Advanced Mac OS X Rootkits. Dino Dai Zovi Chief Scientist Endgame Systems

Similar documents
ADVANCED MAC OS X ROOTKITS

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

Mining Mach Services within OS X Sandbox

CS 416: Opera-ng Systems Design

SWIPING THROUGH MODERN SECURITY FEATURES

µtasker Document FTP Client

Operating Systems and Networks

Kernel Types System Calls. Operating Systems. Autumn 2013 CS4023

CSC 2405: Computer Systems II

CS161: Operating Systems

Toasterkit - A NetBSD Rootkit. Anthony Martinez Thomas Bowen

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Host-based Intrusion Prevention on Windows and UNIX. Dr. Rich Murphey White Oak Labs

A Hypervisor IPS based on Hardware assisted Virtualization Technology

FAME Operating Systems

Please Complete Speaker Feedback Surveys. SecurityTube.net

Linux Kernel Architecture

Phase 2: Scanning Detec0ng informa0on useful for break- in Live machines Network topology Firewall configura0on Applica0ons and OS types Vulnerabili0es

Example of Standard API

REAL TIME OPERATING SYSTEM PROGRAMMING-II: II: Windows CE, OSEK and Real time Linux. Lesson-12: Real Time Linux

Operating System Structure

Topics in Network Security

Encryption Wrapper. on OSX

MACH: AN OPEN SYSTEM OPERATING SYSTEM Aakash Damara, Vikas Damara, Aanchal Chanana Dronacharya College of Engineering, Gurgaon, India

UNIX Sockets. COS 461 Precept 1

McAfee Web Gateway 7.4.1

Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

Oracle Database Security and Audit

Chapter 17. Transport-Level Security

System Calls and Standard I/O

A SIMPLE WAY TO CAPTURE NETWORK TRAFFIC: THE WINDOWS PACKET CAPTURE (WINPCAP) ARCHITECTURE. Mihai Dorobanţu, M.Sc., Mihai L. Mocanu, Ph.D.

POSIX. RTOSes Part I. POSIX Versions. POSIX Versions (2)

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers

Linux Driver Devices. Why, When, Which, How?

Operating Systems Design 16. Networking: Sockets

Lync for Mac 2011 Deployment Guide

CIS 551 / TCOM 401 Computer and Network Security. Spring 2005 Lecture 4

How To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

BadUSB On accessories that turn evil

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

Windows Server 2003 default services

COS 318: Operating Systems

Network Attached Storage. Jinfeng Yang Oct/19/2015

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

Firewall Implementation

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

Web Server Architectures

ELEC 377. Operating Systems. Week 1 Class 3

XNU:asecurityevaluation

Process Description and Control william stallings, maurizio pizzonia - sistemi operativi

OS/390 Firewall Technology Overview

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

TABLE OF CONTENTS NETWORK SECURITY 2...1

IT304 Experiment 2 To understand the concept of IPC, Pipes, Signals, Multi-Threading and Multiprocessing in the context of networking.

C-GEP 100 Monitoring application user manual

Chapter 2: Remote Procedure Call (RPC)

Chapter 10 Case Study 1: LINUX

INTRODUCTION TO FIREWALL SECURITY

Security Overview of the Integrity Virtual Machines Architecture

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Appendix. Web Command Error Codes. Web Command Error Codes

Chapter 3. Internet Applications and Network Programming

Virtuozzo Virtualization SDK

Improving DNS performance using Stateless TCP in FreeBSD 9

Network Defense Tools

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2

VoIP Security How to prevent eavesdropping on VoIP conversa8ons. Dmitry Dessiatnikov

<Insert Picture Here> Oracle Web Cache 11g Overview

Intro to Firewalls. Summary

CS 213, Fall 2000 Lab Assignment L5: Logging Web Proxy Assigned: Nov. 28, Due: Mon. Dec. 11, 11:59PM

Kaseya Fundamentals Workshop DAY THREE. Developed by Kaseya University. Powered by IT Scholars

Operating Systems. Privileged Instructions

Chapter 6, The Operating System Machine Level

Advanced Event Viewer Manual

WhatsUp Gold v16.3 Installation and Configuration Guide

Kernel comparison of OpenSolaris, Windows Vista and. Linux 2.6

Generalised Socket Addresses for Unix Squeak

Configuring Security for FTP Traffic

SIDN Server Measurements

PrintFleet Enterprise 2.2 Security Overview

Linux Network Security

Computer Security: Principles and Practice

Monitoring the BlackBerry Enterprise Server

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks

Overview. SSL Cryptography Overview CHAPTER 1

Section 5 Configuring the Partition for Enterprise Output Manager (EOM)

Libmonitor: A Tool for First-Party Monitoring

Study and installation of a VOIP service on ipaq in Linux environment

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Ubuntu, FEAP, and Virtualiza3on. Jonathan Wong Lab Mee3ng 11/08/10

