CodeColorist
Two macOS Persistence Tricks Abusing Plugins

Similar to DLL sideloading, legit plugins on macOS could be abused to load executable code on startup.

Rootpipe Reborn (Part II): CVE-2019-8565 Feedback Assistant Race Condition

Relying on the PID to validate an IPC peer is unsafe.

Rootpipe Reborn (Part I): TimeMachine Command Injection

Applying web security tricks to macOS LPE bugs.

One-liner Safari Sandbox Escape Exploit

TOCTOU bug in CoreFoundation and state change of sandbox lockdown on macOS Safari, leading to easy sandbox escape.

CVE-2018-4991: Adobe Creative Cloud Desktop Local Privilege Escalation via Signature Bypass

The private API design of XPC can make it hard for third-party developers to write secure code.

CVE-2018-8412: MS Office 2016 for Mac Privilege Escalation via a Legacy Package

A code signature bypass and insecure sideloading result in privilege escalation in Microsoft Office 2016 for Mac.

Something About #realworldctf doc2own

Getting real-life 0days by playing CTF challenges.

Bypass macOS Rootless by Sandboxing

Attacking the operating system by using its own security mechanism.

Visual Studio Code Silently Fixed a Remote Code Execution Vulnerability

Better not to leave inspectable Electron instances in production.

Bypass PHP Safe Mode by Abusing SQLite3's FTS Tokenizer

Abusing a legitimate SQLite feature to turn arbitrary SQL queries into arbitrary code execution and pwn PHP.