  • Pwn2Own: Safari sandbox part 2 – Wrap your way around to root

    The previous part of this write-up was about a local privilege escalation on macOS 10.12.4. Two primitives are missing for it to be exploitable from the Safari sandbox: an authorization token with the system.volume.internal.mount right, and the ability to create symlinks in an arbitrary directory. Enter CVE-2017-2535 / ZDI-17-356, a logic issue in the Apple Security framework that allows us to bypass the authorization sandbox, and CVE-2017-2534, a quirky configuration of the Speech Synthesis service which allows us to easily execute arbitrary code in its context.

  • Share with care: Exploiting a Firefox UAF with shared array buffers

    This blog post explores a reference leak that occurs during the handling of shared array buffers by the structured clone algorithm. Coupled with a missing overflow check, it can be leveraged to achieve arbitrary code execution. Both issues were discovered by saelo and the corresponding bug report is available on Bugzilla.

  • Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell

    Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year’s Pwn2Own competition.

  • Exploiting an integer overflow with array spreading (WebKit)

    This article is about CVE-2017-2536 / ZDI-17-358, a classic integer overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in 99ed479, which improved the way JavaScriptCore handled ECMAScript 6 spreading operations, and discovered by saelo in February. The PoC is short enough to fit into a tweet, and we have a fully working exploit for Safari 10.1, so this is going to be fun!

  • Pwn2Own 2017: UAF in JSC::CachedCall (WebKit)

    Today we are writing about a use-after-free bug in Safari 10.0.3 that could be used to get remote code execution in the browser's renderer process. This article is part of a series of write-ups we plan to do about the bugs and exploits we used to break Safari and escalate to root privileges on an up-to-date MacBook Pro.