Thursday, August 2, 2018

Escaping the Sandbox – Microsoft Office

Adam Chester:

Then, as we get closer to the end of the list, we see something a little bit strange:
(allow file-read* file-write*
    (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$")))

This rule allows the Microsoft Word process to read/write a file as long as it matches the following regex.

At first I couldn’t understand why this exception was here, however when crafting a filename matching this regex, it actually starts to make sense, for example ~$document1.docx. This is the typical filename format for temporary files used by Office, so what this rule is doing is allowing the process to persist temporary files without prompting the user for permission each time. At this point alarm bells should be ringing, as although this rule allows Word to create a temporary file, it also allows us to create a file anywhere on the filesystem as long as it ends with “~$something”.
This means that all we need to do is craft a plist with a filename matching the sandbox regex, wait for a user to log in… and we should be able to escape the Word sandbox.
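As an added illustration (not Chester's code or the Office profile itself): a small Python audit that pulls the regex literal out of the quoted SBPL rule, shows which constructed sample paths it would accept, and flags that the pattern is not anchored to a directory. It models only the regex clause, applied to the full path with an unanchored search; the vnode-type REGULAR-FILE condition is assumed satisfied.

```python
import re

# Copy of the allow rule quoted above, embedded here as test input (constructed).
WORD_TEMP_RULE = r'''(allow file-read* file-write*
    (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$")))'''

# Matches an SBPL regex literal, i.e. (regex #"...") with backslash escapes inside.
SBPL_REGEX_LITERAL = re.compile(r'\(regex #"((?:[^"\\]|\\.)*)"\)')

# Constructed sample paths to exercise the rule against.
SAMPLE_PATHS = [
    '/Users/alice/Documents/~$report.docx',      # genuine Office temp file name
    '/tmp/~$anything.txt',                       # same name pattern, unrelated directory
    '/Users/alice/Documents/report.docx',        # the real document: no ~$ prefix
    '/Users/alice/Documents/~$tmp/file.docx',    # ~$ names a directory, not the file
    '/Users/alice/Documents/notes~$draft.docx',  # ~$ not at the start of the file name
]


def extract_path_regexes(profile_text):
    """Return every regex literal found in an SBPL fragment, unescaped as Python sees it."""
    return [m.group(1) for m in SBPL_REGEX_LITERAL.finditer(profile_text)]


def paths_allowed(path_regex, candidate_paths):
    """Return the candidate paths the regex accepts. SBPL applies the pattern to the full
    path and the pattern may match anywhere in it, so re.search is used, not re.fullmatch."""
    rx = re.compile(path_regex)
    return [p for p in candidate_paths if rx.search(p)]


def is_directory_anchored(path_regex):
    """Audit heuristic: a file-write rule confines writes to a directory only if its regex
    starts with an absolute-path prefix (^/...). A pattern beginning with (^|/) or a bare
    file-name fragment matches that name under every directory on the filesystem."""
    return path_regex.startswith('^/')


def audit(profile_text, candidate_paths):
    """For each regex in the fragment report whether it is directory-anchored and which
    of the candidate paths it would let the sandboxed process read and write."""
    return [
        {'regex': rx,
         'anchored': is_directory_anchored(rx),
         'allowed': paths_allowed(rx, candidate_paths)}
        for rx in extract_path_regexes(profile_text)
    ]


if __name__ == '__main__':
    for entry in audit(WORD_TEMP_RULE, SAMPLE_PATHS):
        print(entry)
```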


Whoa! Security is hard man. Seriously cool stuff. Great read.

