Posts

Bypass macOS Rootless by Sandboxing

This bug has been fixed in the Mojave beta but is still present in the latest High Sierra (10.13.5). It is a logic bug: an entitled binary tries to load an insecure external library whose path is controllable through an environment variable. To exploit it we need to abuse the sandbox, which is interesting because it shows that a mitigation can sometimes be turned into an exploit.

Bypass PHP Safe Mode by Abusing SQLite3's FTS Tokenizer

As a pentester, once you own a webshell you may need to get more access by running extra programs. But disable_functions may stop you from invoking system commands, and open_basedir was probably set as well. PHP doesn't actually have a sandbox, so these restrictions have no effect on native code: if there is a bug that leads to code execution, the access control policies are broken. For example, this exploit abuses a use-after-free bug to bypass them.
