Sent in my exploit to Apple for March. A little late as life happened, but here it is. Meet a macOS LPE to root from any unsandboxed user: 24d8f84ab09f82db011c33023517d3b57822eb2c6e5105768eaea1dd50ddc441
@linusgsebastian
...but not as critically as today's sponsor. GLASS. DOOR. The leading company review company, get your coupon code in the video description
My macOS LPE (any user to root) bug, "badmalloc" was awarded with $22500, as it only affects macOS. Fair enough, I doubt that this could be exploited on iOS. With that said, I can't help but feel like such a bug is more valuable, especially since it's been around for decades
Full Disclosure time:
Here's a quick LPE for macOS that affects you if you have Homebrew installed under /usr/local (Intel macs or Apple Silicon with Game Porting Toolkit)
You have to wait for periodic.daily to run, but that's a small price to pay
Apple awarded me $17000 for an LPE I handed in 11 months ago. It was a frustrating experience, but they DO PAY. I will write it up when all fixes are out, as the bug was a shitshow (duplicate etc...). Also I guess I am officially a bounty hunter now :)
Don't give up.
@LunaticJTV
Super cool video! Bitflips due to cosmic rays are not terribly uncommon, this is why servers have ECC ram for ages, however it's a rare event as far as bitflips go. More likely causes are overheating, other EM interference or voltage glitches.
@LiveOverflow
1. rand() is good enough for salts. The reporter is wrong and confidently wrong, which is the worst type
2. The 3 rounds of SHA1 is actually not great, but it's far from terrible. It's extremely likely this way due to legacy reasons, which the reporter doesn't address at all.
@kvlly
It seems amazing to me that people learn this lesson every week but somehow it is still not common knowledge. Companies are not your friends, they are machines. Loyalty means nothing.
So Apple fixed none of my bugs, and I still have not been credited for the old one that they rewarded. Oh well.
In other news I will try to present the vulns at OBTS this year, or if I don't make the CFP there will be blogposts about them.
macOS Full TCC bypass:
e33234b7591ba2725c0c4166cc64254707813d130f183f9d39f5a4d114840986
This is for May, I'm a little behind. Video coming next week, or as time permits.
macOS LPE that affects every release in the past 20 years: 0774bf11192625db013225b19d5fe1e58100b541d8e3bb2f489f6fbfabafb179
This takes care of my January quota, video coming soon
Super happy to report that I seem to be getting my first ever CVEs, coming to an Apple device near you :)
To give credit where credit's due: it took Apple on average ~3.7 months to issue and ship the fixes, I will write up details on all this once everything is fixed and people
@EmilyAYoung1
In every comment section there's "oh well it's up to the devs". No. Xcode is horrific, Apple policies on app store apps are unclear and subject to change. The device is not even out yet. I would be shocked if many devs threw away their current projects to jump on this bandwagon
A full TCC bypass fs race condition.
This is a very slow run, usually it is around ~10s.
This is my missing report for feb and while it is not 50k (no sbx escape), I do wonder what this will be worth...
"We are stoked to inform you that your talk has been accepted for #OBTS v6.0. We really appreciate your valuable contribution."
Oh wow, my talk got in! I only have 25m though, so be prepared to record the video with 100fps as this talk will be _dense_, in more than one way
Sorry to all the Apple engineers who have to deal with my bs just before Xmas, I promise I am not timing this to screw with your holidays!
53a9bd4f497eaa374ad4caed7d16d0b175a63e15 - app sbx
9cc78427e1074b4869d747784160e3ff0c3fdbe3 - user tcc bypass
More info as soon as I can
CVE-2023-32422 description is factually incorrect:
"Impact: An app may be able to access data from other apps by enabling additional SQLite logging"
This is not the case, this is a TCC.db overwrite. As soon as Apple confirms that they could not reproduce it, I'm making it public
@thegrugq
I ran a VPN provider for a few years. Can confirm that most of our competitors acquired customers at a loss. We went under, only to realize later that they were just funded in other ways.
Apple gives me the runaround for 8 months on my macOS LPE (alfred), tells me it affects iOS but not macOS (the opposite is true). It becomes "bounty ineligible", but they tell me they are still working on it. Then I get a mystery $20500 on appstoreconnect, which would correspond
Apple closed the ticket on my bug (CVE-2023-40443), with bounty ineligible and I was not notified about this. Did anyone have a similar experience? I didn't really have a bug do this before.
hey @Blizzard_Ent care to explain why TF your software creates this directory as root in my "~/Library/Application Support":
"drwxrwxrwx@ 3 root staff 96 Feb 24 12:04 Blizzard"
This is amateur hour, and opens up the system to user->root LPE!
My ticket for CVE-2023-32422 got closed, no badge marking it as bounty-eligible. I messaged Apple and they replied the next day saying it's eligible and even the description will be fixed.
Big props for this!
Don't worry too much if this happens to you...
@cyb3rops
@rly0nheart
Richard if you are interested I'd love to send you some hardware I had lying around, as well as a job offer if you want to make some money with your research
Not that it matters a lot but my MallocStackLogging vuln () got scored a 7.8 instead of the 8.4 it should be. Someone said it "requires user interaction". It does not.
@CDisillusion
I progressively watch less and less youtube due to shit like this and I don't miss it too much. Though I will never miss a new upload from you Captain!
I can't help but think that Apple added a new mount flag because of me <3
+#define MNT_NOFOLLOW 0x08000000 /* don't follow symlink when resolving mount point */
So after a couple days of struggling I did manage to load 3600 macOS files (that are security-relevant) into Ghidra. All it took was ~9h, 16 cores and 64GB of RAM :)
FiberHome password decoder
The MAC's 2,3,4,5 bytes become the password when inverted in binary.
Lookup table for hex:
0: f 8: 7
1: e 9: 6
2: d a: 5
3: c b: 4
4: b c: 3
5: a d: 2
6: 9 e: 1
7: 8 f: 0
Hey mac experts @theevilbit, @_r3ggi: is it just me who thinks that having the ability to block arbitrary syscalls of entitled process via sandbox-exec is an insane idea? I can do this as a completely non-privileged user. What am I missing?
Is Apple malicious or comically incompetent?
As you might have seen, I complained about the bounty amount for badmalloc, since it affected multiple OSes. Things were changed, changelogs showed this (it was credited on macOS, iOS, watchOS, tvOS). Apple said no to reevaluating,
@nnwakelam
I hit 100k usd yesterday, exclusively from Apple (macOS) logic bugs. I plan for 200k or so this year as I have some life stuff I needed to do, but it seems very doable. Do you have any tips/advice that helped you push the envelope?
So @Samsung's Tizen apparently uses .NET, and has W+X sections in memory:
00354000-00355000 rwxp 00004000 b3:12 55691 /usr/share/dotnet/shared/Microsoft.NETCore.App/3.1.3/System.Net.NameResolution.ni.dll
This is not looking good
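A check for the W+X condition the post above points out, as an added example that is not the poster's code: it parses lines in the Linux /proc/&lt;pid&gt;/maps format (the format of the Tizen line quoted above) and reports every mapping that is both writable and executable. The sample input is constructed; its first line is the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# /proc/<pid>/maps fields: address range, perms, offset, dev, inode, [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def is_wx(self) -> bool:
        # Writable and executable at the same time: code can be written, then run.
        return "w" in self.perms and "x" in self.perms

def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps lines; lines that do not match the format are skipped."""
    out = []
    for line in lines:
        m = _MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out

def find_wx(lines: Iterable[str]) -> List[Mapping]:
    """Return only the W+X mappings from a maps dump."""
    return [m for m in parse_maps(lines) if m.is_wx]

# Constructed sample dump; the first line is the one quoted in the post.
SAMPLE_MAPS = """\
00354000-00355000 rwxp 00004000 b3:12 55691 /usr/share/dotnet/shared/Microsoft.NETCore.App/3.1.3/System.Net.NameResolution.ni.dll
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/example
7ffd4a0e3000-7ffd4a104000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in find_wx(SAMPLE_MAPS.splitlines()):
        print(f"W+X {m.start:#x}-{m.end:#x} {m.perms} {m.path}")
```

On a live system, feed it the contents of /proc/&lt;pid&gt;/maps for the process under review; an empty result is what a hardened runtime should give.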
hey @Samsung can you enlighten me why my new and expensive QLED TV runs an 8 year old Linux kernel? I might take some time off Apple to mess with your #BugBounty
@LiveOverflow
I thought about doing this, but it would be unbearably boring, since I do this as a full time job. Any good bug worth talking about would take 6 months to fix for Apple (if you're lucky). I doubt any successful hunter who does this for a living would be open to discussing ongoing
@MalwareTechBlog
Not true at all, GDPR exists for this reason and the US is adopting similar laws. It seems to be toothless for now, but it is law so you literally can drag companies to court over it, or more likely your country's data/privacy authority will do it for you
My (arguably basic) automation found a trivial stack overflow while I was sleeping. It's in a privileged, default macOS app.
Don't believe the hackfluencers if you are serious about bug bounties. Coding is a MUST
@Dinosn
Fucking hell I found this, but I never thought to mount the unmounted system volume, with the volumes I created nosuid was always present. What a terrific find!
New macOS local root day. I'll post info as soon as I'm able.
c40795e29a09052d54ac718a06156a30d608bacf5502dd4355cc69a16477f9dc3a36c7a9009e5436afca3c220e3df504ba7d69abaffa2e6461cbb0261ca5f5a2
On macOS I got used to using dtrace as it's super convenient, and apparently I was living under a rock as Linux has BPF working out of the box now these days, which pretty much can do the same things. This is EPIC!
The Personalized Ads setting in iOS doesn't disable the ad tracking daemon. All it does is tell the kernel to kill that daemon whenever it tries to start... every... three.... seconds.
Fucking finally. A promising bug I was working on has finally been turned into an LPE. I'll post details as soon as I am able.
160843e9707aa563d1c8c9a93292b1ef52ce428b
531f19b00ec3ec91e65462f8760903c15fdfc41d