diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png index 0ea2dbdc69b..e70bceed6fa 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png index e70bceed6fa..d798d9edcbc 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png index d798d9edcbc..1ec78aebd66 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png index 1ec78aebd66..020fb69e267 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png index 020fb69e267..e3657baf300 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png index e3657baf300..f95e8e4d567 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png index f95e8e4d567..9dcb86f817b 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png index 9dcb86f817b..f3314db22a0 100644 Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index f3314db22a0..7a07c334339 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 7a07c334339..b40c8ed4a61 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index b40c8ed4a61..5fa35d5f4dc 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/SUMMARY.md b/SUMMARY.md index 2a85d5d7c90..5d1d36615fe 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -189,6 +189,7 @@ * [macOS Default Sandbox Debug](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md) * [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md) * [macOS Office Sandbox Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md) + * [macOS Authorizations DB & Authd](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md) * [macOS SIP](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md) * [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md) * [macOS Apple Events](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md) @@ -196,7 +197,8 @@ * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md) * [macOS TCC Payloads](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md) * [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md) - * [macOS MACF](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md) + * [macOS - AMFI - AppleMobileFileIntegrity](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md) + * [macOS MACF - Mandatory Access Control Framework](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md) * [macOS Code Signing](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md) * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md) * [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md) diff --git a/binary-exploitation/libc-heap/README.md b/binary-exploitation/libc-heap/README.md index 41f74fdb7a5..11ad0f8d084 100644 --- a/binary-exploitation/libc-heap/README.md +++ b/binary-exploitation/libc-heap/README.md @@ -498,11 +498,11 @@ int main() { Debugging the previous example it's possible to see how at the beginning there is only 1 arena: -
+
Then, after calling the first thread, the one that calls malloc, a new arena is created: -
+
and inside of it some chunks can be found: diff --git a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md index 1fbbe9db986..15a95b9542e 100644 --- a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md +++ b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md @@ -41,7 +41,7 @@ This gadget basically allows to confirm that something interesting was executed This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**: -

https://www.scs.stanford.edu/brop/bittau-brop.pdf

+

https://www.scs.stanford.edu/brop/bittau-brop.pdf

These would be the gadgets: diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index 3c3cd6cb729..dd13a690526 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -731,7 +731,7 @@ There are several tools out there that will perform part of the proposed actions * All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 69cd060d0a0..c073c550004 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -151,7 +151,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve * [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md index 0818e17478b..b505ae375bf 100644 --- a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md +++ b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: </details> {% endhint %} -<figure><img src=
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -134,7 +134,7 @@ However, in this kind of containers these protections will usually exist, but yo You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE). -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md new file mode 100644 index 00000000000..22260ca49a4 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md @@ -0,0 +1,159 @@ +# macOS - AMFI - AppleMobileFileIntegrity + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + + + +## AppleMobileFileIntegrity.kext and amfid + +It focuses on enforcing the integrity of the code running on the system providing the logic behind XNU's code signature verification. It's also able to check entitlements and handle other sensitive tasks such as allowing debugging or obtaining task ports. + +Moreover, for some operations, the kext prefers to contact the user space running daemon `/usr/libexec/amfid`. This trust relationship has been abused in several jailbreaks. + +AMFI uses **MACF** policies and it registers its hooks the moment it's started. Also, preventing its loading or