07 Aug 2018
The challenge is to get a shell when the victim opens a Dash docset. Both Dash and Adobe Brackets are up to date. The intended solution actually involves no zero-day at all. This writeup from Team 217, Real World CTF 2018 — doc2own (in Traditional Chinese), is the expected solution.
18 Jun 2018
This bug has been fixed in the Mojave beta, but it is still present in the latest High Sierra (10.13.5). It is a logic bug: an entitled binary tries to load an insecure external library whose location is controllable through an environment variable. To exploit it we need to abuse the sandbox, which is interesting because it shows that a mitigation can sometimes be turned into an exploit.
/System/Library/PrivateFrameworks/CoreSymbolication.framework) has some private API for symbolication. When demangling Swift application symbols, it tries to load an external library in the following order:
16 Mar 2018
I happened to notice that Visual Studio Code was listening on a fixed TCP port, 9333. After upgrading to 1.19.3, it was gone.
➜ ~ netstat -an | grep 9333
tcp4 0 0 127.0.0.1.9333 *.* LISTEN
It looks like a bug that affects VSCode 1.19.0 through 1.19.2: the extension host process always runs in debug mode, because of an accidentally added
Actually this is not just a bug. It is exploitable.
28 Jan 2018
You have probably heard of Electron's remote command injection vulnerability CVE-2018-1000006 in the custom protocol handler. It is not hard to reproduce the bug, since the proof of concept is easily found in the patch. An exploit has already been made public: Exploiting Electron RCE in Exodus wallet.
Since there’s enough detail for the vulnerability itself, let’s talk about something else.
There are two quirks in the Win32 API ShellExecute that lead developers to misuse it, or even to vulnerabilities:
- The command line built from a URI association can be broken by non-encoded spaces, quotes, and backslashes in the URI
- It is possible to confuse an application into treating a local path as a valid URL, which leads to command execution
20 Jan 2016
As a pentester, once you own a webshell you may need to gain more access by running extra programs. But disable_functions may stop you from invoking system commands, and open_basedir was probably set as well. PHP does not actually have a sandbox, so these restrictions have no effect on native code: if there is a bug that leads to code execution, the access control policies are broken. For example, this exploit abuses a use-after-free bug to bypass them.