《苹果磁盘派对.pdf》由会员分享,可在线阅读,更多相关《苹果磁盘派对.pdf(95页珍藏版)》请在三个皮匠报告上搜索。
1、Apple Disk-O PartyCsaba Fitzl Twitter:theevilbitwhoamiPrincipal macOS Security Researcher Kandji author of EXP-312-macOS Exploitation training()at OffSec ex red/blue teamer macOS bug hunter husband,father hiking,trail running agenda1.disk arbitration service 2.CVE-2023-42838-Sandbox Escape via diska
2、rbitrationd 3.typical mount call flows 4.CVE-2024-44175-LPE+Sandbox Escape via diskarbitrationd 5.CVE-2024-40855-TCC Bypass and Sandbox Escape via diskarbitrationd 6.CVE-2024-27848-LPE via StorageKit 7.CVE-2024-44210-LPE and TCC bypass via StorageKit 8.CVE-2024-40783-bypass TM data protection via AP
3、FS 9.LPE via Disk Utility 10.conclusiondisk arbitration servicediskarbitrationd-the basicssystem wide service,defined in:/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist Mach Service:com.apple.DiskArbitration.diskarbitrationd manage disk mounting,unmounting calls mount/unmount under th
4、e hooddiskarbitrationd-why we like it?runs as root unsandboxed full disk access rights Mach service accessible from application sandbox opensourcediskarbitrationd-MIGMIG service DA framework abstracts the MIG servicediskarbitrationd-mount call flowCVE-2023-42838-Sandbox EscapeWhere is the problem?NO
5、 QUARANTINE FLAG!why is that a problem?no quarantine extended attribute=files not quarantined files not quarantined=no GateKeeper(technically there is)no GK=we can launch anything,included unsandboxed apps can be used for SB escapeCVE-2023-42838-the issuediskarbitrationd doesnt add quarantine flag t
6、o the quarantined disk image when mounted ioreg does show the property da should check the propertyCVE-2023-42838-what goes on?how to get a/dev/disk in Sandbox?CVE-2023-42838-fixthe kernel will add quarantine flag to every mount if the device is quarantined basically the IOReg qu