Rootpipe Reborn (Part I): TimeMachine Command Injection

macOS Mojave 10.14.4 patched two local privilege escalation (LPE) flaws I reported. Both are userspace XPC logic bugs, simple and reliable to exploit for root, just like Rootpipe. This writeup covers the command injection in the TimeMachine diagnose extension, which affects 10.12.x through 10.14.3.

One-liner Safari Sandbox Escape Exploit

I am writing about a dead simple and reliable sandbox escape exploit that consists of only one line of code. Yes, I am sure it is an exploit, not just a PoC. It has nothing to do with iOS.

CVE-2018-8412: MS Office 2016 for Mac Privilege Escalation via a Legacy Package

This issue affects Microsoft Office for Mac 2016 and Skype for Business (16.17.0.65).

CVE-2018-4991: Adobe Creative Cloud Desktop Local Privilege Escalation via Signature Bypass

This write-up only covers macOS, but the issue may also affect the Windows version.

Something About #realworldctf doc2own

The challenge is to get a shell when the victim opens a Dash docset. Both Dash and Adobe Brackets are up to date. The intended solution actually involves no zero-day at all; the writeup from Team 217, Real World CTF 2018 — doc2own (in Traditional Chinese), is the expected solution.

Bypass macOS Rootless by Sandboxing

This bug has been fixed in the Mojave beta but is still present in the latest High Sierra (10.13.5). It is a logic bug: an entitled binary loads an insecure external library from a path controlled by an environment variable. Exploiting it requires abusing the sandbox, which is interesting in that a mitigation can sometimes be turned into an exploit primitive.
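To make the bug class concrete, here is an added C illustration (not the author's code, and not the actual macOS component or entitlement involved) of a loader that takes a library path from the environment, beside a hardened resolver that only honours the override when it points inside a trusted directory. The environment variable name MYAPP_PLUGIN_PATH and the trusted directory are hypothetical; the point is that for a plain process the environment is the user's own privilege, while for an entitled (or root) binary it is a privilege boundary.

```c
/* Added illustration of "entitled binary loads a library named by an
 * environment variable". The variable MYAPP_PLUGIN_PATH and the trusted
 * directory are hypothetical; this is not the author's or Apple's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PLUGIN_ENV   "MYAPP_PLUGIN_PATH"                 /* hypothetical */
#define TRUSTED_DIR  "/System/Library/PrivateFrameworks/" /* hypothetical */
#define DEFAULT_PLUGIN TRUSTED_DIR "Example.framework/Example"

/* Insecure: whatever the caller placed in the environment is what would be
 * handed to dlopen(). Launched by an unprivileged user, an entitled or
 * setuid binary with this pattern loads attacker code with its privileges. */
const char *resolve_plugin_insecure(void) {
    const char *p = getenv(PLUGIN_ENV);
    return p ? p : DEFAULT_PLUGIN;
}

/* Accept only an absolute, normalised file path under TRUSTED_DIR.
 * Rejecting "..", "." and "//" components matters: a bare prefix check
 * passes "/System/Library/PrivateFrameworks/../../../tmp/evil.dylib". */
int path_is_trusted(const char *p) {
    size_t n;
    if (p == NULL || p[0] != '/') return 0;
    if (strncmp(p, TRUSTED_DIR, strlen(TRUSTED_DIR)) != 0) return 0;
    if (strstr(p, "/../") || strstr(p, "/./") || strstr(p, "//")) return 0;
    n = strlen(p);
    if (n >= 3 && strcmp(p + n - 3, "/..") == 0) return 0;
    if (n >= 2 && strcmp(p + n - 2, "/.") == 0) return 0;
    if (p[n - 1] == '/') return 0;          /* a directory, not a library */
    return 1;
}

/* Hardened: the override is honoured only inside the trusted directory,
 * otherwise the built-in path is used. A privileged binary should rather
 * drop the override entirely, or verify the library's code signature before
 * loading it; the path check alone is the minimum. */
const char *resolve_plugin_hardened(void) {
    const char *p = getenv(PLUGIN_ENV);
    return path_is_trusted(p) ? p : DEFAULT_PLUGIN;
}

int main(void) {
    /* Constructed attacker-controlled environment for the demonstration. */
    setenv(PLUGIN_ENV, "/tmp/evil.dylib", 1);
    printf("insecure would load: %s\n", resolve_plugin_insecure());
    printf("hardened would load: %s\n", resolve_plugin_hardened());
    return 0;
}
```

Run as a normal user, the insecure resolver returns /tmp/evil.dylib while the hardened one falls back to the built-in path. The macOS case in the post additionally involves the sandbox to reach the entitled binary; this snippet only shows the loading side of the bug class.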
