mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GITBOOK-4408: No subject
This commit is contained in:
parent
430c630b79
commit
dede0e41b5
5 changed files with 364 additions and 19 deletions
|
@ -196,9 +196,10 @@
|
||||||
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
|
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
|
||||||
* [macOS TCC Payloads](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md)
|
* [macOS TCC Payloads](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md)
|
||||||
* [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
|
* [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
|
||||||
|
* [macOS MACF](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md)
|
||||||
* [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md)
|
* [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md)
|
||||||
* [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md)
|
* [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md)
|
||||||
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
* [macOS Users & External Accounts](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
||||||
* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
|
* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
|
||||||
* [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
|
* [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
|
||||||
* [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)
|
* [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
# macOS Auto Start
|
# macOS Auto Start
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ One of the first things `launchd` would do is to **start** all the **daemons** l
|
||||||
* crond (`com.apple.systemstats.daily.plist`): Has `StartCalendarInterval` to start at 00:15
|
* crond (`com.apple.systemstats.daily.plist`): Has `StartCalendarInterval` to start at 00:15
|
||||||
* **Network daemons** like:
|
* **Network daemons** like:
|
||||||
* `org.cups.cups-lpd`: Listens in TCP (`SockType: stream`) with `SockServiceName: printer`
|
* `org.cups.cups-lpd`: Listens in TCP (`SockType: stream`) with `SockServiceName: printer`
|
||||||
*  SockServiceName must be either a port or a service from `/etc/services`
|
* SockServiceName must be either a port or a service from `/etc/services`
|
||||||
* `com.apple.xscertd.plist`: Listens on TCP in port 1640
|
* `com.apple.xscertd.plist`: Listens on TCP in port 1640
|
||||||
* **Path daemons** that are executed when a specified path changes:
|
* **Path daemons** that are executed when a specified path changes:
|
||||||
* `com.apple.postfix.master`: Checking the path `/etc/postfix/aliases`
|
* `com.apple.postfix.master`: Checking the path `/etc/postfix/aliases`
|
||||||
|
@ -1406,6 +1406,19 @@ And therefore any attempt to use **`sudo` will work**.
|
||||||
Note that this directory is protected by TCC so it's highly probably that the user will get a prompt asking for access.
|
Note that this directory is protected by TCC so it's highly probably that the user will get a prompt asking for access.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
Another nice example is su, were you can see that it's also possible to give parameters to the PAM modules (and you coukd also backdoor this file):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat /etc/pam.d/su
|
||||||
|
# su: auth account session
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
auth required pam_opendirectory.so
|
||||||
|
account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
|
||||||
|
account required pam_opendirectory.so no_check_shell
|
||||||
|
password required pam_opendirectory.so
|
||||||
|
session required pam_launchd.so
|
||||||
|
```
|
||||||
|
|
||||||
### Authorization Plugins
|
### Authorization Plugins
|
||||||
|
|
||||||
Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\
|
Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\
|
||||||
|
@ -1830,8 +1843,8 @@ RunService ()
|
||||||
* [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
|
* [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
# macOS Sensitive Locations & Interesting Daemons
|
# macOS Sensitive Locations & Interesting Daemons
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -38,6 +38,12 @@ sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex
|
||||||
```
|
```
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
|
Another way to obtain the `ShadowHashData` of a user is by using `dscl`: ``sudo dscl . -read /Users/`whoami` ShadowHashData``
|
||||||
|
|
||||||
|
### /etc/master.passwd
|
||||||
|
|
||||||
|
This file is **only used** when the system id running in **single-user mode** (so not very frequently).
|
||||||
|
|
||||||
### Keychain Dump
|
### Keychain Dump
|
||||||
|
|
||||||
Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
|
Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
|
||||||
|
@ -187,12 +193,50 @@ for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.s
|
||||||
|
|
||||||
## Preferences
|
## Preferences
|
||||||
|
|
||||||
In macOS apps preferences are located in **`$HOME/Library/Preferences`** and in iOS they are in `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`. 
