As we saw in previous posts, macOS privilege escalation typically occurs by manipulating the user rather than by exploiting zero days or unpatched vulnerabilities. Looking at it from the perspective of a red team engagement, one native tool that can be useful in this regard is AppleScript, which can quickly and easily produce fake authorization requests that look quite convincing to the user. Although this in itself is not a new technique, in this post I will explore some novel ways we can (ab)use the abilities of AppleScript to spoof privileged processes the user already trusts on the local system.

Most applications on a Mac don't require elevated privileges to do their work, and indeed, if the application is sourced from Apple's App Store, it is, at least technically, not allowed to. Despite that, there are times when apps have quite legitimate reasons for needing privileges greater than those possessed by the currently logged-in user. Here's a short list, from Apple's own documentation:

- manipulating file permissions and ownership
- creating, reading, updating, or deleting files
- opening privileged ports for TCP and UDP connections

Often, programs that need to perform any of these functions only need to do so occasionally, and in that context it makes sense to simply ask the user for authorization at the time. While this may improve security, it is also not the most convenient if the program in question is going to need to perform one or more of these actions more than once in any particular session. Users are not fond of repeated dialog alerts, or of repeatedly having to type in a password just to get things done.

Privilege separation is a technique that developers can use to solve this problem. By creating a separate "helper program" with limited functionality to carry out these tasks, the user need only be asked at install time for permission to install the helper tool. You've likely seen permission requests that look something like this:

[screenshot: install-time authorization dialog]

The helper tool always runs with elevated privileges, but it is coded with limited functionality. At least in theory, the tool can only perform specific tasks, and only at the behest of the parent program. These privileged helper tools live in a folder in the local domain Library folder, `/Library/PrivilegedHelperTools`.

Since they are only installed by third-party programs sourced from outside the App Store, you may or may not have some installed on a given system. However, some very popular and widespread macOS software either does or has made use of such tools. Since orphaned Privileged Helper Tools are not removed by the OS itself, there's a reasonable chance that you'll find some of these in use if you're engaging with an organisation with Mac power users. Here are a few from my own system that use Privileged Helper Tools:

[screenshot: listing of /Library/PrivilegedHelperTools]

Abuses of this trust mechanism between parent process and privileged helper tool are possible (CVE-2019-13013), but that's not the route we're going to take today. Rather, we're going to exploit the fact that there's a high chance the user will be familiar with the parent apps of these privileged processes and will inherently trust requests for authorization that appear to be coming from them.

## Why Use AppleScript for Spoofing?

Effective social engineering is all about context.
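The inventory of helper tools above, and in particular which of them have lost their parent app, can be gathered with a script rather than by eyeballing the folder. The following is an added example and not code from the original post. It walks `/Library/PrivilegedHelperTools`, recovers each helper's embedded Info.plist to read the `SMAuthorizedClients` code requirement (which names the parent app's bundle identifier), checks for the matching launchd job in `/Library/LaunchDaemons`, and checks whether any app with that identifier is still installed under `/Applications`. Two things are assumptions: the byte search for the embedded plist relies on the `__TEXT,__info_plist` section being stored as plain XML, and the directory tree built by `build_sample_tree()` is constructed purely so the script can be exercised offline; it is not real data.

```python
"""Audit privileged helper tools: map each helper to its launchd job and the
parent app authorised to talk to it, and flag helpers whose parent app is gone.

Added example, not code from the original post. Layout follows the SMJobBless
convention (/Library/PrivilegedHelperTools/<label> plus
/Library/LaunchDaemons/<label>.plist). build_sample_tree() is a constructed
fixture for offline testing, not a real system."""
import os
import re
import plistlib
import tempfile

HELPER_DIR = "/Library/PrivilegedHelperTools"
DAEMON_DIR = "/Library/LaunchDaemons"
APP_DIRS = ("/Applications", "/Applications/Utilities")

# `identifier "com.vendor.app"` inside an SMAuthorizedClients requirement string
IDENT_RE = re.compile(r'identifier\s+"([^"]+)"')


def embedded_info_plist(path):
    """Return the Info.plist embedded in a helper binary, or {} if none found.
    Assumption: __TEXT,__info_plist is stored as plain XML, so a byte search
    for the <?xml ... </plist> span is enough (no Mach-O parsing)."""
    with open(path, "rb") as f:
        data = f.read()
    start = data.find(b"<?xml")
    end = data.find(b"</plist>", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return {}
    try:
        return plistlib.loads(data[start:end + len(b"</plist>")])
    except Exception:
        return {}


def authorized_parents(info):
    """Bundle identifiers named in the helper's SMAuthorizedClients requirements."""
    ids = set()
    for req in info.get("SMAuthorizedClients", []):
        ids.update(IDENT_RE.findall(req))
    return ids


def installed_bundle_ids(app_dirs):
    """CFBundleIdentifier of every .app bundle found directly under app_dirs."""
    found = set()
    for d in app_dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            plist = os.path.join(d, name, "Contents", "Info.plist")
            if name.endswith(".app") and os.path.isfile(plist):
                try:
                    with open(plist, "rb") as f:
                        found.add(plistlib.load(f).get("CFBundleIdentifier"))
                except Exception:
                    pass
    return found


def audit_helpers(helper_dir=HELPER_DIR, daemon_dir=DAEMON_DIR, app_dirs=APP_DIRS):
    """Return {label: {"daemon": bool, "parents": set, "orphan": bool}}.
    A helper is an orphan when it names at least one authorised parent and
    none of them is installed any more; helpers with no readable requirement
    are reported with orphan=False (unknown), not guessed."""
    apps = installed_bundle_ids(app_dirs)
    report = {}
    if not os.path.isdir(helper_dir):
        return report
    for label in sorted(os.listdir(helper_dir)):
        helper = os.path.join(helper_dir, label)
        if not os.path.isfile(helper):
            continue
        parents = authorized_parents(embedded_info_plist(helper))
        has_daemon = os.path.isfile(os.path.join(daemon_dir, label + ".plist"))
        report[label] = {"daemon": has_daemon, "parents": parents,
                         "orphan": bool(parents) and not (parents & apps)}
    return report


def _write_plist(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        plistlib.dump(obj, f)


def build_sample_tree(root):
    """Constructed fixture: two helpers, only one of whose parent app remains."""
    hdir, ddir, adir = (os.path.join(root, n) for n in
                        ("PrivilegedHelperTools", "LaunchDaemons", "Applications"))
    for d in (hdir, ddir, adir):
        os.makedirs(d, exist_ok=True)
    for label, parent in (("com.example.live.helper", "com.example.live"),
                          ("com.example.gone.helper", "com.example.gone")):
        info = {"CFBundleIdentifier": label,
                "SMAuthorizedClients": ['identifier "%s" and anchor apple generic' % parent]}
        # fake helper: Mach-O magic, then the XML plist, then padding
        with open(os.path.join(hdir, label), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + plistlib.dumps(info) + b"\x00" * 16)
        _write_plist(os.path.join(ddir, label + ".plist"),
                     {"Label": label, "ProgramArguments": [os.path.join(hdir, label)]})
    _write_plist(os.path.join(adir, "Live.app", "Contents", "Info.plist"),
                 {"CFBundleIdentifier": "com.example.live"})
    return hdir, ddir, (adir,)


def demo():
    """Audit the constructed sample tree (runs anywhere, no macOS needed)."""
    hdir, ddir, app_dirs = build_sample_tree(tempfile.mkdtemp(prefix="helper-audit-"))
    return audit_helpers(hdir, ddir, app_dirs)


if __name__ == "__main__":
    for label, info in audit_helpers().items():
        state = "ORPHAN" if info["orphan"] else ("ok" if info["daemon"] else "no launchd job")
        print(f"{label:45} parents={sorted(info['parents'])} {state}")
```

Run on a Mac, the script prints the real inventory without needing root, since both folders are normally world-readable. A helper reported as `ORPHAN` is exactly the case the post describes: a trusted vendor's name still present on disk with no app left to explain a prompt, which makes it a candidate for spoofing on an engagement and for removal on a hardened build. Requirement strings that pin the parent by team identifier rather than bundle identifier will yield an empty `parents` set, so treat an empty set as "check manually" rather than as clean.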