# MASTG-TECH-0111: Extracting Entitlements from MachO Binaries

Several tools can extract the entitlements embedded in iOS MachO binaries. This is useful during a security assessment because entitlements reveal the permissions and capabilities that have been granted to an app (for example whether a debugger may attach, or which keychain access groups it shares).
## Using rabin2

Use rabin2 to extract entitlements from a MachO binary with `rabin2 -OC <binary>`:

```bash
rabin2 -OC MASTestApp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>AYRP7NNB54.org.owasp.mastestapp.MASTestApp-iOS</string>
<key>com.apple.developer.team-identifier</key>
<string>AYRP7NNB54</string>
<key>get-task-allow</key>
<true/>
</dict>
</plist>
```
## Using ldid

Use ldid to extract entitlements from a MachO binary. The `-e` flag requests the entitlements, and `-A` selects the architecture to read them from (`16777228:0`, which is `CPU_TYPE_ARM64:CPU_SUBTYPE_ARM64_ALL`):

```bash
ldid -e -A16777228:0 iGoat-Swift.app/iGoat-Swift
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TNAJ496RHB.OWASP.iGoat-Swift</string>
<key>com.apple.developer.team-identifier</key>
<string>TNAJ496RHB</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TNAJ496RHB.OWASP.iGoat-Swift</string>
</array>
</dict>
</plist>
```
## Using ipsw

Use ipsw to extract entitlements from a MachO binary with `ipsw macho info -e`:

```bash
ipsw macho info -e iGoat-Swift.app/iGoat-Swift
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TNAJ496RHB.OWASP.iGoat-Swift</string>
<key>com.apple.developer.team-identifier</key>
<string>TNAJ496RHB</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TNAJ496RHB.OWASP.iGoat-Swift</string>
</array>
</dict>
</plist>
```
## Using codesign

Use codesign to extract entitlements from a MachO binary with `codesign -d --entitlements - <binary>`. Be sure to pass `-` as the argument to `--entitlements`; it tells codesign to write the entitlements to standard output instead of to a file:

```bash
codesign -d --entitlements - iGoat-Swift.app/iGoat-Swift
Executable=/Users/owasp/iGoat/Payload/iGoat-Swift.app/iGoat-Swift
[Dict]
    [Key] application-identifier
    [Value]
        [String] TNAJ496RHB.OWASP.iGoat-Swift
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] TNAJ496RHB
    [Key] get-task-allow
    [Value]
        [Bool] true
    [Key] keychain-access-groups
    [Value]
        [Array]
            [String] TNAJ496RHB.OWASP.iGoat-Swift
```
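All four tools above read the same data: the code-signature SuperBlob that `LC_CODE_SIGNATURE` points to, whose slot 5 (`CSSLOT_ENTITLEMENTS`, magic `0xfade7171`) holds the XML plist printed in the outputs. The following script, added here as an example and not code from MASTG or any of the tools named, re-implements that lookup for a thin little-endian 64-bit Mach-O and then flags the assessment-relevant `get-task-allow` key. The sample binary is constructed in memory (the entitlement values are copied from the rabin2 output above); `build_sample_macho`, `extract_entitlements` and `review_entitlements` are names chosen for this example. Fat binaries and the DER-encoded entitlements copy in slot 7 (`CSSLOT_DER_ENTITLEMENTS`) are out of scope and are not parsed.

```python
"""Locate and decode the XML entitlements blob inside a thin 64-bit Mach-O.

Added example: a minimal version of what rabin2 -OC, ldid -e, ipsw macho info -e
and codesign -d --entitlements - do when they print entitlements.
"""
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C              # == 16777228, the value in ldid -A16777228:0
MH_EXECUTE = 2
LC_CODE_SIGNATURE = 0x1D                 # linkedit_data_command: dataoff/datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic (big-endian on disk)
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5

# Constructed sample entitlements, values taken from the rabin2 output on this page.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "AYRP7NNB54.org.owasp.mastestapp.MASTestApp-iOS",
    "com.apple.developer.team-identifier": "AYRP7NNB54",
    "get-task-allow": True,
}


def extract_entitlements(data: bytes) -> dict:
    """Return the entitlements plist of a thin 64-bit Mach-O as a dict ({} if unsigned)."""
    magic, _cputype, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files not handled)")
    off, end = 32, 32 + sizeofcmds  # load commands start right after mach_header_64
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            return _entitlements_from_superblob(data[dataoff:dataoff + datasize])
        off += cmdsize
    return {}  # no LC_CODE_SIGNATURE: the binary is not signed


def _entitlements_from_superblob(blob: bytes) -> dict:
    """Walk the SuperBlob index and decode the CSSLOT_ENTITLEMENTS blob."""
    magic, length, count = struct.unpack_from(">3I", blob, 0)  # code-signature structs are big-endian
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(blob):
        raise ValueError("bad code-signature SuperBlob")
    for i in range(count):
        slot_type, slot_off = struct.unpack_from(">2I", blob, 12 + 8 * i)
        if slot_type != CSSLOT_ENTITLEMENTS:
            continue  # CodeDirectory, requirements, CMS signature: skip
        bmagic, blen = struct.unpack_from(">2I", blob, slot_off)
        if bmagic != CSMAGIC_EMBEDDED_ENTITLEMENTS:
            raise ValueError("entitlements slot has unexpected magic 0x%08x" % bmagic)
        return plistlib.loads(blob[slot_off + 8:slot_off + blen])
    return {}


def review_entitlements(ents: dict) -> list:
    """Assessment notes: get-task-allow lets a debugger attach, i.e. a development build."""
    findings = []
    if ents.get("get-task-allow") is True:
        findings.append("get-task-allow is true: debuggers may attach; not expected in a release build")
    if len(ents.get("keychain-access-groups", [])) > 1:
        findings.append("keychain items are shared across several access groups")
    return findings


def build_sample_macho(entitlements: dict, signed: bool = True) -> bytes:
    """Construct a tiny Mach-O carrying a code signature (test fixture, not a runnable executable)."""
    if not signed:
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, 0, 0)
    plist = plistlib.dumps(entitlements)
    ent_blob = struct.pack(">2I", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(plist)) + plist
    cd_blob = struct.pack(">2I", CSMAGIC_CODEDIRECTORY, 8)  # stub slot the parser must skip
    cd_off = 12 + 8 * 2                                      # header + two index entries
    ent_off = cd_off + len(cd_blob)
    superblob = (struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, ent_off + len(ent_blob), 2)
                 + struct.pack(">2I", CSSLOT_CODEDIRECTORY, cd_off)
                 + struct.pack(">2I", CSSLOT_ENTITLEMENTS, ent_off)
                 + cd_blob + ent_blob)
    lc_size = 16
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, lc_size, 0, 0)
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, lc_size, 32 + lc_size, len(superblob))
    return header + lc + superblob


if __name__ == "__main__":
    ents = extract_entitlements(build_sample_macho(SAMPLE_ENTITLEMENTS))
    for key, value in ents.items():
        print(f"{key} = {value!r}")
    for finding in review_entitlements(ents):
        print("!", finding)
```

To run it against a real app, replace the constructed fixture with `open("iGoat-Swift.app/iGoat-Swift", "rb").read()`; for a fat binary, first slice out the arm64 member (the same architecture selection that the `-A16777228:0` flag performs for ldid).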