|
In macOS apps preferences are located in **`$HOME/Library/Preferences`** and in iOS they are in `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`.
|
||||||
|
|
||||||
In macOS the cli tool **`defaults`** can be used to **modify the Preferences file**.
|
In macOS the cli tool **`defaults`** can be used to **modify the Preferences file**.
|
||||||
|
|
||||||
**`/usr/sbin/cfprefsd`** claims the XPC services `com.apple.cfprefsd.daemon` and `com.apple.cfprefsd.agent` and can be called to perform actions such as modify preferences.
|
**`/usr/sbin/cfprefsd`** claims the XPC services `com.apple.cfprefsd.daemon` and `com.apple.cfprefsd.agent` and can be called to perform actions such as modify preferences.
|
||||||
|
|
||||||
|
## OpenDirectory permissions.plist
|
||||||
|
|
||||||
|
The file `/System/Library/OpenDirectory/permissions.plist` contains permissions applied on node attributes and is protected by SIP.\
|
||||||
|
This file grants permissions to specific users by UUID (and not uid) so they are able to access specific sensitive information like `ShadowHashData`, `HeimdalSRPKey` and `KerberosKeys` among others:
|
||||||
|
|
||||||
|
```xml
|
||||||
|
[...]
|
||||||
|
<key>dsRecTypeStandard:Computers</key>
|
||||||
|
<dict>
|
||||||
|
<key>dsAttrTypeNative:ShadowHashData</key>
|
||||||
|
<array>
|
||||||
|
<dict>
|
||||||
|
<!-- allow wheel even though it's implicit -->
|
||||||
|
<key>uuid</key>
|
||||||
|
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
|
||||||
|
<key>permissions</key>
|
||||||
|
<array>
|
||||||
|
<string>readattr</string>
|
||||||
|
<string>writeattr</string>
|
||||||
|
</array>
|
||||||
|
</dict>
|
||||||
|
</array>
|
||||||
|
<key>dsAttrTypeNative:KerberosKeys</key>
|
||||||
|
<array>
|
||||||
|
<dict>
|
||||||
|
<!-- allow wheel even though it's implicit -->
|
||||||
|
<key>uuid</key>
|
||||||
|
<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
|
||||||
|
<key>permissions</key>
|
||||||
|
<array>
|
||||||
|
<string>readattr</string>
|
||||||
|
<string>writeattr</string>
|
||||||
|
</array>
|
||||||
|
</dict>
|
||||||
|
</array>
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
## System Notifications
|
## System Notifications
|
||||||
|
|
||||||
### Darwin Notifications
|
### Darwin Notifications
|
||||||
|
@ -251,8 +295,8 @@ These are notifications that the user should see in the screen:
|
||||||
* **`NSUserNotificationCenter`**: This is the iOS bulletin board in MacOS. The database with the notifications in located in `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`
|
* **`NSUserNotificationCenter`**: This is the iOS bulletin board in MacOS. The database with the notifications in located in `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,283 @@
|
||||||
|
# macOS MACF
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
**MACF** stands for **Mandatory Access Control Framework**, which is a security system built into the operating system to help protect your computer. It works by setting **strict rules about who or what can access certain parts of the system**, such as files, applications, and system resources. By enforcing these rules automatically, MACF ensures that only authorized users and processes can perform specific actions, reducing the risk of unauthorized access or malicious activities.
|
||||||
|
|
||||||
|
Note that MACF doesn't really make any decisions as it just **intercepts** actions, it leaves the decisions to the **policy modules** (kernel extensions) it calls like `AppleMobileFileIntegrity.kext`, `Quarantine.kext`, `Sandbox.kext`, `TMSafetyNet.kext` and `mcxalr.kext`.
