GITBOOK-4097: change request with no subject merged in GitBook
This commit is contained in:
parent
7d1cde6b91
commit
6822e550ab
Binary file not shown.
After Width: | Height: | Size: 34 KiB |
Binary file not shown.
After Width: | Height: | Size: 49 KiB |
@ -129,6 +129,12 @@ osascript -e 'tell application "System Events" to delete login item "itemname"'
These items are stored in the file /Users/\<username>/Library/Application Support/com.apple.backgroundtaskmanagementagent
### ZIP as Login Item
If you store a **ZIP** file as a **Login Item** the **`Archive Utility`** will open it and if the zip was for example stored in **`~/Library`** and contained the Folder **`LaunchAgents/file.plist`** with a backdoor, that folder will be created (it isn't by default) and the plist will be added so the next time the user logs in again, the **backdoor indicated in the plist will be executed**.
Another options would be to create the files **`.bash_profile`** and **`.zshenv`** inside the user HOME so if the folder LaunchAgents already exist this technique would still work.
### At
“At tasks” are used to **schedule tasks at specific times**.\
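Review bot: the `.bash_profile`/`.zshenv` variant in this hunk leaves out the condition under which those files take effect: they are only sourced when a shell is started, which is why the other hunk in this commit adds `Terminal` as a second Login Item after the zip; state that dependency here too so the two pages agree. Grammar: "Another options would be" should read "Another option would be", and "if the folder LaunchAgents already exist" should be "already exists".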
@ -184,6 +190,34 @@ In the previous example we have created and deleted a **LoginHook**, it's also p
The root user one is stored in `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`
### Applications Preferences
In **`~/Library/Preferences`** are store the preferences of the user in the Applications. Some of these preferences can hold a configuration to **execute other applications/scripts**.
For example, the Terminal can execute a command in the Startup:
<figure><img src="../.gitbook/assets/image (676).png" alt="" width="495"><figcaption></figcaption></figure>
This config is reflected in the file **`~/Library/Preferences/com.apple.Terminal.plist`** like this:
```bash
[...]
"Window Settings" => {
"Basic" => {
"CommandString" => "touch /tmp/terminal_pwn"
"Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf }
"FontAntialias" => 1
"FontWidthSpacing" => 1.004032258064516
"name" => "Basic"
"ProfileCurrentVersion" => 2.07
"RunCommandAsShell" => 0
"type" => "Window Settings"
}
[...]
```
So, if the plist of the preferences of the terminal in the system could be overwritten, the the **`open`** functionality can be used to **open the terminal and that command will be executed**.
### Emond
Apple introduced a logging mechanism called **emond**. It appears it was never fully developed, and development may have been **abandoned** by Apple for other mechanisms, but it remains **available**.
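Review bot: the fenced block starting at `"Window Settings" => {` is tagged `bash` but contains a dumped plist, not shell commands; either use a plain fence or put the command that produced the dump in front of it so readers can reproduce the check on their own `com.apple.Terminal.plist`. Typos in the same hunk: "In `~/Library/Preferences` are store the preferences of the user in the Applications" should read "`~/Library/Preferences` stores the user's per-application preferences", and "the the **`open`** functionality" has a doubled "the".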
@ -200,7 +234,9 @@ ls -l /private/var/db/emondClients
### Startup Items
\{% hint style="danger" %\} **This is deprecated, so nothing should be found in the following directories.** \{% endhint %\}
{% hint style="danger" %}
**This is deprecated, so nothing should be found in the following directories.**
{% endhint %}
A **StartupItem** is a **directory** that gets **placed** in one of these two folders. `/Library/StartupItems/` or `/System/Library/StartupItems/`
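Review bot: the multi-line `{% hint style="danger" %}` block is the right replacement for the escaped single-line form (`\{% hint ... %\}`), which GitBook would have shown literally instead of rendering as a callout. In the trailing context line, "placed in one of these two folders. `/Library/StartupItems/` or `/System/Library/StartupItems/`" should use a colon rather than a full stop so the two paths read as the list the sentence introduces.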
@ -22,11 +22,11 @@ Check the [**original report here**](https://www.mdsec.co.uk/2018/08/escaping-th
### Word Sandbox bypass via Login Items and zip
(Remember that from the first escape, Word can write arbitrary files whose name start with `~$`).
(Remember that from the first escape, Word can write arbitrary files whose name start with `~$` although after the patch of the previous vuln it wasn't possible to write in `/Library/Application Scripts` or in `/Library/LaunchAgents`).
It was discovered that from within the sandbox it's possible to create a **Login Item** (apps that will be executed when the user logs in). However, these apps **won't execute unless** they are **notarized** and it's **not possible to add args** (so you cannot just run a reverse shell using **`bash`**).
From the previous Sandbox bypass, Microsoft disabled the option to write files in `~/Library/LaunchAgents`. However, it was discovered that if you put a **zip file as a Login Item** the `Archive Utility` will just **unzip** it on its current location. So, because by default the folder `LaunchAgents` from `~/Library` is not created, it was possible to **zip a plist in `LaunchAgents/~$escape.plist`** and **place** the zip file in **`~/Library`** so when decompress it will reach the persitence destination.
From the previous Sandbox bypass, Microsoft disabled the option to write files in `~/Library/LaunchAgents`. However, it was discovered that if you put a **zip file as a Login Item** the `Archive Utility` will just **unzip** it on its current location. So, because by default the folder `LaunchAgents` from `~/Library` is not created, it was possible to **zip a plist in `LaunchAgents/~$escape.plist`** and **place** the zip file in **`~/Library`** so when decompress it will reach the persistence destination.
Check the [**original report here**](https://objective-see.org/blog/blog\_0x4B.html).
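Review bot: the rewritten parenthetical is inconsistent with the paragraph that follows it: it says the patch stopped writes to `/Library/Application Scripts` and `/Library/LaunchAgents` (system-wide paths), while the next paragraph says Microsoft disabled writing to `~/Library/LaunchAgents` (the user's folder). Confirm which path the patch covered and use the same one in both places, since the whole technique hinges on the user-level `~/Library/LaunchAgents` not existing by default. Also, "so when decompress it will reach the persistence destination" should read "so that, when decompressed, it lands in the persistence location".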
@ -36,7 +36,7 @@ Check the [**original report here**](https://objective-see.org/blog/blog\_0x4B.h
However, the previous technique had a limitation, if the folder **`~/Library/LaunchAgents`** exists because some other software created it, it would fail. So a different Login Items chain was discovered for this.
An attacker could crate the the files **`.bash_profile`** and **`.zshenv`** with the payload to execute and then zip them and **write the zip in the victims** user folder: \~/\~$escape.zip.
An attacker could create the the files **`.bash_profile`** and **`.zshenv`** with the payload to execute and then zip them and **write the zip in the victims** user folder: **`~/~$escape.zip`**.
Then, add the zip file to the **Login Items** and then the **`Terminal`** app. When the user relogins, the zip file would be uncompressed in the users file, overwriting **`.bash_profile`** and **`.zshenv`** and therefore, the terminal will execute one of these files (depending if bash or zsh is used).
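Review bot: the fix corrects "crate" but leaves "the the files" in the same line, and "the victims user folder" should be "the victim's user folder". In the last paragraph, "uncompressed in the users file" should be "uncompressed in the user's home folder", "relogins" should be "logs in again", and "add the zip file to the **Login Items** and then the **`Terminal`** app" would be clearer as "add the zip file and then the **`Terminal`** app as **Login Items**", making explicit that the Terminal entry is what starts the shell that sources the overwritten `.bash_profile` or `.zshenv`.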