macos-security-bypass

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: macOS Security Bypass — Expert Attack Playbook

SKILL: macOS 安全绕过——专业攻击操作手册

AI LOAD INSTRUCTION: Expert macOS security bypass techniques. Covers TCC bypass, Gatekeeper evasion, SIP restrictions, sandbox escape, and entitlement abuse. Base models miss version-specific bypass nuances and protection interaction effects.

AI加载说明：专业macOS安全绕过技术，覆盖TCC绕过、Gatekeeper规避、SIP限制绕过、沙箱逃逸和权限滥用。基础模型缺少版本特定的绕过细节以及防护机制之间的交互影响。

0. RELATED ROUTING

0. 相关参考内容

Before going deep, consider loading:

macos-process-injection when you need dylib injection, XPC exploitation, or Electron abuse after achieving initial access
linux-privilege-escalation for Unix-layer privesc techniques that also apply to macOS (SUID, cron, writable paths)
linux-security-bypass for shared Unix security bypass concepts

深入阅读前，建议加载以下内容：

macos-process-injection：当你获取初始访问后需要进行dylib注入、XPC漏洞利用或者Electron滥用时参考
linux-privilege-escalation：适用于macOS的Unix层提权技术（SUID、cron、可写路径）
linux-security-bypass：通用Unix安全绕过概念

Advanced Reference

高级参考

Also load TCC_BYPASS_MATRIX.md when you need:

Per-macOS-version TCC bypass mapping
Protection-type-specific techniques (Camera, Microphone, FDA, Automation)
MDM/configuration profile abuse patterns

当你需要以下内容时，也可加载TCC_BYPASS_MATRIX.md：

各macOS版本对应的TCC绕过映射
特定防护类型的技术（摄像头、麦克风、FDA、自动化）
MDM/配置文件滥用模式

1. TCC (TRANSPARENCY, CONSENT, CONTROL) OVERVIEW

1. TCC（透明度、同意、控制）概述

TCC is macOS's permission framework controlling access to sensitive resources (camera, microphone, contacts, full disk access, etc.).

TCC是macOS的权限框架，用于控制对敏感资源（摄像头、麦克风、联系人、全磁盘访问等）的访问。

1.1 TCC Database Locations

1.1 TCC数据库位置

Database	Path	Controls	Protection
User-level	`~/Library/Application Support/com.apple.TCC/TCC.db`	Per-user consent decisions	SIP-protected since Catalina
System-level	`/Library/Application Support/com.apple.TCC/TCC.db`	System-wide consent decisions	SIP-protected
MDM-managed	Via configuration profiles	Push PPPC (Privacy Preferences Policy Control)	Device management

sql

-- Query TCC database (requires FDA or SIP off)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT service, client, allowed FROM access;"

数据库	路径	控制范围	防护机制
用户级	`~/Library/Application Support/com.apple.TCC/TCC.db`	单用户同意决策	自Catalina版本起受SIP保护
系统级	`/Library/Application Support/com.apple.TCC/TCC.db`	全系统同意决策	受SIP保护
MDM托管	通过配置文件	推送PPPC（隐私偏好策略控制）	设备管理

sql

-- Query TCC database (requires FDA or SIP off)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT service, client, allowed FROM access;"

1.2 TCC Bypass Categories

1.2 TCC绕过分类

Category	Mechanism	Typical Prerequisite
FDA app exploitation	Piggyback on apps already granted Full Disk Access	Write access to FDA app's bundle or plugin dir
Direct DB modification	Edit TCC.db to grant consent	SIP disabled or FDA
Inherited permissions	Child process inherits parent's TCC grants	Code execution in context of FDA-granted app
Automation abuse	Apple Events / osascript to control TCC-granted app	Automation permission (lower bar than direct TCC)
Mounting tricks	Mount a crafted disk image containing modified TCC.db	Local access, pre-Ventura
SQL injection in TCC	Malformed bundle IDs triggering SQL injection in TCC subsystem	CVE-2023-32364 and similar

