Bye bye ProtonMail

8 Jun 2022 21:10 | email | security

I recently blogged about my ProtonMail issues, the weird glitches with their
bridge IMAP interface and their apparent lack of care that it might be silently
deleting customer data - https://github.com/ProtonMail/proton-bridge/issues/220

I have now finally gotten around to kicking ProtonMail out of my life and I
could not be happier. Gone are the days of having to run some janky Go software
[read more...]

PSA: Your ProtonMail backups might not be safe

5 Jun 2022 12:16 | email

I was a fan of the ProtonMail email service until I was casually linked to this
issue while discussing something else:

https://github.com/ProtonMail/proton-bridge/issues/220

TL;DR message UIDs returned by proton-bridge are unstable and subject to change
[read more...]

Lulu firewall hardening

26 Feb 2022 21:21 | macOS | security

I'm a big fan of Patrick Wardle's free mac utilities but I noticed something odd
about LuLu recently. It seems that it only filters egress traffic when LuLu.app
is running. Since it normally runs as the local user rather than root, this
makes it somewhat trivial for malware to defeat as it can simply kill the
process and then connect to whatever it wants.

[read more...]

TouchID over SSH part 2: Secretive agent

19 Feb 2022 13:46 | macOS | security | touchID

For some time I've been using a hand-rolled solution for touchID over ssh which
I previously blogged about. Up until recently it's been a somewhat
loosely-compiled scattering of config that wasn't really in a releasable form
but with a pending security talk on the horizon I thought it would be worth
tidying it up and making it releasable so I could mention it in my talk.

[read more...]

Restricting macOS egress with LuLu and Squid proxy

10 Feb 2022 20:55 | apple | macOS | security

Egress filtering is an immensely powerful security control but it's not so
straightforward to do it well. If any malware manages to execute on your system
one of the first things it's likely going to try to do is call home and
establish a C2 channel. With effective egress filtering you can break this link
in the attack chain and stop it dead in its tracks.

[read more...]

Getting back into blogging

10 Feb 2022 05:48 | security

It's been a while since I've blogged so I thought I'd get back into it with some
security stuff. My dayjob has had a very heavy security focus for the last 3
years and it's infected my personal life too such that I'm now even more
obsessed with security than I was before.

I recently wrote a first draft of a Linux server hardening guide:
[read more...]

Unlocking iOS devices with a Yubikey

8 Jul 2021 20:53 | apple | iOS

I love Yubikeys, they provide a very strong second factor for accounts and
services that you care a lot about. I use them for all kinds of things but one
thing I was quite excited to try was the Yubikey 5ci in static password mode.

Static password mode simply acts as a virtual keyboard, playing back a static
sequence of characters over the connected interface (usually USB). I wasn't
[read more...]

How to use touchID for sudo remotely over ssh

18 Apr 2020 14:25 | macOS | security | touchID

TouchID on the mac is really cool. It's awesome being able to use it for sudo,
but I thought it would be even more awesome if it could be used to authenticate
sudo remotely over ssh.

I've made this work using touch2sudo - https://github.com/prbinu/touch2sudo
which is a simple binary that when executed will show a touchID authentication
[read more...]

2020 Macbook Air: Carbon Copy Cloner vs the T2 chip

18 Apr 2020 11:53 | macOS

I love Carbon Copy Cloner, it is an awesome piece of software. I frequently rave
about it to anyone who'll listen, it's so useful.

It does however seem to have been somewhat limited by the introduction of
Apple's new T2 security chip. I recently purchased one of the new 2020 Macbook
Airs - a great computer and my first mac with the T2 chip.
[read more...]

Cylance local protection seems a bit daft

25 Jul 2019 19:14 | macOS | security

On a mac if you set Cylance's "local protection" to "system" it seems to
disallow all filesystem access to the CylanceSvc service's launchd plist file:

/Library/LaunchDaemons/com.cylance.agent_service.plist

This access is completely denied even to the root user. At first glance this
[read more...]

The real reason your iCloud Drive isn't syncing

9 Jul 2019 18:34 | apple | macOS

I recently had the logic board replaced in my 2017 Macbook Pro. I use the
awesome Carbon Copy Cloner to keep an image of my system as a bootable backup
which can then be easily restored when the machine is returned to me.

This time however I had some issues with iCloud Drive. After restoring the
backup I found it wasn't syncing. I tried the usual troubleshooting steps: turn
[read more...]

hijacking sudo in real time

15 Aug 2018 22:03 | macOS | security

A while ago I posted about how sudo can be easily backdoored by dropping a fake
sudo script into the user's PATH:

https://m4.rkw.io/blog/getting-root-without-an-exploit--stealth-sudo-backdoor...