Transcription:

Advanced Mac OS X Rootkits Dino Dai Zovi Chief Scientist Endgame Systems

Overview Mac OS X and Mach Why use Mach for rootkits? User mode Mach rootkit techniques Kernel Mach rootkit techniques 2

Why Mach Rootkits? Tradi>onal Unix rootkit techniques are well understood Mach func>onality is more obscure Rootkits using obscure func>onality are less likely to be detected or no>ced Mach is fun to program 3

Introduction to Mach Mac OS X kernel (xnu) is a hybrid between Mach 3.0 and FreeBSD FreeBSD kernel top half runs on Mach kernel bonom half Mul>ple system call interfaces: BSD (posi>ve numbers), Mach (nega>ve) BSD sysctls, ioctls Mach in kernel RPC servers, IOKit user clients, etc. Mach inter process communica>on (IPC) Communicates over uni direc>onal ports, access controlled via rights Mul>ple tasks may hold port send rights, only one may hold receive rights 4

Tasks and Processes Mach Tasks own Threads, Ports, and Virtual Memory BSD Processes own file descriptors, etc. BSD Processes <=> Mach Task task_for_pid(), pid_for_task() POSIX Thread!= Mach Thread Library func>ons use TLS 5

Mach Task/Thread System Calls task_create(parent_task, ledgers, ledgers_count, inherit_memory, *child_task) thread_create(parent_task, *child_ac>va>on) vm_allocate(task, *address, size, flags) vm_deallocate(task, address, size) vm_read(task, address, size, *data) vm_write(task, address, data, data_count) 6

User-mode Mach Rootkits Not as sexy as kernel mode rootkits Can be just as effec>ve and harder to detect Are typically applica>on/process specific Based on thread injec>on or executable infec>on Would you no>ce an extra bundle and thread in your web browser? 7

Injecting Mach Threads Get access to another task s task port task_for_pid() or by exploi>ng a local privilege escala>on vulnerability Allocate memory in remote process for thread stack and code trampoline Create new mach thread in remote process Execute trampoline with previously allocated thread stack segment Trampoline code promotes Mach Thread to POSIX Thread Call _pthread_set_self(pthread_t) and cthread_set_self(pthread_t) 8

Mach Exceptions Tasks and Threads generate excep>ons on memory errors Another thread (possibly in another task) may register as the excep>on handler for another thread or task Excep>on handling process: 1. A Thread causes a run>me error, generates an excep>on 2. Excep>on is delivered to thread excep>on handler (if exists) 3. Excep>on is delivered to task s excep>on handler (if exists) 4. Excep>on converted to Unix signal and delivered to BSD Process 9

Injecting Mach Bundles Inject threads to call func>ons in the remote process Remote thread calls injected trampoline code and then target func>on Func>on returns to chosen bad address, generates an excep>on Injector handles excep>on, retrieves func>on return value Call dlopen(), dlsym(), dlclose() to load bundle from disk Inject memory, call NSCreateObjectFileImageFromMemory(), NSLinkModule() Injected bundle can hook library func>ons, Objec>ve C methods 10

inject-bundle inject bundle Inject a bundle from disk into a running process Usage: inject_bundle path_to_bundle [ pid ] Sample bundles test: Print output on load/run/unload isight: Take a picture using isight camera sslspy: Log SSL traffic sent through SecureTransport ichat: Log IMs from within ichat 11

Hooking and Swizzling Hooking C func>ons is basically the same as on any other plaqorm see Rentzsch s mach_override Objec>ve C run>me has hooking built in: method_exchangeimplementa>ons() or just switch the method pointers manually all due to Obj C s dynamic run>me use JRSwizzle for portability 12

DEMO 13

Rootkitting the Web Browser What client system doesn t have the web browser open at all >mes? Will be allowed to connect to *:80 and *:443 by host based firewalls (i.e. LiNle Snitch) Background thread can poll a known site for command and control instruc>ons or look for instruc>ons in HTML content from any site Injected bundles do not invalidate dynamic code signatures (used by Keychain, etc) 14

Kernel Mach Rootkits Mach system calls allow Mach RPC to in kernel servers which perform task, thread, and VM opera>ons RPC rou>nes are stored in the mig_buckets hash table by subsystem id + subrou>ne id Analogous to sysent table for Unix system calls Incoming Mach messages sent to a kernel owned port are dispatched through mig_buckets We can interpose on these func>on calls or inject new RPC servers by modifying this hash table 15

