CVE-2021-30833 Technical Advisory – Apple XAR – Arbitrary File Write
XAR is a file archive format used in macOS, and is part of various file formats, including .xar, .pkg, .safariextz, and .xip files. XAR archives are extracted using the xar command-line utility. XAR was initially developed as an open source project; however, the original project appears to be no longer maintained. Apple maintains its own branch of XAR for macOS, which is published on the Apple Open Source website. The xar utility suffers from a logical vulnerability which allows files to be extracted outside of the intended destination folder, resulting in an arbitrary file write anywhere on the filesystem (permissions allowing).
CVE-2021-30892 Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection
Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26.
macOS 11.0/iOS 14.2/iOS 12.4.9 fixed an issue where host_request_notification doesn’t check port->ip_specialreply, causing it to overwrite ip_sync_inheritor_port. This can be used to reboot the system with a zone check error, but I can’t figure out what else this can do.
CVE-2018-4193 Exploiting the macOS WindowServer for root
As the sixth and final post of our Pwn2Own 2018 series, we document the long and twisted road of weaponizing CVE-2018-4193 to exploit the macOS WindowServer....
Pwn2Own is an industry-level security competition organized annually by Trend Micro’s Zero Day Initiative. Pwn2Own invites top security researchers to showca...
TALK - macOS - Getting root with benign AppStore apps
This writeup is intended to be a bit of storytelling. I would like to show how I went down the rabbit hole in a quick ’research’ I wanted to do, and eventually found a local privilege escalation vulnerability in macOS. I also want to show and tell about all the obstacles and failures I ran into, stuff that people don’t usually talk about, but I feel it’s part of the process all of us go through when we try to create something.
CVE-2019-8635: Apple macOS Double Free Vulnerability
We discovered a double free vulnerability (assigned as CVE-2019-8635) in macOS. The vulnerability is caused by a memory corruption flaw in the AMD component.
I plan to discuss two symlink attacks in this blog post. The first, more severe one, CVE-2020-9900 was reported by Zhongcheng Li (CK01) of Zero-dayits Team of Legendsec at Qi’anxin Group, and fixed in Catalina 10.15.6. Apple’s advisory said that with a symlink attack it was possible to elevate privileges. I never saw a public document about this bug, so I only assume that I will describe the actual issue here.
CVE-2019-8805 - A macOS Catalina privilege escalation
With the release of macOS Catalina in October, Apple rolled out a set of interesting new features collectively called System Extensions. System Extensions are a set of user space frameworks encouraging developers who currently maintain and ship kernel extensions to move their features to user space for increased security and stability. One of these new frameworks is the Endpoint Security framework. As a security researcher this framework is of special interest. It’s intended to provide a public and stable API for implementing security products. During the process of looking into what functionality the Endpoint Security framework provided, a privilege escalation bug was identified that would let an attacker execute any code they wanted with root privileges. The following describes both the vulnerability as well as what Apple did to fix the issue.
How does the DYLD privilege escalation vulnerability work on OS X?
Just reading about the DYLD privilege escalation vulnerability reported by Stefan Esser at
https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html
I understand this allows anyone to
OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability
The DYLD_PRINT_TO_FILE environment variable can be used for local privilege escalation in OS X Yosemite.
GitHub - sslab-gatech/pwn2own2020: Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
See No Eval: Runtime Dynamic Code Execution in Objective-C
There was an iOS pwnable challenge in RWCTF 2019 quals, Dezhou Instrumentz. The challenge is to make the victim app run arbitrary code on a real iPhone XR, which has both code signing and Pointer Authentication Code. Sounds impossible without system-level 0day? This talk will reveal the equivalent of Eval function in Objective-C and how to abuse it. https://www.youtube.com/watch?v=dvvFWa3Nm2M
CVE-2019-8797, CVE-2019-8795, CVE-2019-8794 SSD Advisory - iOS Jailbreak via Sandbox Escape and Kernel R/W leading to RCE
Introduction: Each year, as part of TyphoonCon, our All Offensive Security Conference, we are offering cash prizes for vulnerabilities and exploitation techniques found. At […]