control.rip

Tag: reversing

From strings to riches: Finding a user-assisted LPE in the wild

Recently, @pwnsdx noticed that Blizzard’s Battle.net application modifies macOS' list of trusted X.509 certificates. Many applications use this information to decide whether a website or networked service should be trusted. As a result, modifying it is generally a bad idea. While researching this behavior with @pwnsdx, I discovered a user-assisted local privilege escalation (UALPE) vulnerability in the Battle.net installer. In this post, I would like to share how I discovered this issue, and outline some of the strategies that led me to it.

Decompiling .NET software on Windows via SSH

If you are anything like me, you may find Windows “challenging” to use. Its GUI tends to get in the way of just about everything. Running Windows in a hypervisor only accentuates this. The CLI tools appear to follow the same pattern. Microsoft is actively improving this, but I still prefer using git bash. So, what does this mean if we are stuck on Windows, and we need to automate some reverse engineering tasks?