unloading it could trigger a kernel panic. However, there are some boot arguments that allow to debilitate AMFI: + +* `amfi_unrestricted_task_for_pid`: Allow task\_for\_pid to be allowed without required entitlements +* `amfi_allow_any_signature`: Allow any code signature +* `cs_enforcement_disable`: System-wide argument used to disable code signing enforcement +* `amfi_prevent_old_entitled_platform_binaries`: Void platform binaries with entitlements +* `amfi_get_out_of_my_way`: Disables amfi completely + +These are some of the MACF policies it registers: + +* **`cred_check_label_update_execve:`** Label update will be performed and return 1 +* **`cred_label_associate`**: Update AMFI's mac label slot with label +* **`cred_label_destroy`**: Remove AMFI’s mac label slot +* **`cred_label_init`**: Move 0 in AMFI's mac label slot +* **`cred_label_update_execve`:** It checks the entitlements of the process to see it should be allowed to modify the labels. +* **`file_check_mmap`:** It checks if mmap is acquiring memory and setting it as executable. In that case it check if library validation is needed and if so, it calls the library validation function. +* **`file_check_library_validation`**: Calls the library validation function which checks among other things if a platform binary is loading another platform binary or if the process and the new loaded file have the same TeamID. Certain entitlements will also allow to load any library. +* **`policy_initbsd`**: Sets up trusted NVRAM Keys +* **`policy_syscall`**: It checks DYLD policies like if the binary has unrestricted segments, if it should allow env vars... this is also called when a process is started via `amfi_check_dyld_policy_self()`. +* **`proc_check_inherit_ipc_ports`**: It checks if when a processes executes a new binary other processes with SEND rights over the task port of the process should keep them or not. Platform binaries are allowed, `get-task-allow` entitled allows it, `task_for_pid-allow` entitles are allowed and binaries with the same TeamID. +* **`proc_check_expose_task`**: enforce entitlements +* **`amfi_exc_action_check_exception_send`**: An exception message is sent to debugger +* **`amfi_exc_action_label_associate & amfi_exc_action_label_copy/populate & amfi_exc_action_label_destroy & amfi_exc_action_label_init & amfi_exc_action_label_update`**: Label lifecycle during exception handling (debugging) +* **`proc_check_get_task`**: Checks entitlements like `get-task-allow` which allows other processes to get the tasks port and `task_for_pid-allow`, which allow the process to get other processes tasks ports. If neither of those, it calls up to `amfid permitunrestricteddebugging` to check if it's allowed. +* **`proc_check_mprotect`**: Deny if `mprotect` is called with the flag `VM_PROT_TRUSTED` which indicates that the region must be treated as if it has a valid code signature. +* **`vnode_check_exec`**: Gets called when a executable files are loaded in memory and sets `cs_hard | cs_kill` which will kill the process if any of the pages becomes invalid +* **`vnode_check_getextattr`**: MacOS: Check `com.apple.root.installed` and `isVnodeQuarantined()` +* **`vnode_check_setextattr`**: As get + com.apple.private.allow-bless and internal-installer-equivalent entitlement +* **`vnode_check_signature`**: Code that calls XNU to check the code signature using entitlements, trust cache and `amfid` +* **`proc_check_run_cs_invalid`**: It intercepts `ptrace()` calls (`PT_ATTACH` and `PT_TRACE_ME`). It checks for any of the entitlements `get-task-allow`, `run-invalid-allow` and `run-unsigned-code` and if none, it checks if debugging is permitted. +* **`proc_check_map_anon`**: If mmap is called with the **`MAP_JIT`** flag, AMFI will checks for the `dynamic-codesigning` entitlement. + +`AMFI.kext` also exposes an API for other kernel extensions, and it's possible to find its dependencies with: + +```bash +kextstat | grep " 19 " | cut -c2-5,50- | cut -d '(' -f1 +Executing: /usr/bin/kmutil showloaded +No variant specified, falling back to release + 8 com.apple.kec.corecrypto + 19 com.apple.driver.AppleMobileFileIntegrity + 22 com.apple.security.sandbox + 24 com.apple.AppleSystemPolicy + 67 com.apple.iokit.IOUSBHostFamily + 70 com.apple.driver.AppleUSBTDM + 71 com.apple.driver.AppleSEPKeyStore + 74 com.apple.iokit.EndpointSecurity + 81 com.apple.iokit.IOUserEthernet + 101 com.apple.iokit.IO80211Family + 102 com.apple.driver.AppleBCMWLANCore + 118 com.apple.driver.AppleEmbeddedUSBHost + 134 com.apple.iokit.IOGPUFamily + 135 com.apple.AGXG13X + 137 com.apple.iokit.IOMobileGraphicsFamily + 138 com.apple.iokit.IOMobileGraphicsFamily-DCP + 162 com.apple.iokit.IONVMeFamily +``` + +## amfid + +This is the user mode running daemon that `AMFI.kext` will use to check for code signatures in user mode.