Netcat (nc) process prevented from connecting to the attacker's server.

Step 2: Bypass LuLu with Installed Applications

The bypass is made possible by weak file and directory permissions assigned to some third-party applications installed outside the App Store. Let's have a look at the file permissions of the Google Chrome browser, which was installed directly from Google via its DMG installer.

~$ ls -l /Applications/
drwxr-xr-x  3 root       admin  96B Jun 12 03:23 1Password ...
drwxr-xr-x  3 tokyoneon  admin  96B Jun  4 08:50 Google Chrome.app
(remaining entries, all owned by root, omitted)

Notice the Google Chrome app is owned by the user and not "root" like the other applications. And with another look at the ksfetch and GoogleSoftwareUpdateAgent rules in LuLu, we'll notice both binaries are in the /Users/$USER/Library/ directory. In addition to the files in the Chrome directory, these binaries can be modified by the user. To be clear, any files in /Users/$USER/Library/ and /Applications/Google\ Chrome.app/ are fair game for an attacker and easily modified.

The below command will override ksfetch with curl, which is not whitelisted in the LuLu firewall.

~$ cp /usr/bin/curl /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch

Despite curl not being whitelisted, an attacker can still access the internet this way. Ksfetch is used in this example, but GoogleSoftwareUpdateAgent and Google Chrome itself can be overridden and used to establish connections to a remote server or exfiltrate data. Overriding Chrome will, of course, break the browser's functionality. But at that point, an attacker would have already exfiltrated sensitive information. With this knowledge, we can set up reverse shell payloads and remotely control the Mac from anywhere.

The following example utilizes the tclsh command, which creates an interactive Bash-like shell the attacker can use to execute commands remotely. As a low-privileged user, the tclsh binary is copied over ksfetch, which completely overrides the file and its functionality. For good measure, the tclsh binaries and symlinks have been manually blocked in the firewall.

~$ cp /usr/bin/tclsh /Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch
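The condition this step relies on is an allow-list rule that trusts a binary by path while a non-root user can replace that file. The audit script below is an added example, not part of the original post or of LuLu: it flags allow-listed paths whose file or parent directory is not root-owned or is group/other-writable, and it assumes the paths come from a constructed sample list (a real run would feed the paths from the exported LuLu rules).

```bash
# Added example, not from the original post: flag allow-listed binaries that a
# non-root user could replace. The path list at the bottom is a constructed
# sample built from the paths the post discusses.
# mode_owner PATH -> "<10-char mode> <owner>"; ls is used because stat flags
# differ between macOS and Linux.
mode_owner() {
  ls -ld "$1" | awk '{print substr($1,1,10), $3}'
}
# weak PATH -> prints why a low-privileged user could replace PATH
# (not root-owned, or group/other-writable); prints nothing if it looks fine.
weak() {
  set -- "$1" $(mode_owner "$1")
  reason=""
  [ "$3" = "root" ] || reason="owner=$3"
  case "$2" in
    ?????w????|????????w?) reason="${reason:+$reason,}mode=$2" ;;
  esac
  printf '%s' "$reason"
}
# audit_path PATH -> prints OK / RISK / MISSING; returns 0 / 1 / 2.
# The parent directory is checked too: a writable directory lets the file be
# swapped by rename even when the file itself is root-owned and read-only.
audit_path() {
  p="$1"
  [ -e "$p" ] || { printf 'MISSING %s\n' "$p"; return 2; }
  rf=$(weak "$p"); rd=$(weak "$(dirname "$p")")
  if [ -n "$rf$rd" ]; then
    printf 'RISK %s (%s%s)\n' "$p" "${rf:+file:$rf }" "${rd:+dir:$rd}"
    return 1
  fi
  printf 'OK %s\n' "$p"
}
# audit_list reads one path per line from stdin; returns 1 if any path is RISK.
audit_list() {
  bad=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    audit_path "$p" || [ $? -eq 2 ] || bad=1
  done
  return "$bad"
}
# Constructed sample allow-list (paths from the post); the first two live under
# the user's home directory and will report RISK on a macOS host.
audit_list <<EOF || echo "allow-list trusts at least one user-replaceable binary"
/Users/$USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
/usr/bin/curl
EOF
```

A RISK line for a path the firewall allows is the signal to either move the rule to a signature-based one where the firewall supports it or to stop trusting that binary at all.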