Bug Bytes #120 – MacOS pwned, Homebrew RCE & The world’s shortest backdoor
By Anna Hammond
April 28, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 19 to 26 April.
Our favorite 5 hacking items
1. Videos of the week
Why you should Close Your Files | Binary Exploitation 0x02
How SUDO on Linux was HACKED! // CVE-2021-3156
I’m more into Web/API/mobile hacking, but sometimes other types of InfoSec resources are so good they make me want to change fields! That’s the case with these two videos.
The first one is part of a new binary exploitation series by PwnFunction. It provides a beginner-friendly introduction to file descriptors: what they are and how they can be abused.
The second video is a walkthrough of CVE-2021-3156 (Baron Samedit), why it wasn’t obvious to detect with fuzzing and how it hid in plain sight for almost a decade. These are interesting but complex topics that only @LiveOverflow could make so fun!
2. Writeups of the week
All Your Macs Are Belong To Us & macOS Gatekeeper Bypass (2021 Edition) (Apple)
Remote code execution in Homebrew by compromising the official Cask repository (Homebrew)
@cedowens found a pretty bad bug that allowed malicious apps to basically bypass MacOS’s security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements). It’s already exploited in the wild. @patrickwardle confirmed the findings and published a detailed analysis on the root cause of the bug. Make sure to update your OS before diving into this!
@ryotkak disclosed a Remote Code Execution in Homebrew (a popular macOS package manager). A bug in the git_diff library made it possible to trick a repo’s maintainers into approving malicious pull requests. Users who installed the infected package would have had their system compromised.
3. Tools of the week
HTTP Methods Discloser
gsocket.io
HTTP Methods Discloser is a Burp extension to easily check which HTTP methods are available. It replays each request with the OPTIONS verb and adds all methods available in the request’s “Comment” column (in the Proxy History). It’s a handy way to stay aware of the HTTP verbs available for every request.
gsocket (or Global Socket) is a toolkit that allows workstations behind NAT/Firewall to establish a TCP connection with each other “like there is no firewall”. It has several applications. One of them is deploying a reverse login shell with a single command, without a server. The shell is accessible remotely through NAT/firewalls. It’s powerful, and pretty useful for CTF and pentest!
4. Challenge of the week
Intigriti’s 0421 XSS challenge winners and writeups, Source code & Walkthrough by @terjanq (who created the challenge)
This is a hard XSS challenge by XSS and XS-Leaks master @terjanq. The cool thing is that the source code is available to play with even though the challenge has ended. There is also a bunch of writeups and different solutions to guide you.
It’s a nice opportunity to learn techniques that @terjanq used for a real WAF bypass.
5. Resource of the week
Offensive Security Guide to SSH Tunnels and Proxies
This is a one-page guide on SSH tunnels and SOCKS proxies. It’s a good reference for those engagements where you’re short on time and need to quickly remember which tunnel/proxy to use and how to do it.
Other amazing things we stumbled upon this week
Podcasts
- DAY[0] Episode 74 – Bad Patches, Fuzzing Sockets, & 3DS Hacked by Super Mario 
- The Mystery of AS8003 – Remembering Dan Kaminski, Project Zero, Unethical Security Research 
Tutorials
Beginners corner
- Hacking GraphQL for Fun and Profit — Part 1 — Understanding GraphQL Basics & Part 2 — Methodology and Examples
Writeups
Challenge writeups
- SQL Injection – Lab #8 SQLi attack, querying the database type and version on MySQL & Microsoft #video 
Responsible(ish) disclosure writeups
- CVE-2021-27736: XXE in FusionAuth SAML Library & Detection with Burp SAML Raider 
- Uncovering and Disclosing a Signature Spoofing Vulnerability in Windows Installer: CVE-2021-26413 #Windows 
- CVE-2021-22204: ExifTool vulnerable to arbitrary code execution when parsing malicious images (no PoC yet) #Web 
0-day & N-day vulnerabilities
- Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise #Web 
- Microsoft Exchange From Deserialization to Post-Auth RCE (CVE-2021-28482)
Bug bounty writeups
- New Clubhouse Security Vulnerabilities Could Happen to Any Growing Unicorn (Clubhouse) 
- CVE-2021-30481: Source engine remote code execution via game invites (Valve, $8,000) 
- You Talking To Me? (Google) 
- Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled (New Relic, $2,123) 
- RCE in ‘Copy as Node Request’ BApp via code injection (PortSwigger Web Security) 
- Brave — Stealing your cookies remotely (Brave, $500) 
- Shopify Account Takeover $22500 Bug Bounty (Shopify, $22,500) #video 
- Github Open Redirect to Reflected XSS Poc 4000$ (GitHub, $4,000) #video 
See more writeups on The list of bug bounty writeups.
Tools
- h1stats: h1 Program Stats Scraper 
- Marauders Map & Intro: The internal attacker toolkit heavily inspired by SharpPack 
- Traitor: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins 
Misc. pentest & bug bounty resources
Challenges
- Hack the Amazon Interview (ends on May 3) 
Articles
- Unintentionally exposing your organization to MFA bypasses on Azure Active Directory 
- Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective & Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools 
Bug bounty & Pentest news
- Dan Kaminsky: Tributes pour in for security researcher who died after short illness 
- Stanford student finds glitch in ransomware payment system to save victims $27,000 
- Researchers Secure Bug Bounty Payout to Help Raise Funds for Infant’s Surgery 
- Ill-advised research on Linux kernel lands computer scientists in hot water 
Community pick of the week
Impressive, @pudsec, well done!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!