分类	机制	典型前置条件
FDA应用漏洞利用	借用已获得全磁盘访问权限的应用	对FDA应用的安装包或插件目录有写入权限
直接数据库修改	编辑TCC.db授予权限	SIP已关闭或拥有FDA权限
权限继承	子进程继承父进程的TCC授权	在已获得FDA授权的应用上下文中执行代码
自动化滥用	通过Apple Events / osascript控制已获得TCC授权的应用	拥有自动化权限（门槛低于直接获取TCC权限）
挂载技巧	挂载包含修改后TCC.db的特制磁盘镜像	本地访问权限，Ventura之前版本
TCC SQL注入	畸形包ID触发TCC子系统的SQL注入漏洞	存在CVE-2023-32364等类似漏洞

1.3 Known TCC Bypass Patterns

1.3 已知TCC绕过模式

Terminal / iTerm FDA inheritance: Terminal.app granted FDA → any command run inherits FDA → read any file.

bash

undefined

Terminal / iTerm FDA继承：Terminal.app已获得FDA权限 → 运行的任何命令都会继承FDA权限 → 可读取任意文件。

bash

undefined

If Terminal has FDA, this reads protected files directly

cat ~/Library/Mail/V*/MailData/Envelope\ Index cat ~/Library/Messages/chat.db


**Finder automation**: Automate Finder (lower permission bar) to access files in protected locations.

```applescript
tell application "Finder"
  set f to POSIX file "/Users/target/Library/Mail/V9/MailData/Envelope Index"
  duplicate f to desktop
end tell

System Preferences / System Settings injection: Inject into a process that already has TCC permissions by writing to its Application Scripts folder.

MDM profile abuse: PPPC profiles can pre-approve TCC permissions. Rogue MDM enrollment or compromised MDM server → push PPPC payload.

cat ~/Library/Mail/V*/MailData/Envelope\ Index cat ~/Library/Messages/chat.db


**Finder自动化**：自动化操作Finder（权限门槛更低）来访问受保护位置的文件。

```applescript
tell application "Finder"
  set f to POSIX file "/Users/target/Library/Mail/V9/MailData/Envelope Index"
  duplicate f to desktop
end tell

系统偏好设置/系统设置注入：通过写入应用脚本文件夹，向已拥有TCC权限的进程注入代码。

MDM配置文件滥用：PPPC配置文件可预先批准TCC权限。恶意MDM注册或被攻陷的MDM服务器可推送PPPC payload。

2. GATEKEEPER BYPASS

2. GATEKEEPER绕过

Gatekeeper blocks unsigned or unnotarized apps from executing. Core enforcement depends on the

com.apple.quarantine

extended attribute.

Gatekeeper会阻止未签名或未公证的应用执行。核心执行逻辑依赖

com.apple.quarantine

扩展属性。

2.1 Quarantine Attribute Removal

2.1 移除隔离属性

bash

undefined

bash

undefined

Check quarantine attribute

xattr -l /path/to/app

Output: com.apple.quarantine: 0083;...

Remove quarantine (requires write access)

xattr -d com.apple.quarantine /path/to/app

Recursive for app bundles

xattr -rd com.apple.quarantine /path/to/MyApp.app

undefined

xattr -rd com.apple.quarantine /path/to/MyApp.app

undefined

2.2 Bypass Techniques

2.2 绕过技术

Technique	How It Works	macOS Version
`xattr -d` removal	Remove quarantine before execution	All (requires local access)
App translocation bypass	Apps in certain locations skip translocation	Pre-Catalina
Archive tools that strip quarantine	Some unarchiver apps don't propagate quarantine	Varies by tool
Unsigned code in signed bundle	Notarized app bundles with unsigned nested helpers	Pre-Ventura (CVE-2022-42821)
Safari auto-extract + open	Downloaded ZIP auto-extracted, app opened before quarantine fully applied	Safari-specific, patched
ACL abuse	`com.apple.quarantine` can be blocked by ACLs set before download	Requires pre-positioning
Disk image (DMG) tricks	DMG mounted from network share may not carry quarantine	Network share context
BOM (Bill of Materials) bypass	Crafted BOM in pkg skips quarantine for extracted files	CVE-2022-22616

