Interesting macOS Chrome Browser Files

This blog takes a quick look at Chrome files on macOS that are not protected by TCC and can be read without root access. Because these files are not protected by TCC, any non-sandboxed macOS payload can access them without needing TCC permissions.

Chrome Files Not Protected by TCC

Note: Some Chrome files are locked while Chrome is running. However, as these files are not protected by TCC, you can simply copy the locked file to another location and read it there.

Keychains

A lot of good research has already been done around extracting Chrome cookies, for example:

Definitely check those blogs out for more info around Cookie extraction.

The user-level keychain databases themselves (e.g. ~/Library/Keychains/login.keychain-db or ~/Library/Keychains/login.keychain) are not protected by TCC. However, you do need the user's macOS password in order to read the sensitive contents of a keychain database (usernames, passwords, etc.). This presents an interesting attack path that still works on modern versions of macOS:

  1. Gain non-sandboxed remote access. Several payload options provide non-sandboxed access, including installer packages or shell scripts masqueraded as .app packages (e.g. CVE-2021-30657, which I reported to Apple and worked with them to validate the fix). Gatekeeper checks both file types for valid developer signatures and notarization when the com.apple.quarantine extended attribute is present, but the user can still Right Click → Open to run them.
  2. Prompt the user for credentials. This can be done via the on-disk osascript binary or programmatically (several open source projects demonstrate ways of doing each).
  3. Download the keychain database file.
  4. Use forensic tool chainbreaker (https://github.com/n0fate/chainbreaker) and provide the user’s password to access keychain contents.
  5. Generic password content, internet password content, keychain password hash, and other info is captured and displayed.
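The following is an added example from a detection standpoint and is not code from the original post. It turns the two observations above into a small triage rule: a process other than the expected readers opening or copying a user-level keychain or a locked Chrome profile file (the copy-then-read trick from the note near the top), and an osascript invocation that displays a password-style dialog (step 2). The event schema, the sample events and the allow-list of expected reader processes are all constructed assumptions for illustration; real EDR telemetry will need the field names and allow-list adjusted.

```python
"""Triage rule for the keychain/Chrome-file access path described in the post.

Added example, not from the original post. The event dictionaries, the
EXPECTED_READERS allow-list and the SAMPLE_EVENTS below are constructed
assumptions that stand in for real endpoint telemetry.
"""
import fnmatch
import os
import re

# Files the post identifies as readable without TCC: user-level keychains,
# plus Chrome profile files that are merely locked while Chrome runs.
SENSITIVE_GLOBS = [
    "*/Library/Keychains/login.keychain-db",
    "*/Library/Keychains/login.keychain",
    "*/Library/Application Support/Google/Chrome/*/Cookies",
    "*/Library/Application Support/Google/Chrome/*/Login Data",
]

# Processes that legitimately touch those files (assumed; tune per fleet).
EXPECTED_READERS = {"securityd", "Google Chrome", "Keychain Access", "mds", "backupd"}

# An osascript dialog that asks for a password (step 2 of the attack path).
PROMPT_RE = re.compile(r"display dialog.*(hidden answer|password)", re.IGNORECASE)


def classify_event(event):
    """Return a finding string if the event matches the rule, else None.

    event: dict with a 'type' of 'file_open', 'file_copy' or 'process_exec',
    a 'process' name/path, and either 'path' (file events) or 'cmdline'.
    """
    kind = event.get("type")
    proc = event.get("process", "")
    if kind in ("file_open", "file_copy"):
        path = event.get("path", "")
        # fnmatch's '*' spans '/' so a leading '*/' covers any home directory.
        hit = any(fnmatch.fnmatch(path, g) for g in SENSITIVE_GLOBS)
        if hit and os.path.basename(proc) not in EXPECTED_READERS:
            return f"{proc}: {kind} of sensitive file {path}"
    elif kind == "process_exec":
        cmd = event.get("cmdline", "")
        if os.path.basename(proc) == "osascript" and PROMPT_RE.search(cmd):
            return f"{proc}: password-style dialog via osascript"
    return None


def scan(events):
    """Run classify_event over a list of events; return the non-empty findings."""
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample telemetry: two benign events, three that should fire.
SAMPLE_EVENTS = [
    {"type": "file_open", "process": "securityd",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_copy", "process": "cp",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_copy", "process": "cp",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"type": "process_exec", "process": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Password:" with hidden answer\''},
    {"type": "process_exec", "process": "/usr/bin/osascript",
     "cmdline": "osascript -e 'tell application \"Finder\" to activate'"},
    {"type": "file_open", "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints three findings: the `cp` of the login keychain, the `cp` of the Chrome Cookies file, and the osascript password dialog; the securityd and Chrome reads and the harmless osascript call are ignored. The rule deliberately keys on the reading process rather than the file alone, because the files themselves are expected to be read by a handful of system processes all day long.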

Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens