SKILL: macOS Security Bypass — Expert Attack Playbook

AI LOAD INSTRUCTION

Expert macOS security bypass techniques. Covers TCC bypass, Gatekeeper evasion, SIP restrictions, sandbox escape, and entitlement abuse. Base models miss version-specific bypass nuances and protection interaction effects.
0. RELATED ROUTING
Before going deep, consider loading:
macos-process-injection
when you need dylib injection, XPC exploitation, or Electron abuse after achieving initial access
linux-privilege-escalation
for Unix-layer privesc techniques that also apply to macOS (SUID, cron, writable paths)
linux-security-bypass
for shared Unix security bypass concepts
Advanced Reference
Also load
TCC_BYPASS_MATRIX.md
when you need:
Per-macOS-version TCC bypass mapping
Protection-type-specific techniques (Camera, Microphone, FDA, Automation)
MDM/configuration profile abuse patterns
1. TCC (TRANSPARENCY, CONSENT, CONTROL) OVERVIEW
TCC is macOS's permission framework controlling access to sensitive resources (camera, microphone, contacts, full disk access, etc.).
1.1 TCC Database Locations
Database
Path
Controls
Protection
User-level
~/Library/Application Support/com.apple.TCC/TCC.db
Per-user consent decisions
SIP-protected since Catalina
System-level
/Library/Application Support/com.apple.TCC/TCC.db
System-wide consent decisions
SIP-protected
MDM-managed
Via configuration profiles
Push PPPC (Privacy Preferences Policy Control)
Device management
-- Query TCC database (requires FDA or SIP off)
sqlite3
~
/
Library
/
Application\ Support
/
com
.
apple
.
TCC
/
TCC
.
db \
"SELECT service, client, allowed FROM access;"
1.2 TCC Bypass Categories
Category
Mechanism
Typical Prerequisite
FDA app exploitation
Piggyback on apps already granted Full Disk Access
Write access to FDA app's bundle or plugin dir
Direct DB modification
Edit TCC.db to grant consent
SIP disabled or FDA
Inherited permissions
Child process inherits parent's TCC grants
Code execution in context of FDA-granted app
Automation abuse
Apple Events / osascript to control TCC-granted app
Automation permission (lower bar than direct TCC)
Mounting tricks
Mount a crafted disk image containing modified TCC.db
Local access, pre-Ventura
SQL injection in TCC
Malformed bundle IDs triggering SQL injection in TCC subsystem
CVE-2023-32364 and similar
1.3 Known TCC Bypass Patterns
Terminal / iTerm FDA inheritance: Terminal.app granted FDA → any command run inherits FDA → read any file.

If Terminal has FDA, this reads protected files directly

cat

~/Library/Mail/V*/MailData/Envelope

\

Index

cat

~/Library/Messages/chat.db

Finder automation

Automate Finder (lower permission bar) to access files in protected locations.

tell

application

"Finder"

set

f

to

POSIX file

"/Users/target/Library/Mail/V9/MailData/Envelope Index"

duplicate f

to

desktop

end

tell

System Preferences / System Settings injection

Inject into a process that already has TCC permissions by writing to its Application Scripts folder.
MDM profile abuse: PPPC profiles can pre-approve TCC permissions. Rogue MDM enrollment or compromised MDM server → push PPPC payload. 2. GATEKEEPER BYPASS Gatekeeper blocks unsigned or unnotarized apps from executing. Core enforcement depends on the com.apple.quarantine extended attribute. 2.1 Quarantine Attribute Removal

Check quarantine attribute

xattr -l /path/to/app

Output: com.apple.quarantine: 0083;...

