hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md


Debugging the macOS Default Sandbox

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

This page shows how to build an application that executes arbitrary commands from inside the default macOS sandbox, which is a convenient way to check from the inside what a sandboxed process can and cannot do:

1. Compile the application:

{% code title="main.m" %}
```objectivec
#import <Foundation/Foundation.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Minimal command loop: every line typed is handed to system(), i.e. to /bin/sh.
// Because the binary runs inside the App Sandbox, that shell and every command
// it spawns inherit the same sandbox profile, which is what makes this useful
// for probing the sandbox from the inside.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        while (true) {
            char input[512];

            printf("Enter command to run (or 'exit' to quit): ");
            fflush(stdout);  // the prompt has no newline; flush it before blocking on stdin
            if (fgets(input, sizeof(input), stdin) == NULL) {
                break;
            }

            // Remove the trailing newline character
            size_t len = strlen(input);
            if (len > 0 && input[len - 1] == '\n') {
                input[len - 1] = '\0';
            }

            if (strcmp(input, "exit") == 0) {
                break;
            }

            system(input);
        }
    }
    return 0;
}
```
{% endcode %}

Compile it by running:

```bash
clang -framework Foundation -o SandboxedShellApp main.m
```

2. Build the .app bundle

```bash
mkdir -p SandboxedShellApp.app/Contents/MacOS
mv SandboxedShellApp SandboxedShellApp.app/Contents/MacOS/

cat << EOF > SandboxedShellApp.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleIdentifier</key>
<string>com.example.SandboxedShellApp</string>
<key>CFBundleName</key>
<string>SandboxedShellApp</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleExecutable</key>
<string>SandboxedShellApp</string>
</dict>
</plist>
EOF
```
3. Set the entitlements

{% tabs %} {% tab title="sandbox" %}

```bash
cat << EOF > entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
EOF
```

{% endtab %}

{% tab title="sandbox + downloads" %}

```bash
cat << EOF > entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
</dict>
</plist>
EOF
```

{% endtab %} {% endtabs %}

4. Sign the application (you need to create a code-signing certificate in the keychain first) and run it. Commands typed at the prompt are executed by /bin/sh inside the same sandbox, and the container directory ~/Library/Containers/com.example.SandboxedShellApp is created on first launch.

```bash
codesign --entitlements entitlements.plist -s "YourIdentity" SandboxedShellApp.app
./SandboxedShellApp.app/Contents/MacOS/SandboxedShellApp

# And in case you need this in the future
codesign --remove-signature SandboxedShellApp.app
```
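As an added example (not code from this page), the script below automates steps 1 to 4 and then probes the resulting sandbox: it writes the same Info.plist and entitlements.plist as above (with the Downloads entitlement when `downloads` is passed as the second argument), compiles main.m from the current directory, signs the bundle with the identity given as the first argument, dumps the entitlements that codesign actually embedded, and pipes `touch` commands into the running app to show which writes the sandbox lets through. It assumes macOS with clang and codesign; the probe file names and the container check are our own additions.

```shell
#!/bin/sh
# Added example, not code from the HackTricks page: automates steps 1-4 above
# and then probes what the resulting sandbox allows. Assumes macOS with clang
# and codesign, main.m (from step 1) in the current directory, and a
# code-signing identity passed as $1 ("YourIdentity" on the page). The probe
# file names and the extra checks are our own additions.
set -eu

APP_NAME=SandboxedShellApp
BUNDLE_ID=com.example.SandboxedShellApp

# Step 2: Contents/Info.plist for the bundle at $1 (same keys as on the page).
write_info_plist() {
  cat > "$1/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>$BUNDLE_ID</string>
  <key>CFBundleName</key><string>$APP_NAME</string>
  <key>CFBundleVersion</key><string>1.0</string>
  <key>CFBundleExecutable</key><string>$APP_NAME</string>
</dict>
</plist>
EOF
}

# Step 3: entitlements written to $1; pass "downloads" as $2 for the second tab's variant.
write_entitlements() {
  extra=""
  if [ "${2:-}" = downloads ]; then
    extra='<key>com.apple.security.files.downloads.read-write</key><true/>'
  fi
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  $extra
</dict>
</plist>
EOF
}

# Lay out $1/SandboxedShellApp.app and $1/entitlements.plist (no compiler
# needed, so this part runs anywhere); prints the bundle path.
build_bundle() {
  app="$1/$APP_NAME.app"
  mkdir -p "$app/Contents/MacOS"
  write_info_plist "$app"
  write_entitlements "$1/entitlements.plist" "${2:-}"
  printf '%s\n' "$app"
}

# Steps 1 and 4: compile main.m into the bundle, sign it with the given
# identity and print the entitlements codesign actually embedded, which is the
# check that the sandbox entitlement really is in the signature.
compile_and_sign() {   # $1 bundle, $2 identity, $3 entitlements.plist
  clang -framework Foundation -o "$1/Contents/MacOS/$APP_NAME" main.m
  codesign --force --entitlements "$3" -s "$2" "$1"
  codesign -d --entitlements - "$1"
}

# Feed touch commands to the sandboxed app and report which ones the sandbox
# let through. Absolute paths are used because inside the sandbox HOME is
# redirected to the container's Data directory.
probe_sandbox() {      # $1 bundle
  desktop="$HOME/Desktop/sandbox_probe"
  downloads="$HOME/Downloads/sandbox_probe"
  rm -f "$desktop" "$downloads"
  printf 'touch "%s"\ntouch "%s"\nexit\n' "$desktop" "$downloads" \
    | "$1/Contents/MacOS/$APP_NAME" || true
  [ -e "$desktop" ] && echo "Desktop write: allowed" || echo "Desktop write: denied (default sandbox)"
  [ -e "$downloads" ] && echo "Downloads write: allowed" || echo "Downloads write: denied"
  [ -d "$HOME/Library/Containers/$BUNDLE_ID" ] \
    && echo "container created at ~/Library/Containers/$BUNDLE_ID" || echo "no container found"
  rm -f "$desktop" "$downloads"
}

# Usage: sh build_sandboxed.sh "YourIdentity" [downloads]
main() {
  app=$(build_bundle . "${2:-}")
  compile_and_sign "$app" "$1" ./entitlements.plist
  probe_sandbox "$app"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once without and once with `downloads` to see the difference the second entitlement makes: with the plain sandbox both probe writes fail with "Operation not permitted", with the Downloads entitlement only the Desktop write does, and in both cases the container directory appears under ~/Library/Containers.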