mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-3970: change request with no subject merged in GitBook
This commit is contained in:
parent
93a710fee6
commit
85e4315980
4 changed files with 18 additions and 6 deletions
|
@ -151,7 +151,7 @@
|
|||
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
||||
* [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
||||
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
||||
* [macOS Installer Packages (pkg)](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md)
|
||||
* [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md)
|
||||
* [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md)
|
||||
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
||||
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
||||
|
|
|
@ -92,8 +92,8 @@ Being able to **create a file** that is going to be **used by root**, allows a u
|
|||
|
||||
For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**:
|
||||
|
||||
{% content-ref url="macos-files-folders-and-binaries/macos-installer-packages-pkg.md" %}
|
||||
[macos-installer-packages-pkg.md](macos-files-folders-and-binaries/macos-installer-packages-pkg.md)
|
||||
{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %}
|
||||
[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Entitlements and Privileges abuse via process abuse
|
||||
|
|
|
@ -51,8 +51,8 @@ MacOS stores information such as passwords in several places:
|
|||
|
||||
### Vulnerable pkg installers
|
||||
|
||||
{% content-ref url="macos-installer-packages-pkg.md" %}
|
||||
[macos-installer-packages-pkg.md](macos-installer-packages-pkg.md)
|
||||
{% content-ref url="macos-installers-abuse.md" %}
|
||||
[macos-installers-abuse.md](macos-installers-abuse.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## OS X Specific Extensions
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# macOS Installer Packages (pkg)
|
||||
# macOS Installers Abuse
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -52,6 +52,18 @@ If a pre or post installation script is for example executing from **`/var/tmp/I
|
|||
|
||||
<figure><img src="../../../.gitbook/assets/Pasted Graphic 5.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### AuthorizationExecuteWithPrivileges
|
||||
|
||||
This is a [public function](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) that several installers and updaters will call to **execute something as root**. This function accepts the **path** of the **file** to **execute** as parameter, however, if an attacker could **modify** this file, he will be able to **abuse** its execution with root to **escalate privileges**.
|
||||
|
||||
```bash
|
||||
# Breakpoint in the function to check wich file is loaded
|
||||
(lldb) b AuthorizationExecuteWithPrivileges
|
||||
# You could also check FS events to find this missconfig
|
||||
```
|
||||
|
||||
For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw)
|
||||
|
||||
## References
|
||||
|
||||
* [https://www.youtube.com/watch?v=iASSG0\_zobQ](https://www.youtube.com/watch?v=iASSG0\_zobQ)
|
Loading…
Reference in a new issue