Tool release: fs_usage_ng

Posted on 2024-10-02 in blog • Tagged with tool release, fs_usage_ng, macOS, tools, security

TL;DR:

GitHub repo: https://github.com/gergelykalman/fs_usage_ng

About

Since Apple's built-in fs_usage is amazing but occasionally falls short, I decided to take it upon myself to improve it.

Since I suck at coming up with names, I used the old-school Open Source default: fs_usage_ng

The ng stands for …



The forgotten art of filesystem magic - Alligatorcon 2024 slides

Posted on 2024-09-12 in blog • Tagged with macOS, ASB, 0day, Alligatorcon, slides, talks, POSIX, filesystems, file APIs, security

For those of you who requested and/or couldn't make it, here are the slides from my Alligatorcon talk:

Gergely Kalman: The forgotten art of filesystem magic

It's a prequel to the guide, which is more dry and technical: The missing guide to the security of filesystems and file APIs …



Why you shouldn't use a commercial VPN: Amateur hour with Windscribe

Posted on 2024-04-12 in blog • Tagged with macOS, 0day, VPN, Windscribe

Intro

This is a writeup about a user to root privilege escalation due to a race condition in Windscribe VPN's software.

What is Windscribe?

Windscribe is a smaller VPN provider; they have about 69M users according to their tweet that was published today.

They are notorious on X/Twitter for …



You can watch my OBTSv6 talk on YouTube

Posted on 2023-12-18 in blog • Tagged with macOS, OBTS, talk

I forgot to post about my talk here, so here it is for those who missed my tweet:

Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS by Gergely Kalman


sqlol (CVE-2023-32422) - a macOS TCC bypass

Posted on 2023-11-15 in blog • Tagged with macOS, ASB, tcc bypass, 0day

Wow, two blogposts in two days! Is this a new writeup schedule?

No, it's not. But, since I'm presently just ill enough to not be productive, yet well enough to write, I figured I'd chip away at my horrendous (writeup) debt while I wait for the immune fairy to arrive …



lateralus (CVE-2023-32407) - a macOS TCC bypass

Posted on 2023-11-14 in blog • Tagged with macOS, ASB, tcc bypass, 0day

Since I owe you guys a bunch of writeups from my talk (Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS), I decided that I'll tackle lateralus today.

It's a simple, clean bug with a quick and satisfying resolution. I have been bitching about Apple in the past blogpost (and on Twitter …



batsignal (no CVE) - a macOS LPE

Posted on 2023-10-30 in blog • Tagged with macOS, ASB, LPE, 0day

UPDATE:

A couple hours after publication the Apple Security Changelogs were updated across the board, and they added me to CVE-2022-26704. I knew this was in the works, but it's still good to see. Thank you :)

This post is a writeup of batsignal, a macOS local privilege escalation bug from …



Unexpected, Unreasonable, Unfixable - My slides from OBTS v6

Posted on 2023-10-15 in blog • Tagged with macOS, ASB, 0day, OBTS, talks

For those that missed the OBTS v6 conference and live stream, here are the slides of my talk:

Gergely Kalman: Unexpected Unreasonable Unfixable

There should be a video of the talk coming out on the official OBTS YouTube channel as well.

As for me, I will publish a writeup for …



librarian (CVE-2023-38571) - a macOS TCC bypass in Music and TV

Posted on 2023-09-27 in blog • Tagged with macOS, ASB, tcc bypass, 0day

This post is a writeup of CVE-2023-38571, a macOS TCC bypass bug I found. It was supposed to be unveiled in my upcoming talk:

"Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6,

but I needed to cut some bugs out. This is another one of them.

Background

While …



unnamed sandbox escape (CVE-2023-32364) - a macOS sandbox escape by mounting

Posted on 2023-09-26 in blog • Tagged with macOS, ASB, sbx, 0day

This post is a writeup of CVE-2023-32364, a macOS application sandbox escape bug I found. It was supposed to be unveiled in my upcoming talk:

"Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6,

but I needed to cut some bugs out. This is one of them.

macOS Sandboxing …