|
||||||
|
|
||||||
|
### Flow
|
||||||
|
|
||||||
|
1. Process performs a syscall/mach trap
|
||||||
|
2. The relevant function is called inside the kernel
|
||||||
|
3. Function calls MACF
|
||||||
|
4. MACF checks policy modules that requested to hook that function in their policy
|
||||||
|
5. MACF calls the relevant policies
|
||||||
|
6. Policies indicates if they allow or deny the action
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Apple is the only one that can use the MAC Framework KPI.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### Labels
|
||||||
|
|
||||||
|
MACF use **labels** that then the policies checking if they should grant some access or not will use. The code of the labels struct declaration can be [found here](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/\_label.h), which is then used inside the **`struct ucred`** in [**here**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/sys/ucred.h#L86) in the **`cr_label`** part. The label contains flags and s number of **slots** that can be used by **MACF policies to allocate pointers**. For example Sanbox will point to the container profile
|
||||||
|
|
||||||
|
## MACF Policies
|
||||||
|
|
||||||
|
A MACF Policy defined **rule and conditions to be applied in certain kernel operations**. 
|
||||||
|
|
||||||
|
A kernel extension could configure a `mac_policy_conf` struct and then register it calling `mac_policy_register`. From [here](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac\_policy.h.auto.html):
|
||||||
|
|
||||||
|
```c
|
||||||
|
#define mpc_t struct mac_policy_conf *
|
||||||
|
|
||||||
|
/**
|
||||||
|
@brief Mac policy configuration
|
||||||
|
|
||||||
|
This structure specifies the configuration information for a
|
||||||
|
MAC policy module. A policy module developer must supply
|
||||||
|
a short unique policy name, a more descriptive full name, a list of label
|
||||||
|
namespaces and count, a pointer to the registered enty point operations,
|
||||||
|
any load time flags, and optionally, a pointer to a label slot identifier.
|
||||||
|
|
||||||
|
The Framework will update the runtime flags (mpc_runtime_flags) to
|
||||||
|
indicate that the module has been registered.
|
||||||
|
|
||||||
|
If the label slot identifier (mpc_field_off) is NULL, the Framework
|
||||||
|
will not provide label storage for the policy. Otherwise, the
|
||||||
|
Framework will store the label location (slot) in this field.
|
||||||
|
|
||||||
|
The mpc_list field is used by the Framework and should not be
|
||||||
|
modified by policies.
|
||||||
|
*/
|
||||||
|
/* XXX - reorder these for better aligment on 64bit platforms */
|
||||||
|
struct mac_policy_conf {
|
||||||
|
const char *mpc_name; /** policy name */
|
||||||
|
const char *mpc_fullname; /** full name */
|
||||||
|
const char **mpc_labelnames; /** managed label namespaces */
|
||||||
|
unsigned int mpc_labelname_count; /** number of managed label namespaces */
|
||||||
|
struct mac_policy_ops *mpc_ops; /** operation vector */
|
||||||
|
int mpc_loadtime_flags; /** load time flags */
|
||||||
|
int *mpc_field_off; /** label slot */
|
||||||
|
int mpc_runtime_flags; /** run time flags */
|
||||||
|
mpc_t mpc_list; /** List reference */
|
||||||
|
void *mpc_data; /** module data */
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
It's easy to identify the kernel extensions configuring these policies by checking calls to `mac_policy_register`. Moreover, checking the disassemble of the extension it's also possible to find the used `mac_policy_conf` struct.
|
||||||
|
|
||||||
|
Note that MACF policies can be registered and unregistered also **dynamically**.
|
||||||
|
|
||||||
|
One of the main fields of the `mac_policy_conf` is the **`mpc_ops`**. This fied specifies which opreations the policy is interested in. Note that there are hundres of them, so it's possible to zero all of them and then select just the ones the policy is interested on. From [here](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac\_policy.h.auto.html):
|
||||||
|
|
||||||
|
```c
|
||||||
|
struct mac_policy_ops {
|
||||||
|
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
|
||||||
|
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
|
||||||
|
mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
|
||||||
|
mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
|
||||||
|
mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
|
||||||
|
mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
|
||||||
|
mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
|
||||||
|
mpo_cred_check_label_update_t *mpo_cred_check_label_update;
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
Almost all the hooks will be called back by MACF when one of those operations are intercepted. However, **`mpo_policy_*`** hooks are an exception because `mpo_hook_policy_init()` is a callback called upon registration (so after `mac_policy_register()`) and `mpo_hook_policy_initbsd()` is called during late registration once the BSD subsystem has initialised properly.
