diff --git a/SUMMARY.md b/SUMMARY.md index 8a4a57248..f0a97cb33 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -149,7 +149,7 @@ * [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md) * [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md) * [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md) - * [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md) + * [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md) * [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md) * [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md) * [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md index 6374f20df..050211498 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/README.md 
@@ -104,20 +104,14 @@ If a process can **inject code in another process with better privileges or enti [macos-proces-abuse](macos-proces-abuse/) {% endcontent-ref %} -### File Extension Apps +### File Extension & URL scheme app handlers -Weird apps registered by file extensions could be abused: +Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols {% content-ref url="macos-file-extension-apps.md" %} [macos-file-extension-apps.md](macos-file-extension-apps.md) {% endcontent-ref %} -### URL handler applications - -Different applications can be resgiter to open specific protocols. They could be abused. - -TODO: Create a page about this - ## MacOS Privilege Escalation ### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md index ad30cb383..c982f24ec 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md 
@@ -307,7 +307,7 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n * It's also possible to find **if a process is being debugged** with a simple code such us: * `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }` * It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing. - * You can check if the **`sysctl` \*\* or**`ptrace`\*\* function is being **imported** (but the malware could import it dynamically) + * You can check if the **`sysctl`** or **`ptrace`** function is being **imported** (but the malware could import it dynamically) * As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\ “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_” @@ -354,7 +354,11 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist ### Internal Handlers -[**Checkout this section**](../#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**. +**Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:** + +{% content-ref url="../macos-file-extension-apps.md" %} +[macos-file-extension-apps.md](../macos-file-extension-apps.md) +{% endcontent-ref %} ### Enumerating Network Processes diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md b/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md index 26ee0708b..05c035818 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md 
@@ -1,4 +1,4 @@ -# macOS File Extension Apps +# macOS File Extension & URL scheme app handlers
@@ -12,7 +12,7 @@
-### File Extensions Apps +File Extension & URL scheme app handlers The following line can be useful to find the applications that can open files depending on the extension: @@ -22,7 +22,7 @@ The following line can be useful to find the applications that can open files de Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): -``` +```bash ./swda getSchemes #Get all the available schemes ./swda getApps #Get all the apps declared ./swda getUTIs #Get all the UTIs
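Review bot: in the SUMMARY.md hunk the new entry "macOS File Extension & URL scheme app handlers" mixes Title Case with lowercase words, while the neighbouring entries ("macOS Network Services & Protocols", "macOS Bypassing Firewalls") are Title Case throughout; consider "macOS File Extension & URL Scheme App Handlers", and apply the same form to the page H1 and the README subsection heading introduced later in this patch so all three stay identical.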
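Review bot: in the macos-security-and-privilege-escalation/README.md hunk (@@ -104) the merged sentence "Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols" has a grammar error ("can be register" should be "can be registered") and lost the closing period the original line had; split it into two sentences, e.g. "Weird apps registered by file extensions could be abused. Different applications can also be registered to open specific protocols, and those could be abused too." Removing the "### URL handler applications" heading also removes its anchor; grep the rest of the book for links to it, since this same patch already has to fix one stale "../#file-extensions-apps" anchor link elsewhere.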
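Review bot: in the macos-apps-inspecting-debugging-and-fuzzing/README.md hunk (@@ -307) the bold-markup fix for `sysctl` / `ptrace` is correct, but the unchanged context lines right above it still carry "such us" (should be "such as") and the stray mid-word bold in "deb**u**gger"; since this list is being touched for markup anyway, fixing those in the same change would avoid a second cosmetic commit.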
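Review bot: in the "Internal Handlers" hunk (@@ -354) "**Checkout the following page**" should read "Check out" (the verb), "responsible of handling" should be "responsible for handling", and the trailing colon sits inside the bold span ("**...scheme or protocol:**") so it renders bold; move it outside. Replacing the section-anchor link "../#file-extensions-apps" with a content-ref to macos-file-extension-apps.md is the right call, because the README heading that anchor pointed at is renamed in this same patch and the anchor would otherwise dangle.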
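Review bot: in the macos-file-extension-apps.md hunk (@@ -12,7) the replacement line "File Extension & URL scheme app handlers" drops the "### " marker that "### File Extensions Apps" had, so it will render as a stray plain-text paragraph instead of a subsection heading. Either keep the marker ("### File Extension & URL scheme app handlers") or delete the line entirely, since the H1 renamed in the preceding hunk (@@ -1,4) already carries the same title and a subsection that repeats the H1 adds nothing.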
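Review bot: in the last hunk (@@ -22,7) tagging the SwiftDefaultApps fence as ```bash is fine; the context line "The following line can be useful to find the applications that can open files depending on the extension:" shows there is an earlier command fence on this page that the hunk does not cover, so check that one gets a language tag in the same change rather than leaving the page half-tagged.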