Remove quarantine (requires write access)

xattr -d com.apple.quarantine /path/to/app

Recursive for app bundles

xattr -rd com.apple.quarantine /path/to/MyApp.app 2.2 Bypass Techniques Technique How It Works macOS Version xattr -d removal Remove quarantine before execution All (requires local access) App translocation bypass Apps in certain locations skip translocation Pre-Catalina Archive tools that strip quarantine Some unarchiver apps don't propagate quarantine Varies by tool Unsigned code in signed bundle Notarized app bundles with unsigned nested helpers Pre-Ventura (CVE-2022-42821) Safari auto-extract + open Downloaded ZIP auto-extracted, app opened before quarantine fully applied Safari-specific, patched ACL abuse com.apple.quarantine can be blocked by ACLs set before download Requires pre-positioning Disk image (DMG) tricks DMG mounted from network share may not carry quarantine Network share context BOM (Bill of Materials) bypass Crafted BOM in pkg skips quarantine for extracted files CVE-2022-22616 2.3 Gatekeeper Check Flow App launched │ ├── com.apple.quarantine attribute present? │ ├── No → execute (no Gatekeeper check) │ └── Yes ↓ │ ├── Code signature valid? │ ├── No → block │ └── Yes ↓ │ ├── Notarized (stapled ticket or online check)? │ ├── No → block (Catalina+) │ └── Yes → execute │ └── User override? (right-click → Open → confirm) └── Bypasses Gatekeeper once for this app 3. SIP (SYSTEM INTEGRITY PROTECTION) SIP restricts root from modifying protected system locations, loading unsigned kernel extensions, and debugging system processes. 3.1 SIP-Protected Locations /System/ /usr/ (except /usr/local/) /bin/ /sbin/ /var/ (selected subdirs) /Applications/ (pre-installed Apple apps) 3.2 SIP Status & Configuration csrutil status

Check SIP status

csrutil disable

Recovery Mode only

csrutil enable --without fs

Partial disable (risky)

3.3 Entitlements That Bypass SIP Entitlement Effect com.apple.rootless.install Write to SIP-protected paths com.apple.rootless.install.heritable Child processes inherit SIP bypass com.apple.security.cs.allow-unsigned-executable-memory JIT/unsigned code in memory com.apple.private.security.clear-library-validation Load unsigned libraries 3.4 Historical SIP Bypasses CVE macOS Technique CVE-2021-30892 (Shrootless) Monterey pre-12.0.1 system_installd + post-install script in signed pkg CVE-2022-22583 Monterey pre-12.2 packagekit + mount point manipulation CVE-2022-46689 (MacDirtyCow) Ventura pre-13.1 Race condition on copy-on-write, overwrite SIP files CVE-2023-32369 (Migraine) Ventura pre-13.4 Migration Assistant TCC/SIP bypass via systemmigrationd CVE-2024-44243 Sequoia pre-15.2 StorageKit daemon exploitation 4. SANDBOX ESCAPE macOS sandboxing (App Sandbox, via sandbox-exec or entitlements) restricts app access to filesystem, network, and IPC. 4.1 Office Sandbox Escape Patterns Vector Description Open/Save dialog abuse User grants file access via dialog → macro reads/writes beyond sandbox ~/Library/LaunchAgents/ persistence Some sandbox profiles allow writing LaunchAgent plists Login Items manipulation Add login item pointing to payload outside sandbox Shared container exploitation Multiple apps sharing the same App Group container 4.2 IPC-Based Escape IPC Mechanism Escape Vector XPC Services Connect to privileged XPC service with insufficient client validation Mach Ports Obtain send right to privileged task port Apple Events Automate unsandboxed app to perform actions Distributed Notifications Signal unsandboxed helper to execute payload Pasteboard Write payload to pasteboard, have unsandboxed app consume it 4.3 Browser Sandbox Chromium: Multi-process model, renderer is sandboxed, browser process is not Safari: WebContent process sandboxed, parent Safari process has more privileges Exploit chain: renderer RCE → sandbox escape (via IPC bug to browser process) → system access 5. CODE SIGNING & ENTITLEMENTS 5.1 Inspecting Signatures and Entitlements codesign -dv --verbose = 4 /path/to/app

Signature details

codesign -d --entitlements :- /path/to/app

Dump entitlements

security cms -D -i /path/to/mobileprovision

Provisioning profile

Verify signature validity

codesign --verify --deep --strict /path/to/app spctl --assess --type execute /path/to/app

