From c383ffed62273087582e577eed4b9ffdae9c886e Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 15 Oct 2023 15:23:24 +0000 Subject: [PATCH] GITBOOK-4125: change request with no subject merged in GitBook --- .../macos-electron-applications-injection.md | 2 + .../macos-security-protections/README.md | 67 +++++++++++++------ .../macos-gatekeeper.md | 6 ++ .../macos-tcc/README.md | 8 ++- .../macos-tcc/macos-tcc-bypasses/README.md | 9 +++ .../pentesting-web/403-and-401-bypasses.md | 11 ++- pentesting-web/websocket-attacks.md | 11 +-- 7 files changed, 86 insertions(+), 28 deletions(-) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md index 3a44d892..c26f0a04 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md @@ -79,6 +79,8 @@ However, at the moment there are 2 limitations: Making this attack path more complicated (or impossible). {% endhint %} +Note that it's possible to bypass the requirement of **`kTCCServiceSystemPolicyAppBundles`** by copying the application to another directory (like **`/tmp`**), renaming the folder **`app.app/Contents`** to **`app.app/NotCon`**, **modifying** the **asar** file with your **malicious** code, renaming it back to **`app.app/Contents`** and executing it. + ## RCE with `ELECTRON_RUN_AS_NODE` According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process. 
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md index 141a85c2..98066d82 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md @@ -22,19 +22,6 @@ More information in: [macos-gatekeeper.md](macos-gatekeeper.md) {% endcontent-ref %} -## MRT - Malware Removal Tool - -The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**. - -Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary). - -While both XProtect and MRT are part of macOS's security measures, they perform different functions: - -* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place. -* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system. - -The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`** - ## Processes Limitants ### SIP - System Integrity Protection 
@@ -59,13 +46,7 @@ MacOS Sandbox **limits applications** running inside the sandbox to the **allowe [macos-tcc](macos-tcc/) {% endcontent-ref %} -## Trust Cache - -The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**. - -When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted. - -## Launch Constraints +### Launch Constraints It controls **from where and what** can launch an **Apple signed binary**: 
@@ -86,6 +67,52 @@ Then, you could use a script such as [**this one**](https://gist.github.com/xpn/ From that data you can check the Apps with a **launch constraints value of `0`** , which are the ones that aren't constrained ([**check here**](https://gist.github.com/LinusHenze/4cd5d7ef057a144cda7234e2c247c056) for what each value is). +## MRT - Malware Removal Tool + +The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**. + +Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary). + +While both XProtect and MRT are part of macOS's security measures, they perform different functions: + +* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place. +* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system. + +The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`** + +## Background Tasks Management + +**macOS** now **alerts** every time a tool uses a well known **technique to persist code execution** (such as Login Items, Daemons...), so the user knows better **which software is persisting**. 
+ +It's possible to **enumerate all** the configured background items running the Apple cli tool: + +```bash +# The tool will always ask for the users password +sfltool dumpbtm +``` + +Moreover, it's also possible to list this information with [**DumpBTM**](https://github.com/objective-see/DumpBTM). + +```bash +# You need to grant the Terminal Full Disk Access for this to work +chmod +x dumpBTM +xattr -rc dumpBTM # Remove quarantine attr +./dumpBTM +``` + +This information is being stored in **`/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v4.btm`** and the Terminal needs FDA. + +You can find more information: + +* [https://www.patreon.com/posts/new-developer-77420730?l=fr](https://www.patreon.com/posts/new-developer-77420730?l=fr) +* [https://support.apple.com/en-gb/guide/deployment/depdca572563/web](https://support.apple.com/en-gb/guide/deployment/depdca572563/web) + +## Trust Cache + +The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**. + +When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted. +
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md index cfa82e31..abd83c16 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md @@ -319,6 +319,12 @@ python3 -m http.server Check the [**original report**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) for more information. +## [2023-27943](https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/) + +It was discovered that **Google Chrome wasn't setting the quarantine attribute** to downloaded files because of some macOS internal problems. + + +
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md index f05ff838..7b1b9f8c 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md @@ -36,7 +36,7 @@ ps -ef | grep tcc Permissions are **inherited from the parent** application and the **permissions** are **tracked** based on the **Bundle ID** and the **Developer ID**. -### TCC DatabaseS +### TCC Databases The selections is then stored in the TCC system-wide database in **`/Library/Application Support/com.apple.TCC/TCC.db`** or in **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** for per-user preferences. The databases are **protected from editing with SIP**(System Integrity Protection), but you can read them. @@ -135,6 +135,12 @@ tccutil reset All app.some.id tccutil reset All ``` +### Privesc from User TCC DB to FDA + +Obtaining **write permissions** over the **user TCC** database you **can'**t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that. + +But you can **can** give yourself **`Automation rights to Finder`, and since `Finder` has `FDA`, so do you.** + ### TCC Signature Checks The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one. 
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md index 010582ed..613433cb 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md 
@@ -157,6 +157,15 @@ The binary `/usr/libexec/lsd` with the library `libsecurity_translocate` had the It was possible to add the quarantine attribute to "Library", call the **`com.apple.security.translocation`** XPC service and then it would map Library to **`$TMPDIR/AppTranslocation/d/d/Library`** where all the documents inside Library could be **accessed**. +## CVE-2023-38571 - Music & TV + +**`Music`** has an interesting feature: When it's running, it will **import** the files dropped to **`~/Music/Music/Media.localized/Automatically Add to Music.localized`** into the user's "media library". Moreover, it calls something like: **`rename(a, b);`** where `a` and `b` are: + +* `a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"` +* `b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3` + +This **`rename(a, b);`** bevabiour is vulnerable to a **Race Condition**, as it's possible to put inside the `Automatically Add to Music.localized` folder a fake **TCC.db** file and then when the new forder(b) is created to copy the file, delete it, and point it to **`~/Library/Application Support/com.apple.TCC`**/. + ### SQL Tracing If the environment variable **`SQLITE_AUTO_TRACE`** is set, the library **`libsqlite3.dylib`** will start **logging** all the SQL queries. Many applications used this library, so it was possible to log all their SQLite queries. diff --git a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md index 612c5437..8686e75f 100644 --- a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md +++ b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md 
@@ -87,6 +87,15 @@ If _/path_ is blocked: * {"user\_id":"\","user\_id":"\"} (JSON Parameter Pollution) * user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameter Pollution) +## **Parameter Manipulation** + +* Change **param value**: From **`id=123` --> `id=124`** +* Add additional parameters to the URL: `?`**`id=124` —-> `id=124&isAdmin=true`** +* Remove the parameters +* Re-order parameters +* Use special characters. +* Perform boundary testing in the parameters — provide values like _-234_ or _0_ or _99999999_ (just some example values). + ## **Protocol version** If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**. @@ -104,7 +113,6 @@ If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**. * [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#http-brute)**:** Try basic, digest and NTLM auth. {% code title="Common creds" %} -```` ``` admin admin admin password @@ -115,7 +123,6 @@ root toor test test guest guest ``` -```` {% endcode %} ## Automatic Tools diff --git a/pentesting-web/websocket-attacks.md b/pentesting-web/websocket-attacks.md index c1f2ced8..a34f47de 100644 --- a/pentesting-web/websocket-attacks.md +++ b/pentesting-web/websocket-attacks.md 
@@ -17,7 +17,7 @@ WebSocket connections are initiated over **HTTP** and are typically **long-lived**. Messages can be sent in **either direction at any time** and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.\ WebSockets are particularly useful in situations where **low-latency or server-initiated messages** are required, such as real-time feeds of financial data. -## How are WebSocket connections established? +### How are WebSocket connections established? (Here you will find a summary but a **more detailed guide about how a web socket connection** is created can be found [**here**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc)).\ WebSocket connections are normally created using client-side JavaScript like the following: @@ -64,7 +64,7 @@ The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors ### Linux console -You can use `websocat` to stablish a raw connection with a websocket. +You can use `websocat` to establish a raw connection with a websocket. ```bash websocat --insecure wss://10.10.10.10:8000 -v @@ -76,7 +76,7 @@ Or to create a websocat server: websocat -s 0.0.0.0:8000 #Listen in port 8000 ``` -## MitM websocket connections +### MitM websocket connections If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)to perform a MitM attack between the client and the server.\ Once the client is trying to connect to you can then use: 
@@ -85,13 +85,14 @@ Once the client is trying to connect to you can then use: websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v ``` -## Websockets enumeration +### Websockets enumeration You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically. -## Websocket Debug tools +### Websocket Debug tools * **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication. + * The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** will allow you to manage better Websocket communications in Burp by getting the **history**, setting **interception rules**, using **match and replace** rules, using **Intruder** and **AutoRepeater.** * [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server. * [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication. * [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
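Review bot: the added note in macos-electron-applications-injection.md states the `kTCCServiceSystemPolicyAppBundles` bypass as a recipe without saying why the intermediate rename is needed or what still has to hold for it to work. Say explicitly why `app.app/Contents` has to be renamed before the asar is edited (the copy in `/tmp` is evidently still protected, presumably because the check keys on the bundle layout) and whether the modified copy still launches once the bundle's code signature no longer matches the edited asar; without that a reader cannot tell when the step applies. Also mark `NotCon` as an arbitrary name rather than something special.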
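Review bot: in the second hunk of macos-security-protections/README.md, `## Launch Constraints` is demoted to `###` and so lands under the existing `## Processes Limitants` heading; that parent heading is ungrammatical ("Process Limitations" or "Process Restrictions"), and since this change is what moves a section under it, it is the place to fix it. The hunk also deletes Trust Cache here only to re-add it verbatim later in the file; moving a section should be a pure move, but if the text is being touched anyway the stray bold marker in "to v**erify the integrity and authenticity of the software**" (which the re-added copy still carries) should be repaired to "to **verify the integrity and authenticity of the software**".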
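Review bot: the new Background Tasks Management section in macos-security-protections/README.md states its prerequisites three times and inconsistently: the `sfltool dumpbtm` comment says the tool asks for the "users password", the DumpBTM block says Terminal needs Full Disk Access, and the sentence after the block repeats that Terminal needs FDA. Say once which prerequisite applies to which tool (password prompt for `sfltool`, FDA for reading `BackgroundItems-v4.btm` directly), fix `users password` to `user's password`, and name the macOS version in which Background Task Management first appears, since the opening sentence only says "now", which will not age. In the moved Trust Cache text, the paragraph says what happens when a hash is found in the cache but not what happens when it is not; since this hunk re-adds those lines, add that sentence rather than leaving the mechanism half described.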
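Review bot: the new heading in macos-gatekeeper.md reads `## [2023-27943](...)` while the linked post is about CVE-2023-27943; prefix it with `CVE-` so the heading matches the identifier in the URL. The one-sentence body ("because of some macOS internal problems") does not say what the missing attribute buys an attacker; state that a file downloaded through Chrome therefore carried no quarantine flag and so was never checked by Gatekeeper on first launch, and mention whether the issue was fixed on the Chrome or the macOS side, since the sentence blames macOS but names Chrome. Drop the two empty lines added before the footer.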
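Review bot: the new "Privesc from User TCC DB to FDA" section in macos-tcc/README.md has a doubled word ("you can **can** give yourself") and its first sentence lacks a subject; rewrite it as "With write access to the user TCC database you cannot grant yourself FDA, because that entry lives only in the system database; you can, however, grant yourself Automation rights over Finder, and since Finder has FDA, so do you." The section should also show the actual row that is written (TCC service name, client and target values): the surrounding `tccutil reset` context lines show how to clear entries, but nothing in this hunk shows how to insert one, which is the whole point of the section.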
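Review bot: the race in the new CVE-2023-38571 section of macos-tcc-bypasses/README.md is described incompletely. The paragraph says to place a fake `TCC.db`, "delete it, and point it to `~/Library/Application Support/com.apple.TCC`/" but never says what gets replaced (presumably the dated `Not Added.localized/<timestamp>` directory swapped for a symlink) or when (between Music creating that directory and the `rename(a, b)` call), so the reader cannot see why the rename ends up dropping the planted `TCC.db` into the TCC folder; spell that out in order. Also fix `bevabiour` and `forder`, close the unbalanced backtick on the `b = "..."` bullet, make the heading `###` like the neighbouring `### SQL Tracing`, and either describe the TV app behaviour the heading "Music & TV" promises or drop "& TV".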
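Review bot: in the new Parameter Manipulation list in 403-and-401-bypasses.md the arrows are inconsistent (`-->` in the first bullet, `—->` in the second) and the bold spans cut across them, which renders oddly; use one plain arrow inside a single code span per bullet. "Use special characters." says nothing on its own; name the characters meant or drop the bullet. The bullets just above already cover parameter pollution, so the new list should say what distinguishes it (authorization keyed on the parameter value, i.e. IDOR-style checks, rather than path-based blocking) instead of reading as a second copy of the same idea. Removing the stray ```` lines around the "Common creds" block in the later hunk is correct.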
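Review bot: the blank line inserted before the socketsleuth bullet in websocket-attacks.md makes the debug-tools list loose, so every bullet renders with paragraph spacing for no reason; remove the empty `+` line and keep the new bullet directly under the Burp Suite one. Reword "will allow you to manage better Websocket communications in Burp" to "lets you manage WebSocket traffic in Burp better" and use the "WebSocket" capitalisation the other bullets use. The heading demotions to `###` and the `stablish` to `establish` fix are fine.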