Skip to content

Instantly share code, notes, and snippets.

@kenchan0130

kenchan0130/note.md

Last active December 19, 2017 13:49
Show Gist options
  • Save kenchan0130/12823fd78320e92d014ca33cb831bdb9 to your computer and use it in GitHub Desktop.
Save kenchan0130/12823fd78320e92d014ca33cb831bdb9 to your computer and use it in GitHub Desktop.
Download ZIP
maybe mas command vulnerability
Raw
note.md

Summary

I also thought that only administrators can install applications in /Applications. However, I have learned that a standard user can overthrow this premise without administrator privilege even if I restrict by profile.

Steps to Reproduce

First, prepare a Brewfile like this:

# Brewfile
mas 'xcode', id: 497799835

And execute the following command:

brew bundle

Then, we can install applications on App Store even the user without administrator privileges.

Expected Results

I hoped that I could not install the application if I restricted by the profile.

Observed Results

I have learned that a standard user can overthrow this premise without administrator privilege even if I restrict by profile.

Version

OS version: 10.12.6

brew version: 1.2.6-38-g2aa5674

Notes

Cause

The mas command is calling API with CommerceKit and StoreFoundation.

I think that a standard user can call some APIs of App Store.app with administrator privileges. Even if you restrict by profile, it will be meaningless.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment