1 Practical Mac OS X Insecurity Security Concepts, Problems and Exploits on your Mac
2 Who am I? Student of physics, mathematics and astronomy in Bonn Mac user since 1995 I love Macs Mac evangelist
3 Intentions Macs have to become even more secure Apple needs to react appropriately Give an overview on Mac security
4 Overview Mac OS X Security Concepts Worst vulnerabilities and exploits Securing your Mac
5 Security Concepts
6 Security Concepts What s good: No network services are listening by default User is never logged in as root Relies on the strong Unix security and permissions model Malware usually needs some sort of privilege escalation exploit
7 Security Concepts What s not so good: Closed-source security components (e.g. Admin.framework) User can do almost anything without entering the password Insecure default settings
9 Vulnerability #1 System Preferences
10 System Preferences Closed-source Relies on setuid root helper tool Many things can be done without password Start and stop services, change power management settings, add new users
11 System Preferences You can add users to the admin group You can get root within 5 seconds Still works in Tiger AppleScript Demo!
12 System Preferences How do I fix it?
13 System Preferences I reported this bug to Apple in October I sent the exploit and suggested a workaround The answer was: You can enable the "Require password to unlock each secure system preferences" checkbox, which can be found in the Security preference pane. Note: After doing so, any user will have to provide the admin name and password in order to change settings, including Accounts.
14 System Preferences This was no question, this was a local privilege escalation vulnerability I wrote them again This time they answered: Thank you for the clarification. Please know that we have forwarded this information on to the appropriate engineering team for review.
15 System Preferences The year is now over, it is still not fixed
16 System Preferences This morning, I got mail from Apple We are taking security seriously Wait for next security update Don t publish it Too late, it s already in the congress proceedings
17 Vulnerability #2 Bad Installers and wrong Permissions
18 Bad Installers and wrong Permissions Global startup items can be put to /Library/StartupItems They will be executed as root
19 Bad Installers and wrong Permissions The directory /Library/StartupItems does not exist by default Many installers will create it with wrong permissions It will likely be user- or even world-writable
20 Bad Installers and wrong Permissions Execution of arbitrary code as root by putting it in /Library/StartupItems and rebooting
21 Bad Installers and wrong Permissions Disk Utility can repair permissions The problem is: Disk Utility does not repair the permissions of /Library/StartupItems This is a major bug
22 Bad Installers and wrong Permissions How do I fix it? Put something like chown -R root:wheel /Library/StartupItems chmod -R og-w /Library/StartupItems into /etc/rc or /etc/daily as a workaround.
23 Vulnerability #3 Clear Text Passwords in Swap File
24 Clear Text Passwords Apple s Security Framework does not lock passwords in physical memory by using something like mlock() Eventually they will be written to the swap file Type: sudo strings /var/vm/swapfile0 grep -A 4 -i longname and you will much likely see your password in clear text
25 Clear Text Passwords Fix? In Panther, there is a way but it makes OS X unstable Wait for Tiger which lets you encrypt your swap But: it s no clean solution, breaks performance
26 Vulnerability #4 Personal Filesharing Denial of Service
27 Personal Filesharing Denial of Service Personal Filesharing is the Mac equivalent to Samba on Windows Contains a guest account by default You cannot disable it in System Preferences
28 Personal Filesharing Denial of Service The guest account has write access to a drop box There is no limit on the amount of written data The Harddisk is the limit
29 Personal Filesharing Denial of Service The attacker can fill up all disk space with bullshit OS X will likely crash when it has no free swap space anymore Especially dangerous over gigabit ethernet RendezPoo Demo!
30 Personal Filesharing Denial of Service The guest account can be disabled in /Library/Preferences/com.apple.AppleFileServer.plist by setting <key>guestaccess</key> <true/> to <key>guestaccess</key> <false/>
31 Vulnerability #5 Mach Injection
32 Mach Injection Mach Kernel API Inject code into running Programs and execute it Override C-Functions at runtime
33 Mach Injection With Objective-C it gets interesting
34 Intermezzo: Objective-C Categories Categories: Objective-C language feature Add new methods to existing classes at compile time Subclassing without subclassing ;-)
35 Intermezzo: Objective-C Categories Example: Extend NSString to be able to deal with regular expressions In your App, create a Category NSString (RegExp) Implement all methods you want to add All NSString are now capable of regular expresions
36 Intermezzo: Objective-C Categories No subclassing and casting necessary Also used to split up large classes into a number of smaller files
37 Mach Injection It gets even cooler... We have seen what we can do with Objective-C at compile time On Mac OS X, you can inject Categories into running Applications at runtime I repeat, at runtime!
38 Mach Injection It doesn t stop there... The Objective-C Runtime Library lets you replace one method with another MethodSwizzling I repeat, at runtime!
