theevilbit blog

Posts

Talks and Workshops

The diskarbitrationd and storagekitd Audit Story Part 2

The diskarbitrationd and storagekitd Audit Story Part 1

Beyond the good ol' LaunchAgents - 35 - Persist through the NVRAM - The 'apple-trusted-trampoline'

Beyond the good ol' LaunchAgents - 34 - launchd boot tasks

Dock Tile Plugins Could Be Used to Escalate Privileges

Beyond the good ol' LaunchAgents - 33 - Widgets

CVE-2023-40424 - How Malware Can Bypass Transparency Consent and Control

How Apple Mitigates Vulnerabilities in Installer Scripts

Launch and Environment Constraints Deep Dive

Beyond the good ol' LaunchAgents - 32 - Dock Tile Plugins

macOS Service Management - The SMAppService API - Quick Notes

Beyond the good ol' LaunchAgents - 31 - BSM audit framework

Beyond the good ol' LaunchAgents - 30 - The man config file - man.conf

CVE-2022-22655 - TCC - Location Services Bypass

CVE-2022-32929 - Bypass iOS backup's TCC protection

Prologue - The Lord of The Rules

CVE-2017-2533 - The details behind

AMFI Launch Constraints - First Quick Look

Beyond the good ol' LaunchAgents - 29 - amstoold

Beyond the good ol' LaunchAgents - 28 - Authorization Plugins

Beyond the good ol' LaunchAgents - 27 - Dock shortcuts

Beyond the good ol' LaunchAgents - 26 - Finder Sync Plugins

Beyond the good ol' LaunchAgents - 25 - Apache2 modules

Beyond the good ol' LaunchAgents - 24 - Folder Actions

Beyond the good ol' LaunchAgents - 23 - emond, The Event Monitor Daemon

Beyond the good ol' LaunchAgents - 22 - LoginHook and LogoutHook

CVE-2021-30808 - CVE-2021-1784 strikes back - TCC bypass via mounting

About

Beyond the good ol' LaunchAgents - 21 - Re-opened Applications

Getting started in macOS security

Beyond the good ol' LaunchAgents - 20 - Terminal Preferences

Beyond the good ol' LaunchAgents - 19 - Periodic Scripts

GateKeeper - Not a Bypass (Again)

Beyond the good ol' LaunchAgents - 18 - X11 and XQuartz

macOS Monterey Shortcuts - First look

Beyond the good ol' LaunchAgents - 17 - Color Pickers

Beyond the good ol' LaunchAgents - 16 - Screen Saver

NOCVE - TeamViewer Local Privilege Escalation Vulnerability

Beyond the good ol' LaunchAgents - 15 - xsanctl

Beyond the good ol' LaunchAgents - 14 - atrun

Experiences with Apple Security Bounty

CVE-2020-9900 & CVE-2021-1786 - Abusing macOS Crash Reporter

Beyond the good ol' LaunchAgents - 13 - Audio Plugins

Beyond the good ol' LaunchAgents - 12 - QuickLook Plugins

Beyond the good ol' LaunchAgents - 11 - Spotlight Importers

Beyond the good ol' LaunchAgents - 10 - Application script files

Beyond the good ol' LaunchAgents - 9 - Preference Pane

Beyond the good ol' LaunchAgents - 8 - Hammerspoon

Beyond the good ol' LaunchAgents - 7 - xbar plugins

Beyond the good ol' LaunchAgents - 6 - SSHRC

Beyond the good ol' LaunchAgents - 5 - Pluggable Authentication Modules (PAM)

Beyond the good ol' LaunchAgents - 4 - cron jobs

Beyond the good ol' LaunchAgents - 3 - Login Items

Beyond the good ol' LaunchAgents - 2 - iTerm2 startup

Beyond the good ol' LaunchAgents - 1 - shell startup files

Beyond the good ol' LaunchAgents - Introduction

About com.apple.private.security.clear-library-validation

Divide and Conquer - A technique to bypass NextGen AV

CVE-2020-9771 - Reversing Engineering the Fix

NOCVE - Microsoft Teams for macOS Local Privilege Escalation

Let's talk macOS Authorization

CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation

CVE-2020-14977 - Secure coding XPC Services - Part 5 - PID reuse attacks

CVE-2020-14978 - Secure coding XPC Services - Part 4 - Improved client authorization

The AMFI MACF policy system call

CVE-2020-0984 - Secure coding XPC Services - Part 3 - Incorrect client verification

Kernel Debugging macOS with SIP

Secure coding XPC Services - Part 2 - Checking CS (CodeSigning) flags of the client

TALK - Exploiting directory permissions on macOS

CVE-2019-20057 - Secure coding XPC services - Part 1 - Why EvenBetterAuthorization is not enough?

GateKeeper - Bypass or not bypass?

CVE-2020-14974 & CVE-2020-14975 - IOBit Unlocker 1.1.2 - Local Privilege Escalation

NOCVE - Few click RCE via GitHub Desktop macOS client with Gatekeeper bypass and custom URL handlers

Shield - An app to protect against process injection on macOS

UninstallString - a possible LPE via Social Engineering

A simple protection against HMValidateHandle technique

DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX

TALK - macOS - Getting root with benign AppStore apps

CVE-2020-14976 - GNS3 ubridge SETUID bit - arbitrary file read

CVE-2019-5514 - VMware Fusion 11 - Guest VM RCE