|
||||||
|
|
||||||
|
Moreover, the **`mpo_policy_syscall`** hook can be registered by any kext to expose a private **ioctl** style call **interface**. Then, a user client will be able to call `mac_syscall` (#381) specifying as parameters the **policy name** with an integer **code** and optional **arguments**.\
|
||||||
|
For example, the **`Sandbox.kext`** uses this a lot.
|
||||||
|
|
||||||
|
Checking the kext's **`__DATA.__const*`** is possible to identify the `mac_policy_ops` structure used when registering the policy. It's possible to find it because its pointer is at an offset inside `mpo_policy_conf` and also because the amount of NULL pointers that will be in that area.
|
||||||
|
|
||||||
|
Moreover, it's also possible to get the list of kexts that have configured a policy by dumping from memory the struct **`_mac_policy_list`** which is updated with every policy that is registered.
|
||||||
|
|
||||||
|
## MACF Initialization
|
||||||
|
|
||||||
|
MACF is initialised very soon. It's set up in XNU's `bootstrap_thread`: after `ipc_bootstrap` a call to `mac_policy_init()` which initializes the `mac_policy_list` and moments later `mac_policy_initmach()` is called. Among other things, this function will get all the Apple kexts with the `AppleSecurityExtension` key in their Info.plist like `ALF.kext`, `AppleMobileFileIntegrity.kext`, `Quarantine.kext`, `Sandbox.kext` and `TMSafetyNet.kext` and loads them.
|
||||||
|
|
||||||
|
## MACF Callouts
|
||||||
|
|
||||||
|
It's common to find callouts to MACF defined in code like: **`#if CONFIG_MAC`** conditional blocks. Moreover, inside these blocks it's possible to find calls to `mac_proc_check*` which calls MACF to **check for permissions** to perform certain actions. Moreover, the format of the MACF callouts is: **`mac_<object>_<opType>_opName`**.
|
||||||
|
|
||||||
|
The object is one of the following: `bpfdesc`, `cred`, `file`, `proc`, `vnode`, `mount`, `devfs`, `ifnet`, `inpcb`, `mbuf`, `ipq`, `pipe`, `sysv[msg/msq/shm/sem]`, `posix[shm/sem]`, `socket`, `kext`.\
|
||||||
|
The `opType` is usually check which will be used to allow or deny the action. However, it's also possible to find `notify`, which will allow the kext to react to the given action.
|
||||||
|
|
||||||
|
You can find an example in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621):
|
||||||
|
|
||||||
|
<pre class="language-c"><code class="lang-c">int
|
||||||
|
mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)
|
||||||
|
{
|
||||||
|
[...]
|
||||||
|
#if CONFIG_MACF
|
||||||
|
<strong> error = mac_file_check_mmap(vfs_context_ucred(ctx),
|
||||||
|
</strong> fp->fp_glob, prot, flags, file_pos + pageoff,
|
||||||
|
&maxprot);
|
||||||
|
if (error) {
|
||||||
|
(void)vnode_put(vp);
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
#endif /* MAC */
|
||||||
|
[...]
