<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>sandbox on Reverse Engineering</title>
    <link>https://reverse.put.as/tags/sandbox/</link>
    <description>Recent content in sandbox on Reverse Engineering</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <managingEditor>reverser@put.as (fG!)</managingEditor>
    <webMaster>reverser@put.as (fG!)</webMaster>
    <copyright>© 2025 fG!</copyright>
    <lastBuildDate>Mon, 26 Sep 2011 23:21:08 +0100</lastBuildDate><atom:link href="https://reverse.put.as/tags/sandbox/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2</title>
      <link>https://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/</link>
      <pubDate>Mon, 26 Sep 2011 23:21:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/</guid>
      <description>I like things well done, and the healthy discussion with snare about this topic reminded me that this PoC was a bit incomplete. So I decided to close the missing gaps.
The fix is pretty simple. Retrieve a new kauth credential with uid and gid equal to 0 and replace the old one (the code seems stable even without process locks). It also seems to work fine without the allproc lock. The backdoor also had a small “bug” that I didn’t notice due to a coincidence.</description>
    </item>
    
    <item>
      <title>Abusing OS X TrustedBSD framework to install r00t backdoors...</title>
      <link>https://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/</link>
      <pubDate>Sun, 18 Sep 2011 23:20:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/</guid>
      <description>While poking around the OS X implementation of TrustedBSD to write the sandbox guide, I had the idea of trying to abuse it for backdooring purposes. It’s kind of funny that something designed to protect can be so “easily” abused to install backdoors. This is not rocket science or a big breakthrough post – I was just curious about the possibility of abusing the framework. You still need to find a way to install the kernel module!</description>
    </item>
    
    <item>
      <title>Apple Sandbox Guide v1.0</title>
      <link>https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/</link>
      <pubDate>Wed, 14 Sep 2011 23:18:56 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/</guid>
      <description>Here is a version I consider good enough to come out of draft status. I have added more information – one thing I was especially interested in was matching the available operations in the SBPL syntax with the system/kernel functions that they control. This helps to better understand what the impact of each operation is. Appendix B features the lazy IDC script I used to extract this information from the sandbox kernel module (then I had to match it with the XNU kernel sources).</description>
    </item>
    
    <item>
      <title>Apple’s Sandbox Guide v0.1 – early draft release</title>
      <link>https://reverse.put.as/2011/09/03/apples-sandbox-guide-v0-1-early-draft-release/</link>
      <pubDate>Sat, 03 Sep 2011 23:18:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/03/apples-sandbox-guide-v0-1-early-draft-release/</guid>
      <description>After quite a few hours typing and testing stuff, here is a very early draft of my attempt to document Apple’s sandbox implementation. The most difficult part in writing technical documentation or business plans is getting the first draft more or less ready. It’s even worse when there’s not much information about the subject. But here is something that already has quite a lot of significant content.
In this draft I don’t like the writing style – it’s still very confused and boring.</description>
    </item>
    
  </channel>
</rss>
