It occurred to me recently that a lot of people probably use screen or tmux in ways that leave an easy path to privilege escalation open. For example if you start a screen session as your local user and then escalate to root inside the screen session. As soon as you do that, anyone with access to the non-root account can simply resume the screen session and immediately be root.
[read more...]Recently I was working on a security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was.
This presented an interesting challenge for privilege escalation - how would you
[read more...]I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.
If a local attacker or malware is running as an admin user (ie has write access
[read more...]VirtualBox is a virtualisation application written by Oracle that is quite popular presumably because its free. I'm not a fan myself - if my mac locks up completely or kernel panics it's usually because I've loaded the vbox kernel extensions less than 10 minutes ago. I use VMware Fusion instead (which is fairly expensive but IMO worth the money) and have a ritual whereby if I've had to load the vbox kernel extensions for work-related reasons I will reboot the machine
[read more...]With all the hype today about the blank-password root bug in High Sierra I thought I'd write a quick post about escalation hihacking on macOS and how common it is for software to be vulnerable to this.
Consider the case of malware gaining execution on a mac. This is pretty bad to begin with but it's all the more worse if the malware obtains root access. Even
[read more...]As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various cloud providers.
After reversing the inter-app protocol I discovered that the path to the
[read more...]Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit.
The updater binary has a "setpermissions" function which sets the suid bit and root ownership on itself but it suffers from a race condition that allows you to
[read more...]Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's a straight to root privesc with no user interaction so isn't the kind of thing that should be shipping with any software.
[read more...]I recently blogged about how the installation process of version 5.0.0 of this plugin could be hihacked by a local attacker or malware in order to escalate privileges to root. Hashicorp pushed some mitigations for this issue fairly quickly but unfortunately 5.0.1 is still exploitable with a slightly different approach.
[read more...]Sera is a free app for mac and iOS that lets you unlock your mac automatically when your iphone is within a configured proximity.
Unfortunately to facilitate this it stores the users login password in their home directory at:
[read more...]After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned ruby code that get executed as root by the sudo helper is no more and the sudo helper itself is one static Go binary with tightly-controlled parameters that can't (as far as I can tell) be exploited on its own.
[read more...]Recently I had a recurring problem where I would see mdworker running at high CPU every 5 minutes or so for no apparent reason. Internet searches reveal loads of people with the same problem and lots of witchcrafty ways to try to resolve it that often don't work.
This is how I fixed it. The problem seems to occur because something is
[read more...]I've just discovered something totally batshit about sudo on macOS.
Spot the difference..
Linux:
[read more...]I've published several root privilege escalation bugs this year in various Mac applications. I decided to see how difficult it would be to escalate privileges on a machine without actually using an exploit. Having access to a local account with sudo rights gives us an enormous attack surface for escalation.
Many of the dotfiles, which are nearly always user-writable for obvious reasons,
[read more...]I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant.
Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release - 4.0.24 - after that (but didn't update the public changelog on github).
[read more...]InsomniaX by Andrew James - http://semaja2.net - is really handy if you want to leave your macbook running with the lid closed.
Unfortunately back in June of this year a security vulnerability in the loader binary was disclosed that allows the loading of any arbitrary kernel extension as a non-root user.
[read more...]During recent months I have published two CVEs documenting root privilege escalation vulnerabilities in the Hashicorp vagrant-vmware-fusion plugin.
Version 4.0.24 is now released which addresses those bugs, but it still depends on an suid root binary being present in order for vagrant to communicate with VMWare.
[read more...]A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin:
https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html
The initial patch they released was 4.0.21 which unfortunately contained a bug
[read more...]I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre.
Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning the ruby code into bytecode and executing it directly.
[read more...]The new macbook pros are divisive in many ways, not least of which is the reportedly less than stellar battery life compared to the previous generation. I bought the escape version which has innately better battery life than the touchbar version, but opted for the i7. My strategy in the past has always been to max the spec as much as I can afford so the machine will last a long time but this time around there isn't a huge difference in performance between the i5 and
[read more...]I blogged about Cylance a couple of times earlier this year after testing their endpoint security product CylancePROTECT on MacOS. I ended up deleting both blog posts shortly after posting them because I was concerned about inaccuracies in the original post and wanted to give Cylance a chance to respond to the issues I raised.
[read more...]sudolikeaboss is a neat little program that acts as a command-line interface to 1Password Pro, effectively giving you a way to use 1password with the terminal.
This is useful but it does come with a security tradeoff as any application running in the context of the user can potentially steal passwords if 1password is in an unlocked state.
[read more...]With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader binary that ships with Proxifier <= 2.18.
Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result.
[read more...]Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and unload Proxifier's kernel extension.
Unfortunately it does this by taking the first parameter passed to it on the
[read more...]As a follow-up to my previous post about making immutable S3 backups using Lambda, this is an additional Lambda function you can use to verify that your backup actually ran.
You'll want to configure it to run at around 10-15mins past the hour so the backup has some time to complete. It will look for the backup files that should
[read more...]S3 is really handy for server backups and at $0.023/GB/month it's incredibly cost-effective.
However the default way most people use it is to simply spray their data directly into an S3 bucket from the machine they're backing up. This works fine right up until you get hacked by someone malicious who then has the ability to
[read more...]