https://codecolor.ist/ Security Research mainly on macOS / iOS en Fri, 31 Oct 2025 00:00:00 GMT https://codecolor.ist/posts/2025-10-31-macos-abuse-tcl-lol/ https://codecolor.ist/posts/2025-10-31-macos-abuse-tcl-lol/ Fri, 31 Oct 2025 00:00:00 GMT Yet another LOOBins https://codecolor.ist/posts/2021-09-10-mistuned-part-iii/ https://codecolor.ist/posts/2021-09-10-mistuned-part-iii/ Fri, 10 Sep 2021 00:00:00 GMT Bypass hardware assisted mitigation using Objective-C runtime. https://codecolor.ist/posts/2021-08-05-mistuned-part-ii/ https://codecolor.ist/posts/2021-08-05-mistuned-part-ii/ Thu, 05 Aug 2021 00:00:00 GMT A simple access control issue makes a huge difference, leading to infoleak and use after free. https://codecolor.ist/posts/2021-08-04-mistuned-part-i/ https://codecolor.ist/posts/2021-08-04-mistuned-part-i/ Wed, 04 Aug 2021 00:00:00 GMT Remotely pwn iOS and pop up arbitrary app with 0 memory corruption. https://codecolor.ist/posts/2021-06-20-quick-analysis-wifid/ https://codecolor.ist/posts/2021-06-20-quick-analysis-wifid/ Sun, 20 Jun 2021 00:00:00 GMT A rogue Wi-Fi hotspot can crash your phone. https://codecolor.ist/posts/2021-01-16-see-no-eval-runtime-code-execution-objc/ https://codecolor.ist/posts/2021-01-16-see-no-eval-runtime-code-execution-objc/ Sat, 16 Jan 2021 00:00:00 GMT There is a turing-complete querying language embeded in Objective-C hidden in plain sight. https://codecolor.ist/posts/2020-08-06-x-site-escape-part-ii-look-up-a-shell-in-the-dictionary/ https://codecolor.ist/posts/2020-08-06-x-site-escape-part-ii-look-up-a-shell-in-the-dictionary/ Thu, 06 Aug 2020 00:00:00 GMT A funny bug chain turing inter-process XSS to native code execution for sandbox escape. https://codecolor.ist/posts/2020-07-01-x-site-escape-part-iii-cve-2020-9860-a-copycat/ https://codecolor.ist/posts/2020-07-01-x-site-escape-part-iii-cve-2020-9860-a-copycat/ Wed, 01 Jul 2020 00:00:00 GMT Copycat. https://codecolor.ist/posts/2020-05-28-x-site-escape-part-i-exploitation-of-and-old-corefoundation-sandbox-bug/ https://codecolor.ist/posts/2020-05-28-x-site-escape-part-i-exploitation-of-and-old-corefoundation-sandbox-bug/ Thu, 28 May 2020 00:00:00 GMT Triggering inter-process XSS for fun and profit. https://codecolor.ist/posts/2020-05-27-revisiting-an-old-mediaremote-bug-cve-2018-4340/ https://codecolor.ist/posts/2020-05-27-revisiting-an-old-mediaremote-bug-cve-2018-4340/ Wed, 27 May 2020 00:00:00 GMT Useless bugs are just being given up too early. https://codecolor.ist/posts/2019-11-21-two-macos-persistence-tricks-abusing-plugins/ https://codecolor.ist/posts/2019-11-21-two-macos-persistence-tricks-abusing-plugins/ Thu, 21 Nov 2019 00:00:00 GMT Similar to DLL sideloading, legit plugins on macOS could be abused to load executable code on startup. https://codecolor.ist/posts/2019-04-21-rootpipe-reborn-part-ii/ https://codecolor.ist/posts/2019-04-21-rootpipe-reborn-part-ii/ Sun, 21 Apr 2019 00:00:00 GMT Relying on pid to validate IPC peer is unsafe. https://codecolor.ist/posts/2019-04-13-rootpipe-reborn-part-i/ https://codecolor.ist/posts/2019-04-13-rootpipe-reborn-part-i/ Sat, 13 Apr 2019 00:00:00 GMT Applying web security tricks to macOS LPE bugs. https://codecolor.ist/posts/2019-03-26-one-liner-safari-sandbox-escape-exploit/ https://codecolor.ist/posts/2019-03-26-one-liner-safari-sandbox-escape-exploit/ Tue, 26 Mar 2019 00:00:00 GMT TOCTOU bug in CoreFoundation and state change of sandbox lockdown on macOS Safari, leading to easy sandbox escape. https://codecolor.ist/posts/2018-08-22-cve-2018-4991-adobe-creative-cloud-desktop-local-privilege-escalation-via-signature-bypass/ https://codecolor.ist/posts/2018-08-22-cve-2018-4991-adobe-creative-cloud-desktop-local-privilege-escalation-via-signature-bypass/ Wed, 22 Aug 2018 00:00:00 GMT The private API design of XPC could make it hard for 3rd-party developers to write security code. https://codecolor.ist/posts/2018-08-22-cve-2018-8412-ms-office-2016-for-mac-privilege-escalation-via-a-legacy-package/ https://codecolor.ist/posts/2018-08-22-cve-2018-8412-ms-office-2016-for-mac-privilege-escalation-via-a-legacy-package/ Wed, 22 Aug 2018 00:00:00 GMT Code signature bypass and insecure sideloading result in privilege escalation in Microsoft Office 2016 for Mac https://codecolor.ist/posts/2018-08-07-something-about-realworldctf-doc2own/ https://codecolor.ist/posts/2018-08-07-something-about-realworldctf-doc2own/ Tue, 07 Aug 2018 00:00:00 GMT Get some real life 0day by playing CTF challenges. https://codecolor.ist/posts/2018-06-18-bypass-macos-rootless-by-sandboxing/ https://codecolor.ist/posts/2018-06-18-bypass-macos-rootless-by-sandboxing/ Mon, 18 Jun 2018 00:00:00 GMT Attacking the operating system by using its own security mechanism. https://codecolor.ist/posts/2018-03-16-visual-studio-code-silently-fixed-a-remote-code-execution-vulnerability/ https://codecolor.ist/posts/2018-03-16-visual-studio-code-silently-fixed-a-remote-code-execution-vulnerability/ Fri, 16 Mar 2018 00:00:00 GMT Better not leave inspectable Electron instances on production. https://codecolor.ist/posts/2016-01-20-bypass-php-safe-mode-by-abusing-sqlite3-s-fts-tokenizer/ https://codecolor.ist/posts/2016-01-20-bypass-php-safe-mode-by-abusing-sqlite3-s-fts-tokenizer/ Wed, 20 Jan 2016 00:00:00 GMT Abuse SQLite's legit feature to turn arbitrary SQL queries into arbitrary code execution and pwn php