SKILL: macOS Security Bypass — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert macOS security bypass techniques. Covers TCC bypass, Gatekeeper evasion, SIP restrictions, sandbox escape, and entitlement abuse. Base models miss version-specific bypass nuances and protection interaction effects.
0. RELATED ROUTING
Before going deep, consider loading:
- macos-process-injection when you need dylib injection, XPC exploitation, or Electron abuse after achieving initial access
- linux-privilege-escalation for Unix-layer privesc techniques that also apply to macOS (SUID, cron, writable paths)
- linux-security-bypass for shared Unix security bypass concepts
Advanced Reference
Also load TCC_BYPASS_MATRIX.md when you need:
- Per-macOS-version TCC bypass mapping
- Protection-type-specific techniques (Camera, Microphone, FDA, Automation)
- MDM/configuration profile abuse patterns
1. TCC (TRANSPARENCY, CONSENT, CONTROL) OVERVIEW
TCC is macOS's permission framework controlling access to sensitive resources (camera, microphone, contacts, full disk access, etc.).
1.1 TCC Database Locations
| Database | Path | Controls | Protection |
|---|---|---|---|
| User-level | ~/Library/Application Support/com.apple.TCC/TCC.db | Per-user consent decisions | SIP-protected since Catalina |
| System-level | /Library/Application Support/com.apple.TCC/TCC.db | System-wide consent decisions | SIP-protected |
| MDM-managed | Via configuration profiles | Push PPPC (Privacy Preferences Policy Control) | Device management |
-- Query TCC database (requires FDA or SIP off)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
"SELECT service, client, allowed FROM access;"
1.2 TCC Bypass Categories
| Category | Mechanism | Typical Prerequisite |
|---|---|---|
| FDA app exploitation | Piggyback on apps already granted Full Disk Access | Write access to FDA app's bundle or plugin dir |
| Direct DB modification | Edit TCC.db to grant consent | SIP disabled or FDA |
| Inherited permissions | Child process inherits parent's TCC grants | Code execution in context of FDA-granted app |
| Automation abuse | Apple Events / osascript to control TCC-granted app | Automation permission (lower bar than direct TCC) |
| Mounting tricks | Mount a crafted disk image containing modified TCC.db | Local access, pre-Ventura |
| SQL injection in TCC | Malformed bundle IDs triggering SQL injection in TCC subsystem | CVE-2023-32364 and similar |
1.3 Known TCC Bypass Patterns
Terminal / iTerm FDA inheritance: Terminal.app granted FDA → any command run inherits FDA → read any file.
# If Terminal has FDA, this reads protected files directly
cat ~/Library/Mail/V*/MailData/Envelope\ Index
cat ~/Library/Messages/chat.db
Finder automation: Automate Finder (lower permission bar) to access files in protected locations.
tell application "Finder"
set f to POSIX file "/Users/target/Library/Mail/V9/MailData/Envelope Index"
duplicate f to desktop
end tell
System Preferences / System Settings injection: Inject into a process that already has TCC permissions by writing to its Application Scripts folder.
MDM profile abuse: PPPC profiles can pre-approve TCC permissions. Rogue MDM enrollment or compromised MDM server → push PPPC payload.
2. GATEKEEPER BYPASS
Gatekeeper blocks unsigned or unnotarized apps from executing. Core enforcement depends on the com.apple.quarantine extended attribute.
2.1 Quarantine Attribute Removal
# Check quarantine attribute
xattr -l /path/to/app
# Output: com.apple.quarantine: 0083;...
# Remove quarantine (requires write access)
xattr -d com.apple.quarantine /path/to/app
# Recursive for app bundles
xattr -rd com.apple.quarantine /path/to/MyApp.app
2.2 Bypass Techniques
| Technique | How It Works | macOS Version |
|---|---|---|
xattr -d removal | Remove quarantine before execution | All (requires local access) |
| App translocation bypass | Apps in certain locations skip translocation | Pre-Catalina |
| Archive tools that strip quarantine | Some unarchiver apps don't propagate quarantine | Varies by tool |
| Unsigned code in signed bundle | Notarized app bundles with unsigned nested helpers | Pre-Ventura (CVE-2022-42821) |
| Safari auto-extract + open | Downloaded ZIP auto-extracted, app opened before quarantine fully applied | Safari-specific, patched |
| ACL abuse | com.apple.quarantine can be blocked by ACLs set before download | Requires pre-positioning |
| Disk image (DMG) tricks | DMG mounted from network share may not carry quarantine | Network share context |
| BOM (Bill of Materials) bypass | Crafted BOM in pkg skips quarantine for extracted files | CVE-2022-22616 |
2.3 Gatekeeper Check Flow
App launched
│
├── com.apple.quarantine attribute present?
