></figure>
### AuthorizationExecuteWithPrivileges
This is a [public function](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) that several installers and updaters will call to **execute something as root**. This function accepts the **path** of the **file** to **execute** as parameter, however, if an attacker could **modify** this file, he will be able to **abuse** its execution with root to **escalate privileges**.
```bash
# Breakpoint in the function to check wich file is loaded
(lldb) b AuthorizationExecuteWithPrivileges
# You could also check FS events to find this missconfig
```
For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw)
## References
* [https://www.youtube.com/watch?v=iASSG0\_zobQ](https://www.youtube.com/watch?v=iASSG0\_zobQ)