Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS

Ron Masas, posted 2 years ago
  • Recently, some researchers found a vulnerability in the Atlassian Companion app. The program relies on a blocklist of about 350 file types, and the author of the original post found that .class files were not on it, which gave them RCE.
  • Why a blocklist? Atlassian does not add the quarantine attribute to downloaded files because it would make the user experience worse. A blocklist, however, is generally a bad idea: an attacker only needs to find one file type that is not on it.
  • A .fileloc file is a macOS shortcut, similar to a symbolic link, that contains the full path to another file on the system. Since it was not a blocked file type, it was a good candidate for exploitation. While reverse engineering the application, the researchers noticed that files on the blocklist were still downloaded; they were just stored somewhere inaccessible. Weird!
  • The name of that directory was random, and they also needed the macOS username. So they found one websocket API call that returned the folder UUID and another that revealed the username in an error message. With all of this, we have a full chain.
    1. Make a websocket API call to leak the UUID.
    2. Make a websocket call to leak the macOS username.
    3. Download a malicious file that should be blocked. It will be stored on the system but we now know the path.
    4. Download the .fileloc file, which points to the absolute path of the malicious file above.
    5. Pop a shell!
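Added example (my own code, not from Ron Masas's write-up) illustrating the blocklist point above: a small, constructed stand-in for the extension blocklist, with .class and .fileloc absent as in the post, is compared against an assumed allowlist over constructed sample filenames, including case and trailing-dot variants.

```python
import os

# Constructed, abbreviated stand-in for the ~350-entry blocklist; the real
# Atlassian list is not reproduced here. .class and .fileloc are deliberately
# absent, which is exactly the gap the write-up describes.
DOWNLOAD_BLOCKLIST = {".app", ".command", ".dmg", ".pkg", ".sh", ".terminal"}

# Assumed allowlist of the document types the app actually needs to hand out.
DOWNLOAD_ALLOWLIST = {".pdf", ".png", ".jpg", ".txt", ".docx", ".xlsx"}


def normalise_ext(filename: str) -> str:
    """Return the lower-cased final extension with trailing dots/spaces removed.

    Trailing dots and spaces are stripped because some file systems ignore
    them, so 'evil.sh.' would otherwise slip past an exact string match.
    """
    name = os.path.basename(filename).rstrip(". ").lower()
    _, ext = os.path.splitext(name)
    return ext


def blocklist_allows(filename: str) -> bool:
    """Blocklist policy: permit everything except known-bad extensions."""
    return normalise_ext(filename) not in DOWNLOAD_BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist policy: permit only known-needed extensions; no extension fails."""
    ext = normalise_ext(filename)
    return bool(ext) and ext in DOWNLOAD_ALLOWLIST


def compare_policies(filenames):
    """Return the names the blocklist lets through but the allowlist rejects."""
    return [f for f in filenames if blocklist_allows(f) and not allowlist_allows(f)]


SAMPLE_DOWNLOADS = [  # constructed sample names, not taken from the advisory
    "report.pdf",
    "Evil.class",          # bypass described in the write-up
    "shortcut.fileloc",    # second bypass described in the write-up
    "installer.PKG",       # case variant of a listed type, still caught
    "script.sh.",          # trailing dot, still caught after normalisation
    "README",              # no extension: blocklist shrugs, allowlist refuses
]

if __name__ == "__main__":
    for f in compare_policies(SAMPLE_DOWNLOADS):
        print(f"blocklist misses: {f}")
```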