Search K
Appearance
Appearance
Other ways to support HackTricks:
โ ๏ธ
Note that entitlements starting with com.apple
are not available to third-parties, only Apple can grant them.
com.apple.rootless.install.heritable
โThe entitlement com.apple.rootless.install.heritable
allows to bypass SIP. Check this for more info.
com.apple.rootless.install
โThe entitlement com.apple.rootless.install
allows to bypass SIP. Check this for more info.
com.apple.system-task-ports
(previously called task_for_pid-allow
) โThis entitlement allows to get the task port for any process, except the kernel. Check this for more info.
com.apple.security.get-task-allow
โThis entitlement allows other processes with the com.apple.security.cs.debugger
entitlement to get the task port of the process run by the binary with this entitlement and inject code on it. Check this for more info.
com.apple.security.cs.debugger
โApps with the Debugging Tool Entitlement can call task_for_pid()
to retrieve a valid task port for unsigned and third-party apps with the Get Task Allow
entitlement set to true
. However, even with the debugging tool entitlement, a debugger canโt get the task ports of processes that donโt have the Get Task Allow
entitlement, and that are therefore protected by System Integrity Protection. Check this for more info.
com.apple.security.cs.disable-library-validation
โThis entitlement allows to load frameworks, plug-ins, or libraries without being either signed by Apple or signed with the same Team ID as the main executable, so an attacker could abuse some arbitrary library load to inject code. Check this for more info.
com.apple.private.security.clear-library-validation
โThis entitlement is very similar to com.apple.security.cs.disable-library-validation
but instead of directly disabling library validation, it allows the process to call a csops
system call to disable it.
Check this for more info.
com.apple.security.cs.allow-dyld-environment-variables
โThis entitlement allows to use DYLD environment variables that could be used to inject libraries and code. Check this for more info.
com.apple.private.tcc.manager
or com.apple.rootless.storage
.TCC
โAccording to this blog and this blog, these entitlements allows to modify the TCC database.
system.install.apple-software
and system.install.apple-software.standar-user
โThese entitlements allows to install software without asking for permissions to the user, which can be helpful for a privilege escalation.
com.apple.private.security.kext-management
โEntitlement needed to ask the kernel to load a kernel extension.
com.apple.private.icloud-account-access
โThe entitlement com.apple.private.icloud-account-access
it's possible to communicate with com.apple.iCloudHelper
XPC service which will provide iCloud tokens.
iMovie and Garageband had this entitlement.
For more information about the exploit to get icloud tokens from that entitlement check the talk: #OBTS v5.0: "What Happens on your Mac, Stays on Apple's iCloud?!" - Wojciech Regula
com.apple.private.tcc.manager.check-by-audit-token
โTODO: I don't know what this allows to do
com.apple.private.apfs.revert-to-snapshot
โTODO: In this report is mentioned that this could be used to update the SSV-protected contents after a reboot. If you know how it send a PR please!
com.apple.private.apfs.create-sealed-snapshot
โTODO: In this report is mentioned that this could be used to update the SSV-protected contents after a reboot. If you know how it send a PR please!
keychain-access-groups
โThis entitlement list keychain groups the application has access to:
<key>keychain-access-groups</key>
<array>
<string>ichat</string>
<string>apple</string>
<string>appleaccount</string>
<string>InternetAccounts</string>
<string>IMCore</string>
</array>
kTCCServiceSystemPolicyAllFiles
โGives Full Disk Access permissions, one of the TCC highest permissions you can have.
kTCCServiceAppleEvents
โAllows the app to send events to other applications that are commonly used for automating tasks. Controlling other apps, it can abuse the permissions granted to these other apps.
Like making them ask the user for its password:
osascript -e 'tell app "App Store" to activate' -e 'tell app "App Store" to activate' -e 'tell app "App Store" to display dialog "App Store requires your password to continue." & return & return default answer "" with icon 1 with hidden answer with title "App Store Alert"'
Or making them perform arbitrary actions.
kTCCServiceEndpointSecurityClient
โAllows, among other permissions, to write the users TCC database.
kTCCServiceSystemPolicySysAdminFiles
โAllows to change the NFSHomeDirectory
attribute of a user that changes his home folder path and therefore allows to bypass TCC.
kTCCServiceSystemPolicyAppBundles
โAllow to modify files inside apps bundle (inside app.app), which is disallowed by default.
It's possible to check who has this access in System Settings > Privacy & Security > App Management.
kTCCServiceAccessibility
โThe process will be able to abuse the macOS accessibility features, Which means that for example he will be able to press keystrokes. SO he could request access to control an app like Finder and approve the dialog with this permission.
com.apple.security.cs.allow-jit
โThis entitlement allows to create memory that is writable and executable by passing the MAP_JIT
flag to the mmap()
system function. Check this for more info.
com.apple.security.cs.allow-unsigned-executable-memory
โThis entitlement allows to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory
(which is fundamentally insecure), or use the DVDPlayback framework. Check this for more info.
โ
Including this entitlement exposes your app to common vulnerabilities in memory-unsafe code languages. Carefully consider whether your app needs this exception.
com.apple.security.cs.disable-executable-page-protection
โThis entitlement allows to modify sections of its own executable files on disk to forcefully exit. Check this for more info.
โ
The Disable Executable Memory Protection Entitlement is an extreme entitlement that removes a fundamental security protection from your app, making it possible for an attacker to rewrite your appโs executable code without detection. Prefer narrower entitlements if possible.
com.apple.security.cs.allow-relative-library-loads
โTODO
com.apple.private.nullfs_allow
โThis entitlement allows to mount a nullfs file system (forbidden by default). Tool: mount_nullfs.
kTCCServiceAll
โAccording to this blogpost, this TCC permission usually found in the form:
[Key] com.apple.private.tcc.allow-prompting
[Value]
[Array]
[String] kTCCServiceAll
Allow the process to ask for all the TCC permissions.
kTCCServicePostEvent
โOther ways to support HackTricks: