From 840b63af943d10700f8b86a5628fac476658b3de Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 11 Jun 2023 01:04:59 +0000 Subject: [PATCH] GITBOOK-3976: change request with no subject merged in GitBook --- SUMMARY.md | 3 +- .../README.md | 6 ++ .../macos-security-protections/README.md | 2 + .../macos-sandbox/README.md | 4 +- .../README.md} | 20 +++--- .../macos-office-sandbox-bypasses.md | 72 +++++++++++++++++++ .../macos-security-protections/macos-sip.md | 2 + 7 files changed, 98 insertions(+), 11 deletions(-) rename macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/{macos-sandbox-debug-and-bypass.md => macos-sandbox-debug-and-bypass/README.md} (94%) create mode 100644 macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md diff --git a/SUMMARY.md b/SUMMARY.md index f0a97cb3..755f360a 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -168,7 +168,8 @@ * [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md) * [macOS SIP](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md) * [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md) - * [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md) + * [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md) + * [macOS Office Sandbox Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md) * [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md) * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-scripts.md) * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md index f4fe5eea..3e6d7ad4 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md 
@@ -122,6 +122,12 @@ Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil dis Note that in order to **instrument system binaries**, (such as `cloudconfigurationd`) on macOS, **SIP must be disabled** (just removing the signature won't work). {% endhint %} +### Unified Logs + +MacOS generates a lot of logs that can be very useful when running an application trying to understand **what is it doing**. + +Moreover, the are some logs that will contain the tag `` to **hide** some **user** or **computer** **identifiable** information. However, it's possible to **install a certificate to disclose this information**. Follow the explanations from [**here**](https://superuser.com/questions/1532031/how-to-show-private-data-in-macos-unified-log). + ### Hopper #### Left panel diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md index 87cb854d..b3175137 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md @@ -88,6 +88,8 @@ Therefore, these checks are **only run when executing apps with the quarantined {% hint style="warning" %} **Note that Safari and other web browsers and applications are the ones that need to mark the downloaded files** + +Moreover, **files created by sandboxed processes** are also appended this attribute to prevent sandbox escaped. {% endhint %} It's possible to **check it's status and enable/disable** (root required) with: diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md index b72c58bf..63c58d9a 100644 
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md @@ -218,8 +218,8 @@ Bypasses examples: Processes are automatically Sandboxed from userland when they start if they have the entitlement: `com.apple.security.app-sandbox`. For a detailed explanation of this process check: -{% content-ref url="macos-sandbox-debug-and-bypass.md" %} -[macos-sandbox-debug-and-bypass.md](macos-sandbox-debug-and-bypass.md) +{% content-ref url="macos-sandbox-debug-and-bypass/" %} +[macos-sandbox-debug-and-bypass](macos-sandbox-debug-and-bypass/) {% endcontent-ref %} ### **Check PID Privileges** diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md similarity index 94% rename from macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md rename to macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md index f1a3b418..1dad2256 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md @@ -14,7 +14,7 @@ ## Sandbox loading process -

Image from http://newosxbook.com/files/HITSB.pdf

+

Image from http://newosxbook.com/files/HITSB.pdf

In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run. @@ -25,6 +25,10 @@ Finally, the sandbox will be activated will a call to **`__sandbox_ms`** which w ## Possible Bypasses +{% hint style="warning" %} +Note that **files created by sandboxed processes** are appended the **quarentine attribute** to prevent sandbox escaped. +{% endhint %} + ### Run binary without Sandbox If you run a binary that won't be sandboxed from a sandboxed binary, it will **run within the sandbox of the parent process**. @@ -178,16 +182,16 @@ Process 2517 exited with status = 0 (0x00000000) If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes: -{% content-ref url="../../macos-proces-abuse/" %} -[macos-proces-abuse](../../macos-proces-abuse/) +{% content-ref url="../../../macos-proces-abuse/" %} +[macos-proces-abuse](../../../macos-proces-abuse/) {% endcontent-ref %} ### Interposting Bypass For more information about **Interposting** check: -{% content-ref url="../../mac-os-architecture/macos-function-hooking.md" %} -[macos-function-hooking.md](../../mac-os-architecture/macos-function-hooking.md) +{% content-ref url="../../../mac-os-architecture/macos-function-hooking.md" %} +[macos-function-hooking.md](../../../mac-os-architecture/macos-function-hooking.md) {% endcontent-ref %} #### Interpost `_libsecinit_initializer` to prevent the sandbox 
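Review bot: The new warning hint added under "## Possible Bypasses" (hunk @@ -25) has two typos that should be fixed before merge: "quarentine" should be "quarantine", and "to prevent sandbox escaped" should read "to prevent sandbox escapes". Suggested line: `Note that **files created by sandboxed processes** get the **quarantine attribute** appended to prevent sandbox escapes.` The same sentence is also added to macos-security-protections/README.md in this patch, so both copies should be corrected the same way.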
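Review bot: The extra `../` added to both content-ref paths in hunk @@ -178 is correct for the rename (README.md now sits one directory deeper, under macos-sandbox-debug-and-bypass/), but the unchanged context lines immediately above the second edit, "### Interposting Bypass" and "For more information about **Interposting** check:", are misspelled; since this hunk already touches the lines right below them, changing both to "Interposing" here is a cheap drive-by fix.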
@@ -280,7 +284,7 @@ ld -o shell shell.o -macosx_version_min 13.0 ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64 ``` -### Abusing Austo Start Locations +### Abusing Auto Start Locations If a sandboxed process can **write** in a place where **later an unsandboxed application is going to run the binary**, it will be able to **escape just by placing** there the binary. A good example of this kind of locations are `~/Library/LaunchAgents` or `/System/Library/LaunchDaemons`. @@ -288,8 +292,8 @@ For this you might even need **2 steps**: To make a process with a **more permis Check this page about **Auto Start locations**: -{% content-ref url="broken-reference" %} -[Broken link](broken-reference) +{% content-ref url="../../../../macos-auto-start-locations.md" %} +[macos-auto-start-locations.md](../../../../macos-auto-start-locations.md) {% endcontent-ref %} ## References diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md new file mode 100644 index 00000000..943e78d0 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md @@ -0,0 +1,72 @@ +# macOS Office Sandbox Bypasses + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - πŸŽ™οΈ Twitch πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +### Word Sandbox bypass via Launch Agents + +The application uses a **custom Sandbox** using the entitlement **`com.apple.security.temporary-exception.sbpl`** and this custom sandbox allows to write files anywhere as long as the filename started with `~$`: `(require-any (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~$[^/]+$")))` + +Therefore, escaping was as easy as **writing a `plist`** LaunchAgent in `~/Library/LaunchAgents/~$escape.plist`. + +Check the [**original report here**](https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/). + +### Word Sandbox bypass via Login Items and zip + +(Remember that from the first escape, Word can write arbitrary files whose name start with `~$`). + +It was discovered that from within the sandbox it's possible to create a **Login Item** (apps that will be executed when the user logs in). However, these apps **won't execute unless** they are **notarized** and it's **not possible to add args** (so you cannot just run a reverse shell using **`bash`**). + +From the previous Sandbox bypass, Microsoft disabled the option to write files in `~/Library/LaunchAgents`. However, it was discovered that if you put a **zip file as a Login Item** the `Archive Utility` will just **unzip** it on its current location. So, because by default the folder `LaunchAgents` from `~/Library` is not created, it was possible to **zip a plist in `LaunchAgents/~$escape.plist`** and **place** the zip file in **`~/Library`** so when decompress it will reach the persitence destination. + +Check the [**original report here**](https://objective-see.org/blog/blog\_0x4B.html). + +### Word Sandbox bypass via Login Items and .zshenv + +(Remember that from the first escape, Word can write arbitrary files whose name start with `~$`). + +However, the previous technique had a limitation, if the folder **`~/Library/LaunchAgents`** exists because some other software created it, it would fail. 
So a different Login Items chain was discovered for this. + +An attacker could crate the the files **`.bash_profile`** and **`.zshenv`** with the payload to execute and then zip them and **write the zip in the victims** user folder: \~/\~$escape.zip. + +Then, add the zip file to the **Login Items** and then the **`Terminal`** app. When the user relogins, the zip file would be uncompressed in the users file, overwriting **`.bash_profile`** and **`.zshenv`** and therefore, the terminal will execute one of these files (depending if bash or zsh is used). + +Check the [**original report here**](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c). + +### Word Sandbox Bypass with Open and env variables + +From sandboxed processes it's still possible to invoke other processes using the **`open`** utility. Moreover, these processes will run **within their own sandbox**. + +It was discovered that the open utility has the **`--env`** option to run an app with **specific env** variables. Therefore, it was possible to create the **`.zshenv` file** within a folder **inside** the **sandbox** and the use `open` with `--env` setting the **`HOME` variable** to that folder opening that `Terminal` app, which will execute the `.zshenv` file (for some reason it was also needed to set the variable `__OSINSTALL_ENVIROMENT`). + +Check the [**original report here**](https://perception-point.io/blog/technical-analysis-of-cve-2021-30864/). + +### Word Sandbox Bypass with Open and stdin + +The **`open`** utility also supported the **`--stdin`** param (and after the previous bypass it was no longer possible to use `--env`). + +The thing is that even if **`python`** was signed by Apple, it **won't execute** a script with the **`quarantine`** attribute. However, it was possible to pass it a script from stdin so it won't check if it was quarantined or not: + +1. Drop a **`~$exploit.py`** file with arbitrary Python commands. +2. 
Run _open_ **`–stdin='~$exploit.py' -a Python`**, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of _launchd_, it isn’t bound to Word’s sandbox rules. + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - πŸŽ™οΈ Twitch πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
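Review bot: Two commands in the new macos-office-sandbox-bypasses.md will not work if copied as written. The sandbox rule quoted in the first section, `(regex #"(^|/)~$[^/]+$")`, has an unescaped `$` right after `~`, which a regex engine reads as an end-of-input anchor, so the pattern as printed could never match a name such as `~$escape.plist`; a backslash before that `$` was most likely lost in markdown and needs escaping. In the last step, `–stdin='~$exploit.py' -a Python` uses an en-dash where the paragraph above it correctly writes `--stdin` with two hyphens. The header and footer banners also contain mojibake (`πŸŽ™οΈ`, `πŸŽ₯`) instead of the emoji used on the other pages, so the banner should be copied byte-for-byte from an existing page. Smaller wording fixes: "allows to write files anywhere as long as the filename started with" should be "allows writing files anywhere as long as the filename starts with"; "persitence" should be "persistence"; "crate the the files" should be "create the files"; "write the zip in the victims user folder" should be "write the zip in the victim's home folder"; "uncompressed in the users file" should be "decompressed in the user's home folder"; and the variable name `__OSINSTALL_ENVIROMENT` should be verified against the linked Perception Point report, since a dropped letter in ENVIRONMENT would be an easy copy error.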
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md index 4e0d8d39..340124fc 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md @@ -107,6 +107,8 @@ Researchers found that during the installation of an Apple-signed package (.pkg Moreover, it was discovered that **`/etc/zshenv` could be used as a general attack technique**, not just for a SIP bypass. Each user profile has a `~/.zshenv` file, which behaves the same way as `/etc/zshenv` but doesn't require root permissions. This file could be used as a persistence mechanism, triggering every time `zsh` starts, or as an elevation of privilege mechanism. If an admin user elevates to root using `sudo -s` or `sudo `, the `~/.zshenv` file would be triggered, effectively elevating to root. +In [**CVE-2022-22583**](https://perception-point.io/blog/technical-analysis-cve-2022-22583/) it was discovered that the same **`system_installd`** process could still be abused because it was putting the **post-install script inside a random named folder protected by SIP inside `/tmp`**. The thing is that **`/tmp` itself isn't protected by SIP**, so it was possible to **mount** a **virtual image on it**, then the **installer** would put in there the **post-install script**, **unmount** the virtual image, **recreate** all the **folders** and **add** the **post installation** script with the **payload** to execute. + ### **com.apple.rootless.install** {% hint style="danger" %}
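Review bot: In the new "### Unified Logs" section of macos-apps-inspecting-debugging-and-fuzzing/README.md (hunk @@ -122) the tag inside the backticks is empty ("will contain the tag `` to **hide**"), so readers cannot tell which marker to look for in the logs; the angle-bracketed tag was most likely swallowed by the markdown/HTML renderer and needs escaping. Wording fixes in the same hunk: "MacOS" should be "macOS" as on the rest of the page, "when running an application trying to understand **what is it doing**" should be "when running an application, to understand **what it is doing**", "the are some logs" should be "there are some logs", and "install a certificate to disclose this information" should be checked against the linked superuser answer so the mechanism is named correctly.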
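Review bot: The sentence added to macos-security-protections/README.md (hunk @@ -88), "**files created by sandboxed processes** are also appended this attribute to prevent sandbox escaped", is ungrammatical; suggest "**files created by sandboxed processes** also get this attribute appended to prevent sandbox escapes".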
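Review bot: The new link in hunk @@ -288, `../../../../macos-auto-start-locations.md`, climbs four levels, one more than every other cross-reference in the same file (`../../../macos-proces-abuse/`, `../../../mac-os-architecture/macos-function-hooking.md`), which places the target directly under `macos-hardening/` rather than under `macos-security-and-privilege-escalation/`. Confirm that is where macos-auto-start-locations.md actually lives before merging: this line replaces a "broken-reference" placeholder, and a wrong depth would leave the GitBook link just as broken as before.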
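Review bot: The CVE-2022-22583 paragraph added to macos-sip.md (hunk @@ -107) packs the whole sequence into one sentence whose actor changes halfway through (the installer writes the script, then the unmount/recreate/add steps are done by the attacker), which makes the race hard to follow; suggest splitting it into a short numbered list in the order the sentence already gives, and changing "random named folder" to "randomly named folder". Separately, the unchanged context line just above reads "`sudo -s` or `sudo `" with the second command's argument missing, which looks like another case of markdown eating angle brackets and is worth fixing while this section is being edited.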