│ ├── No → execute (no Gatekeeper check)
│ └── Yes ↓
│
├── Code signature valid?
│ ├── No → block
│ └── Yes ↓
│
├── Notarized (stapled ticket or online check)?
│ ├── No → block (Catalina+)
│ └── Yes → execute
│
└── User override? (right-click → Open → confirm)
└── Bypasses Gatekeeper once for this app
3. SIP (SYSTEM INTEGRITY PROTECTION)
SIP restricts root from modifying protected system locations, loading unsigned kernel extensions, and debugging system processes.
3.1 SIP-Protected Locations
/System/
/usr/ (except /usr/local/)
/bin/
/sbin/
/var/ (selected subdirs)
/Applications/ (pre-installed Apple apps)
3.2 SIP Status & Configuration
csrutil status # Check SIP status
csrutil disable # Recovery Mode only
csrutil enable --without fs # Partial disable (risky)
3.3 Entitlements That Bypass SIP
| Entitlement | Effect |
|---|---|
com.apple.rootless.install | Write to SIP-protected paths |
com.apple.rootless.install.heritable | Child processes inherit SIP bypass |
com.apple.security.cs.allow-unsigned-executable-memory | JIT/unsigned code in memory |
com.apple.private.security.clear-library-validation | Load unsigned libraries |
3.4 Historical SIP Bypasses
| CVE | macOS | Technique |
|---|---|---|
| CVE-2021-30892 (Shrootless) | Monterey pre-12.0.1 | system_installd + post-install script in signed pkg |
| CVE-2022-22583 | Monterey pre-12.2 | packagekit + mount point manipulation |
| CVE-2022-46689 (MacDirtyCow) | Ventura pre-13.1 | Race condition on copy-on-write, overwrite SIP files |
| CVE-2023-32369 (Migraine) | Ventura pre-13.4 | Migration Assistant TCC/SIP bypass via systemmigrationd |
| CVE-2024-44243 | Sequoia pre-15.2 | StorageKit daemon exploitation |
4. SANDBOX ESCAPE
macOS sandboxing (App Sandbox, via sandbox-exec or entitlements) restricts app access to filesystem, network, and IPC.
4.1 Office Sandbox Escape Patterns
| Vector | Description |
|---|---|
| Open/Save dialog abuse | User grants file access via dialog → macro reads/writes beyond sandbox |
~/Library/LaunchAgents/ persistence | Some sandbox profiles allow writing LaunchAgent plists |
| Login Items manipulation | Add login item pointing to payload outside sandbox |
| Shared container exploitation | Multiple apps sharing the same App Group container |
4.2 IPC-Based Escape
| IPC Mechanism | Escape Vector |
|---|---|
| XPC Services | Connect to privileged XPC service with insufficient client validation |
| Mach Ports | Obtain send right to privileged task port |
| Apple Events | Automate unsandboxed app to perform actions |
| Distributed Notifications | Signal unsandboxed helper to execute payload |
| Pasteboard | Write payload to pasteboard, have unsandboxed app consume it |
4.3 Browser Sandbox
- Chromium: Multi-process model, renderer is sandboxed, browser process is not
- Safari: WebContent process sandboxed, parent Safari process has more privileges
- Exploit chain: renderer RCE → sandbox escape (via IPC bug to browser process) → system access
5. CODE SIGNING & ENTITLEMENTS
5.1 Inspecting Signatures and Entitlements
codesign -dv --verbose=4 /path/to/app # Signature details
codesign -d --entitlements :- /path/to/app # Dump entitlements
security cms -D -i /path/to/mobileprovision # Provisioning profile
# Verify signature validity
codesign --verify --deep --strict /path/to/app
spctl --assess --type execute /path/to/app # Gatekeeper assessment
5.2 Entitlement Abuse for Privilege Escalation
| Entitlement | Abuse Scenario |
|---|---|
com.apple.security.cs.disable-library-validation | Load attacker dylib into entitled process |
com.apple.security.cs.allow-dyld-environment-variables | DYLD_INSERT_LIBRARIES injection |
com.apple.security.get-task-allow | Attach debugger, inject code |
com.apple.security.cs.debugger | Debug any process |
com.apple.private.apfs.revert-to-snapshot | Revert APFS snapshots, bypass modifications |
5.3 Hardened Runtime Bypass
Hardened Runtime prevents: DYLD env vars, debugging, unsigned memory execution. Bypasses:
- Find entitled apps that weaken Hardened Runtime (
disable-library-validation) - Exploit JIT-entitled apps (browsers, VMs) for unsigned code execution
- Use
get-task-allowentitled debug builds left in production
5.4 Library Validation Bypass
Library validation ensures only Apple-signed or same-team-signed dylibs load.
