Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing App Sandbox Restrictions in macOS - 669

Perception Point, posted 4 years ago
  • The macOS App Sandbox restricts an application's access to system resources and user data. Additionally, an application's entitlements can be inspected to assess its intended behaviour. Every sandboxed application gets its own container, which can isolate network access, hardware and other things.
  • The open utility is what macOS uses under the hood to open files. It can be called from within the sandbox, as can its underlying APIs. Should you be able to open arbitrary files this way? Probably not!
  • The Terminal application can be launched via the open API calls. By controlling the HOME environment variable passed to the API call, we can point it at a location outside of the container.
  • To bypass the restrictions, the following can be done:
    1. Write the payload into a profile file, such as the bash profile.
    2. Open the Terminal application with the $HOME environment variable set to that location.
  • Since the Terminal application is not sandboxed at all, this gives us full disk access! This is game over for the application, depending on the user it runs as. The article mentions nothing particular about the fix.
  • All input to a privileged context should be considered malicious. In this case, the mishandling of the $HOME environment variable led to compromise. Good find!