Another attack vector for sudo is monitoring the process list for invocations of
[read more...]

CVE-2017-15358 Local root privesc in Charles Proxy 4.2

30 Jul 2018 06:41 | macOS | security | exploits

Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
[read more...]

2016-17 Macbook Pro keyboard recall

4 May 2018 07:38 | apple

Somebody started a petition asking Apple to recall the 2016 (and presumably
2017 since they're basically the same) macbook pros and fit them with a
keyboard "that works":

https://www.change.org/p/apple-apple-recall-macbook-pro-w-defective-keyboard-...

[read more...]

CVE-2017-16512 Hashicorp vagrant-vmware-fusion v5.0.2-5.0.4 local root

28 Mar 2018 21:08 | macOS | security | exploits

Another Hashicorp bug that I've been sitting on since late last year. This one
was exploitable only during the vagrant update process, or even if the user
typed "vagrant plugin update" and there was no pending update.

It was possible for a rogue process on the system to subvert the upgrade process
in a way the user was unlikely to notice in order to steal root privileges.
[read more...]

CVE-2017-16839 Hashicorp vagrant-vmware-fusion v5.0.4 local root

28 Mar 2018 21:03 | macOS | security | exploits

Another exploit for the now deprecated vagrant-vmware-fusion plugin. This one
only works if VMware Fusion is not installed which is an unlikely scenario.
However if this should occur then it's an easy root escalation so users should
still update.

https://m4.rkw.io/vagrant_vmware_privesc_5.0.4.sh.txt
[read more...]

CVE-2017-16873 Hashicorp vagrant-vmware-fusion v4.0.25-5.0.4 local root

28 Mar 2018 07:22 | macOS | security | exploits

This issue was reported to Hashicorp on 16/11/17. At first they claimed it was
low priority because it required local access, despite being a straight-to-root
escalation. Then they conceded that this wasn't reasonable and said it was high
priority and that they would address it.

It has taken until this week to get their fixes out, involving an entire rewrite
[read more...]

Minotaur, Fanotaur and Excavataur

31 Jan 2018 08:53 | cryptocurrency | mining

I have released three cryptocurrency mining projects:

- Fanotaur: independently monitors Nvidia card temperatures and regulates fan
  speeds to keep them at a preset temperature.

- Minotaur: derives calibrated hashrates and power limits from your devices for
[read more...]

Two local root privesc bugs in Arq Backup <= 5.10

29 Jan 2018 06:33 | macOS | security | exploits

Last year I found a couple more privilege escalation vectors in Arq Backup
for Mac version 5.10. Both have now been fixed in the latest release.

The first is relatively simple - the arq_updater binary (which runs as root)
takes a path argument for the url to retrieve an Arq update from in the format
Arq.zip. We can simply specify an arbitrary path - eg file:///tmp/blah/Arq.zip -
[read more...]

protecting against unsafe use of screen/tmux

15 Dec 2017 09:35 | linux | macOS | security | bash

It occurred to me recently that a lot of people probably use screen or tmux in
ways that leave an easy path to privilege escalation open. For example if you
start a screen session as your local user and then escalate to root inside the
screen session. As soon as you do that, anyone with access to the non-root
account can simply resume the screen session and immediately be root.

[read more...]

macOS High Sierra 10.13.1 insecure cron system

6 Dec 2017 07:32 | macOS | security

Recently I was working on a security issue in some other software that has yet
to be disclosed which created a rather interesting condition. As a non-root
user I was able to write to any file on the system that was not SIP-protected
but the resulting file would not be root-owned, even if it previously was.

This presented an interesting challenge for privilege escalation - how would you
[read more...]

Murus Firewall 1.4.11 escalation hihack / root privesc

4 Dec 2017 12:23 | macOS | security | exploits

I recently blogged about the prevalence of escalation hijack vulnerabilities
amongst macOS applications. One example of this is the latest version of Murus
firewall. By design it requires the user to authenticate every time in order to
obtain the access it needs to modify the firewall settings.

If a local attacker or malware is running as an admin user (ie has write access
[read more...]

Owning VirtualBox via MITM

30 Nov 2017 08:25 | macOS | security

VirtualBox is a virtualisation application written by Oracle that is quite popular
presumably because its free. I'm not a fan myself - if my mac locks up
completely or kernel panics it's usually because I've loaded the vbox kernel
extensions less than 10 minutes ago. I use VMware Fusion instead (which is fairly
expensive but IMO worth the money) and have a ritual whereby if I've had to load
the vbox kernel extensions for work-related reasons I will reboot the machine
[read more...]

