First, what do we look for in a target for privilege escalation? This blogger explains that looking for SUID binaries is a good place to start. In addition, third-party vendors tend to implement binary helper programs (with SUID) that do not take the proper security precautions.
To trace which other files were executed, dtrace (similar to strace on Linux) was used, with the output filtered to the execve syscall. This revealed that VMware Fusion was trying to load several non-existent files, which looked like a good path for an LPE!
How these files are located is interesting, and the author reverse engineered this using IDA. The program finds the files through fairly complicated path parsing and checks that links are valid.
By hard linking a file (one that should exist but that the program cannot find) to a location where we can compile the payload, the program is tricked into keeping the setuid privileges of the file!
Unlike Linux, macOS allows unprivileged users to create hard links to SUID executables. This is the main reason that this exploit was possible.
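A defender-side audit for the condition described above, added here as an example and not taken from the original write-up: because a hard link shares its target's inode, the link carries the same owner and setuid bit, so a setuid file with a link count above one deserves a look. The function names and the default scan root `/Applications` are assumptions made for this example.

```python
import os
import stat
import sys
from collections import defaultdict


def find_linked_setuid(roots):
    """Map (device, inode) -> paths for setuid regular files with >1 hard link."""
    hits = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # vanished or unreadable; skip
                if (stat.S_ISREG(st.st_mode)
                        and st.st_mode & stat.S_ISUID
                        and st.st_nlink > 1):
                    hits[(st.st_dev, st.st_ino)].append(path)
    return dict(hits)


def summarize(hits):
    """Return (owner uid, sorted paths, links not seen under the scanned roots)."""
    rows = []
    for _key, paths in sorted(hits.items()):
        st = os.lstat(paths[0])
        rows.append((st.st_uid, sorted(paths), st.st_nlink - len(paths)))
    return rows


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/Applications"]  # assumed default scan root
    for uid, paths, unseen in summarize(find_linked_setuid(roots)):
        print(f"setuid uid={uid} links={paths} unseen_elsewhere={unseen}")
```

A non-zero `unseen_elsewhere` count means further links to the same inode exist outside the scanned roots, so widen the scan (same volume only, since hard links cannot cross filesystems) to locate them.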