During the last two weeks of my summer (as of writing, summer 2021), I decided to try and take a crack at iOS 14 kernel exploitation with the IOMobileFramebuffer OOB pointer read (CVE-2021-30807). Unfortunately, a couple days after I moved back into school, I found out that the way I was doing exploitation would not work on A12+ devices. An exploit that only works on hardware from 2017 and before is lame, so I scrapped it and started over.
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.3. An application may be able to execute arbitrary code with system privileges.
Analysis: Inspecting Mach Messages in macOS Kernel-Mode Part II: Sniffing the received Mach messages
In part I of this blog, we discussed how to inspect the sending of Mach messages in kernel-mode perspective. In part II, I will continue to define how to inspect received Mach messages by setting u…
Analysis: Inspecting Mach Messages in macOS Kernel-Mode Part I: Sniffing the sent Mach messages
Mach IPC and Mach message are the foundation for many communications that occur in macOS. The question that many threat researchers ask is, “how can we inspect these Mach messages in user-mode or …
Description of the vulnerability This vulnerability exists in libFontParser.dylib, part of the CoreText library that is widely used in macOS, iOS and iPadOS to parse and draw text. It allows an attacker to read memory of any application that uses the CoreText API. Technical Details The Vulnerability macOS/iOS defines a font format, the Mac Resource Fork Font, that is a wrapper around Type 1 PostScript and TrueType fonts. CoreText, the framework used to draw text, supports loading Mac Resource Fork Fonts through the API CTFontManagerCreateFontDescriptorsFromURL.
Description of the vulnerability This vulnerability exists in libhvf.dylib, part of the CoreText library that is widely used in macOS, iOS and iPadOS to parse fonts. An attacker can craft a malicious PDF containing a crafted font that could lead to remote code execution. Technical Details libhvf.dylib is used to parse the HierVariation table in a TrueType font. libhvf.dylib is a feature of libFontParser.dylib. To enable this feature the user must create a plist file in /User//Library/Preferences/com.
Introduction I personally love vulnerabilities with stories. This one is of that kind… About one year ago, I submitted a vulnerability to Apple that they were unable to reproduce. We exchanged some emails with clarifications, but the security team still couldn’t validate the original vulnerability. Then they asked me to run sysdiagnose in order to collect logs that could have helped them. The problem Like a real security researcher, I checked how /usr/bin/sysdiagnose actually works.
CVE-2021-30660 - XNU Kernel Memory Disclosure – Blog – Random Security Research
The msgrcv_nocancel syscall could disclose uninitialized memory from kernel space into userspace. This is due to an incorrect calculation being performed when copying the memory.
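As an added illustration of the bug class the advisory describes (this is constructed model code, not the XNU source and not the original write-up's proof of concept; the structure names, the 64-byte scratch buffer and the 0xAA fill pattern are assumptions made for the illustration), the following C program contrasts a receive routine that derives its copy-out length from the caller's request with one that copies only the bytes it actually initialised:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an uninitialised-memory disclosure caused by a wrong
 * copy-length calculation. NOT XNU code: names, sizes and the STALE fill
 * pattern are assumptions. A receive path allocates a kernel scratch buffer,
 * fills only the bytes the queued message actually holds, and then derives
 * the copy-out length from the caller's request instead of from the number
 * of bytes it initialised. */

#define KBUF_SIZE 64
#define STALE     0xAA   /* stands in for whatever the allocator left behind */

struct queued_msg {
    long           mtype;   /* System V message type */
    size_t         len;     /* payload bytes actually present in the queue */
    const uint8_t *payload;
};

/* Simulated kernel scratch buffer, deliberately left un-zeroed. */
static uint8_t kbuf[KBUF_SIZE];

static void kbuf_reset(void)
{
    memset(kbuf, STALE, sizeof kbuf);
}

/* Vulnerable variant: copies msgsz (what the caller asked for) to userspace,
 * although only min(len, msgsz) bytes of kbuf were ever written. Returns the
 * number of bytes handed to userspace. */
static size_t msgrcv_vuln(const struct queued_msg *m, uint8_t *ubuf, size_t msgsz)
{
    if (msgsz > KBUF_SIZE)
        msgsz = KBUF_SIZE;
    size_t n = m->len < msgsz ? m->len : msgsz;
    kbuf_reset();
    memcpy(kbuf, m->payload, n);   /* only n bytes initialised */
    memcpy(ubuf, kbuf, msgsz);     /* BUG: msgsz - n stale bytes leak */
    return msgsz;
}

/* Hardened variant: copy-out length is the number of bytes initialised. */
static size_t msgrcv_fixed(const struct queued_msg *m, uint8_t *ubuf, size_t msgsz)
{
    if (msgsz > KBUF_SIZE)
        msgsz = KBUF_SIZE;
    size_t n = m->len < msgsz ? m->len : msgsz;
    kbuf_reset();
    memcpy(kbuf, m->payload, n);
    memcpy(ubuf, kbuf, n);
    return n;
}

/* Userspace-side check: how many bytes past the real payload carry the
 * stale pattern, i.e. how much "kernel" memory was disclosed. */
static size_t count_stale(const uint8_t *ubuf, size_t copied, size_t real_len)
{
    size_t leaked = 0;
    for (size_t i = real_len; i < copied; i++)
        if (ubuf[i] == STALE)
            leaked++;
    return leaked;
}

/* Drive one receive with a constructed 5-byte message and report the leak. */
static size_t demo_leak(size_t msgsz, int use_fixed)
{
    static const uint8_t payload[] = { 'h', 'e', 'l', 'l', 'o' };
    struct queued_msg m = { 1, sizeof payload, payload };
    uint8_t ubuf[KBUF_SIZE];
    memset(ubuf, 0, sizeof ubuf);
    size_t copied = use_fixed ? msgrcv_fixed(&m, ubuf, msgsz)
                              : msgrcv_vuln(&m, ubuf, msgsz);
    return count_stale(ubuf, copied, m.len);
}

int main(void)
{
    printf("vulnerable, msgsz=32: %zu stale bytes reach userspace\n", demo_leak(32, 0));
    printf("fixed,      msgsz=32: %zu stale bytes reach userspace\n", demo_leak(32, 1));
    return 0;
}
```

The point the model makes is that the request size and the initialised size are two different quantities: the vulnerable path trusts the former for the copy-out, so every byte between the real payload length and the requested length is whatever the allocator left in the buffer. The hardened path returns the shorter length, and a caller asking for less than the queued message (msgsz smaller than len) leaks nothing in either variant because the copy never runs past the initialised region.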
Forklift <=3.3.9 and =3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)
I have started to have a look at my locally installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations. Forklift is an advanced dual pane file manager for macOS. It is well known among macOS power users. As part of my investigation I ide ...
Property lists are files that store serialized objects and are prevalent in Apple’s operating systems, similar to how Microsoft Windows uses the Registry to store configuration data.
CVE-2018-4262 The Apple Bug That Fell Near The WebKit Tree
Pwn2Own Vancouver is right around the corner so it seemed fitting to talk about an old Pwn2Own bug. Because we recently gave a presentation at OffensiveCon on how Adobe improperly patched some vulnerabilities, it seemed only fair to highlight how Apple has had similar issues. In April of 2018, we
Zero Day Initiative — Diving Deep Into a Pwn2Own Winning WebKit Bug
Pwn2Own Tokyo just completed, and it got me thinking about a WebKit bug used by the team of Fluoroacetate (Amat Cama and Richard Zhu) at this year’s Pwn2Own in Vancouver. It was a part of the chain that earned them $55,000 and was a nifty piece of work. Since the holidays are coming up, I thought
CVE-2020-27897: Apple macOS Kernel OOB Write Privilege Escalation Vulnerability
On Tuesday of this week, we published six advisories covering vulnerabilities in Apple macOS. One of those advisories covered a bug reported by ABC Research s.r.o. pertaining to GPUs in Apple hardware. It’s one of many macOS bugs they have submitted to the program. Now that these bugs are fixed in B
This blog post targets fellow software developers. It’s a story of how it could happen that we shipped a version of Little Snitch with a serious vulnerability and, more importantly, what we can learn from it. It all began with a security improvement by Apple in macOS High Sierra
CVE-2019-8697: MacOS System Escalation Via Disk Management
All communications essentially pass through launchd, macOS’s implementation of init. More details of that process can be obtained by checking its information property list file at /System/Library/La…