gergelykalman

@gergelykalman@infosec.exchange
169 Followers
70 Following
23 Posts

I published a correction to my slides/blogposts regarding rename(). I incorrectly stated that rename("./a", "./b") was racy. It is not.
For most situations this is not a huge deal, but I still feel bad that I misled you all, so beers are on me.

https://gergelykalman.com/corrections-regarding-rename.html

Corrections regarding rename()

While researching the filesystem training I came across a particularly bad example I have given in my talks and slides about how rename() works, and I felt it's prudent that I own up to this mistake and publish the correction. TL;DR: My provided example of rename("./a", "./b") is …

Gergely's hack blog

Since it's been almost a year and OBTSv7 is around the corner, I published the long-overdue writeup for badmalloc:
https://gergelykalman.com/badmalloc-CVE-2023-32428-a-macos-lpe.html
badmalloc (CVE-2023-32428) - a macOS LPE

I recently realised that I still owe you guys some writeups, so since OBTSv7 is around the corner here's the one for badmalloc. I found this back in March 2023, and it got fixed in October. About the bug There's a bug in MallocStackLogging, Apple's "magical" framework that allows developers …

Gergely's hack blog

For those of you who might like it: here are the slides from my Alligatorcon talk:
https://gergelykalman.com/the-forgotten-art-of-filesystem-magic-alligatorcon-2024-slides.html
The forgotten art of filesystem magic - Alligatorcon 2024 slides

For those of you who requested and/or couldn't make it, here are the slides from my Alligatorcon talk: Gergely Kalman: The forgotten art of filesystem magic It's a prequel to the guide, which is more dry and technical: The missing guide to the security of filesystems and file APIs …

Gergely's hack blog

I keygened all of my Hungarian ISP's routers last year:

https://gergelykalman.com/hacking-isp-cpe-equipment-fiberhome.html

Hacking ISP CPE equipment: FiberHome

For those of you who are used to reading about my Apple research, this post is going to be a change of pace. This one is about CPE (Customer Premise Equipment) security, basically the routers your ISP gives you. Background Last year I spent some time back in my home …

Gergely's hack blog

Another writeup is up; this time it's sqlol (CVE-2023-32422), a $30,500 macOS TCC bypass:
https://gergelykalman.com/sqlol-CVE-2023-32422-a-macos-tcc-bypass.html

Slowly but surely, I will work off my backlog...

sqlol (CVE-2023-32422) - a macOS TCC bypass

Wow, two blogposts in two days! Is this a new writeup schedule? No, it's not. But, since I'm presently just ill enough to not be productive, yet well enough to write, I figured I'd chip away at my horrendous (writeup) debt while I wait for the immune fairy to arrive …

Gergely's hack blog

Post about "lateralus" (a $30,500 TCC bypass) is live: https://gergelykalman.com/lateralus-CVE-2023-32407-a-macos-tcc-bypass.html

I even praise Apple in it. It's wild.

lateralus (CVE-2023-32407) - a macOS TCC bypass

Since I owe you guys a bunch of writeups from my talk (Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS), I decided that I'll tackle lateralus today. It's a simple, clean bug with a quick and satisfying resolution. I have been bitching about Apple in the past blogpost (and on Twitter …

Gergely's hack blog

Unexpected, Unreasonable, Unfixable - My slides from OBTS v6

For those who missed the OBTS v6 conference and live stream, here are the slides of my talk: Gergely Kalman: Unexpected Unreasonable Unfixable There should be a video of the talk coming out on the official OBTS YouTube channel as well. As for me, I will publish a writeup for …

Gergely's hack blog

To make even more room in my #OBTS talk, here's a trivial TCC bypass writeup :)

https://gergelykalman.com/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV.html

CVE-2023-38571 - a macOS TCC bypass in Music and TV

This post is a writeup of CVE-2023-38571, a macOS TCC bypass bug I found. It was supposed to be unveiled in my upcoming talk: "Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6, but I needed to cut some bugs out. This is another one of them. Background While …

Gergely's hack blog

Due to a lack of time in my #OBTS talk, here's one of the bugs that didn't make the cut:
"unnamed app sandbox escape", aka CVE-2023-32364

https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html

CVE-2023-32364 - a macOS sandbox escape by mounting

This post is a writeup of CVE-2023-32364, a macOS application sandbox escape bug I found. It was supposed to be unveiled in my upcoming talk: "Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6, but I needed to cut some bugs out. This is one of them. macOS Sandboxing …

Gergely's hack blog