XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! Intro Hey! In my last post, I showed you how weak SecRequirement string might lead to incoming connections validation issues. This post will focus on another way to trick XPC servers into trusting our malicious process. 😈 We’re going to exploit a vulnerability that I found some time ago in Malwarebytes.

XPC Exploitation series Learn XPC exploitation - Part 1: Broken cryptography Learn XPC exploitation - Part 2: Say no to the PID! After my talk on Objective by the Sea v3 I received a lot of questions regarding XPC exploitation. I think summing it up in a blog post series is a good idea, so here you have the first one! A post covering how to secure XPC services is planned in the nearest future.

After reading Adam Chester’s neat article about bypassing macOS privacy controls, I decided to share my recently discovered trick. To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, on your desktop messengers. Especially for this post, I created a simple Electron app that has access to the camera.

Hey Hackers! 👋🏻 In this blog post, I want to show you why signing applications with get-task-allow entitlement may be dangerous and can lead to local privilege escalation bugs. We are going to exploit a real application, iExplorer, iOS application pentesters widely use that. Make a notice that iExplorer is only an example - a lot of apps have that excessive entitlement set. Entitlements? Since Mac OS X 10.11 El Capitan, Apple decided to add a new feature called System Integrity Protection (aka Rootless).

Readers who know me probably also know that I like test soft that I use. So it was this time. I wanted to collect all my chaotically stored notes in Apple Notes, docx files, txts, etc. I considered many different noting apps, but finally I chose Bear.app. Bear offers cool hashtags systems, markdown notation, and syntax highlighting that totally bought me. 😉 Bear is also in the top 10 App Store productivity apps!

Before I start describing details, you have to know that this post is published on Responsible Disclosure terms. I sent a full report with all the findings to DASAN on 24th October 2017. We have been talking about these vulnerabilities for a long time, and one day they just stopped contacting me anymore (even when I warned them that I want to disclose this). Today is 26th April 2018, so it’s over half year after DASAN has been informed.

Not so long time ago, I submitted my presentation proposal on CONFidence’s Call For Papers. CONFidence is one of the best European IT Sec conferences that I love to attend due to very good presentations quality and hackish^H^H atmosphere ;-) This year I decided to actively attend as a speaker with my presentation about pentesting iOS apps using jailed iDevice. I sent my proposal, and when I received the approval, I visited the conference’s website in order to check if I’m included in the speakers list for sure (in SecuRing it’s common to prank your colleagues like for instance sending emails from the fake server, haha).

What FreePlane is? FreePlane is an open-source application intended for creating mind maps. Vulnerability descripton: FreePlane is a Java-based app that loads its mind maps that are stored as simple XML files. The parser allowed to expand external entities that caused this vulnerability. Results: When the victim opens a maliciously crafted mind map, any accessible by Java file can be sent to the attacker. Proof of concept: Malicious mindmap: