made my own night mode

9 Feb 2026 20:13 | apple watch

It seemed a shame that the night mode on the latest WatchOS was so good yet we're stuck with the same display in sleep mode. So I made my own focus mode, used Shortcuts automations to make it activate with the sleep schedule and made a custom watch face in night mode.

[read more...]

Remotely executing shortcuts on iOS

6 Feb 2026 19:21 | apple | apple watch | iOS | iphone

This isn't an exploit, I just wanted to be able to execute a shortcut on iOS via a remote trigger. Specifically I wanted to dynamically change the complications on my Apple watch depending on context, for example if I have calendar events later today then show the calendar as a complication but if I don't then show something else.

[read more...]

Stateful workout shortcut

17 Jan 2026 20:52 | apple watch

I made a stateful shortcut for the Apple Watch Ultra action button: Stateful Workout Shortcut

It starts an outdoor walk workout and then enables the water lock to avoid humidity from my clothing causing unexpected inputs. Press the action button again and it stops the workout and disables the water lock.

Not sure why the action button works while water locked but it's very handy, I hope they don't change that.

[read more...]

How to run Tailscale on AWS Lambda

24 Jun 2025 18:41 | aws | tailscale

Just in case anyone thought I was joking about running Tailscale on AWS Lambda, this is how: aws-lambda-python312-tailscale

[read more...]

Tailscale ephemeral nodes as the ultimate MMORPG superweapon

22 Jun 2025 12:46 | aws | tailscale

People often talk about Tailscale but don't seem to mention its ephemeral nodes and their awesome power as an MMORPG weapon so I thought I'd address that. There are many MMORPGs but my all-time favourite is AWS which I play as an extremely stingy but also quite rich and entitled hacker. This character choice works well within the game dynamic as the object of the game is obviously to run your workload for as little financial outlay as possible.

The bog standard default way of running things on AWS is to use EC2, but one glance at the in-game pricing for this will make you quickly realise this is not a viable way to win. Managed services can sometimes be a good cost-effective alternative, but for those of us playing super stingy characters who just want their personal stuff to run for as close to free as possible, these too are usually unviable options. Serverless is therefore where the real action is at and how you can truly win at this game.

It's not without its limitations though and there are many crafty ways the game monetises its side channels and ancillary services in order to extract profit from the player. Take for example AWS Lambda, on the surface for smaller workloads this can be close to essentially free compute. That only works until you need a state store though, and depending on what you're doing pay-as-you-go DynamoDB can quickly add up to unacceptable costs. My in-game bill was recently creeping over the $5/month mark so I decided to have a think about my strategy and see if I could level up by levelling down my bill. The observant reader might wonder if hours of my time are really worth the potential cost savings here, all I can say is that some people will just never understand gaming.

[read more...]

How to run Tailscale on a Synology rt6600ax router

25 Feb 2025 09:00 | synology | security | tailscale

Steps for installing Tailscale on a Synology rt6600ax. The same steps will probably work on the 2600 but I haven't tried it.

1) SSH to the router as root

2) Retrieve the package for DSM7 / ARMv8:

[read more...]

Synology SRM 1.3.1, a thoughtful review of the latest software release

5 Feb 2025 00:00 | synology

Originally posted on the Synology Community forum.

It's great to see the new SRM release - 1.3.1 - has recently dropped. Although a minor update, apparently adding only optimisations to the network connectivity check mechanism, this is a testament to the stability and resiliency of the SRM software in that dramatic changes are no longer required in order for their products to continue to operate well.

Those of us with Synology routers may cast our minds back to the late summer of 2022 when SRM 1.3.1 was released, adding much-wanted VLAN support for the older devices including the RT2600ac router. This update was unfortunately slightly problematic, resulting in an additional update - 1.3.1 - being pushed out on the same day.

[read more...]

How to auto-refresh LetsEncrypt certificate on Synology routers

21 Jun 2024 09:08 | synology | security | letsencrypt

I've been manually monitoring and renewing it like a chump. Turns out it's trivially easy to automate the renewal:

```
curl https://gist.githubusercontent.com/m4rkw/6c9b65dcd4914e1aa03188d2b5d5c5b8/raw/09632a5be4dddf029916367dd9fa463cd3d3b9ae/gistfile1.txt -o /usr/local/bin/renew_cert.py
chmod 755 /usr/local/bin/renew_cert.py
```

[read more...]