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
Then, it's possible to find the code of `mac_file_check_mmap` in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174)
|
||||||
|
|
||||||
|
```c
|
||||||
|
mac_file_check_mmap(struct ucred *cred, struct fileglob *fg, int prot,
|
||||||
|
int flags, uint64_t offset, int *maxprot)
|
||||||
|
{
|
||||||
|
int error;
|
||||||
|
int maxp;
|
||||||
|
|
||||||
|
maxp = *maxprot;
|
||||||
|
MAC_CHECK(file_check_mmap, cred, fg, NULL, prot, flags, offset, &maxp);
|
||||||
|
if ((maxp | *maxprot) != *maxprot) {
|
||||||
|
panic("file_check_mmap increased max protections");
|
||||||
|
}
|
||||||
|
*maxprot = maxp;
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Which is calling the `MAC_CHECK` macro, whose code can be found in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261)
|
||||||
|
|
||||||
|
```c
|
||||||
|
/*
|
||||||
|
* MAC_CHECK performs the designated check by walking the policy
|
||||||
|
* module list and checking with each as to how it feels about the
|
||||||
|
* request. Note that it returns its value via 'error' in the scope
|
||||||
|
* of the caller.
|
||||||
|
*/
|
||||||
|
#define MAC_CHECK(check, args...) do { \
|
||||||
|
error = 0; \
|
||||||
|
MAC_POLICY_ITERATE({ \
|
||||||
|
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
|
||||||
|
DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_CHECK); \
|
||||||
|
int __step_err = mpc->mpc_ops->mpo_ ## check (args); \
|
||||||
|
DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_err); \
|
||||||
|
error = mac_error_select(__step_err, error); \
|
||||||
|
} \
|
||||||
|
}); \
|
||||||
|
} while (0)
|
||||||
|
```
|
||||||
|
|
||||||
|
Which will go over all the registered mac policies calling their functions and storing the output inside the error variable, which will only be overridable by `mac_error_select` by success codes so if any check fails the complete check will fail and the action won't be allowed.
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
However, remember that not all MACF callouts are used only to deny actions. For example, `mac_priv_grant` calls the macro [**MAC\_GRANT**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L274), which will grant the requested privilege if any policy answers with a 0:
|
||||||
|
|
||||||
|
```c
|
||||||
|
/*
|
||||||
|
* MAC_GRANT performs the designated check by walking the policy
|
||||||
|
* module list and checking with each as to how it feels about the
|
||||||
|
* request. Unlike MAC_CHECK, it grants if any policies return '0',
|
||||||
|
* and otherwise returns EPERM. Note that it returns its value via
|
||||||
|
* 'error' in the scope of the caller.
|
||||||
|
*/
|
||||||
|
#define MAC_GRANT(check, args...) do { \
|
||||||
|
error = EPERM; \
|
||||||
|
MAC_POLICY_ITERATE({ \
|
||||||
|
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
|
||||||
|
DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_GRANT); \
|
||||||
|
int __step_res = mpc->mpc_ops->mpo_ ## check (args); \
|
||||||
|
if (__step_res == 0) { \
|
||||||
|
error = 0; \
|
||||||
|
} \
|
||||||
|
DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_res); \
|
||||||
|
} \
|
||||||
|
}); \
|
||||||
|
} while (0)
|
||||||
|
```
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### priv\_check & priv\_grant
|
||||||
|
|
||||||
|
These callas are meant to check and provide (tens of) **privileges** defined in [**bsd/sys/priv.h**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/sys/priv.h).\
|
||||||
|
Some kernel code would call `priv_check_cred()` from [**bsd/kern/kern\_priv.c**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_priv.c) with the KAuth credentials of the process and one of the privileges code which will call `mac_priv_check` to see if any policy **denies** giving the privilege and then it calls `mac_priv_grant` to see if any policy grants the `privilege`.
|
||||||
|
|
||||||
|
### proc\_check\_syscall\_unix
|
||||||
|
|
||||||
|
This hook allows to intercept all system calls. In `bsd/dev/[i386|arm]/systemcalls.c` it's possible to see the declared function [`unix_syscall`](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/dev/arm/systemcalls.c#L160C1-L167C25), which contains this code:
|
||||||
|
|
||||||
|
```c
|
||||||
|
#if CONFIG_MACF
|
||||||
|
if (__improbable(proc_syscall_filter_mask(proc) != NULL && !bitstr_test(proc_syscall_filter_mask(proc), syscode))) {
|
||||||
|
error = mac_proc_check_syscall_unix(proc, syscode);
|
||||||
|
if (error) {
|
||||||
|
goto skip_syscall;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_MACF */
|
||||||
|
```
|
||||||
|
|
||||||
|
Which will check in the calling process **bitmask** if the current syscall should call `mac_proc_check_syscall_unix`. This is because syscalls are called so frequently that it's interesting to avoid calling `mac_proc_check_syscall_unix` every time.
