WHITE PAPER
Man-In-The-Browser: Apple Mac OS X Edition
ThreatMetrix™ Labs Report February 2012
V122412
Authors: Nick Blievers and Andreas Baumhof
Contents
Introduction 3
MitB: Mac OS X Edition part 2 3
Lazy Symbol Resolution 4
Sound like too much work? 6
The three approaches in detail 7
DYLD_LIBRARY_PATH 7
DYLD_INSERT_LIBRARIES 7
Code Injection 7
Conclusion 8
Introduction
This ThreatMetrix™ Labs report is the second part of a series about Man-in-the-Browser (MitB) for
Apple Mac OS X. In our first report in November 2011, we provided an overview of different ways to
perform MitB on Apple Mac OS X. We identified three possible ways and provided initial details.
All three approaches will overload a function in one way or another and each approach has its
advantages and disadvantages. We will look in detail at each of these three approaches.
This ThreatMetrix™ Labs report will provide important intelligence to understand the threat of MitB
for platforms other than Windows.
MitB: Mac OS X Edition Part 2
As mentioned above, the main problem we have to solve is to “hook” a function. If we can “redirect”
a function that resides within the operating system to our own “malicious” code, then we can
successfully perform a MitB attack. (For example, all browsers call an operating system function to
make an Internet request. If we can redirect this function, we can see all Internet traffic.)
But what do we really need to hook a function?
At a basic level, hooking requires a way of diverting a system function call to somewhere else.
The system function call (the victim of our hook) will then be called by our hook code, so the
apparent functionality stays the same. Last time we mentioned three different methods. There are
undoubtedly more than this, but this makes a good start.
To recap:
1. Library overloading using DYLD_LIBRARY_PATH
2. Function overloading using DYLD_INSERT_LIBRARIES
3. Code injection
Before we take a look at each of these, let’s take a quick look at how symbol resolution
works on Mac OS X. Afterwards we will take each method in turn and examine the benefits
and disadvantages.
Lazy Symbol Resolution
When an application is run, it almost always uses system libraries to perform common tasks. In fact,
today Mac OS X SDKs ship with very few static libraries, so outside of a trivial program, it’s very
difficult to avoid using shared libraries. Things as simple as comparing strings, or as complex as
drawing a window on the screen, are all done via system (shared) libraries. This is a good thing, as it
means there is a lot of code reuse, and binaries are smaller than they otherwise would be. However,
there is a disadvantage to this method as well. When your binary runs, there needs to be a process
whereby the functions or symbols it needs are found.
In the early days, this would happen at start-up but the result of this was very slow program starts,
and it was realized that many symbols are not needed until much later (or at all) in a program’s life
cycle. So, the idea of lazy resolution was introduced. This means that a symbol is not resolved until
it’s called the first time. The dynamic linker (dyld) is responsible for finding (linking) the symbols that a
binary needs.
As an aside, if you want to see just how slow program starts can be without lazy linking, it's possible
to start an application with DYLD_BIND_AT_LAUNCH set, which forces non-lazy linking. Combine this
with a C++ application that makes use of C++ libraries (C++ is particularly bad, as classes generate a
large number of symbols) and the results can be less than ideal.
The following diagram shows what an executable looks like when it's loaded into memory. There
are a few important things to note. First, the TEXT segment is not writable, but the DATA segment is;
the DATA segment, however, is not executable. Second, the shared library is loaded independently of the executable
rather than embedded in it (which is pretty much the point of a shared library). This poses
a problem, as we need to know where in memory it was loaded to be able to call functions from that
library. Additionally, it has to be loadable at any address to avoid conflicts with other libraries.
The way this works is that we call a function in our code ('printf', for example), but the actual address that
is embedded in our code by the compiler is in the symbol stub section. The symbol stub is very small:
it simply calls a function based on a value at an address in the lazy symbol pointer table. Now, the first
time this happens, the pointer will point to the stub helper section. The stub helper calls the dynamic
linker and essentially says "where is printf?" The dynamic linker finds the function in question and then
updates the pointer with the address of the function.
The second time our code calls 'printf', the pointer in the lazy symbol pointer table points directly
to the shared library (the dotted line). That is roughly how symbol resolution works on Mac OS X. The
details are slightly different for 64-bit binaries, but the concept is the same.
This may seem to be a bit of a roundabout way of handling the symbol resolution. You may ask,
wouldn’t it be simpler to just rewrite the symbol stub with the actual address? We mentioned earlier
that each segment has different permissions. The process doesn’t have write permissions for that
segment, hence the need for the Lazy Symbol Pointer table inside the (writable) DATA segment.
If we want to hook a library function and pervert it somehow, we can simply change the pointer in the
lazy symbol pointer table to point to our injected code.
If you read the last article on MitB, then this image will look strangely familiar.
Sound like too much work?
Any knowledgeable UNIX user might be thinking that the above is all a bit too hard and that there must
be an easier way. Well this is true. There is. Given the dynamic linker’s specialty is resolving symbols,
can’t we get it to do some of the heavy lifting here?
Most UNIX variants have some form of LD_LIBRARY_PATH (and LD_PRELOAD), which allows you to
specify your own path for loading libraries. In this way you can tell the dynamic linker to load your
library instead, and ensure that your code runs first. Mac OS X is no different. It has a variant of that;
however, it also has something much better that we will discuss later.
The three approaches in detail
DYLD_LIBRARY_PATH
• Please refer to the full ThreatMetrix Labs report for technical details. You can
request a copy of the report by contacting us at labs@threatmetrix.com
DYLD_INSERT_LIBRARIES
• Please refer to the full ThreatMetrix Labs report for technical details. You can
request a copy of the report by contacting us at labs@threatmetrix.com
Code Injection
The last method that we are going to discuss is, in some ways, the best method. It is definitely the
most complicated, but it is also the hardest of these three to detect. Depending on exactly how the
other two are implemented, detecting them could be as simple as checking the environment variables,
or querying dyld. Code injection, however, is done without dyld knowing about it.
• Please refer to the full ThreatMetrix Labs report for technical details. You can
request a copy of the report by contacting us at labs@threatmetrix.com
Easy enough. So all we need to do is put this address into the lazy symbol pointer of our injected code.
We could, of course, do this for every symbol we wanted to use, but it's easier to let dlsym() do the work
for us.
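The "Lazy Symbol Resolution" section above describes the structures that make this hook possible (a read-only TEXT segment, a writable but non-executable DATA segment, and the lazy symbol pointer table inside it), and the "Code Injection" section notes that an injected hook is invisible to dyld. The following Python is an added example, not code from the report or from ThreatMetrix: it builds a small, constructed 64-bit Mach-O image in memory, parses its load commands to recover the segment protections and the __DATA,__la_symbol_ptr table, and then audits each lazy pointer against a constructed dyld image list. A pointer still inside the image's own __TEXT is an unresolved stub-helper entry, a pointer inside a known library is a normal resolution, and a pointer that lands in no loaded image is exactly the signature a pointer-swapping hook leaves behind. The image layout, addresses and library ranges are all assumptions constructed for the example; on a real system the pointer values would be read from the target process's memory and the image list from dyld.

```python
"""Added example: parse a constructed Mach-O 64 image, locate the lazy symbol
pointer table and check where each pointer lands. All bytes, addresses and
the "dyld image list" below are constructed for this example."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
S_LAZY_SYMBOL_POINTERS = 0x7      # section type lives in the low byte of flags
VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE = 1, 2, 4

HEADER = struct.Struct("<8I")             # mach_header_64 (32 bytes)
SEG64 = struct.Struct("<2I16s4Q4I")       # segment_command_64 (72 bytes)
SECT64 = struct.Struct("<16s16s2Q8I")     # section_64 (80 bytes)


def _seg(name, vmaddr, vmsize, fileoff, filesize, initprot, sections=b"", nsects=0):
    """Pack one LC_SEGMENT_64 followed by its (already packed) section headers."""
    return SEG64.pack(LC_SEGMENT_64, SEG64.size + len(sections), name.ljust(16, b"\0"),
                      vmaddr, vmsize, fileoff, filesize, 7, initprot, nsects, 0) + sections


def build_sample_image(lazy_ptrs):
    """Constructed two-segment executable: __TEXT (r-x) holds the header,
    __DATA (rw-) holds a single __la_symbol_ptr section with the given pointers.
    The pointer values stand in for a snapshot of the table in a running process."""
    text_base, data_base, page = 0x100000000, 0x100001000, 0x1000
    sect = SECT64.pack(b"__la_symbol_ptr".ljust(16, b"\0"), b"__DATA".ljust(16, b"\0"),
                       data_base, 8 * len(lazy_ptrs), page, 3, 0, 0,
                       S_LAZY_SYMBOL_POINTERS, 0, 0, 0)
    cmds = (_seg(b"__TEXT", text_base, page, 0, page, VM_PROT_READ | VM_PROT_EXECUTE)
            + _seg(b"__DATA", data_base, page, page, page,
                   VM_PROT_READ | VM_PROT_WRITE, sect, 1))
    hdr = HEADER.pack(MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    body = (hdr + cmds).ljust(page, b"\0")
    return body + struct.pack("<%dQ" % len(lazy_ptrs), *lazy_ptrs)


def parse_segments(image):
    """Walk the load commands and return every LC_SEGMENT_64 with its sections."""
    magic, _, _, _, ncmds, _, _, _ = HEADER.unpack_from(image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, segs = HEADER.size, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmd == LC_SEGMENT_64:
            f = SEG64.unpack_from(image, off)
            sects = []
            for i in range(f[9]):                                    # nsects
                s = SECT64.unpack_from(image, off + SEG64.size + i * SECT64.size)
                sects.append({"name": s[0].rstrip(b"\0").decode(), "addr": s[2],
                              "size": s[3], "offset": s[4], "type": s[8] & 0xFF})
            segs.append({"name": f[2].rstrip(b"\0").decode(), "vmaddr": f[3],
                         "vmsize": f[4], "initprot": f[8], "sections": sects})
        off += cmdsize
    return segs


def segment_protections(image):
    """Map segment name -> initial protection bits, e.g. {'__TEXT': 5, '__DATA': 3}."""
    return {s["name"]: s["initprot"] for s in parse_segments(image)}


def lazy_pointer_table(image):
    """Return (table address, [pointer values]) for the S_LAZY_SYMBOL_POINTERS section."""
    for seg in parse_segments(image):
        for s in seg["sections"]:
            if s["type"] == S_LAZY_SYMBOL_POINTERS:
                n = s["size"] // 8
                return s["addr"], list(struct.unpack_from("<%dQ" % n, image, s["offset"]))
    raise ValueError("no lazy symbol pointer section")


def audit_lazy_pointers(image, image_list):
    """Classify each lazy pointer: 'unresolved' (still inside the image's own
    __TEXT, i.e. the stub helper), the path of the library it resolved into, or
    'SUSPICIOUS' when it points somewhere no loaded image covers.
    image_list is [(path, start, end)] as a dyld image list would provide."""
    text = next(s for s in parse_segments(image) if s["name"] == "__TEXT")
    verdicts = []
    for idx, p in enumerate(lazy_pointer_table(image)[1]):
        if text["vmaddr"] <= p < text["vmaddr"] + text["vmsize"]:
            verdicts.append((idx, "unresolved"))
            continue
        owner = next((path for path, lo, hi in image_list if lo <= p < hi), None)
        verdicts.append((idx, owner or "SUSPICIOUS"))
    return verdicts


# Constructed snapshot: one entry still points at the stub helper, one resolved
# into libSystem, and one was redirected to an anonymous region dyld never mapped.
SAMPLE_PTRS = [0x100000F80, 0x7FFF80001234, 0x10C3F0000]
SAMPLE_IMAGES = [("sample.app", 0x100000000, 0x100002000),
                 ("/usr/lib/libSystem.B.dylib", 0x7FFF80000000, 0x7FFF80400000)]
SAMPLE_IMAGE = build_sample_image(SAMPLE_PTRS)

if __name__ == "__main__":
    for name, prot in segment_protections(SAMPLE_IMAGE).items():
        print("%-7s %s" % (name, "".join(c if prot & b else "-"
                                        for c, b in zip("rwx", (1, 2, 4)))))
    for idx, verdict in audit_lazy_pointers(SAMPLE_IMAGE, SAMPLE_IMAGES):
        print("lazy ptr[%d] -> %s" % (idx, verdict))
```

The audit is deliberately coarse: it only asks whether a pointer falls inside a mapping dyld reported, which is what makes it useful against the third method, since an injected region is by definition not in that list. A hook that redirects a pointer into another legitimately loaded library would pass this check and needs the indirect symbol table to be compared against the library each symbol is actually bound from.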
Conclusion
We have looked at three different methods of hooking functions on Mac OS X, and there are other
variations that could also be done. The one limitation is that these methods only work without
privileges if we can control the start-up of the application we want to hook. However, this isn't a large
hurdle. Most users would not think anything very suspicious was happening if their browser appeared
to crash and restart. Even without doing that, the Dock could be hooked and would then infect any processes
the user started from that point forward.
While the examples given were written and tested on Apple Mac OS X 10.6, I have ported the code
to 10.7, and, although the more aggressive ASLR makes things slightly more difficult, it's still easily
possible. The two biggest differences with Apple Mac OS X Lion are that ASLR is now on by default and affects
the dynamic linker image, and privilege separation. (I'm lumping sandboxing in with privilege separation,
which isn't technically correct, but will do for the sake of this discussion.) The first of these is not
a major issue, as there are some simple ways of figuring out the "slide" value and therefore finding the
image in memory. The second of these doesn't affect us at all, because we are not discussing an attack
vector here but an attack payload.
The first two methods are well documented and well known (Apple Mac OS X Internals by Amit Singh
covers dyld interposing), and Black Hat presentations by Dino Dai Zovi have talked about injecting into
other processes. These methods are mostly well known, easy to use, and provide the same level of
compromise as on Windows. So the question isn't "Is Apple Mac OS X vulnerable to MitB attacks?"
Rather, it is "Why haven't there been widespread MitB attacks on Apple Mac OS X?"
© 2012 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the ThreatMetrix Cybercrime
Defender Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other
brand, service or product names are trademarks or registered trademarks of their respective companies or owners.
Contact Us
USA Corporate Headquarters:
ThreatMetrix Inc.
160 West Santa Clara Street
Suite 1400
San Jose, CA, 95113
Telephone: +1.408.200.5755
Fax: +1.408.200.5799
EMEA Headquarters:
ThreatMetrix B.V.
Laan van Vredenoord 33-39
2289 DA Rijswijk
The Netherlands
Telephone: +31 (0)70 8200 508
www.threatmetrix.com
www.threatmetrix.com/fraudsandends

More Related Content

Similar to Man in-the-browser-in-depth-report

What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...Sławomir Zborowski
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagramMohit Jain
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28Max Kleiner
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyBrian Lyttle
 
The dependency inversion principle
The dependency inversion principleThe dependency inversion principle
The dependency inversion principlenavicorevn
 
Designing A Project Using Java Programming
Designing A Project Using Java ProgrammingDesigning A Project Using Java Programming
Designing A Project Using Java ProgrammingKaty Allen
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asidePVS-Studio
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityAndrey Karpov
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityPVS-Studio
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityPVS-Studio
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScriptd0nn9n
 
C# classes
C#   classesC#   classes
C# classesTiago
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Paul Houle
 
The pragmatic programmer
The pragmatic programmerThe pragmatic programmer
The pragmatic programmerLeylimYaln
 
Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Paul Houle
 
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagramferreroroche11
 

Similar to Man in-the-browser-in-depth-report (20)

What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
Linking in MS-Dos System
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos System
 
The dependency inversion principle
The dependency inversion principleThe dependency inversion principle
The dependency inversion principle
 
Rootkit case
Rootkit caseRootkit case
Rootkit case
 
Designing A Project Using Java Programming
Designing A Project Using Java ProgrammingDesigning A Project Using Java Programming
Designing A Project Using Java Programming
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from aside
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
 
C# classes
C#   classesC#   classes
C# classes
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#
 
The pragmatic programmer
The pragmatic programmerThe pragmatic programmer
The pragmatic programmer
 
Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#Extension methods, nulls, namespaces and precedence in c#
Extension methods, nulls, namespaces and precedence in c#
 
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
89025069 mike-krieger-instagram-at-the-airbnb-tech-talk-on-scaling-instagram
 

More from Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowresHai Nguyen
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseHai Nguyen
 
Ams 2 fa april 2013
Ams 2 fa april 2013Ams 2 fa april 2013
Ams 2 fa april 2013Hai Nguyen
 

More from Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 
Bi guardotp
Bi guardotpBi guardotp
Bi guardotp
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
 
Ams 2 fa april 2013
Ams 2 fa april 2013Ams 2 fa april 2013
Ams 2 fa april 2013
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Slack Application Development 101 Slides

Man in-the-browser-in-depth-report

Introduction

This ThreatMetrix™ Labs report is the second part of a series about Man-in-the-Browser (MitB) for Apple Mac OS X. In our first report in November 2011, we provided an overview of different ways to perform MitB on Apple Mac OS X. We identified three possible ways and provided initial details. All three approaches will overload a function in one way or another and each approach has its advantages and disadvantages. We will look in detail at each of these three approaches.

This ThreatMetrix™ Labs report will provide important intelligence to understand the threat of MitB for platforms other than Windows.

MitB: Mac OS X Edition Part 2

As mentioned above, the main problem we have to solve is to “hook” a function. If we can “redirect” a function that resides within the operating system to our own “malicious” code, then we can successfully perform a MitB attack. (For example, all browsers call an operating system function to make an Internet request. If we can redirect this function, we can see all Internet traffic.)

But what do we really need to hook a function?

At a basic level, hooking requires a way of diverting a system function call to somewhere else. The system function call (the victim of our hook) will then be called by our hook code, so the apparent functionality stays the same. Last time we mentioned three different methods. There are undoubtedly more than this, but this makes a good start.

To recap:
1. Library overloading using DYLD_LIBRARY_PATH
2. Function overloading using DYLD_INSERT_LIBRARIES
3. Code injection

Before we take a look at each of these, let’s take a quick look at how symbol resolution works on Mac OS X. Afterwards we will take each method in turn and examine the benefits and disadvantages.
Lazy Symbol Resolution

When an application is run, it almost always uses system libraries to perform common tasks. In fact, today Mac OS X SDKs ship with very few static libraries, so outside of a trivial program, it’s very difficult to avoid using shared libraries. Things as simple as comparing strings, or as complex as drawing a window on the screen, are all done via system (shared) libraries. This is a good thing, as it means there is a lot of code reuse, and binaries are smaller than they otherwise would be.

However, there is a disadvantage to this method as well. When your binary runs, there needs to be a process whereby the functions or symbols it needs are found. In the early days, this would happen at start-up, but the result was very slow program starts, and it was realized that many symbols are not needed until much later (or at all) in a program’s life cycle. So the idea of lazy resolution was introduced. This means that a symbol is not resolved until it’s called the first time. The dynamic linker (dyld) is responsible for finding (linking) the symbols that a binary needs.

As an aside, if you want to see just how slow program starts can be without lazy linking, it’s possible to start an application with DYLD_BIND_AT_LAUNCH set, which forces non-lazy linking. Combine this with a C++ application that makes use of C++ libraries (C++ is particularly bad, as classes generate a large number of symbols) and the results can be less than ideal.

The following diagram shows what an executable looks like when it’s loaded into memory. There are a few important things to note. First, the TEXT segment is not writable, but the DATA segment is; however, the DATA segment is not executable. Second, the shared library is loaded independently of the executable rather than embedded in it (which is pretty much the point of a shared library). However, this poses a problem, as we need to know where in memory it was loaded to be able to call functions from that library. Additionally, it has to be able to be loaded at any address to avoid conflicts with other libraries.

The way this works is that we call a function in our code (‘printf’ for example), but the actual address that is embedded in our code by the compiler is in the symbol stub section. The symbol stub is very small: it simply calls a function based on a value at an address in the lazy symbol pointer table. The first time this happens, the pointer will point to the stub helper section. The stub helper calls the dynamic linker and essentially says “where is printf?” The dynamic linker finds the function in question and the pointer is then updated with the address of the function. The second time our code calls ‘printf’, the pointer in the lazy symbol pointer table now points directly to the shared library (the dotted line). That is roughly how symbol resolution works on Mac OS X. The details are slightly different for 64-bit binaries, but the concept is the same.

This may seem to be a bit of a roundabout way of handling symbol resolution. You may ask, wouldn’t it be simpler to just rewrite the symbol stub with the actual address? We mentioned earlier that each segment has different permissions. The process doesn’t have write permissions for the TEXT segment, hence the need for the lazy symbol pointer table inside the (writable) DATA segment. If we want to hook a library function and pervert it somehow, we can simply change the pointer in the lazy symbol pointer table to point to our injected code.
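The chain just described (symbol stub, lazy symbol pointer table, stub helper, dynamic linker) can be modelled in a few dozen lines of portable C. The block below is an added example written for this page, not code from the ThreatMetrix report and not real dyld code: the "library" with its two exports square and negate, the export table and the two-slot pointer table are all constructed for the model. It shows why the first call costs a linker lookup and the second does not, and it finishes with a defender-side integrity check over the table: a slot is only acceptable if it still points at its own stub helper or at an export of the library it was bound to, which is the invariant that a redirected entry breaks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of Mac OS X lazy binding (not real dyld code). A "shared
 * library" exports two functions; the "executable" reaches them only through
 * symbol stubs that jump via the lazy symbol pointer table:
 *   stub -> lazy pointer -> (first call only) stub helper -> dynamic linker. */

typedef int (*lib_fn)(int);

/* The shared library and its export table (constructed for the model). */
static int lib_square(int x) { return x * x; }
static int lib_negate(int x) { return -x; }

struct export_entry { const char *name; lib_fn fn; };
static const struct export_entry lib_exports[] = {
    { "square", lib_square },
    { "negate", lib_negate },
};
#define LIB_EXPORT_COUNT (sizeof lib_exports / sizeof lib_exports[0])

/* Model of the dynamic linker answering "where is <name>?" */
static int resolve_count = 0;            /* how often the linker was asked */
static lib_fn dyld_resolve(const char *name) {
    resolve_count++;
    for (size_t i = 0; i < LIB_EXPORT_COUNT; i++)
        if (strcmp(lib_exports[i].name, name) == 0)
            return lib_exports[i].fn;
    return NULL;                         /* unresolved symbol */
}

/* The lazy symbol pointer table (it lives in the writable DATA segment in the
 * real layout). Every slot starts out pointing at its stub helper. */
enum { SYM_SQUARE = 0, SYM_NEGATE = 1, SYM_COUNT = 2 };
static int stub_helper_square(int x);
static int stub_helper_negate(int x);
static const lib_fn stub_helpers[SYM_COUNT] = { stub_helper_square, stub_helper_negate };
static lib_fn lazy_ptrs[SYM_COUNT]           = { stub_helper_square, stub_helper_negate };

/* Stub helpers: ask the linker for the address, patch the table, forward. */
static int stub_helper_square(int x) {
    lazy_ptrs[SYM_SQUARE] = dyld_resolve("square");
    return lazy_ptrs[SYM_SQUARE](x);
}
static int stub_helper_negate(int x) {
    lazy_ptrs[SYM_NEGATE] = dyld_resolve("negate");
    return lazy_ptrs[SYM_NEGATE](x);
}

/* Symbol stubs: what the compiler emits a call to. They never change; they
 * just jump through whatever the table currently holds. */
static int stub_square(int x) { return lazy_ptrs[SYM_SQUARE](x); }
static int stub_negate(int x) { return lazy_ptrs[SYM_NEGATE](x); }

static int resolve_calls(void) { return resolve_count; }

/* Defender-side integrity check: a slot is legitimate only if it still points
 * at its own stub helper (not yet bound) or at an export of the expected
 * library. Returns the number of slots that fail the check. */
static int lazy_table_violations(void) {
    int bad = 0;
    for (int i = 0; i < SYM_COUNT; i++) {
        lib_fn p = lazy_ptrs[i];
        int ok = (p == stub_helpers[i]);
        for (size_t j = 0; j < LIB_EXPORT_COUNT && !ok; j++)
            if (p == lib_exports[j].fn) ok = 1;
        if (!ok) bad++;
    }
    return bad;
}

/* Show that the check catches a redirected slot: point one entry at a
 * function outside the library, run the check, then restore the slot. */
static int rogue(int x) { return x; }    /* stands in for foreign code */
static int detect_after_redirect(void) {
    lib_fn saved = lazy_ptrs[SYM_SQUARE];
    lazy_ptrs[SYM_SQUARE] = rogue;
    int found = lazy_table_violations();
    lazy_ptrs[SYM_SQUARE] = saved;
    return found;
}

int main(void) {
    int r = stub_square(3);
    printf("square(3) = %d after %d linker lookup(s)\n", r, resolve_calls());
    r = stub_square(4);
    printf("square(4) = %d after %d linker lookup(s)\n", r, resolve_calls());
    r = stub_negate(5);
    printf("negate(5) = %d after %d linker lookup(s)\n", r, resolve_calls());
    printf("table violations now: %d\n", lazy_table_violations());
    printf("table violations with one slot redirected: %d\n", detect_after_redirect());
    return 0;
}
```

On a real Mach-O process the same check compares each lazy pointer against the address range of the image dyld reports for the library the symbol was imported from; the model keeps that comparison to an identity test against the export table because it has no loader. Note that the check has to accept the unbound state (slot still pointing at the stub helper), otherwise every symbol that has not been called yet would be reported.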
If you read the last article on MitB, then this image will look strangely familiar.

Sound like too much work?

Any knowledgeable UNIX user might be thinking that the above is all a bit too hard and that there must be an easier way. Well, this is true. There is. Given that the dynamic linker’s specialty is resolving symbols, can’t we get it to do some of the heavy lifting here? Most UNIX variants have some form of LD_LIBRARY_PATH (and LD_PRELOAD), which allows you to specify your own path for loading libraries. In this way you can tell the dynamic linker to load your library instead, and ensure that your code runs first. Mac OS X is no different. It has a variant of that; however, it also has something much better, which we will discuss later.
The three approaches in detail

DYLD_LIBRARY_PATH

• Please refer to the full ThreatMetrix Labs report for technical details. You can request a copy of the report by contacting us at labs@threatmetrix.com

DYLD_INSERT_LIBRARIES

• Please refer to the full ThreatMetrix Labs report for technical details. You can request a copy of the report by contacting us at labs@threatmetrix.com

Code Injection

The last method that we are going to discuss is, in some ways, the best method. It is definitely the most complicated, but it is also the hardest of these three to detect. Depending on exactly how the other two are implemented, detecting them could be as simple as checking the environment variables, or querying dyld. Code injection, however, is done without dyld knowing about it.

• Please refer to the full ThreatMetrix Labs report for technical details. You can request a copy of the report by contacting us at labs@threatmetrix.com

Easy enough. So all we need to do is put this address into the lazy symbol pointer of our injected code. We could, of course, do this for every symbol we wanted to use, but it’s easier to let dlsym() do the work for us.
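The report notes that the first two approaches can be spotted by checking the environment variables or by querying dyld. The block below is an added example written for this page, not code from the ThreatMetrix report: it scans an environment block for the loader variables the report names (DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH, plus the LD_PRELOAD and LD_LIBRARY_PATH equivalents it compares them with), and on Mac OS X additionally asks dyld for its list of loaded images and counts those outside the system library locations. The sample environment and the paths in it are constructed; the only platform API used is the public _dyld_image_count / _dyld_get_image_name pair from mach-o/dyld.h, compiled in only on Apple systems.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

extern char **environ;

/* Variables the report names: the DYLD_ ones drive the first two Mac OS X
 * approaches, the LD_ ones are the other-UNIX equivalents it compares with. */
static const char *const watched[] = {
    "DYLD_INSERT_LIBRARIES",
    "DYLD_LIBRARY_PATH",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
};
#define WATCHED_COUNT (sizeof watched / sizeof watched[0])

/* Scan a NULL-terminated "NAME=value" block and record the names of any
 * watched variables that are set. The match is on the exact name, so a
 * prefix such as "DYLD_LIBRARY_PATHX=" must not count. Returns the total
 * number of matches even when only the first max_hits were stored. */
static size_t scan_env_for_injection(char *const envp[], const char **hits, size_t max_hits) {
    size_t found = 0;
    for (size_t e = 0; envp[e] != NULL; e++) {
        for (size_t w = 0; w < WATCHED_COUNT; w++) {
            size_t n = strlen(watched[w]);
            if (strncmp(envp[e], watched[w], n) == 0 && envp[e][n] == '=') {
                if (found < max_hits)
                    hits[found] = watched[w];
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample environment; the library paths are made up. */
static char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "DYLD_INSERT_LIBRARIES=/tmp/example.dylib",
    "HOME=/Users/example",
    "DYLD_LIBRARY_PATHX=prefix-only-must-not-match",
    "LD_PRELOAD=/tmp/example.so",
    NULL,
};

static size_t demo_hit_count(void) {
    const char *hits[WATCHED_COUNT];
    return scan_env_for_injection(sample_env, hits, WATCHED_COUNT);
}
static const char *demo_hit_name(size_t i) {
    static const char *hits[WATCHED_COUNT];
    size_t n = scan_env_for_injection(sample_env, hits, WATCHED_COUNT);
    return (i < n && i < WATCHED_COUNT) ? hits[i] : NULL;
}

#ifdef __APPLE__
/* "Querying dyld": walk the images it loaded and count those outside the
 * system library locations. Image 0 is the main executable, so start at 1.
 * An application's own bundled frameworks show up here too and would need
 * an allow-list in a real check. */
static unsigned count_foreign_images(void) {
    unsigned foreign = 0;
    uint32_t n = _dyld_image_count();
    for (uint32_t i = 1; i < n; i++) {
        const char *path = _dyld_get_image_name(i);
        if (strncmp(path, "/usr/lib/", 9) != 0 && strncmp(path, "/System/", 8) != 0)
            foreign++;
    }
    return foreign;
}
#endif

int main(void) {
    const char *hits[WATCHED_COUNT];
    size_t n = scan_env_for_injection(environ, hits, WATCHED_COUNT);
    for (size_t i = 0; i < n && i < WATCHED_COUNT; i++)
        printf("loader variable set in this process: %s\n", hits[i]);
    if (n == 0)
        printf("no loader-injection variables in this process environment\n");
#ifdef __APPLE__
    printf("images loaded from outside /usr/lib and /System: %u\n", count_foreign_images());
#endif
    return 0;
}
```

The environment scan is only a first filter: dyld reads these variables once at exec time, so a library that is already loaded can remove them from the process environment, and the third approach the report describes never sets them at all. That is why the dyld image query is the more useful half on Mac OS X, and why an integrity check over the lazy symbol pointer table is the only one of the three that speaks to code injection.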
Conclusion

We have looked at three different methods of hooking functions on Mac OS X, and there are other variations that could also be done. The one benefit, from the defender’s point of view, is that these methods all only work without privileges if we can control the start-up of the application we want to hook. However, this isn’t a large hurdle. Most users would not think anything very suspicious was happening if their browser appeared to crash and restart. Even without doing that, the Dock could be hooked and then infect any processes the user started from that point forward.

While the examples given were written and tested on Apple Mac OS X 10.6, I have ported the code to 10.7, and, although the more aggressive ASLR makes things slightly more difficult, it’s still easily possible. The two biggest differences with Apple Mac OS X Lion are that ASLR is now the default and affects the dynamic linker image, and privilege separation. (I’m lumping sandboxing in with privilege separation, which isn’t technically correct, but will do for the sake of this discussion.) The first of these is not a major issue, as there are some simple ways of figuring out the “slide” value and therefore finding the image in memory. The second of these doesn’t affect us at all, because we are not discussing an attack vector here but an attack payload.

The first two methods are well documented and well known (Apple Mac OS X Internals by Amit Singh covers dyld interposing), and Black Hat presentations by Dino Dai Zovi have talked about injecting into other processes. These methods are mostly well known, easy to use and provide the same level of compromise as on Windows. So the question isn’t “Is Apple Mac OS X vulnerable to MitB attacks?” Rather, “Why haven’t there been widespread MitB attacks on Apple Mac OS X?”

© 2012 ThreatMetrix. All rights reserved.

ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the ThreatMetrix Cybercrime Defender Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Contact Us
USA Corporate Headquarters: ThreatMetrix Inc., 160 West Santa Clara Street, Suite 1400, San Jose, CA 95113. Telephone: +1.408.200.5755. Fax: +1.408.200.5799
EMEA Headquarters: ThreatMetrix B.V., Laan van Vredenoord 33-39, 2289 DA Rijswijk, The Netherlands. Telephone: +31 (0)70 8200 508
www.threatmetrix.com
www.threatmetrix.com/fraudsandends