Sim swap defence

16 Mar 2024 00:00 | security

Several organisations still support SMS for OTP, often making it mandatory, and even when it isn't mandatory as the primary 2FA method it's often still enabled as a fallback, leaving you vulnerable. An attacker will always take the easiest path, you may have a passkey set up or even a hardware fido token but if it's possible to revert to sms-based OTP then you're just as vulnerable to a sim-swap as you would be without these extra tokens.

[read more...]

Defending against iCloud takeover if your phone is stolen

24 Oct 2023 21:02 | iOS | iphone | security

Another security issue that's been rising in recent years is the advent of organised criminals shoulder-surfing iPhone passcodes in order to then later steal the phone and take over the iCloud account.

Unfortunate victims are then locked out of their account forever, losing precious iCloud data such as photos of their kids.

There are some steps you can take to protect yourself, such as using a longer/more complex passcode and being very careful where you type it to ensure nobody can see over your shoulder.

[read more...]

Defending against sim swap attacks

24 Oct 2023 20:46 | security

Although for most people it's pretty unlikely, the thought of getting sim-swapped is pretty scary.

This is where an attacker manages to convince your mobile carrier to transfer your number to a new sim card that they control. When this happens your original sim card will lose service and they will obtain your number - and any SMS OTP codes it's configured to receive.

Unfortunately despite many improvements in online security there are still several providers who either rely on SMS OTP or make it a mandatory fallback option if your primary OTP mechanism doesn't work. You're only as secure as the weakest link and nothing will stop an attacker from using the fallback mechanisms if they can't bypass your primary one.

[read more...]

Bye bye ProtonMail

8 Jun 2022 21:10 | email | security

I recently blogged about my ProtonMail issues, the weird glitches with their bridge IMAP interface and their apparent lack of care that it might be silently deleting customer data - proton-bridge issue #220

I have now finally gotten around to kicking ProtonMail out of my life and I could not be happier. Gone are the days of having to run some janky Go software just to get an unstable IMAP interface. Gone are randomly changing message UIDs invalidating backups. Gone is the totally batshit way that messages can become orphaned from any folder and not show up anywhere other than "All Mail".

Suddenly I have normal IMAP that works, it even works on iOS (!) and in the webmail I can operate on more than 50 messages at once. I can in fact perform a quick operation on the entire resultset of a search. Try doing that in Proton's webmail. I have lost hours of my life to messing around just trying to carry out basic operations on their platform and I'm so glad to be rid of it.

[read more...]

PSA: your ProtonMail backups might not be safe

5 Jun 2022 12:16 | email

I was a fan of the ProtonMail email service until I was casually linked to this issue while discussing something else:

proton-bridge issue #220

TL;DR message UIDs returned by proton-bridge are unstable and subject to change without UIDVALIDITY changing. This is not only bad because it violates the RFC but also because it can lead to data loss in at least a couple of scenarios:

[read more...]

LuLu firewall hardening

26 Feb 2022 21:21 | macOS | security

I'm a big fan of Patrick Wardle's free mac utilities but I noticed something odd about LuLu recently. It seems that it only filters egress traffic when LuLu.app is running. Since it normally runs as the local user rather than root, this makes it somewhat trivial for malware to defeat as it can simply kill the process and then connect to whatever it wants.

This can be mitigated by running the app as root, but since it's not installed root-owned the first thing to do is change that:

```
$ sudo chown -R root:wheel /Applications/LuLu.app/
```

[read more...]

Linux server hardening guide

23 Feb 2022 00:00 | security | linux

After working for some time as an engineer at a very security-obsessed company I decided it would be a good exercise to note down and organise all the things I've learned both at work and in my spare time related to Linux server security. This guide will focus on Linux in a server context but many of the ideas here are applicable to other systems.

The full guide is also available on GitHub: linux-server-hardening-guide

Guiding principles

[read more...]

TouchID over SSH part 2 - Secretive agent

19 Feb 2022 13:46 | macOS | security | touchID

For some time I've been using a hand-rolled solution for touchID over ssh which I previously blogged about. Up until recently it's been a somewhat loosely-compiled scattering of config that wasn't really in a releasable form but with a pending security talk on the horizon I thought it would be worth tidying it up and making it releasable so I could mention it in my talk.

