• Attribution is hard — at least for Dock: A Safari sandbox escape & LPE

    This is a quick write-up of CVE-2019-8603, a heap out-of-bounds read in Dock and the com.apple.uninstalld service, which could lead to a controlled CFRelease call and escape the WebContent sandbox on macOS, ending up as root.

  • Non JIT Bug, JIT Exploit

    Today we have our first blog post about CVE-2019-0812 with an honored guest and friend: S0rryMyBad. There has traditionally not been a lot of collaboration between the Chinese researcher community and other researchers. However since we are both addicted to ChakraCore we have been able to exchange ideas around throughout the last months and we are happy to present this blogpost written together today. We hope this can maybe lead to even more collaboration in the future!

  • Exploiting a Safari information leak

    Today we have a quick write-up about an infoleak bug inside Safari that was fixed with the recent releases of macOS Mojave and iOS 12. This bug resulted in a powerful leak primitive that could make weak memory corruption bugs exploitable.

  • Fuzzing Counter-Strike: Global Offensive maps files with AFL

    RealWorldCTF 2018 had a really fun challenge called “P90 Rush B”, an allusion to a desparate tactic employed in the Valve game “Counter-Strike: Global Offensive”. It was about finding and exploiting a bug in the map file loader used by a CS:GO server. During the CTF, I exploited a stack buffer overflow that was later described well in a writeup by another team.

  • Better slow than sorry – VirtualBox 3D acceleration considered harmful

    UPDATE: Exploit code and HGCM/Chromium interface library now on Github.

  • This is fine: Vagrant guests can access the entire host filesystem

    When playing around with VirtualBox last September, I came across some curious behaviour which I initially thought was a pretty severe vulnerability in VirtualBox: When running an unprivileged program inside a box spawned using Vagrant, it can obtain read and write access to the entire filesystem of the host. Turns out it was not actually a VirtualBox bug, and more of a misconfiguration by Vagrant.

  • Pwn2Own: Safari sandbox part 2 – Wrap your way around to root

    The previous part of this write-up was about a local privilege escalation on macOS 10.12.4. Two primitives are missing for it to be exploitable from the Safari sandbox: We need an authorization token with the system.volume.internal.mount right, as well as the ability to create symlinks in an arbitrary directory. Enter CVE-2017-2535 / ZDI-17-356, a logic issue in the Apple Security framework that allows us to bypass the authorization sandbox, and CVE-2017-2534, a quirky configuration of the Speech Synthesis service which allows us to easily execute arbitrary code in its context.

  • Share with care: Exploiting a Firefox UAF with shared array buffers

    This blog post explores a reference leak that occurs during the handling of shared arrary buffers by the structured clone algorithm. Coupled with a missing overflow check, it can be leveraged to achieve arbitrary code execution. Both issues were discovered by saelo and the corresponding bug report is available on Bugzilla.

  • Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell

    Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year’s Pwn2Own competition.

  • Exploiting an integer overflow with array spreading (WebKit)

    This article is about CVE-2017-2536 / ZDI-17-358, a classic integer overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in 99ed479, which improved the way JavaScriptCore handled ECMAScript 6 spreading operations, and discovered by saelo in February. The PoC is short enough to fit into a tweet, and we have a fully working exploit for Safari 10.1, so this is going to be fun!

  • Pwn2Own 2017: UAF in JSC::CachedCall (WebKit)

    Today we are writing about a use-after-free bug in Safari 10.0.3 that could be used to get remote code execution in the browser's renderer process. This article is part of a series of write-ups we plan to do about the bugs and exploits we used to break Safari and escalate to root privileges on an up-to-date MacBook Pro.