|
||||||
|
|
||||||
|
Note that the function `proc_set_syscall_filter_mask()`, which set the bitmask syscalls in a process is called by Sandbox to set masks on sandboxed processes.
|
||||||
|
|
||||||
|
## Exposed MACF syscalls
|
||||||
|
|
||||||
|
It's possible to interact with MACF through some syscalls defined in [security/mac.h](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac.h#L151):
|
||||||
|
|
||||||
|
```c
|
||||||
|
/*
|
||||||
|
* Extended non-POSIX.1e interfaces that offer additional services
|
||||||
|
* available from the userland and kernel MAC frameworks.
|
||||||
|
*/
|
||||||
|
#ifdef __APPLE_API_PRIVATE
|
||||||
|
__BEGIN_DECLS
|
||||||
|
int __mac_execve(char *fname, char **argv, char **envv, mac_t _label);
|
||||||
|
int __mac_get_fd(int _fd, mac_t _label);
|
||||||
|
int __mac_get_file(const char *_path, mac_t _label);
|
||||||
|
int __mac_get_link(const char *_path, mac_t _label);
|
||||||
|
int __mac_get_pid(pid_t _pid, mac_t _label);
|
||||||
|
int __mac_get_proc(mac_t _label);
|
||||||
|
int __mac_set_fd(int _fildes, const mac_t _label);
|
||||||
|
int __mac_set_file(const char *_path, mac_t _label);
|
||||||
|
int __mac_set_link(const char *_path, mac_t _label);
|
||||||
|
int __mac_mount(const char *type, const char *path, int flags, void *data,
|
||||||
|
struct mac *label);
|
||||||
|
int __mac_get_mount(const char *path, struct mac *label);
|
||||||
|
int __mac_set_proc(const mac_t _label);
|
||||||
|
int __mac_syscall(const char *_policyname, int _call, void *_arg);
|
||||||
|
__END_DECLS
|
||||||
|
#endif /*__APPLE_API_PRIVATE*/
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [**\*OS Internals Volume III**](https://newosxbook.com/home.html)
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
|
@ -1,8 +1,8 @@
|
||||||
# macOS Users
|
# macOS Users & External Accounts
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -15,8 +15,7 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
|
||||||
</details>
|
</details>
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
## Common Users
|
||||||
### Common Users
|
|
||||||
|
|
||||||
* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
|
* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
|
||||||
|
|
||||||
|
@ -35,16 +34,21 @@ for i in "${state[@]}"; do sysadminctl -"${i}" status; done;
|
||||||
* **Nobody**: Processes are executed with this user when minimal permissions are required
|
* **Nobody**: Processes are executed with this user when minimal permissions are required
|
||||||
* **Root**
|
* **Root**
|
||||||
|
|
||||||
### User Privileges
|
## User Privileges
|
||||||
|
|
||||||
* **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own.
|
* **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own.
|
||||||
* **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**.
|
* **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**.
|
||||||
* **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection).
|
* **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection).
|
||||||
* For example root won't be able to place a file inside `/System`
|
* For example root won't be able to place a file inside `/System`
|
||||||
|
|
||||||
|
## External Accounts
|
||||||
|
|
||||||
|
MacOS also support to login via external identity providers such as FaceBook, Google... The main daemon performing this job is `accountsd` (`/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd`) and it's possible to find plugins used for external authentication inside the folder `/System/Library/Accounts/Authentication/`.\
|
||||||
|
Moreover, `accountsd` gets the list of account types from `/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue