Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and unload Proxifier's kernel extension. Unfortunately it does this by taking the first par
With CVE-2017-7643 I disclosed a command injection vulnerability in the KLoader binary that ships with Proxifier <= 2.18. Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result.
When Proxifier is first run, if the KLoader binary is not suid root it ge
Sorry, the exploit code got mangled :S
-
#!/bin/bash
#
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.18 #
#
I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre.
POC:
https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html
Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their propriet
A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin:
https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html
The initial patch they released was 4.0.21 which unfortunately contained a bug that prevented it
I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant. Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release - 4.0.24 - after that (but didn't u
Sera is a free app for mac and iOS that lets you unlock your mac automatically when your iphone is within a configured proximity. Unfortunately to facilitate this it stores the users login password in their home directory at:
~/Library/Preferences/no.ignitum.SeraOSX.plist
This makes root pri
Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit. The updater binary has a "setpermissions" function which sets the suid bit and root
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various cloud providers. After reversing the inter-app protocol I discover
VirtualBox downloads extension pack updates over plain HTTP, providing a potential vector for MITM and remote code execution when updating the extension pack.
Full writeup here:
https://m4.rkw.io/blog/owning-virtualbox-via-mitm.html
Mark
Recently I was working on a security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it pre
11 matches