技术	实现原理	适用macOS版本
`xattr -d` 移除	执行前移除隔离属性	所有版本（需要本地访问权限）
应用转移绕过	特定位置的应用会跳过转移检查	Catalina之前版本
解压缩工具剥离隔离属性	部分解压缩工具不会传播隔离属性	依工具而定
签名包中嵌套未签名代码	已公证的应用包中包含未签名的嵌套助手程序	Ventura之前版本（CVE-2022-42821）
Safari自动提取+打开	下载的ZIP自动解压，在隔离属性完全应用前打开应用	Safari专属，已修复
ACL滥用	下载前设置的ACL可阻止 `com.apple.quarantine` 属性写入	需要提前部署
磁盘镜像（DMG）技巧	从网络共享挂载的DMG可能不带隔离属性	网络共享场景
BOM（物料清单）绕过	Pkg中特制的BOM可让提取的文件跳过隔离检查	CVE-2022-22616

2.3 Gatekeeper Check Flow

2.3 Gatekeeper检查流程

App launched
│
├── com.apple.quarantine attribute present?
│   ├── No → execute (no Gatekeeper check)
│   └── Yes ↓
│
├── Code signature valid?
│   ├── No → block
│   └── Yes ↓
│
├── Notarized (stapled ticket or online check)?
│   ├── No → block (Catalina+)
│   └── Yes → execute
│
└── User override? (right-click → Open → confirm)
    └── Bypasses Gatekeeper once for this app

应用启动
│
├── 存在com.apple.quarantine属性?
│   ├── 否 → 执行（不触发Gatekeeper检查）
│   └── 是 ↓
│
├── 代码签名有效?
│   ├── 否 → 阻止执行
│   └── 是 ↓
│
├── 已公证（绑定票据或在线检查通过）?
│   ├── 否 → 阻止执行（Catalina及以上版本）
│   └── 是 → 执行
│
└── 用户手动覆盖?（右键 → 打开 → 确认）
    └── 本次针对该应用绕过Gatekeeper

3. SIP (SYSTEM INTEGRITY PROTECTION)

3. SIP（系统完整性保护）

SIP restricts root from modifying protected system locations, loading unsigned kernel extensions, and debugging system processes.

SIP限制root用户修改受保护的系统位置、加载未签名的内核扩展、调试系统进程。

3.1 SIP-Protected Locations

3.1 SIP受保护位置

/System/
/usr/ (except /usr/local/)
/bin/
/sbin/
/var/ (selected subdirs)
/Applications/ (pre-installed Apple apps)

/System/
/usr/ (除了/usr/local/)
/bin/
/sbin/
/var/ (部分子目录)
/Applications/ (苹果预装应用)

3.2 SIP Status & Configuration

3.2 SIP状态与配置

bash

csrutil status              # Check SIP status
csrutil disable             # Recovery Mode only
csrutil enable --without fs # Partial disable (risky)

bash

csrutil status              # Check SIP status
csrutil disable             # Recovery Mode only
csrutil enable --without fs # Partial disable (risky)

3.3 Entitlements That Bypass SIP

3.3 可绕过SIP的权限

Entitlement	Effect
`com.apple.rootless.install`	Write to SIP-protected paths
`com.apple.rootless.install.heritable`	Child processes inherit SIP bypass
`com.apple.security.cs.allow-unsigned-executable-memory`	JIT/unsigned code in memory
`com.apple.private.security.clear-library-validation`	Load unsigned libraries

权限	作用
`com.apple.rootless.install`	写入SIP保护路径
`com.apple.rootless.install.heritable`	子进程继承SIP绕过权限
`com.apple.security.cs.allow-unsigned-executable-memory`	内存中运行JIT/未签名代码
`com.apple.private.security.clear-library-validation`	加载未签名库

3.4 Historical SIP Bypasses

3.4 历史SIP绕过漏洞

CVE	macOS	Technique
CVE-2021-30892 (Shrootless)	Monterey pre-12.0.1	`system_installd` + post-install script in signed pkg
CVE-2022-22583	Monterey pre-12.2	`packagekit` + mount point manipulation
CVE-2022-46689 (MacDirtyCow)	Ventura pre-13.1	Race condition on copy-on-write, overwrite SIP files
CVE-2023-32369 (Migraine)	Ventura pre-13.4	Migration Assistant TCC/SIP bypass via systemmigrationd
CVE-2024-44243	Sequoia pre-15.2	StorageKit daemon exploitation

