RealWorldCTF 2018 had a really fun challenge called “P90 Rush B”, an allusion to a desperate tactic employed in the Valve game “Counter-Strike: Global Offensive”. It was about finding and exploiting a bug in the map file loader used by a CS:GO server. During the CTF, I exploited a stack buffer overflow that was later described well in a writeup by another team.
The 3-d acceleration feature of VirtualBox has had a bit of a rough time this year. One could argue that technically this component might not be considered attack surface in VirtualBox, due to the big warning put out in the documentation recommending against its use (emphasis mine):
When playing around with VirtualBox last September, I came across some curious behaviour which I initially thought was a pretty severe vulnerability in VirtualBox: When running an unprivileged program inside a box spawned using Vagrant, it can obtain read and write access to the entire filesystem of the host. Turns out it was not actually a VirtualBox bug, and more of a misconfiguration by Vagrant.
The previous part of this write-up was about a local privilege escalation on macOS 10.12.4. Two primitives are missing for it to be exploitable from the Safari sandbox: We need an authorization token with the right, as well as the ability to create symlinks in an arbitrary directory. Enter / ZDI-17-356, a logic issue in the Apple Security framework that allows us to bypass the authorization sandbox, and CVE-2017-2534, a quirky configuration of the Speech Synthesis service which allows us to easily execute arbitrary code in its context.
This blog post explores a reference leak that occurs during the handling of shared array buffers by the structured clone algorithm. Coupled with a missing overflow check, it can be leveraged to achieve arbitrary code execution. Both issues were discovered by saelo and the corresponding bug report is available on Bugzilla.
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year’s Pwn2Own competition.
This article is about CVE-2017-2536 / ZDI-17-358, a classic integer overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in saelo in February. The PoC is short enough to fit into a tweet, and we have a fully working exploit for Safari 10.1, so this is going to be fun!
Today we are writing about a use-after-free bug in Safari 10.0.3 that could be used to get remote code execution in the browser's renderer process. This article is part of a series of write-ups we plan to do about the bugs and exploits we used to break Safari and escalate to root privileges on an up-to-date MacBook Pro.