Escalation hijacking on macs

29 Nov 2017 21:04 | macOS | security

With all the hype today about the blank-password root bug in High Sierra I
thought I'd write a quick post about escalation hihacking on macOS and how
common it is for software to be vulnerable to this.

Consider the case of malware gaining execution on a mac. This is pretty bad to
begin with but it's all the more worse if the malware obtains root access. Even
[read more...]

CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7

29 Nov 2017 19:09 | macOS | security | exploits

As well as the other bugs affecting Arq <= 5.9.6 there is also another issue
with the suid-root restorer binaries in Arq for Mac. There are three of them
and they are used to execute restores of backed up files from the various
cloud providers.

After reversing the inter-app protocol I discovered that the path to the
[read more...]

CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6

29 Nov 2017 19:02 | macOS | security | exploits

Arq Backup from Haystack Software is a great application for backing up macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suid bit and
root ownership on itself but it suffers from a race condition that allows you to
[read more...]

CVE-2017-16777 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.3

15 Nov 2017 08:21 | macOS | security | exploits

Another day, another root privesc bug in this plugin. Not quite so serious this
time - this one is only exploitable if the user has the plugin installed but
VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a
straight to root privesc with no user interaction so isn't the kind of thing
that should be shipping with any software.

[read more...]

CVE-2017-16001 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.1

3 Nov 2017 08:21 | macOS | security | exploits

I recently blogged about how the installation process of version 5.0.0 of this
plugin could be hihacked by a local attacker or malware in order to escalate
privileges to root.  Hashicorp pushed some mitigations for this issue fairly
quickly but unfortunately 5.0.1 is still exploitable with a slightly different
approach.

[read more...]

CVE-2017-15918 Sera 1.2 local root privesc and password disclosure

31 Oct 2017 08:20 | macOS | security | exploits

Sera is a free app for mac and iOS that lets you unlock your mac automatically
when your iphone is within a configured proximity.

Unfortunately to facilitate this it stores the users login password in their
home directory at:

[read more...]

CVE-2017-15884 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.0

28 Oct 2017 12:32 | macOS | security | exploits

After three CVEs and multiple exploits disclosed to Hashicorp they have finally
upped their game with this plugin. Now the previously vulnerable non-root-owned
ruby code that get executed as root by the sudo helper is no more and the sudo
helper itself is one static Go binary with tightly-controlled parameters that
can't (as far as I can tell) be exploited on its own.

[read more...]

How to make macOS Spotlight fuck the fuck off and do your bidding

24 Oct 2017 12:27 | macOS

Recently I had a recurring problem where I would see mdworker running at high
CPU every 5 minutes or so for no apparent reason. Internet searches reveal loads
of people with the same problem and lots of witchcrafty ways to try to resolve
it that often don't work.

This is how I fixed it. The problem seems to occur because *something* is
[read more...]

MacOS sudo wtf

19 Oct 2017 22:55 | macOS | security

I've just discovered something totally batshit about sudo on macOS.

Spot the difference..

Linux:

[read more...]

Getting root without an exploit - stealth sudo backdoor

19 Oct 2017 21:59 | macOS | security | exploits

I've published several root privilege escalation bugs this year in various Mac
applications. I decided to see how difficult it would be to escalate privileges
on a machine without actually using an exploit. Having access to a local
account with sudo rights gives us an enormous attack surface for escalation.

Many of the dotfiles, which are nearly always user-writable for obvious reasons,
[read more...]

CVE-2017-12579 Local root privesc in Hashicorp vagrant-vmware-fusion 4.0.24

18 Oct 2017 08:11 | macOS | security | exploits

I have previously disclosed a couple of bugs in Hashicorp's
vagrant-vmware-fusion plugin for vagrant.

Unfortunately the 4.0.23 release which was supposed to fix the previous bug I
reported didn't address the issue, so Hashicorp quickly put out another release
- 4.0.24 - after that (but didn't update the public changelog on github).
[read more...]

Security fix for InsomniaX 2.1.8

14 Oct 2017 12:44 | security | macOS

InsomniaX by Andrew James - http://semaja2.net - is really handy if you want to
leave your macbook running with the lid closed.

Unfortunately back in June of this year a security vulnerability in the loader
binary was disclosed that allows the loading of any arbitrary kernel extension
as a non-root user.
[read more...]

Exploit mitigation patch for Hashicorp vagrant-vmware-fusion 4.0.24

4 Aug 2017 12:15 | macOS | security

During recent months I have published two CVEs documenting root privilege
escalation vulnerabilities in the Hashicorp vagrant-vmware-fusion plugin.