\ +For `AMFI.kext` to communicate with the daemon it uses mach messages over the port `HOST_AMFID_PORT` which is the special port `18`. + +Note that in macOS it's no longer possible for root processes to hijack special ports as they are protected by `SIP` and only launchd can get them. In iOS it's checked that the process sending the response back has the CDHash hardcoded of `amfid`. + +It's possible to see when `amfid` is requested to check a binary and the response of it by debugging it and setting a breakpoint in `mach_msg`. + +Once a message is received via the special port **MIG** is used to send each function to the function it's calling. The main functions were reversed and explained inside the book. + +## Provisioning Profiles + +A provisioning profile can be used to sign code. There are **Developer** profiles that can be used to sign code and test it, and **Enterprise** profiles which can be used in all devices. + +After an App is submitted to the Apple Store, if approved, it's signed by Apple and the provisioning profile is no longer needed. + +A profile usually use the extension `.mobileprovision` or `.provisionprofile` and can be dumped with: + +```bash +openssl asn1parse -inform der -in /path/to/profile + +# Or + +security cms -D -i /path/to/profile +``` + +Although sometimes referred as certificated, these provisioning profiles have more than a certificate: + +* **AppIDName:** The Application Identifier +* **AppleInternalProfile**: Designates this as an Apple Internal profile +* **ApplicationIdentifierPrefix**: Prepended to AppIDName (same as TeamIdentifier) +* **CreationDate**: Date in `YYYY-MM-DDTHH:mm:ssZ` format +* **DeveloperCertificates**: An array of (usually one) certificate(s), encoded as Base64 data +* **Entitlements**: The entitlements allowed with entitlements for this profile +* **ExpirationDate**: Expiration date in `YYYY-MM-DDTHH:mm:ssZ` format +* **Name**: The Application Name, the same as AppIDName +* **ProvisionedDevices**: An array (for developer certificates) of UDIDs this profile is valid for +* **ProvisionsAllDevices**: A boolean (true for enterprise certificates) +* **TeamIdentifier**: An array of (usually one) alphanumeric string(s) used to identify the developer for inter-app interaction purposes +* **TeamName**: A human-readable name used to identify the developer +* **TimeToLive**: Validity (in days) of the certificate +* **UUID**: A Universally Unique Identifier for this profile +* **Version**: Currently set to 1 + +Note that the entitlements entry will contain a restricted set of entitlements and the provisioning profile will only be able to give those specific entitlements to prevent giving Apple private entitlements. + +Note that profiles are usually located in `/var/MobileDeviceProvisioningProfiles` and it's possible to check them with **`security cms -D -i /path/to/profile`** + +## **libmis.dyld** + +This is the external library that `amfid` calls i order to ask if it should allow something or not. This has been historically abused in jailbreaking by running a backdoored version of it that would allow everything. + +In macOS this is inside `MobileDevice.framework`. + +## AMFI Trust Caches + +iOS AMFI maintains a lost of known hashes which are signed ad-hoc, called the **Trust Cache** and found in the kext's `__TEXT.__const` section. Note that in very specific and sensitive operations It's possible to extend this Trust Cache with an external file. + +## References + +* [**\*OS Internals Volume III**](https://newosxbook.com/home.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md new file mode 100644 index 00000000000..09ed44717c2 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md @@ -0,0 +1,116 @@ +# macOS Authorizations DB & Authd + + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## **Athorizarions DB** + +The database located in `/var/db/auth.db` is database used to store permissions to perform sensitive operations. These operations are performed completely in **user space** and are usually used by **XPC services** which need to check **if the calling client is authorized** to perform certain action checking this database. + +Initially this database is created from the content of `/System/Library/Security/authorization.plist`. Then, some services might add or modify this dataabse to add other permissions to it. + +The rules are stored in the `rules` table inside the database and contains the folliwing colmns: + +* **id**: A unique identifier for each rule, automatically incremented and serving as the primary key. +* **name**: The unique name of the rule used to identify and reference it within the authorization system. +* **type**: Specifies the type of the rule, restricted to values 1 or 2 to define its authorization logic. +* **class**: Categorizes the rule into a specific class, ensuring it is a positive integer. + * "allow" for allow, "deny" for deny, "user" if the group property indicated a group which membership allows the access, "rule" indicates in an array a rule to be fulfilled, "evaluate-mechanisms" followed by a `mechanisms` array which are either builtins or a name of a bundle inside `/System/Library/CoreServices/SecurityAgentPlugins/` or /Library/Security//SecurityAgentPlugins +* **group**: Indicates the user group associated with the rule for group-based authorization. +* **kofn**: Represents the "k-of-n" parameter, determining how many subrules must be satisfied out of a total number. +* **timeout**: Defines the duration in seconds before the authorization granted by the rule