GITBOOK-4125: change request with no subject merged in GitBook
This commit is contained in:
parent
feebc0c63d
commit
c383ffed62
|
@ -79,6 +79,8 @@ However, at the moment there are 2 limitations:
|
|||
Making this attack path more complicated (or impossible).
|
||||
{% endhint %}
|
||||
|
||||
Note that it's possible to bypass the requirement of **`kTCCServiceSystemPolicyAppBundles`** by copying the application to another directory (like **`/tmp`**), renaming the folder **`app.app/Contents`** to **`app.app/NotCon`**, **modifying** the **asar** file with your **malicious** code, renaming it back to **`app.app/Contents`** and executing it.
|
||||
|
||||
## RCE with `ELECTRON_RUN_AS_NODE` <a href="#electron_run_as_node" id="electron_run_as_node"></a>
|
||||
|
||||
According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process.
|
||||
|
|
|
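Review bot: The added note on bypassing `kTCCServiceSystemPolicyAppBundles` (the "copy to `/tmp`, rename `app.app/Contents` to `app.app/NotCon`, edit the asar, rename back" line) never says why the rename defeats the check or what the attacker gains once the copy runs; a reader cannot tell whether the `/tmp` copy keeps any TCC grants of the original or whether the modified asar still passes whatever integrity check the app performs. Suggest one sentence stating the assumption behind the trick (presumably that the App Bundles protection is applied to the `Contents` directory of a `.app`, so a differently named directory is not covered) and one stating that the copy only runs with the permissions the user grants it, then tie the note back to the "2 limitations" listed in the hunk context above it.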
@ -22,19 +22,6 @@ More information in:
|
|||
[macos-gatekeeper.md](macos-gatekeeper.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## MRT - Malware Removal Tool
|
||||
|
||||
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
|
||||
|
||||
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
|
||||
|
||||
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
|
||||
|
||||
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
|
||||
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
|
||||
|
||||
The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`**
|
||||
|
||||
## Processes Limitants
|
||||
|
||||
### SIP - System Integrity Protection
|
||||
|
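Review bot: The removal of the MRT section here (`## MRT - Malware Removal Tool` through the `/Library/Apple/System/Library/CoreServices/MRT.app` line) should be described in the commit message as a move, since the identical text is re-added later in this commit under Launch Constraints; an empty subject ("change request with no subject") hides that and makes the diff look like a deletion. Also, the context heading `## Processes Limitants` is not English; `## Process Limitations` reads correctly and matches the SIP and sandbox subsections it groups.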
@ -59,13 +46,7 @@ MacOS Sandbox **limits applications** running inside the sandbox to the **allowe
|
|||
[macos-tcc](macos-tcc/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Trust Cache
|
||||
|
||||
The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**.
|
||||
|
||||
When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted.
|
||||
|
||||
## Launch Constraints
|
||||
### Launch Constraints
|
||||
|
||||
It controls **from where and what** can launch an **Apple signed binary**:
|
||||
|
||||
|
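Review bot: The Trust Cache section removed here (`## Trust Cache` through the paragraph on checking the AMFI trust cache) reappears verbatim at the end of the `+67,52` hunk, so this is a move as well and belongs in the commit message. The change from `## Launch Constraints` to `### Launch Constraints` is consistent with nesting it under the SIP/sandbox parent, but the lead sentence `It controls **from where and what** can launch an **Apple signed binary**:` has no subject for `It`; name the mechanism ("Launch constraints control ...") so the demoted section still reads on its own.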
@ -86,6 +67,52 @@ Then, you could use a script such as [**this one**](https://gist.github.com/xpn/
|
|||
|
||||
From that data you can check the Apps with a **launch constraints value of `0`** , which are the ones that aren't constrained ([**check here**](https://gist.github.com/LinusHenze/4cd5d7ef057a144cda7234e2c247c056) for what each value is).
|
||||
|
||||
## MRT - Malware Removal Tool
|
||||
|
||||
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
|
||||
|
||||
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
|
||||
|
||||
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
|
||||
|
||||
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
|
||||
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
|
||||
|
||||
The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`**
|
||||
|
||||
## Background Tasks Management
|
||||
|
||||
**macOS** now **alerts** every time a tool uses a well known **technique to persist code execution** (such as Login Items, Daemons...), so the user knows better **which software is persisting**.
|
||||
|
||||
It's possible to **enumerate all** the configured background items running the Apple cli tool:
|
||||
|
||||
```bash
|
||||
# The tool will always ask for the users password
|
||||
sfltool dumpbtm
|
||||
```
|
||||
|
||||
Moreover, it's also possible to list this information with [**DumpBTM**](https://github.com/objective-see/DumpBTM).
|
||||
|
||||
```bash
|
||||
# You need to grant the Terminal Full Disk Access for this to work
|
||||
chmod +x dumpBTM
|
||||
xattr -rc dumpBTM # Remove quarantine attr
|
||||
./dumpBTM
|
||||
```
|
||||
|
||||
This information is being stored in **`/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v4.btm`** and the Terminal needs FDA.
|
||||
|
||||
You can find more information:
|
||||
|
||||
* [https://www.patreon.com/posts/new-developer-77420730?l=fr](https://www.patreon.com/posts/new-developer-77420730?l=fr)
|
||||
* [https://support.apple.com/en-gb/guide/deployment/depdca572563/web](https://support.apple.com/en-gb/guide/deployment/depdca572563/web)
|
||||
|
||||
## Trust Cache
|
||||
|
||||
The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**.
|
||||
|
||||
When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
|
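Review bot: `sfltool dumpbtm` in the Background Tasks Management block has to run as root; the comment `# The tool will always ask for the users password` should say the command is run with `sudo` and that the prompt is sudo's, otherwise readers will run it unprivileged and get no output. The FDA requirement is stated twice (`# You need to grant the Terminal Full Disk Access for this to work` and `the Terminal needs FDA` after the `.btm` path); keep one. `**macOS** now **alerts**` should name the macOS version that introduced the alerts, since the page is version-sensitive everywhere else. In the moved Trust Cache paragraph the bold marker is misplaced in `to v**erify the integrity` (should be `to **verify the integrity`), and the paragraph only states the allow path; add what happens when the hash is not in the cache so the reader knows the cache is one input to the AMFI decision, not the whole of it.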
@ -319,6 +319,12 @@ python3 -m http.server
|
|||
|
||||
Check the [**original report**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) for more information.
|
||||
|
||||
## [2023-27943](https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/)
|
||||
|
||||
It was discovered that **Google Chrome wasn't setting the quarantine attribute** to downloaded files because of some macOS internal problems.
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
|
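Review bot: The new heading `## [2023-27943](...)` drops the `CVE-` prefix that the linked F-Secure post and the TCC page's `## CVE-2023-38571` heading both use; make it `## CVE-2023-27943`. The one-line body, `because of some macOS internal problems`, states no mechanism; either summarise from the linked post which API path left `com.apple.quarantine` unset, or say only that Chrome downloads lacked the attribute and point at the report, as the entry above does with `Check the original report`.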
@ -36,7 +36,7 @@ ps -ef | grep tcc
|
|||
|
||||
Permissions are **inherited from the parent** application and the **permissions** are **tracked** based on the **Bundle ID** and the **Developer ID**.
|
||||
|
||||
### TCC DatabaseS
|
||||
### TCC Databases
|
||||
|
||||
The selections is then stored in the TCC system-wide database in **`/Library/Application Support/com.apple.TCC/TCC.db`** or in **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** for per-user preferences. The databases are **protected from editing with SIP**(System Integrity Protection), but you can read them.
|
||||
|
||||
|
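Review bot: The `### TCC DatabaseS` to `### TCC Databases` fix is correct; the context sentence right below it, `The selections is then stored in the TCC system-wide database`, has the same subject/verb problem and should read `The selection is then stored`. Since this hunk only touches the heading, fixing the sentence in the same pass is cheap and the two lines are adjacent.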
@ -135,6 +135,12 @@ tccutil reset All app.some.id
|
|||
tccutil reset All
|
||||
```
|
||||
|
||||
### Privesc from User TCC DB to FDA
|
||||
|
||||
Obtaining **write permissions** over the **user TCC** database you **can'**t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
|
||||
|
||||
But you can **can** give yourself **`Automation rights to Finder`, and since `Finder` has `FDA`, so do you.**
|
||||
|
||||
### TCC Signature Checks
|
||||
|
||||
The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one.
|
||||
|
|
|
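Review bot: `But you can **can** give yourself` repeats `can`, and `you **can'**t grant` puts the bold boundary inside the word (should be `**can't**`). On substance, the new `### Privesc from User TCC DB to FDA` section says to give yourself `Automation rights to Finder` but not which TCC service row that is, nor that the inherited FDA is only usable by driving Finder through Apple Events rather than by the caller reading protected paths directly; one sentence naming the service and the resulting access path would let a reader act on it.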
@ -157,6 +157,15 @@ The binary `/usr/libexec/lsd` with the library `libsecurity_translocate` had the
|
|||
|
||||
It was possible to add the quarantine attribute to "Library", call the **`com.apple.security.translocation`** XPC service and then it would map Library to **`$TMPDIR/AppTranslocation/d/d/Library`** where all the documents inside Library could be **accessed**.
|
||||
|
||||
## CVE-2023-38571 - Music & TV <a href="#cve-2023-38571-a-macos-tcc-bypass-in-music-and-tv" id="cve-2023-38571-a-macos-tcc-bypass-in-music-and-tv"></a>
|
||||
|
||||
**`Music`** has an interesting feature: When it's running, it will **import** the files dropped to **`~/Music/Music/Media.localized/Automatically Add to Music.localized`** into the user's "media library". Moreover, it calls something like: **`rename(a, b);`** where `a` and `b` are:
|
||||
|
||||
* `a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"`
|
||||
* `b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3`
|
||||
|
||||
This **`rename(a, b);`** bevabiour is vulnerable to a **Race Condition**, as it's possible to put inside the `Automatically Add to Music.localized` folder a fake **TCC.db** file and then when the new forder(b) is created to copy the file, delete it, and point it to **`~/Library/Application Support/com.apple.TCC`**/.
|
||||
|
||||
### SQL Tracing
|
||||
|
||||
If the environment variable **`SQLITE_AUTO_TRACE`** is set, the library **`libsqlite3.dylib`** will start **logging** all the SQL queries. Many applications used this library, so it was possible to log all their SQLite queries.
|
||||
|
|
|
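Review bot: The race description under `## CVE-2023-38571 - Music & TV` is hard to follow: `when the new forder(b) is created to copy the file, delete it, and point it to ~/Library/Application Support/com.apple.TCC/` should spell out that the timestamped `Not Added.localized/<date>` directory is replaced with a symlink to the TCC directory between its creation and the `rename(a, b)`, so the planted `TCC.db` lands there. Also fix `bevabiour` to `behaviour`, `forder` to `folder`, and the unterminated backtick on the `b = "~/Music/...` bullet. In `### SQL Tracing`, the text says `SQLITE_AUTO_TRACE` makes `libsqlite3.dylib` log queries from many applications but not which TCC-relevant process or data this exposed; name it, or the subsection does not belong on a TCC bypass page.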
@ -87,6 +87,15 @@ If _/path_ is blocked:
|
|||
* {"user\_id":"\<legit\_id>","user\_id":"\<victims\_id>"} (JSON Parameter Pollution)
|
||||
* user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameter Pollution)
|
||||
|
||||
## **Parameter Manipulation**
|
||||
|
||||
* Change **param value**: From **`id=123` --> `id=124`**
|
||||
* Add additional parameters to the URL: `?`**`id=124` —-> `id=124&isAdmin=true`**
|
||||
* Remove the parameters
|
||||
* Re-order parameters
|
||||
* Use special characters.
|
||||
* Perform boundary testing in the parameters — provide values like _-234_ or _0_ or _99999999_ (just some example values).
|
||||
|
||||
## **Protocol version**
|
||||
|
||||
If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.
|
||||
|
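Review bot: The arrow in `id=124` `—->` `id=124&isAdmin=true` mixes an em-dash with a hyphen while the previous bullet uses `-->`; use one form. `Use special characters.` and `Re-order parameters` give the reader nothing to try; add an example for each (which characters, and what a re-ordering is expected to influence), as the boundary-testing bullet already does with `-234`, `0` and `99999999`.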
@ -104,7 +113,6 @@ If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.
|
|||
* [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#http-brute)**:** Try basic, digest and NTLM auth.
|
||||
|
||||
{% code title="Common creds" %}
|
||||
````
|
||||
```
|
||||
admin admin
|
||||
admin password
|
||||
|
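Review bot: The `{% code title="Common creds" %}` block opens a four-backtick fence and then a three-backtick fence, so the inner backticks render as content; the blank-line removal in this hunk keeps that nesting. Use a single fence (the four-backtick one alone, or only the three-backtick one) so `admin admin` is the first line of the block.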
@ -115,7 +123,6 @@ root toor
|
|||
test test
|
||||
guest guest
|
||||
```
|
||||
````
|
||||
{% endcode %}
|
||||
|
||||
## Automatic Tools
|
||||
|
|
|
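Review bot: Same fence issue at the end of the creds block: the inner ``` followed by the outer ```` mirrors the double opening, so whichever fence is kept at the top must be the only one closed here, directly before `{% endcode %}`; otherwise the block either swallows `{% endcode %}` or prints a stray line of backticks.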
@ -17,7 +17,7 @@
|
|||
WebSocket connections are initiated over **HTTP** and are typically **long-lived**. Messages can be sent in **either direction at any time** and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.\
|
||||
WebSockets are particularly useful in situations where **low-latency or server-initiated messages** are required, such as real-time feeds of financial data.
|
||||
|
||||
## How are WebSocket connections established?
|
||||
### How are WebSocket connections established?
|
||||
|
||||
(Here you will find a summary but a **more detailed guide about how a web socket connection** is created can be found [**here**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc)).\
|
||||
WebSocket connections are normally created using client-side JavaScript like the following:
|
||||
|
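Review bot: Demoting `## How are WebSocket connections established?` to `###` matches the other heading changes in this file. While here, the parenthetical `(Here you will find a summary but a more detailed guide ... can be found here).` reads better as a short sentence after the JavaScript snippet it introduces, and the trailing `\` on the lines before `WebSockets are particularly useful` and `WebSocket connections are normally created` are GitBook hard line breaks; confirm those breaks are intended rather than leftover wrapping.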
@ -64,7 +64,7 @@ The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors
|
|||
|
||||
### Linux console
|
||||
|
||||
You can use `websocat` to stablish a raw connection with a websocket.
|
||||
You can use `websocat` to establish a raw connection with a websocket.
|
||||
|
||||
```bash
|
||||
websocat --insecure wss://10.10.10.10:8000 -v
|
||||
|
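Review bot: `stablish` to `establish` is correct. The context line quoted in the hunk header, `The Sec-WebSocket-Key header contains a random value to prevent errors`, misstates the purpose: the key is hashed and echoed back in `Sec-WebSocket-Accept` so the client can confirm the server understood the upgrade handshake, not to prevent errors; worth fixing in the same pass. Also `websocat --insecure wss://10.10.10.10:8000 -v` should say that `--insecure` skips TLS certificate verification, which is why it is needed against a self-signed target and why it must not be used against anything you care about trusting.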
@ -76,7 +76,7 @@ Or to create a websocat server:
|
|||
websocat -s 0.0.0.0:8000 #Listen in port 8000
|
||||
```
|
||||
|
||||
## MitM websocket connections
|
||||
### MitM websocket connections
|
||||
|
||||
If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)to perform a MitM attack between the client and the server.\
|
||||
Once the client is trying to connect to you can then use:
|
||||
|
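Review bot: `Once the client is trying to connect to you can then use:` is missing its object (`connect to you, you can then use:`). `connected to a **HTTP websocket**` should say an unencrypted `ws://` endpoint, since the ARP-spoofing MitM only yields plaintext there; in the websocat line below, `ws-listen:0.0.0.0:8000` is what the spoofed client reaches and `wss://10.10.10.10:8000` is the real server, and saying so would keep the heading demotion from being the only change a reader notices.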
@ -85,13 +85,14 @@ Once the client is trying to connect to you can then use:
|
|||
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
|
||||
```
|
||||
|
||||
## Websockets enumeration
|
||||
### Websockets enumeration
|
||||
|
||||
You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically.
|
||||
|
||||
## Websocket Debug tools
|
||||
### Websocket Debug tools
|
||||
|
||||
* **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication.
|
||||
* The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** will allow you to manage better Websocket communications in Burp by getting the **history**, setting **interception rules**, using **match and replace** rules, using **Intruder** and **AutoRepeater.**
|
||||
* [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server.
|
||||
* [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication. 
|
||||
* [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
|
||||
|
|
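Review bot: The new `wsrepl` bullet ends in a non-breaking space after `communication.`; strip it. `it's a **web to communicate** with other webs using **websockets**` should read `a web page for talking to WebSocket servers`. The demotions of `## Websockets enumeration` and `## Websocket Debug tools` to `###`, together with the earlier demotion of `## How are WebSocket connections established?`, leave no `##` heading visible in this diff; confirm the file still has a `##` parent these sections nest under.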