That code can be found here: touchid-remote

However when I was compiling it I was under the impression that one of the tools it relies on - touch2sudo - was merely a standalone binary for authenticating sudo commands locally. I didn't realise that the author had also noted in the README that it's possible to use it over SSH. The solution presented there involves forwarding the local ssh agent over the SSH connection and then configuring touch2sudo as the askpass agent.

[read more...]

Restricting macOS egress with LuLu and Squid proxy

10 Feb 2022 20:55 | apple | macOS | security

Egress filtering is an immensely powerful security control but it's not so straightforward to do it well. If any malware manages to execute on your system one of the first things it's likely going to try to do is call home and establish a C2 channel. With effective egress filtering you can break this link in the attack chain and stop it dead in its tracks.

There are two well-known products which do egress filtering on macs - Little Snitch and LuLu. LuLu is made available by the awesome Patrick Wardle on his website - objective-see.com - along with a load of other very clever security tools.

This post is mostly going to discuss LuLu but the approach taken here may well work just as well with Little Snitch. LuLu is free and very cleverly made, it even allows you to configure regexes for web urls that applications are allowed to connect to. It does have one major limitation imposed by the operating system though which is mentioned on the website:

[read more...]

Getting back into blogging

10 Feb 2022 05:48 | security

It's been a while since I've blogged so I thought I'd get back into it with some security stuff. My dayjob has had a very heavy security focus for the last 3 years and it's infected my personal life too such that I'm now even more obsessed with security than I was before.

I recently wrote a first draft of a Linux server hardening guide: linux-server-hardening-guide and plan to start a mini-series soon which will go into some of those topics in further detail with example configs etc.

Watch this space!

[read more...]

Unlocking iOS devices with a Yubikey

8 Jul 2021 20:53 | apple | iOS

I love Yubikeys, they provide a very strong second factor for accounts and services that you care a lot about. I use them for all kinds of things but one thing I was quite excited to try was the Yubikey 5ci in static password mode.

Static password mode simply acts as a virtual keyboard, playing back a static sequence of characters over the connected interface (usually USB). I wasn't sure at first if this was supported over the lightning port but it turns out it is which is very cool.

Using static password mode to supply the entire password for something is a bad idea - if someone steals the key then they have the entire password and there's no way to protect it on the key. Plug it in, press the sensor and voila you've got the entire secret string. But using it in combination with a known passphrase is very powerful. I was quite excited about the idea of using this on iOS - a relatively simple password combined with a huge amount of extra entropy from the Yubikey as a salt.

[read more...]

How to use touchID for sudo remotely over ssh

18 Apr 2020 14:25 | macOS | security | touchID

TouchID on the mac is really cool. It's awesome being able to use it for sudo, but I thought it would be even more awesome if it could be used to authenticate sudo remotely over ssh.

I've made this work using touch2sudo - https://github.com/prbinu/touch2sudo which is a simple binary that when executed will show a touchID authentication

[read more...]

2020 Macbook Air: Carbon Copy Cloner vs the T2 chip

18 Apr 2020 11:53 | macOS

I love Carbon Copy Cloner, it is an awesome piece of software. I frequently rave about it to anyone who'll listen, it's so useful.

It does however seem to have been somewhat limited by the introduction of Apple's new T2 security chip. I recently purchased one of the new 2020 Macbook Airs - a great computer and my first mac with the T2 chip.

[read more...]

Cylance local protection seems a bit daft

25 Jul 2019 19:14 | macOS | security

On a mac if you set Cylance's "local protection" to "system" it seems to disallow all filesystem access to the CylanceSvc service's launchd plist file:

/Library/LaunchDaemons/com.cylance.agent_service.plist

This access is completely denied even to the root user. At first glance this

[read more...]

The real reason your iCloud Drive isn't syncing

9 Jul 2019 18:34 | apple | macOS

I recently had the logic board replaced in my 2017 Macbook Pro. I use the awesome Carbon Copy Cloner to keep an image of my system as a bootable backup which can then be easily restored when the machine is returned to me.

