Hey Hackers! 👋🏻 In this blog post, I want to show you why signing applications with get-task-allow entitlement may be dangerous and can lead to local privilege escalation bugs. We are going to exploit a real application, iExplorer, iOS application pentesters widely use that. Make a notice that iExplorer is only an example - a lot of apps have that excessive entitlement set. Entitlements? Since Mac OS X 10.11 El Capitan, Apple decided to add a new feature called System Integrity Protection (aka Rootless).

Readers who know me probably also know that I like test soft that I use. So it was this time. I wanted to collect all my chaotically stored notes in Apple Notes, docx files, txts, etc. I considered many different noting apps, but finally I chose Bear.app. Bear offers cool hashtags systems, markdown notation, and syntax highlighting that totally bought me. 😉 Bear is also in the top 10 App Store productivity apps!

Some time ago, I bought Logitech MX Master wireless mouse to be used with my macs. And here, the story begins… Since this mouse has extra buttons I wanted to assign them my custom actions. As I read in Logitech docs I had to download driver called “Logitech Options”. So I did! Kudos section First of all, I wanted to thank @Disconnect3d for helping me with the reversing part. The second Kudos belongs to @Taviso who discovered similar issue on Windows simultaneously and reported it to the Logitech team.

Before I start describing details, you have to know that this post is published on Responsible Disclosure terms. I sent a full report with all the findings to DASAN on 24th October 2017. We have been talking about these vulnerabilities for a long time, and one day they just stopped contacting me anymore (even when I warned them that I want to disclose this). Today is 26th April 2018, so it’s over half year after DASAN has been informed.

Not so long time ago, I submitted my presentation proposal on CONFidence’s Call For Papers. CONFidence is one of the best European IT Sec conferences that I love to attend due to very good presentations quality and hackish^H^H atmosphere ;-) This year I decided to actively attend as a speaker with my presentation about pentesting iOS apps using jailed iDevice. I sent my proposal, and when I received the approval, I visited the conference’s website in order to check if I’m included in the speakers list for sure (in SecuRing it’s common to prank your colleagues like for instance sending emails from the fake server, haha).

During my work, I was auditing a Cordova App and then I saw a plain text password right in the logs. I talked to the developer and it proved that Cordova doesn’t support Keychain by itself. One of the most popular Keychain plugins (also used by this developer) is https://github.com/ionic-team/cordova-plugin-ios-keychain. Turned out there was a forgotten NSLog call that logged all keychain entries: I have reported it and the bug is now fixed (CVE-2018-1000123).

What FreePlane is? FreePlane is an open-source application intended for creating mind maps. Vulnerability descripton: FreePlane is a Java-based app that loads its mind maps that are stored as simple XML files. The parser allowed to expand external entities that caused this vulnerability. Results: When the victim opens a maliciously crafted mind map, any accessible by Java file can be sent to the attacker. Proof of concept: Malicious mindmap: <map version="freeplane 1.