
Commit d4bc148

Merge pull request #2034 from HackTricks-wiki/research_update_src_macos-hardening_macos-security-and-privilege-escalation_macos-privilege-escalation_20260319_210607
Research Update Enhanced src/macos-hardening/macos-security-...
2 parents 84abd89 + ac2dc0a commit d4bc148

1 file changed

Lines changed: 45 additions & 0 deletions


src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md

@@ -260,6 +260,49 @@ chmod +x /Users/me/Library/Application\ Support/Target/helper
260260

261261
Combine with the **masquerading tricks above** to present a believable password dialog.
262262

263+
264+
### Privileged helper / XPC triage
265+
266+
A lot of modern third-party macOS privescs follow the same pattern: a **root LaunchDaemon** exposes a **Mach/XPC service** from **`/Library/PrivilegedHelperTools`**, then the helper either **doesn't validate the client**, validates it **too late** (PID race), or exposes a **root method** that consumes a **user-controlled path/script**. This is the bug class behind many recent helper bugs in VPN clients, game launchers and updaters.
267+
268+
Quick triage checklist:
269+
270+
```bash
271+
ls -l /Library/PrivilegedHelperTools /Library/LaunchDaemons
272+
plutil -p /Library/LaunchDaemons/*.plist 2>/dev/null | rg 'MachServices|Program|ProgramArguments|Label'
273+
for f in /Library/PrivilegedHelperTools/*; do
274+
echo "== $f =="
275+
codesign -dvv --entitlements :- "$f" 2>&1 | rg 'identifier|TeamIdentifier|com.apple'
276+
strings "$f" | rg 'NSXPC|xpc_connection|AuthorizationCopyRights|authTrampoline|/Applications/.+\.sh'
277+
done
278+
```
279+
280+
Pay special attention to helpers that:
281+
282+
- keep accepting requests **after uninstall** because the job stayed loaded in `launchd`
283+
- execute scripts or read configuration from **`/Applications/...`** or other paths writable by non-root users
284+
- rely on **PID-based** or **bundle-id-only** peer validation that may be raceable
285+
286+
For more details on helper authorization bugs check [this page](macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md).
287+
288+
### PackageKit script environment inheritance (CVE-2024-27822)
289+
290+
Until Apple fixed it in **Sonoma 14.5**, **Ventura 13.6.7** and **Monterey 12.7.5**, user-initiated installs via **`Installer.app`** / **`PackageKit.framework`** could execute **PKG scripts as root inside the current user's environment**. That means a package using **`#!/bin/zsh`** would load the attacker's **`~/.zshenv`** and run it as **root** when the victim installed the package.
291+
292+
This is especially interesting as a **logic bomb**: you only need a foothold in the user's account and a writable shell startup file, then you wait for any vulnerable **zsh-based** installer to be executed by the user. This does **not** generally apply to **MDM/Munki** deployments because those run inside the root user's environment.
293+
294+
```bash
295+
# inspect a vendor pkg for shell-based install scripts
296+
pkgutil --expand-full Target.pkg /tmp/target-pkg
297+
find /tmp/target-pkg -type f \( -name preinstall -o -name postinstall \) -exec head -n1 {} \;
298+
rg -n '^#!/bin/(zsh|bash)' /tmp/target-pkg
299+
300+
# logic bomb example for vulnerable zsh-based installers
301+
echo 'id > /tmp/pkg-root' >> ~/.zshenv
302+
```
303+
304+
If you want a deeper dive into installer-specific abuse, also check [this page](macos-files-folders-and-binaries/macos-installers-abuse.md).
305+
263306
### LaunchDaemon plist hijack (CVE-2025-24085 pattern)
264307

265308
If a LaunchDaemon plist or its `ProgramArguments` target is **user-writable**, you can escalate by swapping it then forcing launchd to reload:
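Review bot: the PackageKit fence mixes read-only inspection commands with a line that appends to the reader's own `~/.zshenv`, so anyone who pastes the block as a whole to triage a vendor pkg also plants `id > /tmp/pkg-root` in a shell startup file that then runs on every zsh launch until it is removed by hand; keep the `pkgutil` / `find` / `rg` inspection in its own block and put the logic-bomb line in a separate, clearly labelled one (or leave it commented out by default). Both the XPC triage checklist and the pkg inspection also depend on `rg`, which is not present on a stock macOS install, so a `grep -E` fallback would make the checklists usable on a machine without ripgrep.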
@@ -355,5 +398,7 @@ macos-files-folders-and-binaries/macos-sensitive-locations.md
355398

356399
- [Microsoft "Migraine" SIP bypass (CVE-2023-32369)](https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/)
357400
- [CVE-2025-24118 SMR credential race write-up & PoC](https://github.com/jprx/CVE-2025-24118)
401+
- [CVE-2024-27822: macOS PackageKit Privilege Escalation](https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html)
402+
- [CVE-2024-30165: AWS Client VPN for macOS Local Privilege Escalation](https://blog.emkay64.com/macos/CVE-2024-30165-finding-and-exploiting-aws-client-vpn-on-macos-for-local-privilege-escalation/)
358403

359404
{{#include ../../banners/hacktricks-training.md}}
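Review bot: the two new reference entries lead with the CVE id while the surrounding entries put it in parentheses after the title (`Microsoft "Migraine" SIP bypass (CVE-2023-32369)`), so the list now mixes two conventions; match the existing style. The CVE-2024-30165 write-up is also the concrete instance of the "VPN client" privileged-helper pattern described in the new triage section, yet nothing in the body links to it; a citation from that paragraph would tie the reference to the content it supports.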
