macOS XPC Connecting Process Check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

XPC Connecting Process Check

Wakati muunganisho unapoanzishwa na huduma ya XPC, seva itakagua ikiwa muunganisho unaruhusiwa. Hizi ndizo ukaguzi ambao kawaida hufanywa:

Angalia ikiwa mchakato unaounganisha umeandikwa na cheti kilichosainiwa na Apple (ambacho kinatolewa tu na Apple).

Ikiwa hii haijathibitishwa, mshambuliaji anaweza kuunda cheti bandia ili kufanana na ukaguzi mwingine wowote.

Angalia ikiwa mchakato unaounganisha umeandikwa na cheti cha shirika, (uthibitisho wa kitambulisho cha timu).

Ikiwa hii haijathibitishwa, cheti chochote cha mende kutoka Apple kinaweza kutumika kwa kusaini, na kuungana na huduma.

Angalia ikiwa mchakato unaounganisha una kitambulisho sahihi cha kifurushi.

Ikiwa hii haijathibitishwa, chombo chochote kilichosainiwa na shirika hilo hilo kinaweza kutumika kuingiliana na huduma ya XPC.

(4 au 5) Angalia ikiwa mchakato unaounganisha una nambari sahihi ya toleo la programu.

Ikiwa hii haijathibitishwa, wateja wa zamani, wasio salama, walio hatarini kwa sindano ya mchakato wanaweza kutumika kuungana na huduma ya XPC hata na ukaguzi mwingine ukiwa mahali.

(4 au 5) Angalia ikiwa mchakato unaounganisha una mazingira ya runtime yaliyohakikishwa bila ruhusa hatari (kama zile zinazoruhusu kupakia maktaba za kawaida au kutumia DYLD env vars)
Ikiwa hii haijathibitishwa, mteja anaweza kuwa hatari kwa sindano ya msimbo
Angalia ikiwa mchakato unaounganisha una ruhusa inayoruhusu kuungana na huduma. Hii inatumika kwa binaries za Apple.
Uthibitisho lazima uwe kulingana na tokeni ya ukaguzi ya mteja badala ya kitambulisho chake cha mchakato (PID) kwani ya kwanza inazuia shambulio la upya la PID.

Wandevu hawatumii mara kwa mara tokeni ya ukaguzi API wito kwani ni binafsi, hivyo Apple inaweza kubadilisha wakati wowote. Zaidi ya hayo, matumizi ya API binafsi hayaruhusiwi katika programu za Duka la Mac.
Ikiwa njia processIdentifier inatumika, inaweza kuwa hatari
xpc_dictionary_get_audit_token inapaswa kutumika badala ya xpc_connection_get_audit_token, kwani ya mwisho inaweza pia kuwa hatari katika hali fulani.

Communication Attacks

Kwa maelezo zaidi kuhusu shambulio la upya la PID angalia:

macOS PID Reuse

Kwa maelezo zaidi xpc_connection_get_audit_token shambulio angalia:

macOS xpc_connection_get_audit_token Attack

Trustcache - Downgrade Attacks Prevention

Trustcache ni njia ya kujihami iliyowekwa katika mashine za Apple Silicon ambayo inahifadhi hifadhidata ya CDHSAH ya binaries za Apple ili tu binaries zisizobadilishwa zinazoruhusiwa ziweze kutekelezwa. Hii inazuia utekelezaji wa toleo la kudharau.

Code Examples

Seva itatekeleza uthibitisho huu katika kazi inayoitwa shouldAcceptNewConnection.

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
//Check connection
return YES;
}

Kitu NSXPCConnection kina mali ya faragha auditToken (ile ambayo inapaswa kutumika lakini inaweza kubadilika) na mali ya umma processIdentifier (ile ambayo haipaswi kutumika).

Mchakato unaounganisha unaweza kuthibitishwa kwa kitu kama:

[...]
SecRequirementRef requirementRef = NULL;
NSString requirementString = @"anchor apple generic and identifier \"xyz.hacktricks.service\" and certificate leaf [subject.CN] = \"TEAMID\" and info [CFBundleShortVersionString] >= \"1.0\"";
/* Check:
- Signed by a cert signed by Apple
- Check the bundle ID
- Check the TEAMID of the signing cert
- Check the version used
*/

// Check the requirements with the PID (vulnerable)
SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &requirementRef);
SecCodeCheckValidity(code, kSecCSDefaultFlags, requirementRef);

// Check the requirements wuing the auditToken (secure)
SecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);
SecTaskValidateForRequirement(taskRef, (__bridge CFStringRef)(requirementString))

Ikiwa mendelevu hataki kuangalia toleo la mteja, anaweza kuangalia kwamba mteja si hatarini kwa sindano ya mchakato angalau:

[...]
CFDictionaryRef csInfo = NULL;
SecCodeCopySigningInformation(code, kSecCSDynamicInformation, &csInfo);
uint32_t csFlags = [((__bridge NSDictionary *)csInfo)[(__bridge NSString *)kSecCodeInfoStatus] intValue];
const uint32_t cs_hard = 0x100;        // don't load invalid page.
const uint32_t cs_kill = 0x200;        // Kill process if page is invalid
const uint32_t cs_restrict = 0x800;    // Prevent debugging
const uint32_t cs_require_lv = 0x2000; // Library Validation
const uint32_t cs_runtime = 0x10000;   // hardened runtime
if ((csFlags & (cs_hard | cs_require_lv)) {
return Yes; // Accept connection
}

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousmacOS XPC Authorization NextmacOS PID Reuse

Last updated 4 months ago