expires. +* **flags**: Contains various flags that modify the behavior and characteristics of the rule. +* **tries**: Limits the number of allowed authorization attempts to enhance security. +* **version**: Tracks the version of the rule for version control and updates. +* **created**: Records the timestamp when the rule was created for auditing purposes. +* **modified**: Stores the timestamp of the last modification made to the rule. +* **hash**: Holds a hash value of the rule to ensure its integrity and detect tampering. +* **identifier**: Provides a unique string identifier, such as a UUID, for external references to the rule. +* **requirement**: Contains serialized data defining the rule's specific authorization requirements and mechanisms. +* **comment**: Offers a human-readable description or comment about the rule for documentation and clarity. + +### Example + +```bash +# List by name and comments +sudo sqlite3 /var/db/auth.db "select name, comment from rules" + +# Get rules for com.apple.tcc.util.admin +security authorizationdb read com.apple.tcc.util.admin + + + + + class + rule + comment + For modification of TCC settings. + created + 701369782.01043606 + modified + 701369782.01043606 + rule + + authenticate-admin-nonshared + + version + 0 + + +``` + +Moreover in [https://www.dssw.co.uk/reference/authorization-rights/authenticate-admin-nonshared/](https://www.dssw.co.uk/reference/authorization-rights/authenticate-admin-nonshared/) it's possible to see the meaning of `authenticate-admin-nonshared`: + +```json +{ + 'allow-root' : 'false', + 'authenticate-user' : 'true', + 'class' : 'user', + 'comment' : 'Authenticate as an administrator.', + 'group' : 'admin', + 'session-owner' : 'false', + 'shared' : 'false', + 'timeout' : '30', + 'tries' : '10000', + 'version' : '1' +} +``` + +## Authd + +It's a deamon that will receive requests to authorize clients to perform sensitive actions. It works as a XPC service defined inside the `XPCServices/` folder and use to write its logs in `/var/log/authd.log`. + +Moreover using the security tool it's possible to test many `Security.framework` APIs. For example the `AuthorizationExecuteWithPrivileges` running: `security execute-with-privileges /bin/ls` + +That will fork and exec `/usr/libexec/security_authtrampoline /bin/ls` as root, which will ask for permissions in a prompt to execute ls as root: + +
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md index 4ae631d88ce..51825ab21ed 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md @@ -19,7 +19,7 @@ Learn & practice GCP Hacking: Mach-o binaries contains a load command called **`LC_CODE_SIGNATURE`** that indicates the **offset** and **size** of the signatures inside the binary. Actually, using the GUI tool MachOView, it's possible to find at the end of the binary a section called **Code Signature** with this information: -<figure><img src=
+
The magic header of the Code Signature is **`0xFADE0CC0`**. Then you have information such as the length and the number of blobs of the superBlob that contains them.\ It's possible to find this information in the [source code here](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/osfmk/kern/cs\_blobs.h#L276): diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md index 82b2c2c1e09..eb1781de789 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md @@ -1,8 +1,8 @@ # macOS Gatekeeper / Quarantine / XProtect {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -70,11 +70,13 @@ If the software **passes** this inspection without raising any concerns, the Not Upon the user's first installation or execution of the software, the existence of the notarization ticket - whether stapled to the executable or found online - **informs Gatekeeper that the software has been notarized by Apple**. As a result, Gatekeeper displays a descriptive message in the initial launch dialog, indicating that the software has undergone checks for malicious content by Apple. This process thereby enhances user confidence in the security of the software they install or run on their systems. -### Enumerating GateKeeper +### spctl & syspolicyd -GateKeeper is both, **several security components** that prevent untrusted apps from being executed and also **one of the components**. +{% hint style="danger" %} +Note that from Sequoia version, **`spctl`** doesn't allow to modify Gatekeeper configuration anymore. +{% endhint %} -It's possible to see the **status** of GateKeeper with: +**`spctl`** is the CLI tool to enumerate and interact with Gatekeeper (with the `syspolicyd` daemon via XPC messages). For example, it's possible to see the **status** of GateKeeper with: ```bash # Check the status @@ -89,7 +91,9 @@ GateKeeper will check if according to the **preferences & the signature** a bina
