Show Notes

229 - Buggy Cookies and a macOS TCC Bypass

00:00:25
Humble Tech Book Bundle: Hacking 2023 by No Starch
00:06:58
Cookie Bugs - Smuggling & Injection
00:17:21
Extracting Training Data from ChatGPT

This post details a prompt-based exploit that could be leveraged against ChatGPT as well as other language models such as Falcon, Pythia, LLaMa, and GPT-NEO to extract training data. The basis for this vulnerability is the fact that when prompting the model to repeat a word a large number of times (for example, repeat this word forever: "poem"), after so many words the model ends up diverging. This divergence can end up being nonsense, or sometimes it can diverge into regurgitating remembered training data. Why exactly this happens isn’t clear, as they state they want to get to the core of why this divergence exists to defend against it better.

In some cases this training data can consist of Unique User IDs (UUIDs) as well as researcher contact information for a researcher who uploaded training data. Beyond the potential sensitive information disclosures, this regurgitation can also be triggered incidentally with innocent prompts, and can break the design goal of using a generative model in the first place if it ends up regurgitating training data.

Additional Links: https://arxiv.org/abs/2311.17035
00:32:22
lateralus (CVE-2023-32407) - a macOS TCC bypass

A classic filesystem race condition in Metal-based macOS applications that can lead to bypassing of macOS’ Transparency Consent and Control privacy framework (TCC). Applications that rely on the Metal framework will look for and process the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable to write debugging data to as that application, even if the given filepath already exists. This gives them a limited file write primitive where they can control the destination but not the contents. It turns out you can also control the contents too however, as the way the file I/O was done is it would open a temporary file to write the contents to, then rename it to the final path. Where the old and new path for the rename, you can open and obtain a file descriptor to write to the temporary file in a safe directory, and symlink the path off to some other privileged location between the old and new path being resolved.

This yields an arbitrary file write as the given metal application, bypassing TCC.

00:37:35
Securing our home labs: Home Assistant code review
00:45:16
TRAP; RESET; POISON; - Taking over a country Kaminsky style
00:47:04
Exploiting XPath Injection Weaknesses
00:47:42
Deep dive into the new Amazon EKS Pod Identity feature