Security vulnerability research on OS X has grown in popularity as Mac devices have become popular. The IOKit of OS X is exposed to many attacks by hackers who compromise the kernel itself and kernel extensions through the transition from user mode. Many researchers are advancing work in this area (see the references), and we would like to share the following results from this field of research.
1. A passive fuzzing framework with context enlightenment for detecting kernel vulnerabilities
2. An exploit technique for occupying kernel memory from a user-mode program in order to bypass SMAP and SMEP
3. How to use the vulnerabilities detected by this fuzzing method, and a new exploit method that has twice succeeded in rooting OS X
We introduce the following new approach: PFACE, Passive Fuzzing with Context Enlightenment for the OS X IOKit. PFACE has the following features.
First, it allows deep and wide execution and detection of code that is condition-dependent and causes system crashes. Second, it outputs the modules it exercised together with context: indicators of suspected vulnerabilities. The indicators are useful to a reviewer as a means of deciding which module to review first.
When one has many vulnerabilities, the main challenge is how to transfer ROP gadgets from a user-mode program into kernel space, because recent versions of OS X enable SMAP and SMEP. The renowned security researcher Stefan Esser proposed that OSData is a good structure for occupying kernel memory [reference section 5]. OSData is indeed a good data structure, but in practice there are several issues that keep OSData from working. We found a new method to make OSData work for occupying kernel memory from a user-mode program, and with this method we have detected new vulnerabilities and succeeded in rooting OS X (10.11.3).
In fact, we have found many vulnerabilities with CVEs and have produced kernel crashes through the effect of the fuzzing. We have also established two different local privilege escalation methods on Mac OS X (10.11.3) using several of these vulnerabilities.
--- Moony Li & Jack Tang
10. Because
[Diagram: "Poison here?" The river analogy the talk uses for passive fuzzing]
Dam poison                = Passive fuzzing
River stream              = Data flow of code execution (open driver, IOCtl driver, ...)
Upstream                  = User-mode data
Downstream                = Kernel-mode data
Poison at the dam         = Fuzz at the hook of the system call
Fish die downstream       = Kernel crash
Trace the poison's origin = Reproduction
13. Architecture overview
[Diagram: hooking architecture, Ring3 above Ring0]
Ring3: targeted application from the Apple store; the framework outputs a manifest of suspicious modules/functions.
Ring0: target drivers in XNU/IOKit (IOAcceleratorFamily2.kext, IOThunderboltFamily.kext, IOUSBFamily.kext, AppleGraphicsPowerManagement.kext, AppleHDA.kext, ...); each original function is wrapped by a Hooker.
Hooked functions:
I. is_io_connect_method
II. is_io_connect_async_method
III. iokit_user_client_trap
IV. IOMemoryDescriptor::createMappingInTask
V. ipc_kmsg_get
VI. ipc_kmsg_send
VII. copyio
...
Hooker components: Condition Checker, Context Matcher, Tamper (StackFrame, Process, UserClient, MsgID, ...)
35. Bugs vs. mitigations
Mitigation | Bugs/Exploit | Notes
KASLR | KSlide leak, e.g. CVE-2016-4655 | Kernel information leak
SMAP | Kernel heap address leak | CVE-2016-xxxx: in the disk image module, this leaks the address of an object that lives in the kernel heap.
SMEP | a. Control RIP; b. ROP chain; c. Disable CR4 bits; d. Execute any | CVE-2016-1820: in the disk image module, this takes an object's address and uses a QWORD value inside the object as a function-pointer call.
Welcome everyone
I’m very happy to be presenting here today at the CodeBlue conference.
My name is Moony and I will be presenting today on the topic of How we fuzz and exploit the Apple core.
Today I will cover several key areas.
1. First I'll tell you a little about me and my partner, and what we have done.
2. I will then introduce you to the passive fuzzing framework that we use to hunt vulnerabilities.
3. And finally I will show you exploit tips using the vulnerabilities we have found and how we root OS X machines.
My name is Moony
I’ve worked for 7 years in security.
My role has been to develop sandbox systems.
Focusing on Mac, Windows and Android kernel vulnerabilities.
Moony Li: Twitter: @Flyic
7 years of security product development
R&D leader of the Sandcastle core engine of the DD (Deep Discovery) product for gateway 0-day exploit detection.
Currently focusing on research on Mac/Windows kernel and Android vulnerabilities and exploits.
Jack Tang: Twitter: @jacktang310
10 years of anti-malware solution development
Familiar with Windows/Mac kernel technology, browser and document exploits.
Currently focusing on research on Mac and virtualization vulnerabilities and exploits.
My partners name is Jack
Jack has worked in security for 10 years
His focus has been on browser and document vulnerabilities as well as Mac, Windows and virtualization vulnerabilities.
Jack cannot be with us today; he has broken his leg and is not able to travel.
We are proud to have found many vulnerabilities, exploiting them to root OSX machines
Because of our work we have been awarded many CVE credits as shown here
1. Traditional fuzzing through the IOKit interface.
These researchers open the IOKit service they want to test and pour fuzzing data into the kernel through the IOKit user-mode API (e.g. IOConnectCallMethod, IOConnectCallAsyncMethod, ...).
Optimized Fuzzing IOKit in iOS, Black Hat 2015
https://www.blackhat.com/docs/us-15/materials/us-15-Lei-Optimized-Fuzzing-IOKit-In-iOS-wp.pdf
But it has a critical limitation: it is hard to hunt bugs that are triggered only under a condition dependency. We summarize the condition dependencies as follows:
*Call sequence dependency
For example, the IOKit service "AppleCamIn", which controls the camera device, only works with the correct IOConnectCallMethod call sequence: OpenDevice -> PowerOnCamera -> ... If the fuzzer does not invoke the OpenDevice and PowerOnCamera IOKit calls, the following IOKit calls are returned with failure at an early stage.
*Input data dependency
For example, the user client "IOAudioEngineUserClient" of the IOKit service "AppleHDAEngineInput" requires the input data to include a user-mode buffer pointer. If the fuzzer has not prepared the user-mode buffer beforehand, an error is returned at an early stage.
*Timing dependency
For example, the IOKit service "IOHDIXHDDriveOutKernel" only appears after a user or application opens a DMG file. If the fuzzer opens it directly, it fails immediately.
2. Code review of the target kernel extension
This costs much effort in reversing binary code, given so many IOKit services and user clients, so target selection has a large effect on the researcher's efficiency. Which target should be reviewed first for the most likely vulnerabilities is a headache.
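The condition dependencies listed above (call sequence, input data) and the dam/poison analogy of slide 10 can be modelled in user mode. The following Python is an added example written for this page, not the authors' PFACE code: it constructs a toy user client whose deep code is reachable only after an OpenDevice -> PowerOn sequence and with a well-formed 8-byte header, shows that fuzzing the deep selector directly fails at an early stage, and then shows a passive hook that lets a legitimate app drive the required sequence, tampers only with calls matched by process/user-client/selector context, records the call trace when the "fish die downstream", and replays that trace to reproduce the crash. The selector numbers, the names, the deterministic byte-walk mutation and the trusted-length bug are all constructed for the example.

```python
"""Toy user-mode model of condition-dependent driver calls and of a passive,
context-matched fuzzing hook.  Everything here is constructed: the user client,
its selectors, the app name and the bug are invented, not Apple's code."""
from dataclasses import dataclass, field
from typing import Optional

SEL_OPEN, SEL_POWER_ON, SEL_PROCESS = 0, 1, 2   # constructed selector numbers


class ToyUserClient:
    """Deep code (SEL_PROCESS) runs only after SEL_OPEN -> SEL_POWER_ON and
    only with an 8-byte header: [u32 payload_len][u32 reserved] + payload."""

    def __init__(self) -> None:
        self.opened = self.powered = False

    def external_method(self, selector: int, inp: bytes) -> str:
        if selector == SEL_OPEN:
            self.opened = True
            return "ok"
        if selector == SEL_POWER_ON:
            if not self.opened:
                return "err:not-open"          # early-stage failure
            self.powered = True
            return "ok"
        if selector == SEL_PROCESS:
            if not self.powered:
                return "err:not-powered"       # early-stage failure
            if len(inp) < 8:
                return "err:short-input"
            payload_len = int.from_bytes(inp[:4], "little")
            # Constructed bug: the header length is trusted for a copy.
            if payload_len > len(inp) - 8:
                raise RuntimeError("panic: out-of-bounds read in process()")
            return "ok"
        return "err:bad-selector"


def direct_fuzz(selector: int, inp: bytes) -> str:
    """Traditional approach: open the service and pour data in.  On a fresh
    client the deep selector fails before the buggy code is ever reached."""
    return ToyUserClient().external_method(selector, inp)


@dataclass(frozen=True)
class Context:
    process: str
    user_client: str
    selector: int


@dataclass
class PassiveHook:
    """The 'dam': every call passes through, only context-matched calls are
    poisoned, and the trace lets a downstream crash be traced to its origin."""
    target: ToyUserClient
    want_process: str
    want_client: str
    want_selectors: frozenset
    values: tuple = (0x00, 0x7F, 0x80, 0xFF)   # deterministic byte-walk values
    trace: list = field(default_factory=list)
    crash: Optional[dict] = None
    _mutation_idx: int = field(default=0, init=False, repr=False)

    def matches(self, ctx: Context) -> bool:
        return (ctx.process == self.want_process
                and ctx.user_client == self.want_client
                and ctx.selector in self.want_selectors)

    def _mutate(self, data: bytes) -> bytes:
        """One (position, value) mutation per matched call, walked in order."""
        if not data:
            return data
        pos = (self._mutation_idx // len(self.values)) % len(data)
        val = self.values[self._mutation_idx % len(self.values)]
        self._mutation_idx += 1
        return data[:pos] + bytes([val]) + data[pos + 1:]

    def call(self, ctx: Context, inp: bytes) -> str:
        sent = self._mutate(inp) if self.matches(ctx) else inp
        self.trace.append((ctx, sent))
        try:
            return self.target.external_method(ctx.selector, sent)
        except RuntimeError as e:
            # Fish died downstream: keep the whole trace as the poison origin.
            self.crash = {"panic": str(e), "trace": list(self.trace)}
            raise


def run_legit_app(hook: PassiveHook, rounds: int) -> Optional[dict]:
    """A real app drives the driver through its required sequence; the hook
    rides along, so deep code is reached every round.  Returns the crash record."""
    app, uc = "CameraApp", "ToyCameraUserClient"          # constructed names
    good = (8).to_bytes(4, "little") + b"\0\0\0\0" + b"A" * 8
    for _ in range(rounds):
        try:
            hook.call(Context(app, uc, SEL_OPEN), b"")
            hook.call(Context(app, uc, SEL_POWER_ON), b"")
            hook.call(Context(app, uc, SEL_PROCESS), good)
        except RuntimeError:
            return hook.crash
    return None


def reproduce(crash: dict) -> bool:
    """Replay the recorded trace on a fresh client; True if the same panic."""
    fresh = ToyUserClient()
    try:
        for ctx, data in crash["trace"]:
            fresh.external_method(ctx.selector, data)
    except RuntimeError as e:
        return str(e) == crash["panic"]
    return False


if __name__ == "__main__":
    print(direct_fuzz(SEL_PROCESS, b"\x08" + b"\0" * 7 + b"A" * 8))   # early failure
    hook = PassiveHook(ToyUserClient(), "CameraApp", "ToyCameraUserClient",
                       frozenset({SEL_PROCESS}))
    rec = run_legit_app(hook, 10)
    print(rec["panic"], "reproduced:", reproduce(rec))
```

The context matcher is what keeps this passive: a hook that mutated every call from every process would break the very sequences it needs, whereas gating on process, user client and selector leaves the app's OpenDevice and PowerOn calls untouched and poisons only the deep call. The trace kept on a crash is the reproduction case the talk's "trace the poison origin" step refers to.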
a. Use the KEEN team's published method (Reference section [7]) to calculate KSLIDE.
b. Open any DMG file so that the IOHDIXHDDriveOutKernel service can be opened.
c. Open the IOHDIXHDDriveOutKernel service's user client IOHIDIXControllerUserClient. Open the IOPMrootDomain service's user client RootDomainUserClient.
d. Call user client IOHIDIXControllerUserClient's selector 1 (getRequest64). From the output, we can get the kernel heap address of an IOHDIXCommand object whose size is 0x68. This is vulnerability #1.
e. Call the IOHDIXHDDriveOutKernel service's selector 2 (processReply64). It will release the object.
f. Call the RootDomainUserClient user client's selector 7 (kPMSleepSystemOptions) with a carefully prepared XML as parameter, which includes the ROP gadget in the <data> part. The <data> part occurs multiple times in order to occupy the target space successfully. We tune the size of the XML's <data> in order to create the size-0x68 buffer that the OSData field points to. After the call, our controlled buffer occupies the freed IOHDIXCommand object's location, and its kernel address is known to the user-mode program.
g. Call the IOHIDIXControllerUserClient user client's selector 2 (processReply64) with an argument that includes the address leaked in step d. The call treats the address as an IOHDIXCommand object and calls the address located at offset 0x50. So we control RIP and let it execute the ROP gadget.
h. In the ROP gadget, we disable the SMAP and SMEP bits in CR4, then execute the shellcode to modify the current process's uid to root and fork a shell.