This bug has been fixed in the Mojave beta, but it is still present in the latest High Sierra (10.13.5). It’s a logic bug: an entitled binary tries to load an insecure external library whose location is controllable via an environment variable. To exploit it we need to abuse the sandbox, which is interesting in that a mitigation can sometimes be turned into an exploit.
I occasionally noticed that Visual Studio Code was listening on a fixed TCP port 9333. After upgrading to 1.19.3, it’s gone.
So you have probably heard of Electron’s remote command injection vulnerability CVE-2018-1000006 in its custom protocol handler. It’s not too hard to reproduce the bug, since the proof of concept is easily found in the patch. Actually, an exploit has already been made public: Exploiting Electron RCE in Exodus wallet.
As a pentester, once you own a webshell you may need to get more access by running extra programs. But disable_functions may stop you from invoking system commands, and open_basedir was probably set as well. PHP doesn’t actually have a sandbox, so these restrictions have no effect on native code: if there is a bug that leads to code execution, the access control policies are broken. For example, this exploit abuses a use-after-free bug to bypass them.