This time however I had some issues with iCloud Drive. After restoring the backup I found it wasn't syncing. I tried the usual troubleshooting steps: turn

[read more...]

hijacking sudo in real time

15 Aug 2018 22:03 | macOS | security

A while ago I posted about how sudo can be easily backdoored by dropping a fake sudo script into the user's PATH:

https://m4.rkw.io/blog/getting-root-without-an-exploit--stealth-sudo-backdoor.html

Another attack vector for sudo is monitoring the process list for invocations of

[read more...]

CVE-2017-15358 Local root privesc in Charles Proxy 4.2

30 Jul 2018 06:41 | macOS | security | exploits

Charles Proxy is a great mac application for debugging web services and inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a proxy so that it can capture the packets and use its custom root CA to decode the SSL.

[read more...]

2016-17 Macbook Pro keyboard recall

4 May 2018 07:38 | apple

Somebody started a petition asking Apple to recall the 2016 (and presumably 2017 since they're basically the same) macbook pros and fit them with a keyboard "that works":

https://www.change.org/p/apple-apple-recall-macbook-pro-w-defective-keyboard-replace-with-different-working-keyboard

[read more...]

CVE-2017-16512 Hashicorp vagrant-vmware-fusion v5.0.2-5.0.4 local root

28 Mar 2018 21:08 | macOS | security | exploits

Another Hashicorp bug that I've been sitting on since late last year. This one was exploitable only during the vagrant update process, or even if the user typed "vagrant plugin update" and there was no pending update.

It was possible for a rogue process on the system to subvert the upgrade process in a way the user was unlikely to notice in order to steal root privileges.

[read more...]

CVE-2017-16839 Hashicorp vagrant-vmware-fusion v5.0.4 local root

28 Mar 2018 21:03 | macOS | security | exploits

Another exploit for the now deprecated vagrant-vmware-fusion plugin. This one only works if VMware Fusion is not installed which is an unlikely scenario. However if this should occur then it's an easy root escalation so users should still update.

[read more...]

CVE-2017-16873 Hashicorp vagrant-vmware-fusion v4.0.25-5.0.4 local root

28 Mar 2018 07:22 | macOS | security | exploits

This issue was reported to Hashicorp on 16/11/17. At first they claimed it was low priority because it required local access, despite being a straight-to-root escalation. Then they conceded that this wasn't reasonable and said it was high priority and that they would address it.

It has taken until this week to get their fixes out, involving an entire rewrite

[read more...]

Minotaur, Fanotaur and Excavataur

31 Jan 2018 08:53 | cryptocurrency | mining

I have released three cryptocurrency mining projects:

  • Fanotaur: independently monitors Nvidia card temperatures and regulates fan speeds to keep them at a preset temperature.

  • Minotaur: derives calibrated hashrates and power limits from your devices for

[read more...]

Two local root privesc bugs in Arq Backup <= 5.10

29 Jan 2018 06:33 | macOS | security | exploits

Last year I found a couple more privilege escalation vectors in Arq Backup for Mac version 5.10. Both have now been fixed in the latest release.

The first is relatively simple - the arq_updater binary (which runs as root) takes a path argument for the url to retrieve an Arq update from in the format Arq.zip. We can simply specify an arbitrary path - eg file:///tmp/blah/Arq.zip -

[read more...]

protecting against unsafe use of screen/tmux

15 Dec 2017 09:35 | linux | macOS | security | bash

It occurred to me recently that a lot of people probably use screen or tmux in ways that leave an easy path to privilege escalation open. For example if you start a screen session as your local user and then escalate to root inside the screen session. As soon as you do that, anyone with access to the non-root account can simply resume the screen session and immediately be root.

[read more...]

macOS High Sierra 10.13.1 insecure cron system

6 Dec 2017 07:32 | macOS | security

Recently I was working on a security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was.

This presented an interesting challenge for privilege escalation - how would you

[read more...]

Murus Firewall 1.4.11 escalation hijack / root privesc

4 Dec 2017 12:23 | macOS | security | exploits

I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.

If a local attacker or malware is running as an admin user (ie has write access

[read more...]

Owning VirtualBox via MITM

30 Nov 2017 08:25 | macOS | security

VirtualBox is a virtualisation application written by Oracle that is quite popular presumably because it's free. I'm not a fan myself - if my mac locks up completely or kernel panics it's usually because I've loaded the vbox kernel extensions less than 10 minutes ago. I use VMware Fusion instead (which is fairly expensive but IMO worth the money) and have a ritual whereby if I've had to load the vbox kernel extensions for work-related reasons I will reboot the machine

[read more...]

