fG! @ CodeBlue 2014
BadXNU
Who am I?
! (© Dr. Quynh)
Rootkits?
!
! :
! .
! .
Backdoors?
! .
! .
! OS X .
Got root?
! OS X
!
https://vimeo.com/109214161
Got root?
! ....
! !
! iWorm
Got root?
! HTTP
! ...
! ☺☺.
Apple's new kext policy
Consequences
! Kexts :
! .
! Invalid.
!
.
Solutions
!
! kext-dev-mode=1 (boot parameter)
!
!
!
! EFI
Attack userland daemons
! Kextd daemon.
! 3 .
! !
Attack userland daemons
!
*Output from Yosemite GM3 kextd
Attack userland daemons
! 2
! 2013 .
! http://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/
Apple Security...
Kernel vulnerabilities
! :
! .
! .
! .
Kernel vulnerabilities
!
! .
! PID .
Kernel vulnerabilities
! Snow Leopard.
! task_for_pid(0) .
! http://phrack.org/issues/66/16.html
Kernel vulnerabilities
Kernel vulnerabilities
! processor_set_tasks() .
! Ming-chieh Pan & Sung-ting Tsai, BlackHat Asia 2014.
! Jonathan Levin Mac OS X iOS
Kernel vulnerabilities
! .
! task_for_pid(0) .
Kernel vulnerabilities
! Apple.
! iOS !
! SECURE_KERNEL .
! !
We can
! .
! .
! .
We can’t
! :
! .
! read-only .
! .
Kernel obstacles
! read-only.
Kernel obstacles
! read-only.
! syscall mach
! Mountain Lion
Kernel obstacles
! Kernel ASLR.
! .
! kas_info syscall .
! .
Memory protection problem
! read-only.
! CR0
!
Code execution problem
!
! syscall mach.
Code execution problem
! .
! kernelcache .
! .
Goals
! Direct Kernel Object Manipulation (DKOM).
! .
! .
! CR0 .
! .
TrustedBSD MACF
! MAC .
! .
! FreeBSD .
! OS X/iOS .
! Userland Gatekeeper.
TrustedBSD MACF
! .
! .
TrustedBSD MACF
! .
! .
! .
= WIN!
How to Leverage TrustedBSD
! .
! .
! .
! .
10 steps to victory
1. .
2. ASL .
3. .
4. .
5. .
10 steps to victory
6. .
7.
8. TrustedBSD .
9. TrustedBSD .
10. .
1. Get kernel task port
2. Find KASLR slide
3. Compute rootkit size
!
4. Allocate kernel memory
! mach_vm_allocate().
! .
5. Copy rootkit
! mach_vm_write().
! .
!
6. Change memory protections
! mach_vm_protect().
! .
! .
Problems
! .
! mach_vm_wire().
! .
7. Fix external symbols
! PIE.
! .
! ?
! .
! .
7. Fix external symbols
! .
! Mach-O :
! LC_DYSYMTAB.
! LC_SYMTAB.
7. Fix external symbols
! 10 .
! Kexts :
! X86_64_RELOC_UNSIGNED.
! RIP .
! X86_64_RELOC_BRANCH.
! .
7. Fix external symbols
Relocation Type         Local    External
X86_64_RELOC_UNSIGNED   166078   335464
X86_64_RELOC_SIGNED     0        0
X86_64_RELOC_BRANCH     0        158219
X86_64_RELOC_GOT_LOAD   0        0
X86_64_RELOC_GOT        0        0
X86_64_RELOC_SUBTRACTOR 0        0
X86_64_RELOC_SIGNED_1   0        0
X86_64_RELOC_SIGNED_2   0        0
X86_64_RELOC_SIGNED_4   0        0
X86_64_RELOC_TLV        0        0
7. Fix external symbols
! :
! KPI .
! :
! kext .
8. Install a TrustedBSD policy
! :
! mac_policy_list.
! mac_policy_conf.
! mac_policy_ops.
8. Install a TrustedBSD policy
! .
! mac_policy_list.
8. Install a TrustedBSD policy
! mac_policy_conf .
8. Install a TrustedBSD policy
! mac_policy_ops .
! .
8. Install a TrustedBSD policy
a) mac_policy_ops .
b) mac_policy_conf .
c) mac_policy_conf .
d) mac_policy_list .
a) mac_policy_ops
! task_for_pid() .
! .
! mac_policy.h
Rootkit entrypoint
! .
! kmod_info symbol .
! start_addr .
b) mac_policy_conf
! mac_policy_ops .
! NULL .
c) Add mac_policy_conf
! .
!
c) Add mac_policy_conf
!
d) Add new policy
! :
! numloaded
! .
! maxindex
! .
9. Start rootkit
! task_for_pid(1) .
! PID 1 launchd .
! "fuse" .
10. Cleanup
! :
! maxindex numloaded .
! :
! .
! .
Abusing OS X features
! /dev/kmem .
! "kmem=1" .
! /Library/Preferences/SystemConfiguration/com.apple.Boot.plist .
Abusing OS X features
! AppleHWAccess .
! Mavericks .
! .
! 64 bits read/write.
Abusing OS X features
! SJ_UnderWater .
! http://www.tonymacx86.com/apple-news-rumors/112304-applehwaccess-random-memory-read-write.html
We can
! .
! read-only .
We can’t
! .
! .
! .
AppleHWAccess
! :
! .
! .
! .
Problems?
! :
! .
!
! .
! .
! shellcode .
Problems?
! :
! syscall mach .
! TrustedBSD .
! kext .
! ...
10 steps to victory
1. ASLR .
2. .
3. .
4. .
5. .
10 steps to victory
6. .
7. .
8. .
9. syscall .
10. syscall .
1. Find KASLR slide
2. Find available memory
3. Find kernel
! .
! (VM !).
! :
! .
! .
3. Find kernel
! .
! .
! KASLR .
! 32 .
3. Find kernel
! .
! 0 .
! .
3. Find kernel
! VM .
! .
! ""
3. Find kernel
! ?
! Mach-O .
! .
! .
3. Find kernel
! KASLR .
! .
3. Find kernel
! .
! vmaddrs KASLR .
4. Compute rootkit size
! .
! .
5. Find free space
! __TEXT __DATA .
! .
! 10.10.0 .
! 10.9.5 .
5. Find free space
! !
! .
! .
5. Find free space
! .
! .
6. Write rootkit to memory
! .
! .
6. Write rootkit to memory
7. Fix rootkit symbols
! .
! .
8. Find rootkit entrypoint
! .
9. Modify unused syscall entry
! sysent .
! .
! syscall .
! sysent ( ).
9. Modify unused syscall entry
! "enosys" "nosys" .
! Mavericks nosys .
! Yosemite enosys .
! .
10. Start rootkit
Problems
! non-writeable ( ) .
! .
! .
Problems
! CR0 .
!
! .
Problems
! CR0 CPU .
! ?
OS X security is...
Conclusions
! Kext .
! .
! Apple .
Conclusions
! (EOL) .
! .
!
Conclusions
! Apple .
! ...
http://reverse.put.as
http://github.com/gdbinit
[email protected]
@osxreverser
#osxre @ irc.freenode.net PGP key:
http://reverse.put.as/wp-content/uploads/2008/06/publickey.txt
PGP Fingerprint: 7B05 44D1 A1D5 3078 7F4C E745 9BB7 2A44 ED41 BF05
References
! Images from images.google.com. Credit due to all their authors.