Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)

I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.

Forklift is an advanced dual pane file manager for macOS. It is well known under macOS power users.

As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.

By now all vulnerabilities are fixed by the vendor I can release the details: https://binarynights.com/versionhistory

Continue reading “Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)”

Continue reading

Spraying arbitrary objects into the non-paged pool

Recently, I had some time to play around with HEVD [1], an extremly vulnerable Windows driver available for 32-bit and 64-bit systems.

Since exploits for all vulnerabilities of the 32-bit variant are publically available, I was wondering why this is not the case for the 64-bit version, especially for the pool corruption and UAF vulnerabilities.

Continue reading “Spraying arbitrary objects into the non-paged pool”

Continue reading

Insomni’hack pwn50 write-up

Hi all,

i´ve looked a bit at the Insomni’hack CTF which took place on the 21st January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation,
I decided to create a write-up of the first pwn50 challenge.

To grab your own copy of the presented files you can also find it in our Github repository:

Continue reading “Insomni’hack pwn50 write-up”

Continue reading

Black Hat 2016 Summary

Just a few days ago I had a blast again at this year’s Black Hat. Some of the talks were really worth listening to, so I wanted to point them out and give a short summary.



They had the last slot at the last day of Black Hat which resulted in a kind of empty room, but in my opinion it was an awesome talk and I even had the pleasure to meet these two guys at our ERNW dinner.


The talk was about a very weirdly documented Intel instruction which does not check for privileges or throw exceptions:

Continue reading “Black Hat 2016 Summary”

Continue reading

Keynote #1 Troopers 2016

The first Keynote directly after the Opening by Enno Rey was held by Ben Zevenbergen. At the beginning he pointed out that he is not a very technical guy rather he specialized in Information Law and a policy advisor to the European Parliament. Before he started to dive into his Keynote he talked about some rant story’s which happened to him while trying to make his point clear on previous conferences and that he came in peace to Troopers ;).

Continue reading “Keynote #1 Troopers 2016”

Continue reading

Attacking Next-Generation Firewalls

Felix Wilhelm presented in his talk various ways to attack his new target – The PA-500 which is produced by Palo Alto Networks.

He discovered vulnerabilities in 3 different exposed aspects of the device. The first vulnerability occurred inside of an unauthenticated API from the Management-Website which could only be accessed within the Admin Network. This vulnerability was a typical off-by-one Command Injection, which could be abused by reaching out to the API with a special client=wget Request.

Continue reading “Attacking Next-Generation Firewalls”

Continue reading

Dynamic IDA Enrichment (aka. DIE)

Last year on the Hex-rays plugin Contest the Dynamic IDA Enrichment (DIE) plugin won first place, so we decided to have a look and play around with it.

DIE extends IDA to add Dynamic Data to the static analysis. So after the installation, we are able to perform the static analysis using a lot of supporting information from the actual execution of the binary under assessment.

Since DIE is purely written in Python you will need at least Python 2.7 and IDA Versions prior to 6.8 won´t work. In the current version DIE will only work on Windows which will hopefully soon be available cross-platform.

To setup the environment for DIE just use pip install –r requirements.txt (requirements.txt are shipped with DIE).
Copy die_proxy.py to the IDA Plugin directory and add an environment Variable named DIEDIR including the path to the DIE directory. Continue reading “Dynamic IDA Enrichment (aka. DIE)”

Continue reading