39 Mach Injection What does it mean? You can selectively replace arbitrary methods with your own implementations in any Objective-C App at runtime Even possible when you don t have the source code
40 Mach Injection Consequences: You can patch the closed-source components in Mac OS X at runtime (e.g. the Finder or Safari) You can do almost anything you want with any running App
41 Mach Injection Implications on security: You don t get a free root shell It makes it easy for malware to patch the system in a malicious way No privileges needed
42 Mach Injection New kind of malware that works entirely with user privileges It will be able to patch the system in a malicious way and perhaps even hide itself Rootkit without root Pretty welcoming atmosphere for viruses
43 Mach Injection Implications for security are not yet explored
44 Vulnerability #6 Disguised Executables
45 Disguised Executables An executable can be camouflaged as any other filetype in the Finder How? Simply change the suffix and the symbol to e.g. match an mp3 file
46 Disguised Executables Fix? None known
47 Summary 1. System Preferences privilege escalation 2. Bad permissions 3. Clear text passwords in swap 4. Personal Filesharing DOS 5. Mach Injection 6. Disguised executables
48 One more thing
49 The first Mac OS X Worm Proof-of-concept, no malicious routine
50 The first Mac OS X Worm Demo!
51 Resources Slides available at: https://21c3.annulator.de/ Demo source code available soon
User's Manual Intego VirusBarrier Server 2 / VirusBarrier Mail Gateway 2 User's Manual Page 1 VirusBarrier Server 2 and VirusBarrier Mail Gateway 2 for Macintosh 2008 Intego. All Rights Reserved Intego
FileMaker Server 13 FileMaker Server Help 2010-2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,
User's Manual Intego Remote Management Console User's Manual Page 1 Intego Remote Management Console for Macintosh 2007 Intego, Inc. All Rights Reserved Intego, Inc. www.intego.com This manual was written
Start Developing ios Apps Today Contents Introduction 6 Setup 7 Get the Tools 8 Review a Few Objective-C Concepts 9 Objects Are Building Blocks for Apps 9 Classes Are Blueprints for Objects 9 Objects Communicate
4. Client-Level Administration Introduction to Client Usage The Client Home Page Overview Managing Your Client Account o Editing Your Client Record View Account Status Report Domain Administration Page
Cumulus 8.1 Administrator Guide Copyright 2010, Canto GmbH. All rights reserved. Canto, the Canto logo, the Cumulus logo, and Cumulus are registered trademarks of Canto, registered in the U.S. and other
Programming from the Ground Up Jonathan Bartlett Edited by Dominick Bruno, Jr. Programming from the Ground Up by Jonathan Bartlett Edited by Dominick Bruno, Jr. Copyright 2003 by Jonathan Bartlett Permission
MULTI LICENSES The information in this document is subject to change without notice and does not represent a commitment on the part of Propellerhead Software AB. The software described herein is subject
LAVASOFT FILE SHREDDER FILE SHREDDER SOFTWARE MANUAL Table of Contents Install and Uninstall 1 Install Using a CD 1 Install Using a File 1 Uninstall the Application 1 Activation 2 What is the Subscription
Data protection Protecting personal data in online services: learning from the mistakes of others May 2014 Contents Introduction... 2 What the DPA says... 4 Software security updates... 5 Software security
A Survey on Virtual Machine Security Jenni Susan Reuben Helsinki University of Technology email@example.com Abstract Virtualization plays a major role in helping the organizations to reduce the operational
User Guide and Reference Manual Version 3.1 September 2014 Scientific Toolworks, Inc. 53 N Main St. George, UT 84770 Copyright 2014 Scientific Toolworks, Inc. All rights reserved. The information in this
OS X Support Essentials 10.10 Exam Preparation Guide Updated January 2015 1 Contents About This Guide... 3 Exam Details... 4 Recommended Exam Preparation... 4 Part One: Installation and Configuration...
Getting Started Guide Cloud Server powered by Mac OS X Getting Started Guide Page 1 Getting Started Guide: Cloud Server powered by Mac OS X Version 1.0 (02.16.10) Copyright 2010 GoDaddy.com Software, Inc.
A beginners guide in how to make a Laptop/PC more secure. This guide will go through the common ways that a user can make their computer more secure. Here are the key points covered: 1) Device Password
GALSYNC V4.3 Manual NETSEC 18. March 2013 NETsec GmbH & Co.KG Schillingsstrasse 117 DE - 52355 Düren THE ADVANTAGES OF GALSYNC... 6 EASY TO USE... 6 NO SECURITY RISKS IN YOUR FIREWALL... 6 VALUES FOR YOUR
Mobile Device Manager v. 7.3 Admin Guide Document Revision Date: Oct. 14, 2014 MDM Admin Guide i Contents Introduction... 1 System Requirements... 1 Getting Started with AirWatch... 2 Environment Setup...
Syncro SVN Client 4.2 User Manual SyncRO Soft Ltd. Syncro SVN Client 4.2 User Manual SyncRO Soft Ltd. Copyright 2002-2009 SyncRO Soft Ltd. All Rights Reserved. Many of the designations used by manufacturers
SuccessFactors Admin: Recruiting Management Admin Guide v1204 (One Admin) For SuccessFactors v12 (One Admin) Last Modified 07/17/2012 2012 SuccessFactors, Inc. All rights reserved. Execution is the Difference