Escalation hijacking on macs

29 Nov 2017 21:04 | macOS | security

With all the hype today about the blank-password root bug in High Sierra I thought I'd write a quick post about escalation hijacking on macOS and how common it is for software to be vulnerable to this.

Consider the case of malware gaining execution on a mac. This is pretty bad to begin with but it's all the worse if the malware obtains root access. Even

[read more...]

CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7

29 Nov 2017 19:09 | macOS | security | exploits

As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various cloud providers.

After reversing the inter-app protocol I discovered that the path to the

[read more...]

CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6

29 Nov 2017 19:02 | macOS | security | exploits

Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suid bit and root ownership on itself but it suffers from a race condition that allows you to

[read more...]

CVE-2017-16777 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.3

15 Nov 2017 08:21 | macOS | security | exploits

Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's a straight to root privesc with no user interaction so isn't the kind of thing that should be shipping with any software.

[read more...]

CVE-2017-16001 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.1

3 Nov 2017 08:21 | macOS | security | exploits

I recently blogged about how the installation process of version 5.0.0 of this plugin could be hijacked by a local attacker or malware in order to escalate privileges to root. Hashicorp pushed some mitigations for this issue fairly quickly but unfortunately 5.0.1 is still exploitable with a slightly different approach.

[read more...]

CVE-2017-15918 Sera 1.2 local root privesc and password disclosure

31 Oct 2017 08:20 | macOS | security | exploits

Sera is a free app for mac and iOS that lets you unlock your mac automatically when your iphone is within a configured proximity.

Unfortunately to facilitate this it stores the users login password in their home directory at:

[read more...]

CVE-2017-15884 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.0

28 Oct 2017 12:32 | macOS | security | exploits

After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned ruby code that gets executed as root by the sudo helper is no more and the sudo helper itself is one static Go binary with tightly-controlled parameters that can't (as far as I can tell) be exploited on its own.

[read more...]

How to make macOS Spotlight fuck the fuck off and do your bidding

24 Oct 2017 12:27 | macOS

Recently I had a recurring problem where I would see mdworker running at high CPU every 5 minutes or so for no apparent reason. Internet searches reveal loads of people with the same problem and lots of witchcrafty ways to try to resolve it that often don't work.

This is how I fixed it. The problem seems to occur because something is

[read more...]

MacOS sudo wtf

19 Oct 2017 22:55 | macOS | security

I've just discovered something totally batshit about sudo on macOS.

Spot the difference..

Linux:

[read more...]

Getting root without an exploit - stealth sudo backdoor

19 Oct 2017 21:59 | macOS | security | exploits

I've published several root privilege escalation bugs this year in various Mac applications. I decided to see how difficult it would be to escalate privileges on a machine without actually using an exploit. Having access to a local account with sudo rights gives us an enormous attack surface for escalation.

Many of the dotfiles, which are nearly always user-writable for obvious reasons,

[read more...]

CVE-2017-12579 Local root privesc in Hashicorp vagrant-vmware-fusion 4.0.24

18 Oct 2017 08:11 | macOS | security | exploits

I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant.

Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release - 4.0.24 - after that (but didn't update the public changelog on github).

[read more...]

Security fix for InsomniaX 2.1.8

14 Oct 2017 12:44 | security | macOS

InsomniaX by Andrew James - http://semaja2.net - is really handy if you want to leave your macbook running with the lid closed.

Unfortunately back in June of this year a security vulnerability in the loader binary was disclosed that allows the loading of any arbitrary kernel extension as a non-root user.

[read more...]

Exploit mitigation patch for Hashicorp vagrant-vmware-fusion 4.0.24

4 Aug 2017 12:15 | macOS | security

During recent months I have published two CVEs documenting root privilege escalation vulnerabilities in the Hashicorp vagrant-vmware-fusion plugin.

Version 4.0.24 is now released which addresses those bugs, but it still depends on an suid root binary being present in order for vagrant to communicate with VMWare.

[read more...]

CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

2 Aug 2017 06:49 | macOS | security | exploits

A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html

The initial patch they released was 4.0.21 which unfortunately contained a bug

[read more...]

CVE-2017-7642 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.20

15 Jul 2017 06:57 | macOS | security | exploits

I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre.

Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning the ruby code into bytecode and executing it directly.

[read more...]

Get more battery life out of your 2016 Macbook Pro

26 May 2017 08:10 | macOS

The new macbook pros are divisive in many ways, not least of which is the reportedly less than stellar battery life compared to the previous generation. I bought the escape version which has innately better battery life than the touchbar version, but opted for the i7. My strategy in the past has always been to max the spec as much as I can afford so the machine will last a long time but this time around there isn't a huge difference in performance between the i5 and

[read more...]

Enjoy the Cylance

11 May 2017 22:08 | security | macOS

I blogged about Cylance a couple of times earlier this year after testing their endpoint security product CylancePROTECT on MacOS. I ended up deleting both blog posts shortly after posting them because I was concerned about inaccuracies in the original post and wanted to give Cylance a chance to respond to the issues I raised.

[read more...]

sudolikeaboss allows password theft

3 May 2017 13:12 | security | exploits | macOS

sudolikeaboss is a neat little program that acts as a command-line interface to 1Password Pro, effectively giving you a way to use 1password with the terminal.

This is useful but it does come with a security tradeoff as any application running in the context of the user can potentially steal passwords if 1password is in an unlocked state.

[read more...]

CVE-2017-7690 Local root privesc in Proxifier for Mac 2.19

11 Apr 2017 20:57 | security | exploits | macOS

With CVE-2017-7643 I disclosed a command injection vulnerability in the KLoader binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result.

[read more...]

CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18

10 Apr 2017 21:19 | security | exploits | macOS

Proxifier 2.18 (also 2.17 and possibly some earlier versions) ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and unload Proxifier's kernel extension.

Unfortunately it does this by taking the first parameter passed to it on the

[read more...]

Making sure your S3 backup worked

4 Jan 2017 18:21 | AWS

As a follow-up to my previous post about making immutable S3 backups using Lambda, this is an additional Lambda function you can use to verify that your backup actually ran.

You'll want to configure it to run at around 10-15mins past the hour so the backup has some time to complete. It will look for the backup files that should

[read more...]

Using lambda to make immutable S3 backups

2 Jan 2017 17:55 | AWS | security | linux

S3 is really handy for server backups and at $0.023/GB/month it's incredibly cost-effective.

However the default way most people use it is to simply spray their data directly into an S3 bucket from the machine they're backing up. This works fine right up until you get hacked by someone malicious who then has the ability to

[read more...]

How to get vi keybindings in bash and the MySQL client

11 Dec 2016 19:22 | vim | bash | mysql | linux

The vim keybindings are wonderful once you get used to them.

What some people don't know is that the same keybindings are available in other programs, for example bash has a "vi mode" which can be enabled with:

set -o vi

[read more...]

How to create a bootable FileVault2-encrypted SuperDuper! clone

11 Dec 2016 13:11 | macOS

SuperDuper! from ShirtPocket software is a fantastic backup utility. It lets you create a full bootable clone of your mac that you can boot from any machine.

Not only is this a great way to backup your data but if your main machine dies you can plug the backup drive into any mac, boot from it using the option key at startup and be straight back into your environment.

[read more...]

linux/vim lifehack: sourcing a temporary local environment

10 Dec 2016 17:18 | vim

If you're a vim fanboy like me you may often find it frustrating when logging into another machine that the default vim config isn't very nice to use. Sometimes the remote machine has a shared user account so changing it to your liking isn't really practical.

To work around this and make my life easier I created this:

[read more...]

Ruby gems can execute code as root while they're being installed

29 May 2016 18:07 | ruby | security

Another hilarious and trivial rubygems exploit. The file ext//extconf.rb gets executed as root during installation. A malicious gem could put code in there that installs a backdoor.

Demonstration PoC: https://github.com/m4rkw/rubygems-poc2

[read more...]

Abusing rubygems for fun and profit

29 May 2016 12:18 | ruby | security

RubyGems is a nice system, very easy to use and also easy to abuse. Anyone can push a gem straight into the global namespace, even if the gem has the same name as a core library.

This can be trivially abused to break into systems of anyone who isn't very careful what gems they use (and let's be honest, that's probably a lot of developers :).

[read more...]

