macOS Authorizations DB & Authd

Tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Authorization DB

The database located at /var/db/auth.db is used to store the permissions required to perform sensitive operations. These operations are carried out entirely in user space and are typically used by XPC services, which check this database to determine whether the calling client is authorized to perform a specific action.

이 λ°μ΄ν„°λ² μ΄μŠ€λŠ” μ²˜μŒμ— /System/Library/Security/authorization.plist의 λ‚΄μš©μœΌλ‘œ μƒμ„±λ©λ‹ˆλ‹€. 이후 일뢀 μ„œλΉ„μŠ€κ°€ 이 λ°μ΄ν„°λ² μ΄μŠ€μ— λ‹€λ₯Έ κΆŒν•œμ„ μΆ”κ°€ν•˜κ±°λ‚˜ μˆ˜μ •ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

κ·œμΉ™μ€ λ°μ΄ν„°λ² μ΄μŠ€ λ‚΄μ˜ rules ν…Œμ΄λΈ”μ— μ €μž₯되며 λ‹€μŒκ³Ό 같은 열을 ν¬ν•¨ν•©λ‹ˆλ‹€:

  • id: A unique identifier for each rule, automatically incremented and serving as the primary key.
  • name: A unique rule name used to identify and reference the rule within the authorization system.
  • type: Specifies the type of the rule, restricted to the values 1 or 2, to define its authorization logic.
  • class: Categorizes the rule into a specific class, which must be a positive integer.
      ◦ "allow" means allow, "deny" means deny, "user" means that a group property indicates a group whose membership permits access, "rule" lists in an array the rules that must be satisfied, and "evaluate-mechanisms" is followed by a mechanisms array whose entries are either built-ins or the names of bundles inside /System/Library/CoreServices/SecurityAgentPlugins/ or /Library/Security/SecurityAgentPlugins.
  • group: Indicates the user group associated with the rule for group-based authorization.
  • kofn: Represents the "k-of-n" parameter, which determines how many of the total number of subrules must be satisfied.
  • timeout: Defines the duration, in seconds, before the authorization granted by the rule expires.
  • flags: Contains various flags that modify the rule's behavior and characteristics.
  • tries: Limits the number of allowed authorization attempts to enhance security.
  • version: Tracks the version of the rule for version control.
  • created: Records the timestamp at which the rule was created, for auditing purposes.
  • modified: Stores the timestamp of the last modification made to the rule.
  • hash: Holds a hash value of the rule to ensure its integrity and detect tampering.
  • identifier: Provides a unique string identifier (e.g. a UUID) for external references to the rule.
  • requirement: Contains serialized data defining the rule's specific authorization requirements and mechanisms.
  • comment: Provides a human-readable description or comment about the rule for documentation and clarity.

Example

# List by name and comments
sudo sqlite3 /var/db/auth.db "select name, comment from rules"

# Get rules for com.apple.tcc.util.admin
security authorizationdb read com.apple.tcc.util.admin
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For modification of TCC settings.</string>
<key>created</key>
<real>701369782.01043606</real>
<key>modified</key>
<real>701369782.01043606</real>
<key>rule</key>
<array>
<string>authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
</plist>

λ˜ν•œ https://www.dssw.co.uk/reference/authorization-rights/authenticate-admin-nonshared/μ—μ„œ authenticate-admin-nonshared의 의미λ₯Ό 확인할 수 μžˆμŠ΅λ‹ˆλ‹€:

{
"allow-root": "false",
"authenticate-user": "true",
"class": "user",
"comment": "Authenticate as an administrator.",
"group": "admin",
"session-owner": "false",
"shared": "false",
"timeout": "30",
"tries": "10000",
"version": "1"
}
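To make the class semantics above concrete, here is an added example (not code from HackTricks) that parses the plist printed by `security authorizationdb read` and follows the "rule" references down to the terminal requirement a caller must satisfy, so a right that ends in a bare "allow" can be flagged. The plist bytes and the RULES table are constructed for the example; the authenticate-admin-nonshared entry mirrors the dssw.co.uk definition quoted above, and kofn is not modelled (all subrules are treated as required, which is the default when kofn is absent).

```python
import plistlib

# Constructed sample: the plist that `security authorizationdb read com.apple.tcc.util.admin`
# prints on this page, embedded inline (timestamps dropped) so the example runs offline.
TCC_ADMIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key><string>rule</string>
<key>comment</key><string>For modification of TCC settings.</string>
<key>rule</key><array><string>authenticate-admin-nonshared</string></array>
<key>version</key><integer>0</integer>
</dict>
</plist>"""

# Constructed rule definitions keyed by name. "authenticate-admin-nonshared" mirrors the
# dssw.co.uk reference quoted above; "allow" and "deny" are the built-in terminal rules.
RULES = {
    "authenticate-admin-nonshared": {"class": "user", "group": "admin",
                                     "authenticate-user": "true", "shared": "false"},
    "allow": {"class": "allow"},
    "deny": {"class": "deny"},
}

def load_right(plist_bytes):
    """Parse the XML plist emitted by `security authorizationdb read <right>`."""
    return plistlib.loads(plist_bytes)

def resolve(rule, rules=RULES, depth=0):
    """Follow a right/rule definition to the terminal requirements it imposes.
    Returns a set of strings; kofn is not modelled, every subrule is required."""
    if depth > 16:  # guard against cyclic "rule" references
        raise ValueError("rule reference chain too deep")
    cls = rule.get("class")
    if cls in ("allow", "deny"):
        return {cls}
    if cls == "user":  # membership in `group`, plus a password prompt if authenticate-user
        need = f"user:{rule.get('group', '?')}"
        if rule.get("authenticate-user") in ("true", True):
            need += ":authenticate"
        return {need}
    if cls == "evaluate-mechanisms":  # built-ins or SecurityAgentPlugins bundle names
        return {"mechanism:" + m for m in rule.get("mechanisms", [])}
    if cls == "rule":
        out = set()
        for name in rule.get("rule", []):
            if name not in rules:
                raise KeyError(f"unknown rule reference: {name}")
            out |= resolve(rules[name], rules, depth + 1)
        return out
    raise ValueError(f"unknown class: {cls}")

def is_weak(right):
    """A right that resolves to a bare 'allow' grants the operation with no authentication."""
    return resolve(right) == {"allow"}
```

Point `load_right` at the output of `security authorizationdb read <right>` and `resolve` at the rules dumped from /var/db/auth.db to review which rights on a host really end in an admin authentication and which do not.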

Authd

ν΄λΌμ΄μ–ΈνŠΈκ°€ λ―Όκ°ν•œ μž‘μ—…μ„ μˆ˜ν–‰ν•˜λ„λ‘ 승인 μš”μ²­μ„ 받을 데λͺ¬μž…λ‹ˆλ‹€. XPCServices/ 폴더 내에 μ •μ˜λœ XPC μ„œλΉ„μŠ€λ‘œ μž‘λ™ν•˜λ©°, λ‘œκ·ΈλŠ” /var/log/authd.log에 κΈ°λ‘λ©λ‹ˆλ‹€.

λ˜ν•œ λ³΄μ•ˆ 도ꡬλ₯Ό μ‚¬μš©ν•˜μ—¬ λ§Žμ€ Security.framework APIλ₯Ό ν…ŒμŠ€νŠΈν•  수 μžˆμŠ΅λ‹ˆλ‹€. 예λ₯Ό λ“€μ–΄ AuthorizationExecuteWithPrivilegesλ₯Ό μ‹€ν–‰ν•˜λ©΄: security execute-with-privileges /bin/ls

μ΄λŠ” /usr/libexec/security_authtrampoline /bin/lsλ₯Ό 루트둜 ν¬ν¬ν•˜κ³  μ‹€ν–‰ν•˜λ©°, lsλ₯Ό 루트둜 μ‹€ν–‰ν•˜κΈ° μœ„ν•œ κΆŒν•œμ„ μš”μ²­ν•˜λŠ” ν”„λ‘¬ν”„νŠΈκ°€ ν‘œμ‹œλ©λ‹ˆλ‹€:
