[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one!
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
1.
@patrickwardle
I got 99 Problems, but
Little Snitch ain’t one!
2.
WHOIS
@patrickwardle
"leverages the best combination of humans and technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints"
security for the 21st century
career
hobby
3.
making little snitch our b!tch
OUTLINE
understanding, bypassing, reversing, owning
note: little snitch versions < 3.6.2, apple os x 10.11
5.
the de-facto host firewall for macOS
LITTLE SNITCH
"Little Snitch intercepts
connection attempts, and lets
you decide how to proceed."
-www.obdev.at
little snitch alert
in the news (red team vs. palantir)
6.
the puzzle pieces
LITTLE SNITCH COMPONENTS
LittleSnitch.kext (ring-0): network, process monitoring; 'authentication' (ring-0 bug)
Little Snitch Daemon (ring-3, root session): rules management
Little Snitch Configuration (ring-3, user/UI session): rules management, preferences
Little Snitch Agent (ring-3, user/UI session): ui alerts
7.
BYPASSING LITTLE SNITCH
undetected data exfil
IMHO; such bypasses aren't bugs or 0days
8.
abusing system rules to talk to iCloud
LITTLE SNITCH BYPASS 0X1
iCloud
little snitch's iCloud rule
o rly!?...yes!
un-deletable system rule:
"anybody can talk to iCloud"
9.
abusing 'proc-level' trust
LITTLE SNITCH BYPASS 0X2
$ python dylibHijackScanner.py
GPG Keychain is vulnerable (weak/rpath'd dylib)
'weak dylib': '/Libmacgpg.framework/Versions/B/Libmacgpg'
'LC_RPATH': '/Applications/GPG Keychain.app/Contents/Frameworks'
undetected exfil/C&C
"Using Process Infection to Bypass Windows Software Firewalls" -Phrack, '04
gpg keychain; allow all
dylib hijack 'injection'
10.
stop the network filter
LITTLE SNITCH BYPASS 0X3
ring-0
method 0xB
disable: 0x0
ring-3
LittleSnitch.kext
//connect & authenticate to kext
// ->see later slides for details :)
//input
// ->set to 0x0 to disable
uint64_t input = 0x0;
//stop network filter
IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL);
'invisible' to UI
//input
// ->disable is 0x0
if( (0xB == method) &&
(0x0 == scalarInput) )
{
//disable filter!
}
'stop network filter'
11.
REVERSING LITTLE SNITCH
poking on the kext's interface
14.
'inter-ring' comms
I/O KIT
serial port driver
open(/dev/xxx)
read() / write()
other i/o kit drivers
find driver; then:
I/O Kit Framework
read/write 'properties'
send control requests
"The user-space API through which a process communicates with a kernel driver is provided by a framework known as 'IOKit.framework'" -OS X and iOS Kernel Programming
today's focus
or
26.
reliably exploiting a macOS heap overflow
WEAPONIZING
"Attacking the XNU Kernel in El Capitan" -luca todesco
controlling heap layout
bypassing kALSR
bypassing smap/smep
payloads (!SIP, etc)
"Hacking from iOS 8 to iOS 9" -team pangu
"Shooting the OS X El Capitan Kernel Like a Sniper" -liang chen/qidan he
get root
'bring' & load buggy kext
exploit & disable SIP
run unsigned kernel code, etc
SIP/code-sign 'bypass'
(buggy) kext still validly signed!
28.
at least they fixed it...
VENDOR RESPONSE :
mov rbx, rdi ; user struct
mov edi, [rbx+8] ; size
call _OSMalloc
mov rdi, [rbx] ; in buffer
mov edx, [rbx+8] ; size
mov rsi, rax ; out buffer
call _copyin
fixed the bug
downplayed the bug
didn't assign a CVE
no credit (i'm ok with that)
maybe talking about my exploit!?
consistent size
users won't patch
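As an added example (not code from the slides or from Little Snitch), the fixed flow on this slide rendered in C: one snapshot of the length drives both the allocation and the copy, so the two cannot diverge. `copyin_model` is a user-space stand-in for the kernel's copyin, and `MAX_REQUEST_SIZE` is an assumed upper bound that the slide's assembly does not show.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the fixed handler on the slide (not Little Snitch code).
 * The handler sees a struct holding a user pointer and a byte count; it
 * allocates exactly `size` bytes and copies exactly `size` bytes. */
typedef struct {
    const uint8_t *inBuffer;   /* user-space pointer ([rbx] on the slide) */
    uint32_t size;             /* byte count ([rbx+8] on the slide) */
} user_request_t;

/* Assumed cap on one request; the slide shows no bound, this is an added guard. */
#define MAX_REQUEST_SIZE 4096

/* Stand-in for copyin(): in-process memcpy that fails on a NULL user pointer. */
static int copyin_model(const void *uaddr, void *kaddr, size_t len) {
    if (uaddr == NULL) return -1;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Returns a freshly allocated copy of the user buffer, or NULL if the request
 * is rejected. `out_len` receives the number of bytes the copy holds. */
uint8_t *handle_request(const user_request_t *req, size_t *out_len) {
    uint32_t size = req->size;                 /* single snapshot of the length */
    *out_len = 0;
    if (size == 0 || size > MAX_REQUEST_SIZE) return NULL;
    uint8_t *buf = malloc(size);               /* OSMalloc(size) on the slide */
    if (buf == NULL) return NULL;
    if (copyin_model(req->inBuffer, buf, size) != 0) { /* copyin(in, out, size) */
        free(buf);
        return NULL;
    }
    *out_len = size;
    return buf;
}
```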
30.
contact me any time :)
QUESTIONS & ANSWERS
patrick@synack.com
@patrickwardle
"Is it crazy how saying sentences backwards creates backwards sentences saying how crazy it is?" -Have_One, reddit.com
final thought ;)
31.
mahalo :)
CREDITS
images:
- FLATICON.COM
- THEZOOOM.COM
- ICONMONSTR.COM
- HTTP://WIRDOU.COM/2012/02/04/IS-THAT-BAD-DOCTOR/
- HTTP://TH07.DEVIANTART.NET/FS70/PRE/F/2010/206/4/4/441488BCC359B59BE409CA02F863E843.JPG
resources:
- "iOS Kernel Exploitation --- IOKit Edition ---" -Stefan Esser
- "Revisiting Mac OS X Kernel Rootkits!" -Pedro Vilaça
- "Find Your Own iOS Kernel Bug" -Xu Hao/Xiaobo Chen
- "Attacking the XNU Kernel in El Capitan" -Luca Todesco
- "Hacking from iOS 8 to iOS 9" -Team Pangu
- "Shooting the OS X El Capitan Kernel Like a Sniper" -Liang Chen/Qidan He
- "Optimized Fuzzing IOKit in iOS" -Lei Long
- "Mac OS X and iOS Internals" -Jonathan Levin
- "OS X and iOS Kernel Programming" -Ole Halvorsen/Douglas Clarke