Applications//BBEdit.app/Contents/PlugIns/Language Modules/ManPage.bblm/Contents/Resources/man2html.sh
Applications//VMware Fusion.app/Contents/Library/shares/adduser.sh
Applications//BBEdit.app/Contents/PlugIns/Language Modules/Python.bblm/Contents/SharedSupport/py_check_syntax.py
Applications//Hopper Disassembler v4.app/Contents/Resources/script_disassemble.py

The problem with these is that we don't know when they will be called; possibly it's not so frequent, so they are not ideal for persistence, as we want something that is always invoked when an application starts. There is a chance that you can find a frequently run script somewhere, but those would require checking one by one, which I didn't do. You could also go about infecting every possible script you find, increasing the chances of being executed. The question is if there are any other scripts that will always run, and the answer is yes.

Python3 Idle.app

Although it's probably not that common for people to install Python on a macOS system, as it's present by default, if they do, it contains the Idle.app editor. This application has an idlemain.py script in the Resources folder that is executed upon starting Idle. The app or the OS doesn't verify if the script was tampered with. I have two problems with this: one is that finding this app somewhere is very unlikely, the second is that as you have to install this, the folder permissions are set for root access only. Even if you persist, you will only maintain yourself as the user and not as root. So it's not that ideal, but it works if really needed.

Sublime

First, this is a very popular text editor application, so you are likely to find it somewhere. Second, you install it by drag & drop to the Applications folder, so the user has the rights to edit the script file.

system("osascript -e 'Tell application \"System Events\" to display dialog \"Message\"'")

You will get a prompt on Mojave to grant access, but you can add other code which would do something else to avoid this prompt, and even if you get it, an average user will just grant access. Sublime has a code signature and hash for this script; the reason macOS will not block tampering with the script was covered by Thomas Reed in his talk about "Code Signing flaw in macOS". In short, macOS will only verify the code signature upon first execution; anything that changes after that will be undetected.

If I run the same search on my private MacBook there are a whole lot of other apps that have scripts inside, and I found one particularly funny.

GOG.com

I used to buy games from GOG.com. I like that they are DRM free, I can back up the game, don't need to rely on online connectivity, etc… It turns out that they have a very interesting script in one of the main packages to launch games:

# GOGLauncher Script
FIND_GAME=`find game/ -type d -maxdepth 1 -name "*.app"`
xattr -r -d com.apple.quarantine "$FIND_GAME"
open "$FIND_GAME"

Stop for a minute and let the script sink in :) Here is what it does in human language: upon starting the launcher script, it will look for apps in the game/ folder, remove the quarantine attribute and launch the app with the open command. The open command would invoke Gatekeeper, but only if the attribute is not removed! What this means is that you can replace the game-to-be-launched with anything you want (!!!) and it will be executed, even if it has a quarantine flag set. This is a signed launcher which will launch code embedded within the app.

BUT! There is always a BUT! It is not as good as it looks at first sight. It will only do this if the application was already run once; if not, then the entire package, including the embedded game's file hashes, will be verified, because there is a list of all files in the Contents/_CodeSignature/CodeResources file, which can't be altered (although this is an XML plist file) as its hash is in the app's signature. This means that you can't use this launcher to bypass Gatekeeper in a generic way. (Yes, I spent some time to explore this option :))

Some good resources I found on code signing:
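Whether a bundled script still matches what the signature sealed can be checked the same way Gatekeeper does on first run: compare each file against the SHA-256 recorded in Contents/_CodeSignature/CodeResources. The following Python is an added example, not code from the post; it builds a constructed mini-bundle (a hand-written CodeResources plist standing in for codesign's output, not a real signature) and reports which sealed files were modified after the fact.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def verify_code_resources(contents_dir):
    """Check each sealed file in Contents/_CodeSignature/CodeResources against its SHA-256 on disk."""
    contents = Path(contents_dir)
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        seal = plistlib.load(fh)
    results = {}  # relative path -> "ok" | "modified" | "missing"
    for rel_path, entry in seal.get("files2", {}).items():
        # Nested code (frameworks, helpers) is sealed by cdhash, not a file hash; skip it.
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue
        target = contents / rel_path
        if not target.is_file():
            results[rel_path] = "ok" if entry.get("optional") else "missing"
            continue
        on_disk = hashlib.sha256(target.read_bytes()).digest()
        results[rel_path] = "ok" if on_disk == entry["hash2"] else "modified"
    return results

def build_demo_bundle(root):
    """Constructed stand-in for a signed app: a launcher script plus a CodeResources plist
    recording its hash the way codesign does (no real signature is involved)."""
    contents = Path(root) / "Demo.app" / "Contents"
    (contents / "Resources").mkdir(parents=True)
    (contents / "_CodeSignature").mkdir()
    script = contents / "Resources" / "launcher.sh"
    script.write_text('#!/bin/sh\nopen "$1"\n')
    body = script.read_bytes()
    seal = {"files2": {"Resources/launcher.sh": {
        "hash": hashlib.sha1(body).digest(), "hash2": hashlib.sha256(body).digest()}}}
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return contents

def demo():
    """Seal, verify, append one line to the script (post-first-launch tampering), verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        contents = build_demo_bundle(tmp)
        before = verify_code_resources(contents)
        with open(contents / "Resources" / "launcher.sh", "a") as fh:
            fh.write("echo injected\n")
        after = verify_code_resources(contents)
    return before, after  # ({...: "ok"}, {...: "modified"})
```

On a real bundle, point verify_code_resources at its Contents/ directory; note that `codesign --verify --deep --strict` additionally checks the signature over CodeResources itself, which this example does not.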