Gatekeeper assessment

5.2 Entitlement Abuse for Privilege Escalation Entitlement Abuse Scenario com.apple.security.cs.disable-library-validation Load attacker dylib into entitled process com.apple.security.cs.allow-dyld-environment-variables DYLD_INSERT_LIBRARIES injection com.apple.security.get-task-allow Attach debugger, inject code com.apple.security.cs.debugger Debug any process com.apple.private.apfs.revert-to-snapshot Revert APFS snapshots, bypass modifications 5.3 Hardened Runtime Bypass Hardened Runtime prevents: DYLD env vars, debugging, unsigned memory execution. Bypasses: Find entitled apps that weaken Hardened Runtime ( disable-library-validation ) Exploit JIT-entitled apps (browsers, VMs) for unsigned code execution Use get-task-allow entitled debug builds left in production 5.4 Library Validation Bypass Library validation ensures only Apple-signed or same-team-signed dylibs load.

Find apps with library validation disabled

codesign -d --entitlements :- /Applications/.app/Contents/MacOS/ 2

/dev/null | \ grep -l "disable-library-validation" 6. PERSISTENCE AFTER BYPASS Method Location Survives Reboot Notes LaunchAgent ~/Library/LaunchAgents/ Yes User-level, runs at login LaunchDaemon /Library/LaunchDaemons/ Yes Root-level, runs at boot Login Items ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ Yes Visible in System Settings Cron crontab -e Yes Often overlooked by defenders Dylib hijack Writable dylib search path Yes Triggered when target app launches Folder Action ~/Library/Scripts/Folder Action Scripts/ Yes Triggers on folder events 7. macOS SECURITY BYPASS DECISION TREE Target is macOS endpoint │ ├── Need to execute untrusted binary? │ ├── Quarantine attribute present? │ │ ├── Yes → xattr -d com.apple.quarantine (§2.1) │ │ └── No → execute directly │ └── Gatekeeper still blocks? │ ├── Signed but not notarized → right-click → Open override │ └── Unsigned → embed in signed bundle or use archive tricks (§2.2) │ ├── Need access to TCC-protected resources? │ ├── FDA-granted app available? │ │ ├── Yes → exploit FDA app context (§1.3) │ │ └── No ↓ │ ├── Automation permission obtainable? │ │ ├── Yes → Apple Events to TCC-granted app (§1.3) │ │ └── No ↓ │ ├── SIP disabled? │ │ ├── Yes → direct TCC.db modification (§1.2) │ │ └── No → check version-specific TCC bypass (→ TCC_BYPASS_MATRIX.md) │ └── MDM present? │ └── Compromised MDM → push PPPC profile (§1.3) │ ├── Need to bypass SIP? │ ├── Check macOS version → historical SIP CVE? (§3.4) │ ├── Find entitled Apple binary → piggyback SIP-bypass entitlement (§3.3) │ └── Recovery Mode access? → csrutil disable (§3.2) │ ├── Need sandbox escape? │ ├── Office macro context → dialog/LaunchAgent tricks (§4.1) │ ├── XPC service with weak validation → IPC escape (§4.2) │ └── Browser context → renderer → sandbox escape chain (§4.3) │ ├── Need to inject into signed process? │ ├── disable-library-validation entitlement? → dylib injection │ ├── allow-dyld-environment-variables? → DYLD_INSERT_LIBRARIES │ ├── get-task-allow? → debugger attach │ └── None → check macos-process-injection SKILL.md │ └── Need persistence? └── Choose method by access level (§6) 8. QUICK REFERENCE: TOOL COMMANDS

Enumerate TCC permissions

tccutil reset All

Reset all TCC (admin)

sqlite3 TCC.db "SELECT * FROM access;"

Read TCC DB

Gatekeeper status

spctl --status

Gatekeeper enabled?

spctl --assess -v /path/to/app

Check app assessment

SIP status

csrutil status

Find interesting entitlements across system

find /System/Applications /Applications -name "*.app" -exec sh -c \ 'codesign -d --entitlements :- "$1" 2>/dev/null | grep -q "disable-library-validation" && echo "$1"' _ { } \ ;

macos-security-bypass

安装