Although we can manipulate the Privileged Helper and invoke any exposed methods, it is not useful unless these methods offer an opportunity for exploitation. The protocol used between the XPC service and client was called ClientServiceProtocol.

This protocol exposed the following methods:

- (void)requestShutdown;
- (void)removeOldClientService;
- (void)fillProcessInformationForPids:(NSArray *)arg1 authorization:(NSData *)arg2 withReply:(void (^)(NSArray *))arg3;
- (void)createFolderAtPath:(NSString *)arg1 authorization:(NSData *)arg2 withReply:(void (^)(NSError *))arg3;
- (void)renameClientBundleAtPath:(NSString *)arg1 withReply:(void (^)(NSError *))arg2;
- (void)changeFolderPermissionsAtPath:(NSString *)arg1 authorization:(NSData *)arg2 withReply:(void (^)(NSError *))arg3;
- (void)getVersionWithReply:(void (^)(NSString *))arg1;

While multiple methods were exposed, the most interesting one was changeFolderPermissionsAtPath, which required three arguments.

Arg1 – Authorization data
Arg2 – The path whose permissions will be changed
Arg3 – An array for the response

The function first checks the authorization data, a check that can be bypassed by creating an authorization structure without any rights. Once authorization has been checked, the function performs a variety of actions, the most important of which is a call to chmod. chmod is called with the path provided in arg2 and the mode 0x1ff (octal 0777), which makes the targeted file readable, writable, and executable by every user on the system.

-(void)changeFolderPermissionsAtPath:(void *)arg2 authorization:(void *)arg3 withReply:(void *)arg4 {
    r13 = [arg2 retain];
    r14 = [arg3 retain];
    var_C8 = [arg4 retain];
    rax = objc_retainAutorelease(r13);   // <-- rax is initiated from r13, which is initiated from arg2 (the path)
    var_F8 = rax;
    [REDACTED]
    rax = [NSFileManager defaultManager];
    rax = [rax retain];
    r13 = rax;
    var_E8 = [[rax subpathsAtPath:var_F8] retain];
    rax = objc_retainAutorelease(var_F8);
    var_E0 = rax;
    rax = [rax UTF8String];
    rax = chmod(rax, 0x1ff);             // <-- permissions are changed using chmod
    var_B4 = rax;
    if (rax == 0x0) goto loc_1000c1be9;
    [REDACTED]
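For contrast with the decompiled method above, here is what the path handling of a privileged helper should look like before it calls chmod. This is an added example in plain POSIX C, not the vendor's helper code and not taken from this binary; the "allowed root" directory is a placeholder standing in for the helper's own install directory, and the temp-dir layout it builds is constructed for the demonstration. It canonicalizes the caller-supplied path, refuses anything that resolves outside the allowed directory, refuses modes that grant write access to group or others (the helper hard-coded 0777), and changes the mode through a descriptor opened with O_NOFOLLOW rather than through the path string. The authorization half of the fix (checking a specific right with AuthorizationCopyRights instead of merely decoding the external form) is outside the scope of this snippet.

```c
/* Added example, not the vendor's helper code: the path confinement a privileged
 * helper should apply before chmod()ing a caller-supplied path. Plain POSIX C so
 * it runs anywhere; the "allowed root" is a placeholder for the helper's own
 * install directory. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum chmod_result {
    CHMOD_OK = 0,
    CHMOD_BAD_PATH,        /* realpath() failed: missing or not canonicalizable */
    CHMOD_OUTSIDE_ROOT,    /* canonical target escapes the allowed directory */
    CHMOD_TOO_PERMISSIVE,  /* mode would grant write to group or others */
    CHMOD_OPEN_FAILED,     /* open(O_NOFOLLOW) refused the final component */
    CHMOD_FCHMOD_FAILED
};

/* 1 if canonical `path` equals `root` or lies strictly below it. */
static int path_within_root(const char *root, const char *path)
{
    size_t rl = strlen(root);
    if (strncmp(root, path, rl) != 0) return 0;
    return path[rl] == '\0' || path[rl] == '/';
}

enum chmod_result safe_chmod_within(const char *allowed_root,
                                    const char *requested, mode_t mode)
{
    char root[PATH_MAX], target[PATH_MAX];

    /* The vulnerable helper hard-coded 0x1ff (0777); here any mode that hands
     * write access to group or others is rejected outright. */
    if (mode & (S_IWGRP | S_IWOTH)) return CHMOD_TOO_PERMISSIVE;

    /* Canonicalize both sides so "..", symlinks and trailing slashes cannot
     * defeat the prefix comparison. */
    if (realpath(allowed_root, root) == NULL) return CHMOD_BAD_PATH;
    if (realpath(requested, target) == NULL) return CHMOD_BAD_PATH;
    if (!path_within_root(root, target)) return CHMOD_OUTSIDE_ROOT;

    /* Change the mode through a descriptor, not the path string: a symlink
     * swapped in between the check and the chmod is refused, not followed. */
    int fd = open(target, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return CHMOD_OPEN_FAILED;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc == 0 ? CHMOD_OK : CHMOD_FCHMOD_FAILED;
}

/* Builds a constructed layout in a fresh temp dir and exercises each outcome.
 * Returns the number of scenarios that did not behave as expected (0 = all good). */
int run_self_check(void)
{
    char tmpl[] = "/tmp/helper-demo-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (base == NULL) return 99;
    char allowed[PATH_MAX], inside[PATH_MAX], outside[PATH_MAX];
    char escape[PATH_MAX], dotdot[PATH_MAX];
    snprintf(allowed, sizeof allowed, "%s/allowed", base);
    snprintf(inside,  sizeof inside,  "%s/allowed/plugin.bin", base);
    snprintf(outside, sizeof outside, "%s/secret.conf", base);
    snprintf(escape,  sizeof escape,  "%s/allowed/escape", base);
    snprintf(dotdot,  sizeof dotdot,  "%s/allowed/../secret.conf", base);
    mkdir(allowed, 0700);
    close(open(inside,  O_CREAT | O_WRONLY, 0600));
    close(open(outside, O_CREAT | O_WRONLY, 0600));
    symlink(outside, escape);            /* a symlink inside pointing outside */

    int failures = 0;
    struct stat st;
    failures += safe_chmod_within(allowed, inside,  0750) != CHMOD_OK;
    failures += stat(inside, &st) != 0 || (st.st_mode & 0777) != 0750;
    failures += safe_chmod_within(allowed, outside, 0750) != CHMOD_OUTSIDE_ROOT;
    failures += safe_chmod_within(allowed, escape,  0750) != CHMOD_OUTSIDE_ROOT;
    failures += safe_chmod_within(allowed, dotdot,  0750) != CHMOD_OUTSIDE_ROOT;
    failures += safe_chmod_within(allowed, inside,  0777) != CHMOD_TOO_PERMISSIVE;
    failures += stat(outside, &st) != 0 || (st.st_mode & 0777) != 0600; /* untouched */

    unlink(escape); unlink(inside); unlink(outside); rmdir(allowed); rmdir(base);
    return failures;
}

int main(void)
{
    int failures = run_self_check();
    printf("%d scenario(s) misbehaved\n", failures);
    return failures != 0;
}
```

The self-check covers the three ways a caller would try to reach a file outside the helper's directory (a direct path, a symlink placed inside the directory, and a ".." component) and shows that the file outside keeps its original mode. Note that realpath() only protects the check itself; the O_NOFOLLOW open is what keeps a symlink planted between the check and the fchmod from being followed.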

As a low-privileged user, we can communicate with the XPC service and change the permissions of any file in the system. This can be used to abuse the system in several ways, such as by modifying a Launch Daemon to execute a malicious binary when the daemon is loaded. However, this method requires a restart, so a better alternative is to modify the /etc/pam.d/login file.

The /etc/pam.d/login file is a configuration file for the Pluggable Authentication Modules (PAM) system on macOS. It contains the default authentication configuration for all services that use PAM. Modifying the auth entries to use the pam_permit.so module will allow any authentication attempt to succeed. This means that we will be able to run sudo on the target machine without entering a password.
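From the defender's side, the two artifacts this abuse leaves behind are easy to audit: an auth rule in /etc/pam.d/login that loads pam_permit.so, and a world-writable mode on a system file the helper was pointed at. The following is an added example in plain C, not from the original write-up; the two PAM configs it parses are constructed samples (one resembling a default login file with an injected rule, one clean), and the file it checks for world-writability is a temp file it creates itself. Only the /etc/pam.d/login path comes from the text.

```c
/* Added example, not from the original write-up: a small auditor for the two
 * artifacts the abuse described above leaves behind, a pam_permit.so "auth" rule
 * in /etc/pam.d/login and a world-writable mode on a system file. Plain C with
 * constructed sample configs so it runs offline. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample resembling a macOS login file with one injected rule. */
const char SAMPLE_LOGIN_TAMPERED[] =
    "# login: auth account password session\n"
    "auth       sufficient     pam_permit.so\n"      /* injected: always succeeds */
    "auth       optional       pam_krb5.so use_kcminit\n"
    "auth       required       pam_opendirectory.so try_first_pass\n"
    "account    required       pam_nologin.so\n"
    "account    required       pam_opendirectory.so\n"
    "password   required       pam_opendirectory.so\n"
    "session    required       pam_launchd.so\n";

const char SAMPLE_LOGIN_CLEAN[] =
    "auth       optional       pam_krb5.so use_kcminit\n"
    "auth       required       pam_opendirectory.so try_first_pass\n"
    "account    required       pam_opendirectory.so\n";

/* 1 if `line` is an "auth" rule whose module is pam_permit.so, else 0. Comments,
 * blank lines and bracketed controls like "[success=1 default=ignore]" are handled. */
int pam_line_is_permit_auth(const char *line)
{
    char buf[512];
    snprintf(buf, sizeof buf, "%s", line);
    char *save = NULL;
    const char *sep = " \t\r\n";
    char *type = strtok_r(buf, sep, &save);
    if (type == NULL || type[0] == '#' || strcmp(type, "auth") != 0) return 0;
    char *control = strtok_r(NULL, sep, &save);
    if (control == NULL) return 0;
    if (control[0] == '[')                         /* consume tokens up to the closing ']' */
        while (control[strlen(control) - 1] != ']') {
            control = strtok_r(NULL, sep, &save);
            if (control == NULL) return 0;
        }
    char *module = strtok_r(NULL, sep, &save);
    if (module == NULL) return 0;
    const char *base = strrchr(module, '/');       /* module may carry a directory prefix */
    base = base ? base + 1 : module;
    return strcmp(base, "pam_permit.so") == 0;
}

/* Counts flagged rules in a newline-separated config blob. */
int count_permit_auth_rules(const char *config)
{
    int count = 0;
    for (const char *p = config; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        count += pam_line_is_permit_auth(line);
        if (nl == NULL) break;
        p = nl + 1;
    }
    return count;
}

/* 1 if the file grants write to "others" (as 0x1ff/0777 does), 0 if not, -1 on stat error. */
int is_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Exercises is_world_writable() on a temp file; returns 1 if both checks behave. */
int self_check_world_writable(void)
{
    char tmpl[] = "/tmp/pam-audit-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    int ok = 1;
    ok &= fchmod(fd, 0777) == 0 && is_world_writable(tmpl) == 1;
    ok &= fchmod(fd, 0644) == 0 && is_world_writable(tmpl) == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("tampered sample: %d permissive auth rule(s)\n", count_permit_auth_rules(SAMPLE_LOGIN_TAMPERED));
    printf("clean sample:    %d permissive auth rule(s)\n", count_permit_auth_rules(SAMPLE_LOGIN_CLEAN));
    printf("/etc/pam.d/login world-writable: %d\n", is_world_writable("/etc/pam.d/login"));
    return 0;
}
```

Only rules of type auth are flagged, matching the modification the text describes; the exact rule set in the shipped login file varies between macOS versions, so in practice the parser output should be compared against a known-good copy rather than against an expected count of zero. The mode check is the cheap complement: any file under /etc/pam.d, or any Launch Daemon plist, that is writable by others is a finding on its own.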