CVE	macOS版本	技术
CVE-2021-30892 (Shrootless)	Monterey 12.0.1之前版本	`system_installd` + 签名包中的后置安装脚本
CVE-2022-22583	Monterey 12.2之前版本	`packagekit` + 挂载点操纵
CVE-2022-46689 (MacDirtyCow)	Ventura 13.1之前版本	写时复制竞争条件，覆盖SIP保护文件
CVE-2023-32369 (Migraine)	Ventura 13.4之前版本	通过systemmigrationd实现迁移助手TCC/SIP绕过
CVE-2024-44243	Sequoia 15.2之前版本	StorageKit守护进程漏洞利用

4. SANDBOX ESCAPE

4. 沙箱逃逸

macOS sandboxing (App Sandbox, via

sandbox-exec

or entitlements) restricts app access to filesystem, network, and IPC.

macOS沙箱（应用沙箱，通过

sandbox-exec

或权限实现）限制应用访问文件系统、网络和IPC。

4.1 Office Sandbox Escape Patterns

4.1 Office沙箱逃逸模式

Vector	Description
Open/Save dialog abuse	User grants file access via dialog → macro reads/writes beyond sandbox
`~/Library/LaunchAgents/` persistence	Some sandbox profiles allow writing LaunchAgent plists
Login Items manipulation	Add login item pointing to payload outside sandbox
Shared container exploitation	Multiple apps sharing the same App Group container

向量	描述
打开/保存对话框滥用	用户通过对话框授予文件访问权限 → 宏可读写沙箱外的文件
`~/Library/LaunchAgents/` 持久化	部分沙箱配置允许写入LaunchAgent plist文件
登录项操纵	添加指向沙箱外payload的登录项
共享容器漏洞利用	多个应用共享同一个App Group容器

4.2 IPC-Based Escape

4.2 基于IPC的逃逸

IPC Mechanism	Escape Vector
XPC Services	Connect to privileged XPC service with insufficient client validation
Mach Ports	Obtain send right to privileged task port
Apple Events	Automate unsandboxed app to perform actions
Distributed Notifications	Signal unsandboxed helper to execute payload
Pasteboard	Write payload to pasteboard, have unsandboxed app consume it

IPC机制	逃逸向量
XPC服务	连接客户端校验不足的高权限XPC服务
Mach端口	获取高权限任务端口的发送权限
Apple Events	自动化操作未沙箱化的应用执行操作
分布式通知	通知未沙箱化的助手程序执行payload
剪贴板	写入payload到剪贴板，让未沙箱化的应用读取执行

4.3 Browser Sandbox

4.3 浏览器沙箱

Chromium: Multi-process model, renderer is sandboxed, browser process is not
Safari: WebContent process sandboxed, parent Safari process has more privileges
Exploit chain: renderer RCE → sandbox escape (via IPC bug to browser process) → system access

Chromium：多进程模型，渲染进程沙箱化，浏览器进程未沙箱化
Safari：WebContent进程沙箱化，父Safari进程拥有更多权限
利用链：渲染进程RCE → 沙箱逃逸（通过IPC漏洞访问浏览器进程） → 系统访问权限

5. CODE SIGNING & ENTITLEMENTS

5. 代码签名与权限

5.1 Inspecting Signatures and Entitlements

5.1 检查签名与权限

bash

codesign -dv --verbose=4 /path/to/app       # Signature details
codesign -d --entitlements :- /path/to/app   # Dump entitlements
security cms -D -i /path/to/mobileprovision  # Provisioning profile

bash

codesign -dv --verbose=4 /path/to/app       # Signature details
codesign -d --entitlements :- /path/to/app   # Dump entitlements
security cms -D -i /path/to/mobileprovision  # Provisioning profile

Verify signature validity

codesign --verify --deep --strict /path/to/app spctl --assess --type execute /path/to/app # Gatekeeper assessment

undefined

codesign --verify --deep --strict /path/to/app spctl --assess --type execute /path/to/app # Gatekeeper assessment

undefined

5.2 Entitlement Abuse for Privilege Escalation

5.2 权限滥用提权

Entitlement	Abuse Scenario
`com.apple.security.cs.disable-library-validation`	Load attacker dylib into entitled process
`com.apple.security.cs.allow-dyld-environment-variables`	DYLD_INSERT_LIBRARIES injection
`com.apple.security.get-task-allow`	Attach debugger, inject code
`com.apple.security.cs.debugger`	Debug any process
`com.apple.private.apfs.revert-to-snapshot`	Revert APFS snapshots, bypass modifications