Version 4.0.24 is now released which addresses those bugs, but it still
depends on an suid root binary being present in order for vagrant to
communicate with VMWare.
[read more...]

CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

2 Aug 2017 06:49 | macOS | security | exploits

A couple of weeks ago I disclosed a local root privesc in Hashicorp's
vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw...

The initial patch they released was 4.0.21 which unfortunately contained a bug
[read more...]

CVE-2017-7642 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.20

15 Jul 2017 06:57 | macOS | security | exploits

I'm a big fan of Hashicorp but this is an awful bug to have in software of their
calibre.

Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to
protect their proprietary ruby code.  It does this by turning the ruby code into
bytecode and executing it directly.
[read more...]

Get more battery life out of your 2016 Macbook Pro

26 May 2017 08:10 | macOS

The new macbook pros are divisive in many ways, not least of which is the
reportedly less than stellar battery life compared to the previous generation.
I bought the escape version which has innately better battery life than the
touchbar version, but opted for the i7.  My strategy in the past has always been
to max the spec as much as I can afford so the machine will last a long time but
this time around there isn't a huge difference in performance between the i5 and
[read more...]

Enjoy the Cylance

11 May 2017 22:08 | security | macOS

I blogged about Cylance a couple of times earlier this year after testing their
endpoint security product CylancePROTECT on MacOS.  I ended up deleting both
blog posts shortly after posting them because I was concerned about
inaccuracies in the original post and wanted to give Cylance a chance to
respond to the issues I raised.

[read more...]

sudolikeaboss allows password theft

3 May 2017 13:12 | security | exploits | macOS

sudolikeaboss is a neat little program that acts as a command-line interface to
1Password Pro, effectively giving you a way to use 1password with the terminal.

This is useful but it does come with a security tradeoff as any application
running in the context of the user can potentially steal passwords if 1password
is in an unlocked state.
[read more...]

CVE-2017-7690 Local root privesc in Proxifier for Mac 2.19

11 Apr 2017 20:57 | security | exploits | macOS

With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack that
yields the same result.

[read more...]

CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18

10 Apr 2017 21:19 | security | exploits | macOS

Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a
KLoader binary which it installs suid root the first time Proxifier is run. This
binary serves a single purpose which is to load and unload Proxifier's kernel
extension.

Unfortunately it does this by taking the first parameter passed to it on the
[read more...]

Making sure your S3 backup worked

4 Jan 2017 18:21 | AWS

As a follow-up to my previous post about making immutable S3 backups using
Lambda, this is an additional Lambda function you can use to verify that your
backup actually ran.

You'll want to configure it to run at around 10-15mins past the hour so the
backup has some time to complete.  It will look for the backup files that should
[read more...]

Using lambda to make immutable S3 backups

2 Jan 2017 17:55 | AWS | security | linux

S3 is really handy for server backups and at $0.023/GB/month it's incredibly
cost-effective.

However the default way most people use it is to simply spray their data
directly into an S3 bucket from the machine they're backing up.  This works fine
right up until you get hacked by someone malicious who then has the ability to
[read more...]

How to get vi keybindings in bash and the MySQL client

11 Dec 2016 19:22 | vim | bash | mysql | linux

The vim keybindings are wonderful once you get used to them.

What some people don't know is that the same keybindings are available in other
programs, for example bash has a "vi mode" which can be enabled with:

set -o vi
[read more...]

How to create a bootable FileVault2-encrypted SuperDuper! clone

11 Dec 2016 13:11 | macOS

SuperDuper! from ShirtPocket software is fantastic backup utility.  It lets you
create a full bootable clone of your mac that you can boot from any machine.

Not only is this a great way to backup your data but if your main machine dies
you can plug the backup drive into any mac, boot from it using the option key
at startup and be straight back into your environment.
[read more...]

linux/vim lifehack: sourcing a temporary local environment

10 Dec 2016 17:18 | vim

If you're a vim fanboy like me you may often find it frustrating when logging into
another machine that the default vim config isn't very nice to use.  Sometimes the
remote machine has a shared user account so changing it to your liking isn't really
practical.

To work around this and make my life easier I created this:
[read more...]

Ruby gems can execute code as root while they're being installed

29 May 2016 18:07 | ruby | security

Another hilarious and trivial rubygems exploit.  The file ext/<ext>/extconf.rb
gets executed as root during installation.  A malicious gem could put code in
there that installs a backdoor.

Demonstration PoC: https://github.com/m4rkw/rubygems-poc2

[read more...]

Abusing rubygems for fun and profit

29 May 2016 12:18 | ruby | security

RubyGems is a nice system, very easy to use and also easy to abuse.  Anyone can push
a gem straight into the global namespace, even if the gem has the same name as a core
library.