-The database that keeps this configuration ins located in **`/var/db/SystemPolicy`**. You can check this database as root with: +**`syspolicyd`** is the main daemon responsible to enforcing Gatekeeper. It maintains a database located in `/var/db/SystemPolicy` and it's possible to find the code to support the [database here](https://opensource.apple.com/source/Security/Security-58286.240.4/OSX/libsecurity\_codesigning/lib/policydb.cpp) and the [SQL template here](https://opensource.apple.com/source/Security/Security-58286.240.4/OSX/libsecurity\_codesigning/lib/syspolicy.sql). Note that the database is unrestricted by SIP and writable by root and the database `/var/db/.SystemPolicy-default` is used as an original backup in case the other gets corrupted. + +Moreover, the bundles **`/var/db/gke.bundle`** and **`/var/db/gkopaque.bundle`** contains files with rules that are inserted in the database. You can check this database as root with: ```bash # Open database @@ -105,10 +109,12 @@ anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists an [...] ``` +**`syspolicyd`** also exposes a XPC server with different operations like `assess`, `update`, `record` and `cancel` which are also reachable using **`Security.framework`'s `SecAssessment*`** APIs and **`xpctl`** actually talks to **`syspolicyd`** via XPC. + Note how the first rule ended in "**App Store**" and the second one in "**Developer ID**" and that in the previous imaged it was **enabled to execute apps from the App Store and identified developers**.\ If you **modify** that setting to App Store, the "**Notarized Developer ID" rules will disappear**. -There are also thousands of rules of **type GKE**: +There are also thousands of rules of **type GKE** : ```bash SELECT requirement,allow,disabled,label from authority where label = 'GKE' limit 5; @@ -119,7 +125,11 @@ cdhash H"0a71962e7a32f0c2b41ddb1fb8403f3420e1d861"|1|0|GKE cdhash H"8d0d90ff23c3071211646c4c9c607cdb601cb18f"|1|0|GKE ``` -These are hashes that come from **`/var/db/SystemPolicyConfiguration/gke.bundle/Contents/Resources/gke.auth`, `/var/db/gke.bundle/Contents/Resources/gk.db`** and **`/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db`** +These are hashes that from: + +* `/var/db/SystemPolicyConfiguration/gke.bundle/Contents/Resources/gke.auth` +* `/var/db/gke.bundle/Contents/Resources/gk.db` +* `/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db` Or you could list the previous info with: @@ -166,6 +176,8 @@ spctl --assess -v /Applications/App.app /Applications/App.app: accepted ``` +Regarding **kernel extensions**, the folder `/var/db/SystemPolicyConfiguration` contains files with lists of kexts allowed to be loaded. Moreover, `spctl` has the entitlement `com.apple.private.iokit.nvram-csr` because it's capable of adding new pre-approved kernel extensions which need to be saved also in NVRAM in a `kext-allowed-teams` key. + ### Quarantine Files Upon **downloading** an application or file, specific macOS **applications** such as web browsers or email clients **attach an extended file attribute**, commonly known as the "**quarantine flag**," to the downloaded file. This attribute acts as a security measure to **mark the file** as coming from an untrusted source (the internet), and potentially carrying risks. However, not all applications attach this attribute, for instance, common BitTorrent client software usually bypasses this process. @@ -225,7 +237,7 @@ com.apple.quarantine: 00C1;607842eb;Brave;F643CD5F-6071-46AB-83AB-390BA944DEC5 # F643CD5F-6071-46AB-83AB-390BA944DEC5 -- UID assigned to the file downloaded ``` -Actually a process "could set quarantine flags to the files it creates" (i tried to apply the USER\_APPROVED flag in a created file but it won't apply it): +Actually a process "could set quarantine flags to the files it creates" (I already tried to apply the USER\_APPROVED flag in a created file but it won't apply it):
@@ -309,11 +321,24 @@ find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; pri ``` {% endcode %} -Quarantine information is also stored in a central database managed by LaunchServices in **`~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`**. +Quarantine information is also stored in a central database managed by LaunchServices in **`~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`** which allows the GUI to obtain data about the file origins. Moreover this can be overwritten by applications which might be interested in hiding its origins. Moreover, this can be done from LaunchServices APIS. + +#### **libquarantine.dylb** + +This library exports several functions that allow to manipulate the extended attribute fields. + +The `qtn_file_*` APIs deal with file quarantine policies, the `qtn_proc_*` APIs are applied to processes (files created by the process). The unexported `__qtn_syscall_quarantine*` functions are the ones that applies the policies which calls `mac_syscall` with "Quarantine" as first argument which sends the requests to `Quarantine.kext`. #### **Quarantine.kext** -The kernel extension is only available through the **kernel cache on the system**; however, you _can_ download the **Kernel Debug Kit from https://developer.apple.com/**, which will contain a symbolicated version of the extension. +The kernel extension is only available through the **kernel cache on the system**; however, you _can_ download the **Kernel Debug Kit from** [**https://developer.apple.com/**](https://developer.apple.com/), which will contain a symbolicated version of the extension. + +This Kext will hook via MACF several calls in order to