8.9 KiB
macOS Dangerous Entitlements & TCC perms
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
{% hint style="warning" %}
Note that entitlements starting with com.apple
are not available to third-parties, only Apple can grant them.
{% endhint %}
High
com.apple.rootless.install.heritable
The entitlement com.apple.rootless.install.heritable
allows to bypass SIP. Check this for more info.
com.apple.rootless.install
The entitlement com.apple.rootless.install
allows to bypass SIP. Check this for more info.
com.apple.system-task-ports
(previously called task_for_pid-allow
)
This entitlement allows to get the task port for any process, except the kernel. Check this for more info.
com.apple.security.get-task-allow
This entitlement allows other processes with the com.apple.security.cs.debugger
entitlement to get the task port of the process run by the binary with this entitlement and inject code on it. Check this for more info.
com.apple.security.cs.debugger
Apps with the Debugging Tool Entitlement can call task_for_pid()
to retrieve a valid task port for unsigned and third-party apps with the Get Task Allow
entitlement set to true
. However, even with the debugging tool entitlement, a debugger can’t get the task ports of processes that don’t have the Get Task Allow
entitlement, and that are therefore protected by System Integrity Protection. Check this for more info.
com.apple.security.cs.disable-library-validation
This entitlement allows to load frameworks, plug-ins, or libraries without being either signed by Apple or signed with the same Team ID as the main executable, so an attacker could abuse some arbitrary library load to inject code. Check this for more info.
com.apple.security.cs.allow-dyld-environment-variables
This entitlement allows to use DYLD environment variables that could be used to inject libraries and code. Check this for more info.
com.apple.private.tcc.manager
and com.apple.rootless.storage
.TCC
According to this blog, these entitlements allows to modify the TCC database.
com.apple.private.security.kext-management
Entitlement needed to ask the kernel to load a kernel extension.
com.apple.private.tcc.manager.check-by-audit-token
TODO: I don't know what this allows to do
com.apple.private.apfs.revert-to-snapshot
TODO: In this report is mentioned that this could be used to update the SSV-protected contents after a reboot. If you know how it send a PR please!
com.apple.private.apfs.create-sealed-snapshot
TODO: In this report is mentioned that this could be used to update the SSV-protected contents after a reboot. If you know how it send a PR please!
kTCCServiceSystemPolicyAllFiles
Gives Full Disk Access permissions, one of the TCC highest permissions you can have.
kTCCServiceAppleEvents
Allows the app to send events to other applications that are commonly used for automating tasks. Controlling other apps, it can abuse the permissions granted to these other apps.
kTCCServiceSystemPolicySysAdminFiles
Allows to change the NFSHomeDirectory
attribute of a user that changes his home folder and therefore allows to bypass TCC.
kTCCServiceSystemPolicyAppBundles
Allow to modify apps inside their folders (inside app.app), which is disallowed by default.
Medium
com.apple.security.cs.allow-jit
This entitlement allows to create memory that is writable and executable by passing the MAP_JIT
flag to the mmap()
system function. Check this for more info.
com.apple.security.cs.allow-unsigned-executable-memory
This entitlement allows to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory
(which is fundamentally insecure), or use the DVDPlayback framework. Check this for more info.
{% hint style="danger" %} Including this entitlement exposes your app to common vulnerabilities in memory-unsafe code languages. Carefully consider whether your app needs this exception. {% endhint %}
com.apple.security.cs.disable-executable-page-protection
This entitlement allows to modify sections of its own executable files on disk to forcefully exit. Check this for more info.
{% hint style="danger" %} The Disable Executable Memory Protection Entitlement is an extreme entitlement that removes a fundamental security protection from your app, making it possible for an attacker to rewrite your app’s executable code without detection. Prefer narrower entitlements if possible. {% endhint %}
com.apple.security.cs.allow-relative-library-loads
TODO
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.