The previous part of this write-up was about a local privilege escalation on
macOS 10.12.4. Two primitives are missing for it to be exploitable from the Safari
sandbox: We need an authorization token with the
right, as well as the ability to create symlinks in an arbitrary directory. Enter
/ ZDI-17-356, a logic issue in the
Apple Security framework that allows us to bypass the authorization sandbox, and CVE-2017-2534,
a quirky configuration of the Speech Synthesis service which allows us to
easily execute arbitrary code in its context.
This blog post explores a reference leak that occurs during the handling of shared arrary buffers by the structured clone algorithm. Coupled with a missing overflow check, it can be leveraged to achieve arbitrary code execution. Both issues were discovered by saelo and the corresponding bug report is available on Bugzilla.
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year’s Pwn2Own competition.
This article is about CVE-2017-2536 / ZDI-17-358, a classic integer
overflow while computing an allocation size, leading to a heap-based buffer overflow. It was introduced in
saelo in February. The PoC is short enough to fit into a tweet, and we have a fully
working exploit for Safari 10.1, so this is going to be fun!
Today we are writing about a use-after-free bug in Safari 10.0.3 that could be used to get remote code execution in the browser's renderer process. This article is part of a series of write-ups we plan to do about the bugs and exploits we used to break Safari and escalate to root privileges on an up-to-date MacBook Pro.
subscribe via Atom