Something About #realworldctf doc2own

The challenge is to get a shell when the victim opens a Dash docset. Both Dash and Adobe Brackets are up to date. The intended solution involves no zero-day at all. This writeup from Team 217, Real World CTF 2018 — doc2own (in Traditional Chinese), is the expected solution.


Bypass macOS Rootless by Sandboxing

This bug has been fixed in the Mojave beta, but it is still present in the latest High Sierra (10.13.5). It's a logic bug: an entitled binary tries to load an insecure external library from a path controllable by an environment variable. To exploit it we need to abuse the sandbox, which is interesting in that a mitigation can sometimes be turned into an exploit.

CoreSymbolication (/System/Library/PrivateFrameworks/CoreSymbolication.framework) has some private APIs for symbolication. When demangling Swift application symbols, it tries to load an external library from the following locations, in order:

  • /System/Library/PrivateFrameworks/Swift/libswiftDemangle.dylib
  • /Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib
  • /usr/lib/libswiftDemangle.dylib
  • ${xcselect_get_developer_dir_path()}/Toolchains/XcodeDefault.xctoolchain/usr/lib/libswiftDemangle.dylib

Visual Studio Code silently Fixed a Remote Code Execution Vulnerability

I occasionally noticed that Visual Studio Code was listening on a fixed TCP port 9333. After upgrading to 1.19.3, it’s gone.

➜ ~ netstat -an | grep 9333
tcp4 0 0 *.* LISTEN

It looks like a bug that affects VSCode 1.19.0~1.19.2: the extension process always runs in debug mode because of an accidentally added --inspect argument.

Actually this is not just a bug. It is exploitable.


Electron's Bug, ShellExecute to Blame?

So you have probably heard of Electron's remote command injection vulnerability CVE-2018-1000006 in its custom protocol handler. It's not too hard to reproduce the bug, since the proof of concept is easily found in the patch. In fact an exploit has already been made public: Exploiting Electron RCE in Exodus wallet.

Since there’s enough detail for the vulnerability itself, let’s talk about something else.


There are two quirks in the Win32 API ShellExecute that lead developers to misuse it, or even to vulnerabilities:

  • The URI association command line can be broken by unencoded spaces, quotes, and backslashes in the URI
  • It's possible to trick an application into treating a local path as a valid URL, which leads to command execution

Bypass PHP Safe Mode by Abusing SQLite3's FTS Tokenizer

As a pentester, once you own a webshell you may need to get more access by running extra programs. But disable_functions may stop you from invoking system commands, and open_basedir was probably set as well. PHP doesn't actually have a sandbox, so these restrictions have no effect on native code. If there is a bug that leads to code execution, the access control policies are broken. For example, this exploit abuses a use-after-free bug to bypass them.