From 85e43159806ef9c54d9405adf4c5f3f21250f0c1 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 8 Jun 2023 10:01:03 +0000 Subject: [PATCH] GITBOOK-3970: change request with no subject merged in GitBook --- SUMMARY.md | 2 +- .../README.md | 4 ++-- .../macos-files-folders-and-binaries/README.md | 4 ++-- ...r-packages-pkg.md => macos-installers-abuse.md} | 14 +++++++++++++- 4 files changed, 18 insertions(+), 6 deletions(-) rename macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/{macos-installer-packages-pkg.md => macos-installers-abuse.md} (87%) diff --git a/SUMMARY.md b/SUMMARY.md index fc195af9..bc7361fa 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -151,7 +151,7 @@ * [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md) * [macOS Files, Folders, Binaries & Memory](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md) * [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md) - * [macOS Installer Packages (pkg)](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md) + * [macOS Installers Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md) * [macOS Memory Dumping](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md) * [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md) * [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md) 
diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md index 174826cf..6374f20d 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/README.md @@ -92,8 +92,8 @@ Being able to **create a file** that is going to be **used by root**, allows a u For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**: -{% content-ref url="macos-files-folders-and-binaries/macos-installer-packages-pkg.md" %} -[macos-installer-packages-pkg.md](macos-files-folders-and-binaries/macos-installer-packages-pkg.md) +{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %} +[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md) {% endcontent-ref %} ### Entitlements and Privileges abuse via process abuse diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md index 60e51ae5..0635578a 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md @@ -51,8 +51,8 @@ MacOS stores information such as passwords in several places: ### Vulnerable pkg installers -{% content-ref url="macos-installer-packages-pkg.md" %} -[macos-installer-packages-pkg.md](macos-installer-packages-pkg.md) +{% content-ref url="macos-installers-abuse.md" %} +[macos-installers-abuse.md](macos-installers-abuse.md) {% endcontent-ref %} ## OS X Specific Extensions 
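Review bot: the rename is only reflected in SUMMARY.md and the two READMEs shown here; since GitBook `content-ref` links are plain relative paths, please grep the rest of the book for `macos-installer-packages-pkg.md` before merging so no other page is left pointing at the old filename. The new title "macOS Installers Abuse" is also broader than the old "macOS Installer Packages (pkg)", which fits the added non-pkg content in the last file of this patch.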
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md similarity index 87% rename from macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md rename to macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md index 44d747b3..0f25ea4c 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installer-packages-pkg.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md @@ -1,4 +1,4 @@ -# macOS Installer Packages (pkg) +# macOS Installers Abuse
@@ -52,6 +52,18 @@ If a pre or post installation script is for example executing from **`/var/tmp/I
+### AuthorizationExecuteWithPrivileges + +This is a [public function](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) that several installers and updaters will call to **execute something as root**. This function accepts the **path** of the **file** to **execute** as parameter, however, if an attacker could **modify** this file, he will be able to **abuse** its execution with root to **escalate privileges**. + +```bash +# Breakpoint in the function to check wich file is loaded +(lldb) b AuthorizationExecuteWithPrivileges +# You could also check FS events to find this missconfig +``` + +For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw) + ## References * [https://www.youtube.com/watch?v=iASSG0\_zobQ](https://www.youtube.com/watch?v=iASSG0\_zobQ)
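Review bot: the new section says an attacker who can modify the file gets root, but it never states the check that turns this into a finding: whether the path handed to `AuthorizationExecuteWithPrivileges` is writable by an unprivileged user (for instance a binary inside a user-writable app bundle, or a path under the same `/var/tmp`/`/tmp`-style location the previous paragraph warns about for pre/post install scripts), and whether the caller validates the file before the call, since a check done before execution can still be raced. One sentence along the lines of "check that the file (and every directory in its path) is owned by root and not writable by the user, and that the caller verifies it immediately before executing it" would make the test concrete. Two caveats worth adding to the same paragraph: the linked Apple page marks this function as deprecated, so the text should say that it is deprecated yet still used by installers and updaters, and the `lldb` breakpoint only works on processes you are allowed to attach to (SIP blocks attaching to Apple platform binaries, and hardened-runtime apps without the `get-task-allow` entitlement refuse debuggers), which is exactly when the "check FS events" alternative matters; naming the tool (`fs_usage`) in that comment would help. Finally, fix the typos in the added lines: "wich" should be "which", "missconfig" should be "misconfig", and "he will be able" reads better as "they will be able".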