mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GITBOOK-4075: change request with no subject merged in GitBook
This commit is contained in:
parent
51bcb61305
commit
c7997fc427
@ -63,6 +63,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
* **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/)
### MacOS MDM
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
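Review bot: the new intro sentence has grammar problems that should be fixed before merging: "highly probably going to be" reads as "very likely to be", "from the perspective of an attacker is interesting to know" lacks a subject ("from an attacker's perspective it is interesting to know"), and "a MDM" should be "an MDM". The heading `### MacOS MDM` also spells the OS differently from the `macOS` used everywhere else on the page; use `### macOS MDM`. The sentence ends with a colon, so it presumably introduces a content-ref link to the MDM page that is not visible in this hunk; confirm that link is actually present below it.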
@ -19,7 +19,7 @@ APFS, or Apple File System, is a modern file system developed by Apple Inc. that
Some notable features of APFS include:
1. **Space Sharing**: APFS allows multiple volumes to **share the same underlying free storage** on a single physical device. This enables more efficient space utilization as the volumes can dynamically grow and shrink without the need for manual resizing or repartitioning.
1. This means, compared with traditional partitions in file disks, t**hat in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
1. This means, compared with traditional partitions in file disks, **that in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
2. **Snapshots**: APFS supports **creating snapshots**, which are **read-only**, point-in-time instances of the file system. Snapshots enable efficient backups and easy system rollbacks, as they consume minimal additional storage and can be quickly created or reverted.
3. **Clones**: APFS can **create file or directory clones that share the same storage** as the original until either the clone or the original file is modified. This feature provides an efficient way to create copies of files or directories without duplicating the storage space.
4. **Encryption**: APFS **natively supports full-disk encryption** as well as per-file and per-directory encryption, enhancing data security across different use cases.
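Review bot: moving the bold marker from `t**hat` to `**that` in the nested item is correct, but the same sentence keeps two grammar errors that should go in this change: "different partitions (volumes) shares all the disk space" should be "share", and "a regular partition usually had a fixed size" should be "has". "compared with traditional partitions in file disks" is also unclear; "compared with traditional disk partitions" says the same thing.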
@ -82,6 +82,20 @@ Basically, a bundle is a **directory structure** within the file system. Interes
[macos-bundles.md](macos-bundles.md)
{% endcontent-ref %}
## Dyld Shared Cache
On macOS (and iOS) all system shared libraries, like frameworks and dylibs, are **combined into a single file**, called the **dyld shared cache**. This improved performance, since code can be loaded faster.
Similar to the dyld shared cache, the kernel and the kernel extensions are also compiled into a kernel cache, which is loaded at boot time.
In order to extract the libraries from the single file dylib shared cache it was possible to use the binary [dyld\_shared\_cache\_util](https://www.mbsplugins.de/files/dyld\_shared\_cache\_util-dyld-733.8.zip) which migh not be working nowadays:
{% code overflow="wrap" %}
```bash
dyld_shared_cache_util -extract ~/shared_cache/ /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
```
{% endcode %}
## Special File Permissions
### Folder permissions
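Review bot: typo in the extraction paragraph, "migh not be working" should be "might not work"; also "This improved performance" should be present tense ("This improves performance") and "the single file dylib shared cache" should read "the dyld shared cache". The tool link is a third-party zip of a prebuilt binary (the file name references dyld-733.8); since the text already warns it may not work on current systems, tell the reader that `dyld_shared_cache_util` is built from Apple's open-source dyld project so they can build a version matching their OS instead of trusting an old binary. The path in the ```bash block is the `dyld_shared_cache_arm64e` file, so say in the text that this is the Apple-silicon cache and Intel readers need the x86_64 equivalent.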
@ -24,17 +24,11 @@ The types of resources contained within a bundle may consist of applications, li
ls -lR /Applications/Safari.app/Contents
```
* `Contents/_CodeSignature`
Contains **code-signing information** about the application (i.e., hashes, etc.).
* `Contents/MacOS`
Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources`
Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist`\
The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* `Contents/_CodeSignature` -> Contains **code-signing information** about the application (i.e., hashes, etc.).
* `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64`
* `Contents/MacOS` -> Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources` -> Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist` -> The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html)
* Pairs that may be of interest when analyzing an application include:\\
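Review bot: the bullet `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64` is inserted between `Contents/_CodeSignature` and `Contents/MacOS` at the same list level and with no explanation, so it reads as another bundle component; either make it a sub-bullet of `Contents/_CodeSignature` with a sentence saying what it shows (presumably how the hash of a resource recorded in the code-signing data is computed) or drop it. Wording in the rewritten list: "Plist files contains" should be "contain", "You can find find" has a duplicated word, "the meaning of they plist keys" should be "the plist keys", and the item ending `include:\\` has a stray trailing backslash.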
@ -26,7 +26,7 @@ The protection rules for these directories and their subdirectories are specifie
For instance, the following configuration:
```javascript
javascriptCopy code/usr
/usr
* /usr/libexec/cups
* /usr/local
* /usr/share/man
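Review bot: removing the `javascriptCopy code` prefix that leaked in from a copy button is right, but the fence is still tagged ```javascript for what is a plain list of paths; change it to an untagged fence (or ```text) so the highlighter does not colour `/usr` and the `*` lines as JavaScript.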
@ -41,7 +41,7 @@ ls -lOd /usr/libexec/cups
drwxr-xr-x 11 root wheel sunlnk 352 May 13 00:29 /usr/libexec/cups
```
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself cannot be deleted, though files within it can be created, modified, or deleted.
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself **cannot be deleted**, though files within it can be created, modified, or deleted.
On the other hand:
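Review bot: only the bolding of "cannot be deleted" changes here, and the explanation matches the `sunlnk` flag shown in the `ls -lOd /usr/libexec/cups` output above; one precision a reader will want is that the flag also blocks renaming the directory, not only deleting it, so "cannot be deleted or renamed" would be more accurate.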
@ -147,31 +147,41 @@ The command **`diskutil apfs list`** lists the **details of the APFS volumes** a
| |
| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk3s1 (System)
| | Name: Macintosh HD (Case-insensitive)
| | Mount Point: /System/Volumes/Update/mnt1
| | Capacity Consumed: 12819210240 B (12.8 GB)
<strong>| | APFS Volume Disk (Role): disk3s1 (System)
</strong>| | Name: Macintosh HD (Case-insensitive)
<strong>| | Mount Point: /System/Volumes/Update/mnt1
</strong>| | Capacity Consumed: 12819210240 B (12.8 GB)
| | Sealed: Broken
| | FileVault: Yes (Unlocked)
| | Encrypted: No
| | |
| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61
| | Snapshot Disk: disk3s1s1
| | Snapshot Mount Point: /
<strong>| | Snapshot Sealed: Yes
<strong>| | Snapshot Mount Point: /
</strong><strong>| | Snapshot Sealed: Yes
</strong>[...]
+-> Volume disk3s5 281959B7-07A1-4940-BDDF-6419360F3327
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s5 (Data)
| Name: Macintosh HD - Data (Case-insensitive)
<strong> | Mount Point: /System/Volumes/Data
</strong><strong> | Capacity Consumed: 412071784448 B (412.1 GB)
</strong> | Sealed: No
| FileVault: Yes (Unlocked)
</code></pre>
In the previous output it's possible to see that **macOS System volume snapshot is sealed** (cryptographically signed by the OS). SO, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
In the previous output it's possible to see that **user-accessible locations** are mounted under `/System/Volumes/Data`.
It's also possible to verify that seal is enabled by running:
Moreover, **macOS System volume snapshot** is mounted in `/` and it's **sealed** (cryptographically signed by the OS). So, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
```
It's also possible to **verify that seal is enabled** by running:
```bash
csrutil authenticated-root status
Authenticated Root status: enabled
```
Moreover, it's mounted as **read-only**:
Moreover, the snapshot disk is also mounted as **read-only**:
```
mount
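Review bot: the rewritten explanation still leaves `Sealed: Broken` on the disk3s1 System volume unexplained right next to `Snapshot Sealed: Yes` for the snapshot mounted at `/`; since the paragraph says the OS will not boot if the sealed snapshot is modified, add one sentence making clear that the seal that matters is the snapshot's, otherwise a reader will take `Broken` on the live volume as a sign of tampering. Grammar: "if SIP is bypassed and modifies it" should be "if SIP is bypassed and the snapshot is modified". Replacing the untagged ``` fence around `csrutil authenticated-root status` with ```bash is fine; the `mount` block at the end is cut off in this view, so the "mounted as read-only" claim cannot be checked against its output here.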