mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GITBOOK-4161: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-11-08 13:34:27 +00:00 committed by gitbook-bot
parent b9aaa576aa
commit 19ea26bd92
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 22 additions and 1 deletions


@ -111,6 +111,12 @@ From macOS Somona, there are some protections **preventing to write inside Apps*
5. Rename to `/tmp/CarPlay Simulator.app/Contents`
6. Launch `CarPlay Simulator.app` again
{% hint style="success" %}
It looks like this is no longer possible because macOS **prevents modifying files** inside applications bundles.\
So, after executing the app to cache it with Gatekeeper, you won't be able to modify the bundle.\
And if you change for example the name of the Contents directory to **NotCon** (as indicated in the exploit), and then execute the main binary of the app to cache it with Gatekeeper, it will **trigger an error and won't execute**.
{% endhint %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
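Review bot: the new hint contradicts steps 5 and 6 immediately above it without marking them as historical, so a reader following the numbered list will attempt a procedure the same page says fails; suggest prefixing the list with a note that it documents the original technique and keeping the hint as the current status. The hint also states only that macOS "prevents modifying files inside applications bundles" but not from which version, while the hunk's own context line says "From macOS Somona" (a typo for Sonoma); the version should be named once, spelled correctly, and the hint should point to it rather than repeating the NotCon detail that already appears in the Gatekeeper page.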


@ -231,6 +231,11 @@ You could abuse this env variable in a plist to maintain persistence adding thes
The TCC daemon from macOS doesn't check the executed version of the application. So if you **cannot inject code in an Electron application** with any of the previous techniques you could download a previous version of the APP and inject code on it as it will still get the TCC privileges (unless Trust Cache prevents it).
{% endhint %}
## Run non JS Code
The previous techniques will allow you to run **JS code inside the process of the electron application**. However, remember that the **child processes run under the same sandbox profile** as the parent application and **inherit their TCC permissions**.\
Therefore, if you want to abuse entitlements to access the camera or microphone for example, you could just **run another binary from the process**.
## Automatic Injection
The tool [**electroniz3r**](https://github.com/r3ggi/electroniz3r) can be easily used to **find vulnerable electron applications** installed and inject code on them. This tool will try to use the **`--inspect`** technique:
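Review bot: in "Run non JS Code" the two sentences assert without qualification that child processes "run under the same sandbox profile" and "inherit their TCC permissions"; the hunk gives no reference or condition for this, so it should either cite the source or be phrased as the observed behaviour for processes spawned by the Electron parent, which is also the detection-relevant point (TCC activity is attributed to the Electron app, not to whatever binary it launched). Minor style: the heading should read "Run non-JS code" to match the hyphenation and casing used elsewhere on the page.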


@ -331,7 +331,17 @@ XProtect is located on. SIP protected location at **/Library/Apple/System/Librar
* **`XProtect.bundle/Contents/Resources/XProtect.yara`**: Yara rules to detect malware.
* **`XProtect.bundle/Contents/Resources/gk.db`**: SQLite3 database with hashes of blocked applications and TeamIDs.
Note that there is another App in **`/Library/Apple/System/Library/CoreServices/XProtect.app`** related to XProtect that isn't involved with the Gatekeeper process..
Note that there is another App in **`/Library/Apple/System/Library/CoreServices/XProtect.app`** related to XProtect that isn't involved with the Gatekeeper process.
### Not Gatekeeper
{% hint style="danger" %}
Note that Gatekeeper **isn't executed every time** you execute an application, just _**AppleMobileFileIntegrity**_ (AMFI) will only **verify executable code signatures** when you execute an app that has been already executed and verified by Gatekeeper.
{% endhint %}
Therefore, previously it was possible to execute an app to cache it with Gatekeeper, then **modify not executables files of the application** (like Electron asar or NIB files) and if no other protections were in place, the application was **executed** with the **malicious** additions.
However, now this is not possible because macOS **prevents modifying files** inside applications bundles. So, if you try the [Dirty NIB](../macos-proces-abuse/macos-dirty-nib.md) attack, you will find that it's not longer possible to abuse it because after executing the app to cache it with Gatekeeper, you won't be able to modify the bundle. And if you change for example the name of the Contents directory to NotCon (as indicated in the exploit), and then execute the main binary of the app to cache it with Gatekeeper, it will trigger an error and won't execute.
## Gatekeeper Bypasses
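Review bot: the danger hint reads "just _AppleMobileFileIntegrity_ (AMFI) will only verify executable code signatures", which doubles the restriction and is hard to parse; suggest "only AMFI verifies executable code signatures when you run an app that Gatekeeper has already assessed". In the following paragraphs, "modify not executables files" should be "modify non-executable files" and "it's not longer possible" should be "it's no longer possible". The closing paragraph about caching with Gatekeeper, the NotCon rename and the resulting error duplicates the hint added in the same commit to the Dirty NIB page almost verbatim; keep the explanation in one place and link to it from the other so the two do not drift apart. The `..` to `.` fix on the XProtect.app sentence is fine.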