This can be trivially abused to break into systems of anyone who isn't very careful
what gems they use (and let's be honest, that's probably a lot of developers :).
[read more...]

Tethery - bypass iOS tethering restrictions

12 Nov 2015 12:28 | apple | iOS

I decided to roll my tethering bypass idea into a script to make it easy to
use.

This script automates the fiddly configuration bits and gives you a quick way
to throw up a proxy that will bypass tethering restrictions on iOS.

[read more...]

How to bypass tethering restrictions on iOS

24 Oct 2015 11:26 | apple | iOS

It's often annoying that Apple lets carriers disable tethering at will,
especially when the carrier has already sold you "unlimited" data.  Three allow
free data when roaming in "feel at home" countries but they don't allow
tethering at all, even if you're willing to pay for it.

After being irritated by these restrictions on several holidays I decided to
[read more...]

Siri in the car is awesome

15 Oct 2015 22:11 | apple | iOS

I've always been fairly cynical about Siri.  It seemed more like a gimmick than
something people would use seriously in their day to day lives, but I've
recently discovered how wrong I was.

I don't have a CarPlay stereo in my car, because I didn't want to be tied into
Apple's apps.  Maps is nowhere near as good as TomTom (which I also paid good
[read more...]

How to do a fresh installation of iOS 9 without losing data

31 Aug 2015 22:23 | apple | iOS

Despite Apple's best efforts, there are nearly always a number of users who
experience issues after a major iOS update.  Users might experience crashes,
unusually high battery drain, slowness etc etc.

Whenever I upgrade to a major iOS release I usually do a fresh reinstall of
iOS.  Although Apple provides no official way to do this without losing all of
[read more...]

Gangsta Lean ruby web framework

18 Aug 2015 22:22 | ruby | development

When I started building my new website, I didn't want to be boring and just use
rails so I decided to write my work super-lightweight ruby web framework.

It's powering this website but is quite basic and rough so probably shouldn't
be used by anyone.

[read more...]

TVFeed and TransmissionNG

18 Aug 2015 22:17 | ruby | development

I've written a couple of ruby gems that people might find useful..

tvfeed - https://github.com/m4rkw/tvfeed

A gem designed to provide a feed of new TV episodes as magnet links from
torrent sites. This is offered purely for research purposes and should suit
[read more...]

Apple Music is not worthy of the Apple brand

1 Jul 2015 16:53 | apple

I wanted to like Apple Music, I really really did.  I never really got into
Spotify but the hassle of finding new music is a constant problem for me.  As
you can see from my music page on this very website, I go through music at a
crazy rate.  I've bought over 1500 songs from iTunes over the last few years
and only around 266 are still in my playlist.  Finding new music that I like is
a constant struggle and I generally resort to scraping sites like beatport.com,
[read more...]

Smart playlists are too smart for iTunes Match

30 Jun 2015 21:07 | apple

This has been driving me nuts for months and I finally figured it out - smart
playlists break iTunes Match.

I have a smart playlist simply called "Music" which is configured as:

Match all of:<br/>
[read more...]

strace for mac

18 Jun 2015 08:55 | development | macOS

strace is really useful on Linux for figuring out why some program isn't doing
what it should.

Not sure how many people know this but you can do the same thing on darwin
using dtruss, it's just no quite so obvious.  Using this script:

[read more...]

Emergency reverse shell technique

18 Jun 2015 08:44 | security

Don't you just hate it when an emergency happens with an important server and
access from your location is firewalled?  Luckily if there's someone else local
to the machine who can execute commands for you, getting onto it is fairly
trivial.

First make sure that the machine you're on can accept connections from the
[read more...]

Symfony 2 is kind of ok

18 Jun 2015 08:04 | php | development

As PHP frameworks go, Symfony 2 isn't entirely terrible.  Before this project
it had been a while since I used Symfony, and back then it was still on version
1.something.  These days it's kinda cool, allows easy use of popular design
patterns and doctrine works reasonably well.

There are some things I find frustrating though, often you spend more time
[read more...]

PHP just sucks and there's no getting around it

15 Jun 2015 11:12 | php | development

There are many reasons why PHP is a shit programming language, many of which
are discussed at length in this article:

http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

But the main thing that bugs me is how inelegant it is.  You can get things
[read more...]

Why agile and especially scrum are terrible

15 Jun 2015 08:20 | work | agile | scrum

This is an awesome article:

https://michaelochurch.wordpress.com/2015/06/06/why-agile-and-especially-scru...

I've been in this situation before when "agile" processes were strewn like
cancer throughout a project I really cared about like, with depressing results.
[read more...]