hijacking sudo in real time

15 Aug 2018 22:03 | macOS | security

A while ago I posted about how sudo can be easily backdoored by dropping a fake
sudo script into the user's PATH:

https://m4.rkw.io/blog/getting-root-without-an-exploit--stealth-sudo-backdoor...

Another attack vector for sudo is monitoring the process list for invocations of
[read more...]

CVE-2017-15358 Local root privesc in Charles Proxy 4.2

30 Jul 2018 06:41 | macOS | security | exploits

Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
[read more...]

2016-17 Macbook Pro keyboard recall

4 May 2018 07:38 | apple

Somebody started a petition asking Apple to recall the 2016 (and presumably
2017 since they're basically the same) macbook pros and fit them with a
keyboard "that works":

https://www.change.org/p/apple-apple-recall-macbook-pro-w-defective-keyboard-...
[read more...]

CVE-2017-16512 Hashicorp vagrant-vmware-fusion v5.0.2-5.0.4 local root

28 Mar 2018 21:08 | macOS | security | exploits

Another Hashicorp bug that I've been sitting on since late last year. This one
was exploitable only during the vagrant update process, or even if the user
typed "vagrant plugin update" and there was no pending update.

It was possible for a rogue process on the system to subvert the upgrade process
in a way the user was unlikely to notice in order to steal root privileges.
[read more...]

CVE-2017-16839 Hashicorp vagrant-vmware-fusion v5.0.4 local root

28 Mar 2018 21:03 | macOS | security | exploits

Another exploit for the now deprecated vagrant-vmware-fusion plugin. This one
only works if VMware Fusion is not installed which is an unlikely scenario.
However if this should occur then it's an easy root escalation so users should
still update.

https://m4.rkw.io/vagrant_vmware_privesc_5.0.4.sh.txt
[read more...]

CVE-2017-16873 Hashicorp vagrant-vmware-fusion v4.0.25-5.0.4 local root

28 Mar 2018 07:22 | macOS | security | exploits

This issue was reported to Hashicorp on 16/11/17. At first they claimed it was
low priority because it required local access, despite being a straight-to-root
escalation. Then they conceded that this wasn't reasonable and said it was high
priority and that they would address it.

It has taken until this week to get their fixes out, involving an entire rewrite
[read more...]

Minotaur, Fanotaur and Excavataur

31 Jan 2018 08:53 | cryptocurrency | mining

I have released three cryptocurrency mining projects:

- Fanotaur: independently monitors Nvidia card temperatures and regulates fan
  speeds to keep them at a preset temperature.

- Minotaur: derives calibrated hashrates and power limits from your devices for
[read more...]

Two local root privesc bugs in Arq Backup <= 5.10

29 Jan 2018 06:33 | macOS | security | exploits

Last year I found a couple more privilege escalation vectors in Arq Backup
for Mac version 5.10. Both have now been fixed in the latest release.

The first is relatively simple - the arq_updater binary (which runs as root)
takes a path argument for the url to retrieve an Arq update from in the format
Arq.zip. We can simply specify an arbitrary path - eg file:///tmp/blah/Arq.zip -
[read more...]