SKILL.md
## 1. TCC (TRANSPARENCY, CONSENT, CONTROL) OVERVIEW
TCC is macOS's permission framework controlling access to sensitive resources (camera, microphone, contacts, full disk access, etc.).
### 1.1 TCC Database Locations

| Database | Path | Controls | Protection |
|---|---|---|---|
| User-level | `~/Library/Application Support/com.apple.TCC/TCC.db` | Per-user consent decisions | SIP-protected since Catalina |
| System-level | `/Library/Application Support/com.apple.TCC/TCC.db` | System-wide consent decisions | SIP-protected |
| MDM-managed | Via configuration profiles | Push PPPC (Privacy Preferences Policy Control) | Device management |
```bash
# Query the TCC database (reading it requires FDA or SIP off)
# Big Sur and later store the decision in `auth_value` (0 = denied, 2 = allowed, 3 = limited);
# Catalina and earlier used a boolean `allowed` column instead.
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT service, client, auth_value FROM access;"
```
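Reading the raw table is only half the job; what a defender usually wants to know is which clients hold the grants that let one process inherit or drive another's access. The script below is an added example (not code from SKILL.md) that builds an in-memory SQLite database with a reduced copy of the TCC `access` table from constructed sample rows, then reports the clients holding Full Disk Access, Accessibility, Screen Recording or Automation; `audit_tcc_file()` runs the same audit against a copy of a real `TCC.db`. The reduced schema, the sample rows and the service-name list are this example's assumptions.

```python
"""Audit which clients hold high-impact TCC grants.

Added example, not code from SKILL.md. The `access` table here is a
reduced, constructed stand-in for the real one; column names follow the
Big Sur+ schema (`auth_value`, `client_type`, `indirect_object_identifier`).
"""
import sqlite3
from typing import Dict, List

# TCC service identifiers (values of the `service` column) whose grant is
# high impact because it can be inherited by children or used to drive other apps.
HIGH_IMPACT = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAppleEvents": "Automation (Apple Events)",
}
AUTH_ALLOWED = 2        # auth_value meaning the request was allowed
CLIENT_BUNDLE_ID = 0    # client_type 0 = bundle identifier, 1 = absolute path


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory DB with a reduced `access` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER, indirect_object_identifier TEXT)"
    )
    rows = [
        # service, client, client_type, auth_value, auth_reason, indirect_object_identifier
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, "UNUSED"),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backupagent", 0, 0, 2, "UNUSED"),
        ("kTCCServiceAppleEvents", "com.example.automator", 0, 2, 2, "com.apple.finder"),
        ("kTCCServiceCamera", "com.example.meetings", 0, 2, 2, "UNUSED"),
        ("kTCCServiceAccessibility", "/usr/local/bin/helper", 1, 2, 2, "UNUSED"),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    return conn


def audit_tcc(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Return {service label: [client descriptions]} for allowed high-impact grants."""
    findings: Dict[str, List[str]] = {}
    cur = conn.execute(
        "SELECT service, client, client_type, indirect_object_identifier"
        " FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,),
    )
    for service, client, client_type, target in cur:
        if service not in HIGH_IMPACT:
            continue
        desc = client
        if client_type != CLIENT_BUNDLE_ID:
            # Path-identified clients are not tied to a code signature; worth a second look.
            desc += " (path-identified client)"
        if service == "kTCCServiceAppleEvents" and target and target != "UNUSED":
            # For Automation the grant is per target app, recorded in indirect_object_identifier.
            desc += f" -> controls {target}"
        findings.setdefault(HIGH_IMPACT[service], []).append(desc)
    return findings


def audit_tcc_file(path: str) -> Dict[str, List[str]]:
    """Audit a copy of a real TCC.db (reading the live file needs FDA or a forensic image)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_tcc(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, clients in audit_tcc(build_sample_db()).items():
        print(f"{label}:")
        for entry in clients:
            print(f"  {entry}")
```

On the sample data the denied backup agent and the camera grant are not reported; Terminal's FDA, the Automation grant over Finder and the path-identified Accessibility client are, which is exactly the set section 1.3 describes as inheritable or abusable.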
### 1.2 TCC Bypass Categories

| Category | Mechanism | Typical Prerequisite |
|---|---|---|
| FDA app exploitation | Piggyback on apps already granted Full Disk Access | Write access to FDA app's bundle or plugin dir |
| Direct DB modification | Edit TCC.db to grant consent | SIP disabled or FDA |
| Inherited permissions | Child process inherits parent's TCC grants | Code execution in context of FDA-granted app |
| Automation abuse | Apple Events / osascript to control TCC-granted app | Automation permission (lower bar than direct TCC) |
| Mounting tricks | Mount a crafted disk image containing modified TCC.db | Local access, pre-Ventura |
| SQL injection in TCC | Malformed bundle IDs triggering SQL injection in TCC subsystem | CVE-2023-32364 and similar |
### 1.3 Known TCC Bypass Patterns

**Terminal / iTerm FDA inheritance:** Terminal.app granted FDA → any command run inherits FDA → read any file.

```bash
# If Terminal has FDA, this reads protected files directly
cat ~/Library/Mail/V*/MailData/Envelope\ Index
cat ~/Library/Messages/chat.db
```

**Finder automation:** Automate Finder (lower permission bar) to access files in protected locations.

```applescript
tell application "Finder"
    set f to POSIX file "/Users/target/Library/Mail/V9/MailData/Envelope Index"
    duplicate f to desktop
end tell
```

**System Preferences / System Settings injection:** Inject into a process that already has TCC permissions by writing to its Application Scripts folder.

**MDM profile abuse:** PPPC profiles can pre-approve TCC permissions. Rogue MDM enrollment or compromised MDM server → push PPPC payload.
## 2. GATEKEEPER BYPASS

Gatekeeper blocks unsigned or unnotarized apps from executing. Core enforcement depends on the `com.apple.quarantine` extended attribute: only files carrying it are assessed at launch.
### 2.1 Quarantine Attribute Removal

```bash
# Check quarantine attribute
xattr -l /path/to/app
# Output: com.apple.quarantine: 0083;...

# Remove quarantine (requires write access)
xattr -d com.apple.quarantine /path/to/app

# Recursive for app bundles
xattr -rd com.apple.quarantine /path/to/MyApp.app
```
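The `0083;...` value that `xattr -l` prints is a small structured record, and decoding it is routine triage when checking how a file arrived on a machine. The parser below is an added example, not code from SKILL.md: it splits the value into its flags, download timestamp, downloading agent and optional quarantine event UUID, and also pulls the entry out of a constructed `xattr -l` listing. The field layout (`flags;hex Unix time;agent;uuid`) is this example's reading of the attribute; Apple does not document every flag bit, so the flags are exposed raw rather than interpreted.

```python
"""Decode com.apple.quarantine attribute values.

Added example, not code from SKILL.md. Attribute layout assumed here:
    <flags, hex>;<download time, hex Unix seconds>;<agent name>;<event UUID>
The UUID field may be empty. All sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Quarantine:
    flags: int            # raw flag bits, e.g. 0x0083
    timestamp: datetime   # when the agent applied quarantine (UTC)
    agent: str            # application that downloaded the file
    event_uuid: Optional[str]   # LSQuarantineEvent id in the QuarantineEventsV2 DB, if any


def parse_quarantine(value: str) -> Quarantine:
    """Parse the raw value (what `xattr -p com.apple.quarantine <file>` prints)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)                       # ValueError on non-hex input
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, stamp, parts[2], uuid)


def is_valid_quarantine(value: str) -> bool:
    """True when the value parses; used to spot truncated or hand-edited attributes."""
    try:
        parse_quarantine(value)
        return True
    except ValueError:
        return False


def quarantine_from_xattr_listing(text: str) -> Optional[Quarantine]:
    """Pull the quarantine entry out of `xattr -l <file>` output; None if absent."""
    for line in text.splitlines():
        if line.startswith("com.apple.quarantine:"):
            return parse_quarantine(line.split(":", 1)[1])
    return None


def describe(q: Quarantine) -> str:
    return (f"downloaded by {q.agent} at {q.timestamp.isoformat()} "
            f"(flags 0x{q.flags:04x}, event {q.event_uuid or 'n/a'})")


# Constructed `xattr -l` output for a browser download.
SAMPLE_XATTR_L = """com.apple.lastuseddate#PS: 00 00 00 00 00 00 00 00
com.apple.quarantine: 0083;5f000000;Safari;3F2504E0-4F89-11D3-9A0C-0305E82C3301
"""

if __name__ == "__main__":
    q = quarantine_from_xattr_listing(SAMPLE_XATTR_L)
    print(describe(q) if q else "not quarantined")
```

A file whose listing has no `com.apple.quarantine` line was either never quarantined or had the attribute stripped, which is the case the rest of this section is about; the event UUID, when present, can be matched against the per-user QuarantineEventsV2 database for the original download URL.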
### 2.2 Bypass Techniques

| Technique | How It Works | macOS Version |
|---|---|---|
| `xattr -d` removal | Remove quarantine before execution | All (requires local access) |
| App translocation bypass | Apps in certain locations skip translocation | Pre-Catalina |
| Archive tools that strip quarantine | Some unarchiver apps don't propagate quarantine | Varies by tool |
| Unsigned code in signed bundle | Notarized app bundles with unsigned nested helpers | Pre-Ventura (CVE-2022-42821) |
| Safari auto-extract + open | Downloaded ZIP auto-extracted, app opened before quarantine fully applied | Safari-specific, patched |
| ACL abuse | `com.apple.quarantine` can be blocked by ACLs set before download | Requires pre-positioning |
| Disk image (DMG) tricks | DMG mounted from network share may not carry quarantine | Network share context |
| BOM (Bill of Materials) bypass | Crafted BOM in pkg skips quarantine for extracted files | CVE-2022-22616 |
### 2.3 Gatekeeper Check Flow

```text
App launched
│
├── com.apple.quarantine attribute present?
│   ├── No  → execute (no Gatekeeper check)
│   └── Yes ↓
│
├── Code signature valid?
│   ├── No  → block
│   └── Yes ↓
│
├── Notarized (stapled ticket or online check)?
│   ├── No  → block (Catalina+)
│   └── Yes → execute
│
└── User override? (right-click → Open → confirm)
    └── Bypasses Gatekeeper once for this app
```
## 3. SIP (SYSTEM INTEGRITY PROTECTION)

SIP restricts root from modifying protected system locations, loading unsigned kernel extensions, and debugging system processes.
### 3.1 SIP-Protected Locations

- `/System/`
- `/usr/` (except `/usr/local/`)
- `/bin/`
- `/sbin/`
- `/var/` (selected subdirs)
- `/Applications/` (pre-installed Apple apps)
### 3.2 SIP Status & Configuration

```bash
csrutil status                 # Check SIP status
csrutil disable                # Recovery Mode only
csrutil enable --without fs    # Partial disable (risky)
```
### 3.3 Entitlements That Bypass SIP

| Entitlement | Effect |
|---|---|
| `com.apple.rootless.install` | Write to SIP-protected paths |
| `com.apple.rootless.install.heritable` | Child processes inherit SIP bypass |
| `com.apple.security.cs.allow-unsigned-executable-memory` | JIT/unsigned code in memory |
| `com.apple.private.security.clear-library-validation` | Load unsigned libraries |
### 3.4 Historical SIP Bypasses

| CVE | macOS | Technique |
|---|---|---|
| CVE-2021-30892 (Shrootless) | Monterey pre-12.0.1 | system_installd + post-install script in signed pkg |
| CVE-2022-22583 | Monterey pre-12.2 | packagekit + mount point manipulation |
| CVE-2022-46689 (MacDirtyCow) | Ventura pre-13.1 | Race condition on copy-on-write, overwrite SIP files |
| CVE-2023-32369 (Migraine) | Ventura pre-13.4 | Migration Assistant TCC/SIP bypass via systemmigrationd |
| CVE-2024-44243 | Sequoia pre-15.2 | StorageKit daemon exploitation |
## 4. SANDBOX ESCAPE

macOS sandboxing (App Sandbox, via `sandbox-exec` or entitlements) restricts app access to the filesystem, network, and IPC.
### 4.1 Office Sandbox Escape Patterns

| Vector | Description |
|---|---|
| Open/Save dialog abuse | User grants file access via dialog → macro reads/writes beyond sandbox |
| `~/Library/LaunchAgents/` persistence | Some sandbox profiles allow writing LaunchAgent plists |
| Login Items manipulation | Add login item pointing to payload outside sandbox |
| Shared container exploitation | Multiple apps sharing the same App Group container |
### 4.2 IPC-Based Escape

| IPC Mechanism | Escape Vector |
|---|---|
| XPC Services | Connect to privileged XPC service with insufficient client validation |
| Mach Ports | Obtain send right to privileged task port |
| Apple Events | Automate unsandboxed app to perform actions |
| Distributed Notifications | Signal unsandboxed helper to execute payload |
| Pasteboard | Write payload to pasteboard, have unsandboxed app consume it |
### 4.3 Browser Sandbox

- Chromium: multi-process model; the renderer is sandboxed, the browser process is not
- Safari: WebContent process sandboxed; the parent Safari process has more privileges
- Exploit chain: renderer RCE → sandbox escape (via IPC bug to browser process) → system access
## 5. CODE SIGNING & ENTITLEMENTS

### 5.1 Inspecting Signatures and Entitlements

```bash
codesign -dv --verbose=4 /path/to/app             # Signature details
codesign -d --entitlements :- /path/to/app        # Dump entitlements
security cms -D -i /path/to/mobileprovision       # Provisioning profile

# Verify signature validity
codesign --verify --deep --strict /path/to/app
spctl --assess --type execute /path/to/app        # Gatekeeper assessment
```
### 5.2 Entitlement Abuse for Privilege Escalation

| Entitlement | Abuse Scenario |
|---|---|
| `com.apple.security.cs.disable-library-validation` | Load attacker dylib into entitled process |
| `com.apple.security.cs.allow-dyld-environment-variables` | `DYLD_INSERT_LIBRARIES` injection |
| `com.apple.security.get-task-allow` | Attach debugger, inject code |
| `com.apple.security.cs.debugger` | Debug any process |
| `com.apple.private.apfs.revert-to-snapshot` | Revert APFS snapshots, bypass modifications |
### 5.3 Hardened Runtime Bypass

Hardened Runtime prevents DYLD environment variables, debugging, and unsigned memory execution. Bypasses:

- Find entitled apps that weaken Hardened Runtime (`com.apple.security.cs.disable-library-validation`)
- Exploit JIT-entitled apps (browsers, VMs) for unsigned code execution
- Use `get-task-allow`-entitled debug builds left in production
### 5.4 Library Validation Bypass

Library validation ensures only Apple-signed or same-team-signed dylibs load.

```bash
# Find apps with library validation disabled.
# `grep -l` on a pipe only ever prints "(standard input)", so check each binary
# separately and echo its path on a match.
for bin in /Applications/*.app/Contents/MacOS/*; do
  codesign -d --entitlements :- "$bin" 2>/dev/null | grep -q "disable-library-validation" && echo "$bin"
done
```
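Grepping for one string finds one entitlement; an inventory across a fleet wants the whole plist classified. The script below is an added example (not code from SKILL.md) that parses a `codesign -d --entitlements :-` dump and flags every entitlement from sections 3.3, 5.2 and 5.3 that is actually enabled, so a defender can rank which installed apps most weaken SIP, Hardened Runtime or library validation. The sample dump is constructed; the concern text per entitlement is this example's wording, and `scan_app()` assumes it is run on macOS where `codesign` exists.

```python
"""Flag risky entitlements in a codesign entitlements dump.

Added example, not code from SKILL.md. `SAMPLE_DUMP` is a constructed
plist; `scan_app()` shells out to codesign and only works on macOS.
"""
import plistlib
import subprocess
from typing import Dict, List

# Entitlements from sections 3.3, 5.2 and 5.3, with the defender's concern for each.
RISKY: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation": "unsigned/third-party dylibs can load",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_INSERT_LIBRARIES is honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "JIT / unsigned code in memory",
    "com.apple.security.get-task-allow": "any local user can attach a debugger",
    "com.apple.security.cs.debugger": "can debug other processes",
    "com.apple.rootless.install": "writes to SIP-protected paths",
    "com.apple.rootless.install.heritable": "SIP bypass inherited by child processes",
    "com.apple.private.security.clear-library-validation": "library validation can be cleared",
    "com.apple.private.apfs.revert-to-snapshot": "can revert APFS snapshots",
}

# Constructed dump: library validation off and get-task-allow left enabled,
# DYLD env vars explicitly disabled, plus an unrelated sandbox entitlement.
SAMPLE_DUMP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <false/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(dump: bytes) -> dict:
    """Parse codesign output; tolerate a binary blob header before the XML."""
    start = dump.find(b"<?xml")
    if start < 0:
        raise ValueError("no plist found in entitlements dump")
    return plistlib.loads(dump[start:])


def risky_entitlements(ents: dict) -> List[str]:
    """Return 'entitlement: concern' for each risky entitlement that is enabled.

    A key set to <false/> is not a grant, so it is skipped; list-valued
    entitlements count as enabled when non-empty.
    """
    hits: List[str] = []
    for key, why in RISKY.items():
        val = ents.get(key)
        if val is True or (isinstance(val, list) and val):
            hits.append(f"{key}: {why}")
    return hits


def scan_app(path: str) -> List[str]:
    """Dump and classify a real binary's entitlements (macOS only)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=False,
    ).stdout
    return risky_entitlements(parse_entitlements(out)) if out.strip() else []


if __name__ == "__main__":
    for hit in risky_entitlements(parse_entitlements(SAMPLE_DUMP)):
        print(hit)
```

Apps that combine `disable-library-validation` with the Hardened Runtime are the ones the "entitled apps that weaken Hardened Runtime" bullet above refers to; on a fleet, feeding `scan_app()` the output of the `find` command in section 8 gives the prioritised list.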
## 6. PERSISTENCE AFTER BYPASS

| Method | Location | Survives Reboot | Notes |
|---|---|---|---|
| LaunchAgent | `~/Library/LaunchAgents/` | Yes | User-level, runs at login |
| LaunchDaemon | `/Library/LaunchDaemons/` | Yes | Root-level, runs at boot |
| Login Items | `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/` | Yes | Visible in System Settings |
| Cron | `crontab -e` | Yes | Often overlooked by defenders |
| Dylib hijack | Writable dylib search path | Yes | Triggered when target app launches |
| Folder Action | `~/Library/Scripts/Folder Action Scripts/` | Yes | Triggers on folder events |
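The first two rows of that table are also the first places a responder looks, and most entries there are legitimate, so the useful check is a triage that separates a vendor agent from a plist that launches a hidden binary through a shell. The script below is an added example, not code from SKILL.md: it parses launchd property lists with `plistlib`, applies a few location, interpreter and label heuristics of this example's own choosing, and treats "runs at load" as informational rather than suspicious on its own. Both sample plists are constructed; `triage_dir()` walks a real `LaunchAgents` or `LaunchDaemons` directory on a live system or image.

```python
"""Triage launchd property lists for defenders.

Added example, not code from SKILL.md. The heuristics (suspect paths,
interpreter launchers, non-reverse-DNS labels) are this example's own.
"""
import os
import plistlib
from typing import Dict, List

# Program locations an installer-placed agent normally does not use.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Volumes/")
# Interpreters commonly used to run an inline command from a plist.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/curl"}
AUTOSTART = "starts automatically (RunAtLoad/KeepAlive)"

# Constructed: a shell launcher pointing at a hidden directory, with a bare label.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
# Constructed: what a vendor agent typically looks like.
BENIGN_PLIST = {
    "Label": "com.example.syncagent",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/syncagent", "--daemon"],
    "RunAtLoad": True,
}


def sample_suspect() -> dict:
    return plistlib.loads(SUSPECT_PLIST)


def program_of(plist: dict) -> List[str]:
    """launchd accepts either Program or ProgramArguments; normalise to argv."""
    if "ProgramArguments" in plist:
        return list(plist["ProgramArguments"])
    if "Program" in plist:
        return [plist["Program"]]
    return []


def triage_launch_item(plist: dict) -> List[str]:
    """Return the reasons a plist deserves a closer look (empty list = nothing notable)."""
    reasons: List[str] = []
    argv = program_of(plist)
    if not argv:
        return ["no Program/ProgramArguments key"]
    exe = argv[0]
    # With an interpreter launcher the real program is somewhere in the arguments.
    targets = argv if exe in INTERPRETERS else [exe]
    for path in targets:
        if path.startswith(SUSPECT_PREFIXES) or "/." in path:
            reasons.append(f"program in suspicious or hidden location: {path}")
    if exe in INTERPRETERS:
        reasons.append(f"interpreter launcher: {' '.join(argv)}")
    label = str(plist.get("Label", ""))
    if "." not in label:
        reasons.append(f"label is not reverse-DNS: {label!r}")
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        reasons.append(AUTOSTART)
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """Autostart alone is normal for agents; any other finding warrants review."""
    return any(r != AUTOSTART for r in reasons)


def triage_dir(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a LaunchAgents/LaunchDaemons directory."""
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = triage_launch_item(plistlib.load(fh))
    return results


if __name__ == "__main__":
    for tag, plist in (("suspect", sample_suspect()), ("benign", BENIGN_PLIST)):
        found = triage_launch_item(plist)
        print(tag, "SUSPICIOUS" if is_suspicious(found) else "ok", found)
```

The same `triage_launch_item()` applies to the other plist-based rows (Login Items' background task management records are a different format and are not covered), and the cron row is the reminder that `crontab -l` for every user belongs in the same sweep.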
## 7. macOS SECURITY BYPASS DECISION TREE

```text
Target is macOS endpoint
│
├── Need to execute untrusted binary?
│   ├── Quarantine attribute present?
│   │   ├── Yes → xattr -d com.apple.quarantine (§2.1)
│   │   └── No  → execute directly
│   └── Gatekeeper still blocks?
│       ├── Signed but not notarized → right-click → Open override
│       └── Unsigned → embed in signed bundle or use archive tricks (§2.2)
│
├── Need access to TCC-protected resources?
│   ├── FDA-granted app available?
│   │   ├── Yes → exploit FDA app context (§1.3)
│   │   └── No ↓
│   ├── Automation permission obtainable?
│   │   ├── Yes → Apple Events to TCC-granted app (§1.3)
│   │   └── No ↓
│   ├── SIP disabled?
│   │   ├── Yes → direct TCC.db modification (§1.2)
│   │   └── No  → check version-specific TCC bypass (→ TCC_BYPASS_MATRIX.md)
│   └── MDM present?
│       └── Compromised MDM → push PPPC profile (§1.3)
│
├── Need to bypass SIP?
│   ├── Check macOS version → historical SIP CVE? (§3.4)
│   ├── Find entitled Apple binary → piggyback SIP-bypass entitlement (§3.3)
│   └── Recovery Mode access? → csrutil disable (§3.2)
│
├── Need sandbox escape?
│   ├── Office macro context → dialog/LaunchAgent tricks (§4.1)
│   ├── XPC service with weak validation → IPC escape (§4.2)
│   └── Browser context → renderer → sandbox escape chain (§4.3)
│
├── Need to inject into signed process?
│   ├── disable-library-validation entitlement? → dylib injection
│   ├── allow-dyld-environment-variables? → DYLD_INSERT_LIBRARIES
│   ├── get-task-allow? → debugger attach
│   └── None → check macos-process-injection SKILL.md
│
└── Need persistence?
    └── Choose method by access level (§6)
```
## 8. QUICK REFERENCE: TOOL COMMANDS

```bash
# TCC permissions
tccutil reset All                              # Reset all TCC decisions (admin)
sqlite3 TCC.db "SELECT * FROM access;"         # Read TCC DB (needs FDA or a copy)

# Gatekeeper status
spctl --status                                 # Gatekeeper enabled?
spctl --assess -v /path/to/app                 # Check app assessment

# SIP status
csrutil status

# Find interesting entitlements across system
find /System/Applications /Applications -name "*.app" -exec sh -c \
  'codesign -d --entitlements :- "$1" 2>/dev/null | grep -q "disable-library-validation" && echo "$1"' _ {} \;

# List loaded kexts (kernel extensions)
kextstat | grep -v com.apple                   # `kmutil showloaded` on Big Sur and later

# Sandbox profile inspection
sandbox-exec -p "(version 1)(allow default)" /bin/ls   # Test sandbox rules
```