Example: inject_subsystem int inject_subsystem(const struct mig_subsystem * mig) { mach_msg_id_t h, i, r; // Insert each subroutine into mig_buckets hash table for (i = mig->start; i < mig->end; i++) { mig_hash_t* bucket; h = MIG_HASH(i); do { bucket = &mig_buckets[h % MAX_MIG_ENTRIES]; } while (mig_buckets[h++ % MAX_MIG_ENTRIES].num!= 0 && h < MIG_HASH(i) + MAX_MIG_ENTRIES); if (bucket->num == 0) { // We found a free spot r = mig->start - i; bucket->num = i; bucket->routine = mig->routine[r].stub_routine; if (mig->routine[r].max_reply_msg) bucket->size = mig->routine[r].max_reply_msg; else bucket->size = mig->maxsize; return 0; } } return -1; } 16

Mach Kernel RPC servers In kernel Mach RPC subsystems are enumerated in the mig_e table and interfaces are in /usr/ include/mach/subsystem.defs mach_vm, mach_port, mach_host, host_priv, host_security, clock, clock_priv, processor, processor_set, is_iokit, memory_object_name, lock_set, ledger, semaphore, task, thread_act, vm_map, UNDReply, default_pager_object, security 17

Machiavelli Mach RPC provides high level remote control vm_alloc(), vm_write(), thread_create() on kernel or any task Want to s>ll use MiG generated client RPC stubs Machiavelli Proxy runs as background thread in control u>li>es on anacker s system Machiavelli Agents run on the remote compromised host as user mode process or in kernel 18

NetMessage and NetName servers Network transparency of IPC was a design goal Old Mach releases included the NetMessage Server Mach servers could register themselves on the local NetName server Clients could lookup named servers on remote hosts Local NetMessage server would act as a proxy, transmiung Mach IPC messages over the network These features no longer exist in Mac OS X 19

Machiavelli Architecture Machiavelli Proxy Runs as background thread of a Machiavelli u>lity Receives messages on proxy ports and sends to remote Agent Replaces port names in messages received from Agent with proxy ports Machiavelli Agent Receives messages over network from Proxy, sends to real des>na>on Receives and transmits reply message if a reply is expected Machiavelli U>li>es Run on control host, use Proxy to control compromised host 20

Mach messages Mach messages are structured and unidirec>onal Header: typedef struct { mach_msg_bits_t msgh_bits; mach_msg_size_t msgh_size; mach_port_t msgh_remote_port; mach_port_t msgh_local_port; mach_msg_size_t msgh_reserved; mach_msg_id_t msgh_id; } mach_msg_header_t; Body consists of typed data items 21

Complex Mach Messages Complex Mach messages contain out of line data and may transfer port rights and/or memory pages to other tasks In the message body, descriptors describe the port rights and memory pages to be transferred Kernel grants port rights to the receiving process Kernel maps transferred pages to receiving process, some>mes at message specified address 22

Proxying Mach Messages Proxy maintains a Mach port set A port set has the same interface as a single port and can be used iden>cally in mach_msg() Each proxy port in the set corresponds to the real des>na>on port name in the remote Agent Port names can be arbitrary 32 bit values, so port set names are pointers to real des>na>on port name values Received messages must be translated (local <=> remote ports and descriptor bits) Messages are serialized to byte buffers and then sent 23

Serializing Mach Messages Serializing simple messages is simple as they don t contain any out of line data Out of line data is appended to the serialized buffer in order of the descriptors in the body Port names are translated during deserializa>on Transla>ng to an intermediate virtual port name might be cleaner 24

Deserializing Mach Messages Port names in the mach message must be replaced with local port names On Agent, this is done to receive the reply On Proxy, this is done to replace transferred port names with proxy port names Ensures that only the ini>al port must be manually obtained from the proxy, the rest are handled automa>cally OOL memory is mapped+copied into address space 25

Machiavelli example int main(int argc, char* argv[]) { kern_return_t kr; mach_port_t port; vm_size_t page_size; machiavelli_t m = machiavelli_init(); machiavelli_connect_tcp(m, "192.168.13.37", "31337"); port = machiavelli_get_port(m, HOST_PORT); if ((kr = _host_page_size(port, &page_size))!= KERN_SUCCESS) { errx(exit_failure, "_host_page_size: %s", mach_error_string(kr)); } printf("host page size: %d\n", page_size); return 0; } 26

DEMO 27

Miscellaneous Agent services Agent must provide ini>al Mach ports: host port task_for_pid() (if pid == 0 => returns kernel task port) As OS X is a Mach/Unix hybrid, just controlling Mach is not enough i.e. How to list processes? Instead of implemen>ng Unix func>onality in Agent, inject Mach RPC server code into pid 1 (launchd) 28

Network Kernel Extensions (NKEs) NKEs can extend or modify kernel networking func>onality via: Socket filters IP filters Interface filters Network interfaces Protocol plumbers 29

Conclusion Mach is a whole lot of fun Mach IPC can be made network transparent and provides a good abstrac>on for remote host control I wish my desktop was as secure as my iphone For updated slides and tools go to: hnp://trailovits.com/ 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information