21 Apr 2019
There’s a general bug type on macOS. When a privileged (or loosely sandboxed) user space process accepts an IPC message from an unprivileged or sandboxed client, it decides whether the operation is valid by enforcing code signature (bundle id, authority or entitlements). If such security check is based on process id, it can be bypassed via pid reuse attack.
13 Apr 2019
macOS Mojave 10.14.4 has patched two LPE flaws I reported:
They are both userspace XPC logic bugs, simple and reliable to get root privilege escalation, just like the Rootpipe. This writeup is for the command injection in TimeMachine diagnose extension, which affects 10.12.x-10.14.3.
Since this exploit is easy to understand and 100% reliable, please upgrade to 10.14.4 ASAP.
This talk revealed some very interesting LPE bugs found in diagnostic tool of the system: $hell on Earth: From Browser to System Compromise — Black Hat
So I started looking at these services:
26 Mar 2019
I am writing about a dead simple and reliable sandbox escape exploit which only have one line of code. Yeah I am sure it’s an exploit, not just PoC. It has nothing to do with iOS so please stop asking me anything about that.
The bug was refactored (or killed) before beta release of Mojave. The latest vulnerable version is macOS High Sierra 10.13.6 (17G65).
Since it’s part of a browser exploit chain you’ll need a renderer exploit to gain shellcode execution first. If not, disable SIP so you can debug, attach lldb to a running
com.apple.WebKit.WebContent.xpc and use the following command:
po CFPreferencesSetAppValue(@"Label", @"You know what should be put here", [(id)NSHomeDirectory() stringByAppendingPathComponent:@"Library/LaunchAgents/evil.plist"])
This line will generate a new plist under
~/Library/LaunchAgents. With the proper arguments you can launch a Calculator or anything you like after re-logging into system.
What the hell? Isn’t writing plist supposed to be blocked by sandbox?
22 Aug 2018
This issue affects Microsoft Office for Mac 2016, and SkypeForBusiness (22.214.171.124)
This report covers two main flaws:
- Code signature validation bypass
- Insecure installer module loading
22 Aug 2018
The patch was addressed in APSB18-12:
Adobe Security Bulletin
This write-up only covers macOS, but this issue may also affects Windows version.
Adobe Creative Cloud installs a daemon with root privilege:
It accepts XPC connections via
NSXPCConnection remote interface. There’s a method
SMJobBlessHelper class that is exposed to non-rooted processes. The messages are serialized in XML.