权限	滥用场景
`com.apple.security.cs.disable-library-validation`	向拥有该权限的进程加载攻击者dylib
`com.apple.security.cs.allow-dyld-environment-variables`	通过DYLD_INSERT_LIBRARIES注入
`com.apple.security.get-task-allow`	附加调试器，注入代码
`com.apple.security.cs.debugger`	调试任意进程
`com.apple.private.apfs.revert-to-snapshot`	回滚APFS快照，绕过修改检测

5.3 Hardened Runtime Bypass

5.3 强化运行时绕过

Hardened Runtime prevents: DYLD env vars, debugging, unsigned memory execution. Bypasses:

Find entitled apps that weaken Hardened Runtime (
```
disable-library-validation
```
)
Exploit JIT-entitled apps (browsers, VMs) for unsigned code execution
Use
```
get-task-allow
```
entitled debug builds left in production

强化运行时禁止：DYLD环境变量、调试、未签名内存执行。绕过方法：

找到弱化了强化运行时的权限应用（
```
disable-library-validation
```
）
利用拥有JIT权限的应用（浏览器、虚拟机）执行未签名代码
使用生产环境中遗留的带有
```
get-task-allow
```
权限的调试构建版本

5.4 Library Validation Bypass

5.4 库验证绕过

Library validation ensures only Apple-signed or same-team-signed dylibs load.

bash

undefined

库验证确保仅加载苹果签名或同团队签名的dylib。

bash

undefined

Find apps with library validation disabled

codesign -d --entitlements :- /Applications/.app/Contents/MacOS/ 2>/dev/null |
grep -l "disable-library-validation"

---

codesign -d --entitlements :- /Applications/.app/Contents/MacOS/ 2>/dev/null |
grep -l "disable-library-validation"

---

6. PERSISTENCE AFTER BYPASS

6. 绕过之后的持久化

Method	Location	Survives Reboot	Notes
LaunchAgent	`~/Library/LaunchAgents/`	Yes	User-level, runs at login
LaunchDaemon	`/Library/LaunchDaemons/`	Yes	Root-level, runs at boot
Login Items	`~/Library/Application Support/com.apple.backgroundtaskmanagementagent/`	Yes	Visible in System Settings
Cron	`crontab -e`	Yes	Often overlooked by defenders
Dylib hijack	Writable dylib search path	Yes	Triggered when target app launches
Folder Action	`~/Library/Scripts/Folder Action Scripts/`	Yes	Triggers on folder events

方法	位置	重启后留存	备注
LaunchAgent	`~/Library/LaunchAgents/`	是	用户级，登录时运行
LaunchDaemon	`/Library/LaunchDaemons/`	是	root级，开机时运行
登录项	`~/Library/Application Support/com.apple.backgroundtaskmanagementagent/`	是	系统设置中可见
Cron	`crontab -e`	是	通常会被防御者忽略
Dylib劫持	可写的dylib搜索路径	是	目标应用启动时触发
文件夹动作	`~/Library/Scripts/Folder Action Scripts/`	是	文件夹事件触发

