// Reference code: checkAuthorization:command: as it appears in Apple's EvenBetterAuthorization sample source code
// Checks that the authorization blob sent by the client grants the right tied to `command`.
// Returns nil when the right is granted, otherwise an NSError in NSOSStatusErrorDomain.
// NOTE(review): nothing in the visible lines identifies the calling process; the result depends
// only on authData and on the rule the authorization database holds for the right.
1 - (NSError *)checkAuthorization:(NSData *)authData command:(SEL)command
2 {
3 ... // elided on the page; presumably the declarations of error, err, authRef and junk
4 error = nil;
5 if ( (authData == nil) || ([authData length] != sizeof(AuthorizationExternalForm)) ) { // reject a missing blob or one that is not exactly the external-form size
6 error = [NSError errorWithDomain:NSOSStatusErrorDomain code:paramErr userInfo:nil];
7 }
8
9 if (error == nil) {
10 err = AuthorizationCreateFromExternalForm([authData bytes], &authRef); // rebuild an AuthorizationRef from the client-supplied bytes
11
12 if (err == errAuthorizationSuccess) {
13 AuthorizationItem oneRight = { NULL, 0, NULL, 0 };
14 AuthorizationRights rights = { 1, &oneRight }; // a set holding exactly one right
15
16 oneRight.name = [[Common authorizationRightForCommand:command] UTF8String]; // right name is looked up from the command selector
17 assert(oneRight.name != NULL); // C assert: compiled out when NDEBUG is defined, so not a release-build check
18
// Ask whether authRef holds the right. The flags allow the right to be acquired on demand and
// the user to be prompted. The answer is decided by the right's rule in the authorization
// database: a rule of `allow` is granted without any authentication.
19 err = AuthorizationCopyRights(
20 authRef,
21 &rights,
22 NULL,
23 kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed,
24 NULL
25 );
26 }
27 if (err != errAuthorizationSuccess) { // covers a failure of either AuthorizationCreateFromExternalForm or AuthorizationCopyRights
28 error = [NSError errorWithDomain:NSOSStatusErrorDomain code:err userInfo:nil];
29 }
30 }
31
32 if (authRef != NULL) {
33 junk = AuthorizationFree(authRef, 0); // release the reference; the result is only checked by the assert below
34 assert(junk == errAuthorizationSuccess);
35 }
36
37 return error; // nil means the command is authorized
38 }
Decompiled Proxyman code, annotated with the matching line of the sample above:
if ((rax == 0x0) || ([r15 length] != 0x20)) goto loc_100001980; // is Line 7
rax = AuthorizationCreateFromExternalForm(rax, &var_30); // Is Line 10(err = AuthorizationCreateFromExternalForm([authData bytes], &authRef))
rax = [Common authorizationRightForCommand:r14]; // is Line 16(oneRight.name = [[Common authorizationRightForCommand:command] UTF8String];)
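rax = AuthorizationCopyRights(0x0, &var_40, 0x0, 0x3, 0x0); // is Line 19-25 (err = AuthorizationCopyRights(authRef, &rights, NULL, kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL);)
// 0x3 is kAuthorizationFlagInteractionAllowed (0x1) | kAuthorizationFlagExtendRights (0x2), matching the sample. The decompiler shows 0x0 where the sample passes authRef; this may be a decompiler artifact and should be checked against the disassembly.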
To find out which authorization rules the application has registered, look in the authorization database using sudo sqlite3 /var/db/auth.db
With the release of OS X Mavericks, /etc/authorization was removed in favor of a new authorization database, a SQLite database located at /var/db/auth.db. There is also an authorization.plist file in /System/Library/Security, which the OS uses as a template for a new /var/db/auth.db file if it detects on boot that /var/db/auth.db does not exist.

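The authorization right name is com.proxyman.NSProxy.HelperTool.overrideProxySystemPreferences; this is the name we use to query the authorization database and obtain the rule details. The output below has the form printed by `security authorizationdb read <right-name>`: the rule as a property list, followed by YES (0).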
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>636368507.56692803</real>
<key>default-prompt</key>
<dict>
<key></key>
<string>Proxyman is trying to override Proxy config in System Preferences.</string>
</dict>
<key>identifier</key>
<string>com.proxyman.NSProxy</string>
<key>modified</key>
<real>636368507.56692803</real>
<key>requirement</key>
<string>anchor apple generic and identifier "com.proxyman.NSProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3X57WP8E8V")</string>
<key>rule</key>
<array>
<string>allow</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
YES (0)
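So the rule for this right is set to allow, meaning that any caller is granted it and we don't need to authenticate as admin. In other words, the checkAuthorization step succeeds for any local user and is not a security boundary; on the helper side the fix is to register the right with a rule that requires admin authentication (kAuthorizationRuleAuthenticateAsAdmin in Apple's sample) and to verify the code signature of the connecting XPC client.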
The exploit compiled and ran successfully, obtaining the version via XPC.

