One-liner Safari Sandbox Escape Exploit

I am writing about a dead simple and reliable sandbox escape exploit which has only one line of code. Yeah, I am sure it's an exploit, not just a PoC. It has nothing to do with iOS, so please stop asking me anything about that.

CVE-2018-8412: MS Office 2016 for Mac Privilege Escalation via a Legacy Package

This issue affects Microsoft Office for Mac 2016 and SkypeForBusiness (16.17.0.65).

CVE-2018-4991: Adobe Creative Cloud Desktop Local Privilege Escalation via Signature Bypass

This write-up only covers macOS, but this issue may also affect the Windows version.

Something About #realworldctf doc2own

The challenge is to get a shell when the victim opens a Dash docset. Both Dash and Adobe Brackets are up to date. Actually, the intended solution involves no zero-day at all. This writeup from Team 217, Real World CTF 2018 — doc2own (in Traditional Chinese), is the expected solution.

Bypass macOS Rootless by Sandboxing

This bug has been fixed in the Mojave Beta, but it is still present in the latest High Sierra (10.13.5). It's a logic bug: an entitled binary tries to load an insecure external library controllable by an environment variable. To exploit it we need to abuse the sandbox, which is interesting in that sometimes a mitigation can be turned into an exploit.

Visual Studio Code silently Fixed a Remote Code Execution Vulnerability

I occasionally noticed that Visual Studio Code was listening on a fixed TCP port, 9333. After upgrading to 1.19.3, it's gone.