7. macOS SECURITY BYPASS DECISION TREE

7. macOS安全绕过决策树

Target is macOS endpoint
│
├── Need to execute untrusted binary?
│   ├── Quarantine attribute present?
│   │   ├── Yes → xattr -d com.apple.quarantine (§2.1)
│   │   └── No → execute directly
│   └── Gatekeeper still blocks?
│       ├── Signed but not notarized → right-click → Open override
│       └── Unsigned → embed in signed bundle or use archive tricks (§2.2)
│
├── Need access to TCC-protected resources?
│   ├── FDA-granted app available?
│   │   ├── Yes → exploit FDA app context (§1.3)
│   │   └── No ↓
│   ├── Automation permission obtainable?
│   │   ├── Yes → Apple Events to TCC-granted app (§1.3)
│   │   └── No ↓
│   ├── SIP disabled?
│   │   ├── Yes → direct TCC.db modification (§1.2)
│   │   └── No → check version-specific TCC bypass (→ TCC_BYPASS_MATRIX.md)
│   └── MDM present?
│       └── Compromised MDM → push PPPC profile (§1.3)
│
├── Need to bypass SIP?
│   ├── Check macOS version → historical SIP CVE? (§3.4)
│   ├── Find entitled Apple binary → piggyback SIP-bypass entitlement (§3.3)
│   └── Recovery Mode access? → csrutil disable (§3.2)
│
├── Need sandbox escape?
│   ├── Office macro context → dialog/LaunchAgent tricks (§4.1)
│   ├── XPC service with weak validation → IPC escape (§4.2)
│   └── Browser context → renderer → sandbox escape chain (§4.3)
│
├── Need to inject into signed process?
│   ├── disable-library-validation entitlement? → dylib injection
│   ├── allow-dyld-environment-variables? → DYLD_INSERT_LIBRARIES
│   ├── get-task-allow? → debugger attach
│   └── None → check macos-process-injection SKILL.md
│
└── Need persistence?
    └── Choose method by access level (§6)

目标为macOS终端
│
├── 需要执行未信任二进制?
│   ├── 存在隔离属性?
│   │   ├── 是 → xattr -d com.apple.quarantine (§2.1)
│   │   └── 否 → 直接执行
│   └── Gatekeeper仍然阻止?
│       ├── 已签名但未公证 → 右键 → 打开手动覆盖
│       └── 未签名 → 嵌入签名包或使用解压缩技巧 (§2.2)
│
├── 需要访问TCC保护资源?
│   ├── 有已获得FDA权限的应用可用?
│   │   ├── 是 → 利用FDA应用上下文 (§1.3)
│   │   └── 否 ↓
│   ├── 可获得自动化权限?
│   │   ├── 是 → 通过Apple Events操作已获得TCC权限的应用 (§1.3)
│   │   └── 否 ↓
│   ├── SIP已关闭?
│   │   ├── 是 → 直接修改TCC.db (§1.2)
│   │   └── 否 → 检查对应版本的TCC绕过方法 (→ TCC_BYPASS_MATRIX.md)
│   └── 存在MDM?
│       └── MDM已被攻陷 → 推送PPPC配置文件 (§1.3)
│
├── 需要绕过SIP?
│   ├── 检查macOS版本 → 存在历史SIP CVE? (§3.4)
│   ├── 找到带权限的苹果二进制程序 → 借用SIP绕过权限 (§3.3)
│   └── 可访问恢复模式? → csrutil disable (§3.2)
│
├── 需要沙箱逃逸?
│   ├── Office宏上下文 → 对话框/LaunchAgent技巧 (§4.1)
│   ├── 存在校验薄弱的XPC服务 → IPC逃逸 (§4.2)
│   └── 浏览器上下文 → 渲染进程 → 沙箱逃逸链 (§4.3)
│
├── 需要注入签名进程?
│   ├── 存在disable-library-validation权限? → dylib注入
│   ├── 存在allow-dyld-environment-variables权限? → DYLD_INSERT_LIBRARIES
│   ├── 存在get-task-allow权限? → 调试器附加
│   └── 无 → 参考macos-process-injection SKILL.md
│
└── 需要持久化?
    └── 根据访问级别选择方法 (§6)

8. QUICK REFERENCE: TOOL COMMANDS

8. 快速参考：工具命令

bash

undefined

bash

undefined

Enumerate TCC permissions

tccutil reset All # Reset all TCC (admin) sqlite3 TCC.db "SELECT * FROM access;" # Read TCC DB

Gatekeeper status

spctl --status # Gatekeeper enabled? spctl --assess -v /path/to/app # Check app assessment

SIP status

csrutil status

Find interesting entitlements across system

find /System/Applications /Applications -name "*.app" -exec sh -c
'codesign -d --entitlements :- "$1" 2>/dev/null | grep -q "disable-library-validation" && echo "$1"' _ {} ;

List loaded kexts (kernel extensions)

kextstat | grep -v com.apple

Sandbox profile inspection

sandbox-exec -p "(version 1)(allow default)" /bin/ls # Test sandbox rules

undefined

sandbox-exec -p "(version 1)(allow default)" /bin/ls # Test sandbox rules

undefined