hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md
2024-12-12 11:39:29 +01:00

4.9 KiB

macOS File Extension & URL scheme app handlers

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

LaunchServices Database

This is a database of all the installed applications in the macOS that can be queried to get information about each installed application such as URL schemes it support and MIME types.

It's possible to dump this datase with:

{% code overflow="wrap" %}

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump

{% endcode %}

Or using the tool lsdtrip.

/usr/libexec/lsd is the brain of the database. It provides several XPC services like .lsd.installation, .lsd.open, .lsd.openurl, and more. But it also requires some entitlements to applications to be able to use the exposed XPC functionalities, like .launchservices.changedefaulthandler or .launchservices.changeurlschemehandler to change default apps for mime types or url schemes and others.

/System/Library/CoreServices/launchservicesd claims the service com.apple.coreservices.launchservicesd and can be queried to get information about running applications. It can be queried with the system tool /usr/bin/lsappinfo or with lsdtrip.

File Extension & URL scheme app handlers

The following line can be useful to find the applications that can open files depending on the extension:

{% code overflow="wrap" %}

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:"

{% endcode %}

Or use something like SwiftDefaultApps:

./swda getSchemes #Get all the available schemes
./swda getApps #Get all the apps declared
./swda getUTIs #Get all the UTIs
./swda getHandler --URL ftp #Get ftp handler

You can also check the extensions supported by an application doing:

cd /Applications/Safari.app/Contents
grep -A3 CFBundleTypeExtensions Info.plist  | grep string
				<string>css</string>
				<string>pdf</string>
				<string>webarchive</string>
				<string>webbookmark</string>
				<string>webhistory</string>
				<string>webloc</string>
				<string>download</string>
				<string>safariextz</string>
				<string>gif</string>
				<string>html</string>
				<string>htm</string>
				<string>js</string>
				<string>jpg</string>
				<string>jpeg</string>
				<string>jp2</string>
				<string>txt</string>
				<string>text</string>
				<string>png</string>
				<string>tiff</string>
				<string>tif</string>
				<string>url</string>
				<string>ico</string>
				<string>xhtml</string>
				<string>xht</string>
				<string>xml</string>
				<string>xbl</string>
				<string>svg</string>

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}