# Find apps with library validation disabled
codesign -d --entitlements :- /Applications/*.app/Contents/MacOS/* 2>/dev/null | \
grep -l "disable-library-validation"
6. PERSISTENCE AFTER BYPASS
| Method | Location | Survives Reboot | Notes |
|---|---|---|---|
| LaunchAgent | ~/Library/LaunchAgents/ | Yes | User-level, runs at login |
| LaunchDaemon | /Library/LaunchDaemons/ | Yes | Root-level, runs at boot |
| Login Items | ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ | Yes | Visible in System Settings |
| Cron | crontab -e | Yes | Often overlooked by defenders |
| Dylib hijack | Writable dylib search path | Yes | Triggered when target app launches |
| Folder Action | ~/Library/Scripts/Folder Action Scripts/ | Yes | Triggers on folder events |
7. macOS SECURITY BYPASS DECISION TREE
Target is macOS endpoint
│
├── Need to execute untrusted binary?
│ ├── Quarantine attribute present?
│ │ ├── Yes → xattr -d com.apple.quarantine (§2.1)
│ │ └── No → execute directly
│ └── Gatekeeper still blocks?
│ ├── Signed but not notarized → right-click → Open override
│ └── Unsigned → embed in signed bundle or use archive tricks (§2.2)
│
├── Need access to TCC-protected resources?
│ ├── FDA-granted app available?
│ │ ├── Yes → exploit FDA app context (§1.3)
│ │ └── No ↓
│ ├── Automation permission obtainable?
│ │ ├── Yes → Apple Events to TCC-granted app (§1.3)
│ │ └── No ↓
│ ├── SIP disabled?
│ │ ├── Yes → direct TCC.db modification (§1.2)
│ │ └── No → check version-specific TCC bypass (→ TCC_BYPASS_MATRIX.md)
│ └── MDM present?
│ └── Compromised MDM → push PPPC profile (§1.3)
│
├── Need to bypass SIP?
│ ├── Check macOS version → historical SIP CVE? (§3.4)
│ ├── Find entitled Apple binary → piggyback SIP-bypass entitlement (§3.3)
│ └── Recovery Mode access? → csrutil disable (§3.2)
│
├── Need sandbox escape?
│ ├── Office macro context → dialog/LaunchAgent tricks (§4.1)
│ ├── XPC service with weak validation → IPC escape (§4.2)
│ └── Browser context → renderer → sandbox escape chain (§4.3)
│
├── Need to inject into signed process?
│ ├── disable-library-validation entitlement? → dylib injection
│ ├── allow-dyld-environment-variables? → DYLD_INSERT_LIBRARIES
│ ├── get-task-allow? → debugger attach
│ └── None → check macos-process-injection SKILL.md
│
└── Need persistence?
└── Choose method by access level (§6)
8. QUICK REFERENCE: TOOL COMMANDS
# Enumerate TCC permissions
tccutil reset All # Reset all TCC (admin)
sqlite3 TCC.db "SELECT * FROM access;" # Read TCC DB
# Gatekeeper status
spctl --status # Gatekeeper enabled?
spctl --assess -v /path/to/app # Check app assessment
# SIP status
csrutil status
# Find interesting entitlements across system
find /System/Applications /Applications -name "*.app" -exec sh -c \
'codesign -d --entitlements :- "$1" 2>/dev/null | grep -q "disable-library-validation" && echo "$1"' _ {} \;
# List loaded kexts (kernel extensions)
kextstat | grep -v com.apple
# Sandbox profile inspection
sandbox-exec -p "(version 1)(allow default)" /bin/ls # Test sandbox rules