CVE-2017-15358 Local root privesc in Charles Proxy 4.2

30 Jul 2018 06:41 | macOS | security | exploits

Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
[read more...]

CVE-2017-16512 Hashicorp vagrant-vmware-fusion v5.0.2-5.0.4 local root

28 Mar 2018 21:08 | macOS | security | exploits

Another Hashicorp bug that I've been sitting on since late last year. This one
was exploitable only during the vagrant update process, or even if the user
typed "vagrant plugin update" and there was no pending update.

It was possible for a rogue process on the system to subvert the upgrade process
in a way the user was unlikely to notice in order to steal root privileges.
[read more...]

CVE-2017-16839 Hashicorp vagrant-vmware-fusion v5.0.4 local root

28 Mar 2018 21:03 | macOS | security | exploits

Another exploit for the now deprecated vagrant-vmware-fusion plugin. This one
only works if VMware Fusion is not installed which is an unlikely scenario.
However if this should occur then it's an easy root escalation so users should
still update.
[read more...]

CVE-2017-16873 Hashicorp vagrant-vmware-fusion v4.0.25-5.0.4 local root

28 Mar 2018 07:22 | macOS | security | exploits

This issue was reported to Hashicorp on 16/11/17. At first they claimed it was
low priority because it required local access, despite being a straight-to-root
escalation. Then they conceded that this wasn't reasonable and said it was high
priority and that they would address it.

It has taken until this week to get their fixes out, involving an entire rewrite
[read more...]

Two local root privesc bugs in Arq Backup <= 5.10

29 Jan 2018 06:33 | macOS | security | exploits

Last year I found a couple more privilege escalation vectors in Arq Backup
for Mac version 5.10. Both have now been fixed in the latest release.

The first is relatively simple - the arq_updater binary (which runs as root)
takes a path argument for the url to retrieve an Arq update from in the format We can simply specify an arbitrary path - eg file:///tmp/blah/ -
[read more...]

Murus Firewall 1.4.11 escalation hihack / root privesc

4 Dec 2017 12:23 | macOS | security | exploits

I recently blogged about the prevalence of escalation hijack vulnerabilities
amongst macOS applications. One example of this is the latest version of Murus
firewall. By design it requires the user to authenticate every time in order to
obtain the access it needs to modify the firewall settings.

If a local attacker or malware is running as an admin user (ie has write access
[read more...]

CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7

29 Nov 2017 19:09 | macOS | security | exploits

As well as the other bugs affecting Arq <= 5.9.6 there is also another issue
with the suid-root restorer binaries in Arq for Mac. There are three of them
and they are used to execute restores of backed up files from the various
cloud providers.

After reversing the inter-app protocol I discovered that the path to the
[read more...]

CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6

29 Nov 2017 19:02 | macOS | security | exploits

Arq Backup from Haystack Software is a great application for backing up macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suid bit and
root ownership on itself but it suffers from a race condition that allows you to
[read more...]

CVE-2017-16777 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.3

15 Nov 2017 08:21 | macOS | security | exploits

Another day, another root privesc bug in this plugin. Not quite so serious this
time - this one is only exploitable if the user has the plugin installed but
VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a
straight to root privesc with no user interaction so isn't the kind of thing
that should be shipping with any software.

[read more...]

CVE-2017-16001 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.1

3 Nov 2017 08:21 | macOS | security | exploits

I recently blogged about how the installation process of version 5.0.0 of this
plugin could be hihacked by a local attacker or malware in order to escalate
privileges to root.  Hashicorp pushed some mitigations for this issue fairly
quickly but unfortunately 5.0.1 is still exploitable with a slightly different

[read more...]

CVE-2017-15918 Sera 1.2 local root privesc and password disclosure

31 Oct 2017 08:20 | macOS | security | exploits

Sera is a free app for mac and iOS that lets you unlock your mac automatically
when your iphone is within a configured proximity.

Unfortunately to facilitate this it stores the users login password in their
home directory at:

[read more...]

CVE-2017-15884 Local root privesc in Hashicorp vagrant-vmware-fusion 5.0.0

28 Oct 2017 12:32 | macOS | security | exploits

After three CVEs and multiple exploits disclosed to Hashicorp they have finally
upped their game with this plugin. Now the previously vulnerable non-root-owned
ruby code that get executed as root by the sudo helper is no more and the sudo
helper itself is one static Go binary with tightly-controlled parameters that
can't (as far as I can tell) be exploited on its own.

[read more...]

Getting root without an exploit - stealth sudo backdoor

19 Oct 2017 21:59 | macOS | security | exploits

I've published several root privilege escalation bugs this year in various Mac
applications. I decided to see how difficult it would be to escalate privileges
on a machine without actually using an exploit. Having access to a local
account with sudo rights gives us an enormous attack surface for escalation.

Many of the dotfiles, which are nearly always user-writable for obvious reasons,
[read more...]

CVE-2017-12579 Local root privesc in Hashicorp vagrant-vmware-fusion 4.0.24

18 Oct 2017 08:11 | macOS | security | exploits

I have previously disclosed a couple of bugs in Hashicorp's
vagrant-vmware-fusion plugin for vagrant.

Unfortunately the 4.0.23 release which was supposed to fix the previous bug I
reported didn't address the issue, so Hashicorp quickly put out another release
- 4.0.24 - after that (but didn't update the public changelog on github).
[read more...]

CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

2 Aug 2017 06:49 | macOS | security | exploits

A couple of weeks ago I disclosed a local root privesc in Hashicorp's
vagrant-vmware-fusion plugin:

The initial patch they released was 4.0.21 which unfortunately contained a bug
[read more...]

CVE-2017-7642 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.20

15 Jul 2017 06:57 | macOS | security | exploits

I'm a big fan of Hashicorp but this is an awful bug to have in software of their

Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to
protect their proprietary ruby code.  It does this by turning the ruby code into
bytecode and executing it directly.
[read more...]

sudolikeaboss allows password theft

3 May 2017 13:12 | security | exploits | macOS

sudolikeaboss is a neat little program that acts as a command-line interface to
1Password Pro, effectively giving you a way to use 1password with the terminal.

This is useful but it does come with a security tradeoff as any application
running in the context of the user can potentially steal passwords if 1password
is in an unlocked state.
[read more...]

CVE-2017-7690 Local root privesc in Proxifier for Mac 2.19

11 Apr 2017 20:57 | security | exploits | macOS

With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack that
yields the same result.

[read more...]

CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18

10 Apr 2017 21:19 | security | exploits | macOS

Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a
KLoader binary which it installs suid root the first time Proxifier is run. This
binary serves a single purpose which is to load and unload Proxifier's kernel

Unfortunately it does this by taking the first parameter passed to it on the
[read more...]