hacktricks/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md

5.1 KiB

macOS Kernel Extensions

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Basic Information

Kernel extensions (Kexts) are packages with a .kext extension that are loaded directly into the macOS kernel space, providing additional functionality to the main operating system.

Requirements

Obviously, this is so powerful that it is complicated to load a kernel extension. These are the requirements that a kernel extension must meet to be loaded:

  • When entering recovery mode, kernel extensions must be allowed to be loaded:
  • The kernel extension must be signed with a kernel code signing certificate, which can only be granted by Apple. Who will review in detail the company and the reasons why it is needed.
  • The kernel extension must also be notarized, Apple will be able to check it for malware.
  • Then, the root user is the one who can load the kernel extension and the files inside the package must belong to root.
  • During the upload process, the package must be prepared in a protected non-root location: /Library/StagedExtensions (requires the com.apple.rootless.storage.KernelExtensionManagement grant).
  • Finally, when attempting to load it, the user will receive a confirmation request and, if accepted, the computer must be restarted to load it.

Loading process

In Catalina it was like this: It is interesting to note that the verification process occurs in userland. However, only applications with the com.apple.private.security.kext-management grant can request the kernel to load an extension: kextcache, kextload, kextutil, kextd, syspolicyd

  1. kextutil cli starts the verification process for loading an extension
    • It will talk to kextd by sending using a Mach service.
  2. kextd will check several things, such as the signature
    • It will talk to syspolicyd to check if the extension can be loaded.
  3. syspolicyd will prompt the user if the extension has not been previously loaded.
    • syspolicyd will report the result to kextd
  4. kextd will finally be able to tell the kernel to load the extension

If kextd is not available, kextutil can perform the same checks.

Referencias

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!