The last SyScan is almost here so it’s time to get again into a plane and travel to Singapore. This means that the slides and source code can finally be released. Below you can find the archive with both presentations slides (they are slightly different, SyScan version fixes/upgrades a few things) and full source code for both rootkit/kext loaders. I hope you enjoy them; they are quite fun techniques, in particular the second one which now I sort of regret to disclose because it’s so cool....

Hummm this is something that I should have done a long time ago but was always too lazy since there’s not highly critical information here (except some hashes and my PGP key/id). Anyway, you can finally access the blog over https://reverse.put.as. I still need to understand if there’s any impact on Google search stuff by moving it to HTTPS only. Better late then never. Oh and fuck you David Cameron and your stupid populist ideas....

A few days late but, Happy New Year! 2014 is gone and it was an interesting year. Learnt quite a few new things in different areas, created tons of code, and got a couple of very interesting ideas to explore in 2015. It also ended in a great way with a visit to CodeBlue to present BadXNU, a rotten apple. If there’s city and country I always wanted to visit, those were Tokyo and Japan....

Today a local privilege escalation vulnerability was disclosed in this blog post. It describes a vulnerability in IOBluetoothFamily kernel extension (IOKit is a never-ending hole of security vulnerabilities). Mavericks and most probably all previous versions are vulnerable but not Yosemite. The reason for this is that Apple silently patched the bug in Yosemite. This is not a new practice, where Apple patches bugs in the latest and newly released OS X version and doesn’t care about older versions....

Let me present you another TrustedBSD policy module, this time to control execution of suid enabled binaries. The idea to create this started with nemo’s exploitation of bash’s shellshock bug and VMware Fusion. It was an easy local privilege escalation because there are many Fusion suid enabled binaries. This got me thinking that I want to know when this kind of binaries are executed and if possible control access to them....