Today we have a blogpost about a bug that led to RCE in ChakraCore that almost made it to its first birthday from the time I found it. The reason I never reported it is that Chakra did not get a new release for a long time and this bug was therefore never released as part of Edge. As I am independent, I could either still report it to MSRC and probably get a thank you email or just try to wait until it hits WIP to try to get a bounty. Unfortunately for me, it recently got patched once but I bypassed the patch the same day before the dev team killed it for good. Let’s dig into it :)
This is a quick write-up of CVE-2019-8603, a heap out-of-bounds read in Dock
and the com.apple.uninstalld
service, which could lead to a controlled CFRelease
call and escape the WebContent sandbox on macOS, ending up as root.
Today we have our first blog post about CVE-2019-0812 with an honored guest and friend: S0rryMyBad. There has traditionally not been a lot of collaboration between the Chinese researcher community and other researchers. However since we are both addicted to ChakraCore we have been able to exchange ideas around throughout the last months and we are happy to present this blogpost written together today. We hope this can maybe lead to even more collaboration in the future!
Today we have a quick write-up about an infoleak bug inside Safari that was fixed with the recent releases of macOS Mojave and iOS 12. This bug resulted in a powerful leak primitive that could make weak memory corruption bugs exploitable.
RealWorldCTF 2018 had a really fun challenge called “P90 Rush B”, an allusion to a desparate tactic employed in the Valve game “Counter-Strike: Global Offensive”. It was about finding and exploiting a bug in the map file loader used by a CS:GO server. During the CTF, I exploited a stack buffer overflow that was later described well in a writeup by another team.
UPDATE: Exploit code and HGCM/Chromium interface library now on Github.
When playing around with VirtualBox last September, I came across some curious behaviour which I initially thought was a pretty severe vulnerability in VirtualBox: When running an unprivileged program inside a box spawned using Vagrant, it can obtain read and write access to the entire filesystem of the host. Turns out it was not actually a VirtualBox bug, and more of a misconfiguration by Vagrant.
The previous part of this write-up was about a local privilege escalation on
macOS 10.12.4. Two primitives are missing for it to be exploitable from the Safari
sandbox: We need an authorization token with the system.volume.internal.mount
right, as well as the ability to create symlinks in an arbitrary directory. Enter
CVE-2017-2535
/ ZDI-17-356, a logic issue in the
Apple Security framework that allows us to bypass the authorization sandbox, and CVE-2017-2534,
a quirky configuration of the Speech Synthesis service which allows us to
easily execute arbitrary code in its context.
This blog post explores a reference leak that occurs during the handling of shared arrary buffers by the structured clone algorithm. Coupled with a missing overflow check, it can be leveraged to achieve arbitrary code execution. Both issues were discovered by saelo and the corresponding bug report is available on Bugzilla.
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year’s Pwn2Own competition.
This article is about CVE-2017-2536 / ZDI-17-358, a classic integer
overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in
99ed479
,
which improved the way JavaScriptCore handled ECMAScript 6 spreading operations, and discovered by
saelo in February. The PoC is short enough to fit into a tweet, and we have a fully
working exploit for Safari 10.1, so this is going to be fun!
Today we are writing about a use-after-free bug in Safari 10.0.3 that could be used to get remote code execution in the browser's renderer process. This article is part of a series of write-ups we plan to do about the bugs and exploits we used to break Safari and escalate to root privileges on an up-to-date MacBook Pro.
subscribe via Atom