Tethery - bypass iOS tethering restrictions

12 Nov 2015 12:28 | apple | iOS

I decided to roll my tethering bypass idea into a script to make it easy to use.

This script automates the fiddly configuration bits and gives you a quick way to throw up a proxy that will bypass tethering restrictions on iOS.

[read more...]

How to bypass tethering restrictions on iOS

24 Oct 2015 11:26 | apple | iOS

It's often annoying that Apple lets carriers disable tethering at will, especially when the carrier has already sold you "unlimited" data. Three allow free data when roaming in "feel at home" countries but they don't allow tethering at all, even if you're willing to pay for it.

After being irritated by these restrictions on several holidays I decided to

[read more...]

Siri in the car is awesome

15 Oct 2015 22:11 | apple | iOS

I've always been fairly cynical about Siri. It seemed more like a gimmick than something people would use seriously in their day to day lives, but I've recently discovered how wrong I was.

I don't have a CarPlay stereo in my car, because I didn't want to be tied into Apple's apps. Maps is nowhere near as good as TomTom (which I also paid good

[read more...]

How to do a fresh installation of iOS 9 without losing data

31 Aug 2015 22:23 | apple | iOS

Despite Apple's best efforts, there are nearly always a number of users who experience issues after a major iOS update. Users might experience crashes, unusually high battery drain, slowness etc etc.

Whenever I upgrade to a major iOS release I usually do a fresh reinstall of iOS. Although Apple provides no official way to do this without losing all of

[read more...]

Gangsta Lean ruby web framework

18 Aug 2015 22:22 | ruby | development

When I started building my new website, I didn't want to be boring and just use rails so I decided to write my own super-lightweight ruby web framework.

It's powering this website but is quite basic and rough so probably shouldn't be used by anyone.

[read more...]

TVFeed and TransmissionNG

18 Aug 2015 22:17 | ruby | development

I've written a couple of ruby gems that people might find useful:

tvfeed - https://github.com/m4rkw/tvfeed

A gem designed to provide a feed of new TV episodes as magnet links from torrent sites. This is offered purely for research purposes and should suit

[read more...]

Apple Music is not worthy of the Apple brand

1 Jul 2015 16:53 | apple

I wanted to like Apple Music, I really really did. I never really got into Spotify but the hassle of finding new music is a constant problem for me. As you can see from my music page on this very website, I go through music at a crazy rate. I've bought over 1500 songs from iTunes over the last few years and only around 266 are still in my playlist. Finding new music that I like is a constant struggle and I generally resort to scraping sites like beatport.com,

[read more...]

Smart playlists are too smart for iTunes Match

30 Jun 2015 21:07 | apple

This has been driving me nuts for months and I finally figured it out - smart playlists break iTunes Match.

I have a smart playlist simply called "Music" which is configured as:

Match all of:

[read more...]

strace for mac

18 Jun 2015 08:55 | development | macOS

strace is really useful on Linux for figuring out why some program isn't doing what it should.

Not sure how many people know this but you can do the same thing on darwin using dtruss, it's just not quite so obvious. Using this script:

[read more...]

Emergency reverse shell technique

18 Jun 2015 08:44 | security

Don't you just hate it when an emergency happens with an important server and access from your location is firewalled? Luckily if there's someone else local to the machine who can execute commands for you, getting onto it is fairly trivial.

First make sure that the machine you're on can accept connections from the

[read more...]

Symfony 2 is kind of ok

18 Jun 2015 08:04 | php | development

As PHP frameworks go, Symfony 2 isn't entirely terrible. Before this project it had been a while since I used Symfony, and back then it was still on version 1.something. These days it's kinda cool, allows easy use of popular design patterns and doctrine works reasonably well.

There are some things I find frustrating though, often you spend more time

[read more...]

PHP just sucks and there's no getting around it

15 Jun 2015 11:12 | php | development

There are many reasons why PHP is a shit programming language, many of which are discussed at length in this article:

http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

But the main thing that bugs me is how inelegant it is. You can get things

[read more...]

Why agile and especially scrum are terrible

15 Jun 2015 08:20 | work | agile | scrum

This is an awesome article:

https://michaelochurch.wordpress.com/2015/06/06/why-agile-and-especially-scrum-are-terrible/

I've been in this situation before when "agile" processes were strewn like cancer throughout a project I really cared about, with depressing results.

[read more...]