traps all file lifecycle events: Creation, opening, renaming, hard-linkning... even `setxattr` to prevent it from setting the `com.apple.quarantine` extended attribute. + +It also uses a couple of MIBs: + +* `security.mac.qtn.sandbox_enforce`: Enforce quarantine along Sandbox +* `security.mac.qtn.user_approved_exec`: Querantined procs can only execute approved files ### XProtect @@ -482,8 +507,8 @@ In an ".app" bundle if the quarantine xattr is not added to it, when executing i {% embed url="https://websec.nl/" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md similarity index 100% rename from macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md rename to macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md diff --git a/network-services-pentesting/pentesting-snmp/README.md b/network-services-pentesting/pentesting-snmp/README.md index ef4bdbe3032..97cebcf4f24 100644 --- a/network-services-pentesting/pentesting-snmp/README.md +++ b/network-services-pentesting/pentesting-snmp/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -261,7 +261,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can * snmpd.conf * snmp-config.xml -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md index 157ee035169..b55a63400b1 100644 --- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md +++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -56,7 +56,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index f904d451c13..21a9e00d5c7 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -367,7 +367,7 @@ Find more info about web vulns in: You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities. -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/drupal/drupal-rce.md b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md index 77d92e24e8d..8c90376a863 100644 --- a/network-services-pentesting/pentesting-web/drupal/drupal-rce.md +++ b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md @@ -107,7 +107,7 @@ Before activation: After activation: -
+
diff --git a/network-services-pentesting/pentesting-web/jira.md b/network-services-pentesting/pentesting-web/jira.md index 726095a1392..4c1772f8dbe 100644 --- a/network-services-pentesting/pentesting-web/jira.md +++ b/network-services-pentesting/pentesting-web/jira.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -135,7 +135,7 @@ These are some of the actions a malicious plugin could perform: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index 47cdf197860..bd254494713 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -341,7 +341,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie * [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index 570fda69990..4d5a485a461 100644 --- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -282,7 +282,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are {% embed url="https://github.com/ticarpi/jwt_tool" %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md index 455b9afdf80..10a0dd0fece 100644 --- a/pentesting-web/ldap-injection.md +++ b/pentesting-web/ldap-injection.md @@ -17,7 +17,7 @@ Learn & practice GCP Hacking: {% endhint %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -236,7 +236,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md index 0311d400061..463348e667e 100644 --- a/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/pentesting-web/sql-injection/postgresql-injection/README.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: </details> {% endhint %} -<figure><img src=
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -107,7 +107,7 @@ SELECT $$hacktricks$$; SELECT $TAG$hacktricks$TAG$; ``` -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 58c557064b3..7e76d4836a4 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md @@ -1,6 +1,6 @@ # XSS (Cross Site Scripting) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -1574,7 +1574,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht * [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec) * [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/todo/llm-training-data-preparation/0.-basic-llm-concepts.md b/todo/llm-training-data-preparation/0.-basic-llm-concepts.md index f300c2f8302..6b3e5a221e0 100644 --- a/todo/llm-training-data-preparation/0.-basic-llm-concepts.md +++ b/todo/llm-training-data-preparation/0.-basic-llm-concepts.md @@ -140,7 +140,7 @@ At the heart of automatic differentiation is the **chain rule** from calculus. T Mathematically, if `y=f(u)` and `u=g(x)`, then the derivative of `y` with respect to `x` is: -
+
**2. Computational Graph** @@ -150,7 +150,7 @@ In AD, computations are represented as nodes in a **computational graph**, where Let's consider a simple function: -
+
Where: diff --git a/todo/llm-training-data-preparation/4.-attention-mechanisms.md b/todo/llm-training-data-preparation/4.-attention-mechanisms.md index c7b5cf6b7af..a006b06dee0 100644 --- a/todo/llm-training-data-preparation/4.-attention-mechanisms.md +++ b/todo/llm-training-data-preparation/4.-attention-mechanisms.md @@ -51,7 +51,7 @@ For each word in the sentence, compute the **attention score** with respect to " **Attention Score between "shiny" and "shiny"** -
+
**Attention Score between "sun" and "shiny"**