

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

//execute 'path' (with 'args') as root; the wrapper's name is illustrative
OSStatus executeWithPrivileges(const char* path, char* const* args)
{
    AuthorizationRef authorizatioRef = NULL;
    OSStatus osStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                            kAuthorizationFlagDefaults, &authorizatioRef);
    if(errAuthorizationSuccess != osStatus)
    {
        NSLog(@"AuthorizationCreate() failed with %d", (int)osStatus);
        return osStatus;
    }
    //auth ref was created: run the binary with privileges (prompts the user)
    osStatus = AuthorizationExecuteWithPrivileges(authorizatioRef, path, 0, args, NULL);
    if(errAuthorizationSuccess != osStatus)
    {
        NSLog(@"AuthorizationExecuteWithPrivileges() failed with %d", (int)osStatus);
    }
    AuthorizationFree(authorizatioRef, kAuthorizationFlagDefaults);
    return osStatus;
}
```

After creating an AuthorizationRef authorization reference (via the AuthorizationCreate API), the example code invokes AuthorizationExecuteWithPrivileges, which will trigger an authentication dialog:

…assuming the user provides sufficient credentials, the binary (passed into the function via the path parameter) will be executed with elevated privileges!

Let’s dive a little deeper to understand what happens behind the scenes, as this will ultimately lead to the flaw in the API’s implementation.

Here, we have an overview of what goes on when a program (i.e. an installer) invokes the AuthorizationExecuteWithPrivileges API:

As shown in the above image, when an installer (or anybody else) wants to perform a privileged action via AuthorizationExecuteWithPrivileges:

1. It invokes the “authentication API” (i.e. AuthorizationExecuteWithPrivileges), which generates an XPC message to an “Authorization Daemon” (authd).
2. The daemon consults the authorization database and can decide “Ok - but need you to (re)authenticate first”, which results in another XPC message sent to the “Security Agent”.
3. This “Security Agent” displays the actual authentication dialog to the user.

Assuming valid authentication credentials are provided, the privileged action is allowed.

Let’s now take a closer look at the steps relevant to understanding the flaw.

When the AuthorizationExecuteWithPrivileges function is invoked, looking at its source code (see: libsecurity_authorization/lib/trampolineClient.cpp), we can see it first “externalizes” the authorization reference, via a call to the AuthorizationMakeExternalForm function:
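To illustrate what “externalizing” an authorization reference with AuthorizationMakeExternalForm involves, the following added example (not code from the original post, nor Apple's trampolineClient.cpp) converts a reference to its external form and rebuilds a reference from it with AuthorizationCreateFromExternalForm, as a receiving process would. The file name in the build comment is an assumption.

```objective-c
// Added example: round-trip an AuthorizationRef through its external form.
// Build (file name assumed): clang demo.m -framework Foundation -framework Security
#import <Foundation/Foundation.h>
#import <Security/Security.h>

int main(void)
{
    @autoreleasepool
    {
        AuthorizationRef authRef = NULL;
        AuthorizationRef importedRef = NULL;
        AuthorizationExternalForm extForm = {{0}};

        // create an empty authorization reference (no rights requested, no dialog)
        OSStatus status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                              kAuthorizationFlagDefaults, &authRef);
        if(errAuthorizationSuccess != status)
        {
            NSLog(@"AuthorizationCreate() failed with %d", (int)status);
            return 1;
        }

        // "externalize": serialize the reference into a fixed-size opaque blob
        // (kAuthorizationExternalFormLength bytes) that can be handed to another process
        status = AuthorizationMakeExternalForm(authRef, &extForm);
        if(errAuthorizationSuccess == status)
        {
            // log only the size: the bytes identify the authorization session,
            // so they should only travel over a channel other local processes cannot read
            NSLog(@"external form is %lu bytes", (unsigned long)sizeof(extForm.bytes));

            // what the receiving side does: rebuild a reference from the blob
            status = AuthorizationCreateFromExternalForm(&extForm, &importedRef);
            NSLog(@"AuthorizationCreateFromExternalForm() returned %d", (int)status);
        }
        else
        {
            NSLog(@"AuthorizationMakeExternalForm() failed with %d", (int)status);
        }

        // release both references; default flags leave any acquired rights intact
        if(NULL != importedRef) AuthorizationFree(importedRef, kAuthorizationFlagDefaults);
        AuthorizationFree(authRef, kAuthorizationFlagDefaults);
        return (errAuthorizationSuccess == status) ? 0 : 1;
    }
}
```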
