SlideShare ist ein Scribd-Unternehmen logo

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

Stefan Esser
Stefan EsserIT Security Researcher

With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access. In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

Stefan Esser
Stefan EsserIT Security Researcher

With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access. In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

1 von 71

Recomendados

SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick von
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickSyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
9.1K views16 Folien
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel von
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
3K views65 Folien
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation von
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationBlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationStefan Esser
41.9K views96 Folien
Find your own iOS kernel bug von
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
12.9K views74 Folien
CanSecWest 2017 - Port(al) to the iOS Core von
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
8.1K views51 Folien
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner... von
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
2.2K views49 Folien
OSX Pirrit : Why you should care about malicious mac adware von
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwarePriyanka Aash
587 views60 Folien
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT von
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
1.4K views56 Folien

Más contenido relacionado

Was ist angesagt?

Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely von
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyPharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyESUG
643 views38 Folien
Q con shanghai2013-[黄舒泉]-[intel it openstack practice] von
Q con shanghai2013-[黄舒泉]-[intel it openstack practice]Q con shanghai2013-[黄舒泉]-[intel it openstack practice]
Q con shanghai2013-[黄舒泉]-[intel it openstack practice]Michael Zhang
853 views49 Folien
Cross-platform development with Pharo - The PharoLauncher case von
Cross-platform development with Pharo - The PharoLauncher caseCross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher caseESUG
560 views34 Folien
App armor structure von
App armor structureApp armor structure
App armor structureLongbeo Longnhat
102 views62 Folien
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat... von
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...Techsylvania
462 views37 Folien
Android Direct Boot となにがなんでも鳴るアラームアプリ開発 von
Android Direct Boot となにがなんでも鳴るアラームアプリ開発Android Direct Boot となにがなんでも鳴るアラームアプリ開発
Android Direct Boot となにがなんでも鳴るアラームアプリ開発irgaly
519 views25 Folien
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun von
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunStefan Esser
2.3K views11 Folien
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated von
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
17.8K views73 Folien
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi... von
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Cheng-Yi Yu
3.1K views65 Folien
Forensics WS Consolidated von
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
244 views57 Folien
Snap Your App von
Snap Your AppSnap Your App
Snap Your AppTed Gould
808 views41 Folien
Oracle RAC 11g Rel2 11201 installations von
Oracle RAC 11g Rel2 11201 installationsOracle RAC 11g Rel2 11201 installations
Oracle RAC 11g Rel2 11201 installationsMarkus Michalewicz
2.2K views53 Folien
Mr201305 tizen security_eng von
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
1K views22 Folien
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIs von
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIsBoost Smooth Scrolling with iOS 10 Pre-Fetching APIs
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIsAndrea Prearo
167 views13 Folien
BlueHat v18 || The matrix has you - protecting linux using deception von
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
739 views50 Folien

Was ist angesagt? (15)

Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely von ESUG
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyPharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
ESUG643 views
Q con shanghai2013-[黄舒泉]-[intel it openstack practice] von Michael Zhang
Q con shanghai2013-[黄舒泉]-[intel it openstack practice]Q con shanghai2013-[黄舒泉]-[intel it openstack practice]
Q con shanghai2013-[黄舒泉]-[intel it openstack practice]
Michael Zhang853 views
Cross-platform development with Pharo - The PharoLauncher case von ESUG
Cross-platform development with Pharo - The PharoLauncher caseCross-platform development with Pharo - The PharoLauncher case
Cross-platform development with Pharo - The PharoLauncher case
ESUG560 views
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat... von Techsylvania
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Techsylvania462 views
Android Direct Boot となにがなんでも鳴るアラームアプリ開発 von irgaly
Android Direct Boot となにがなんでも鳴るアラームアプリ開発Android Direct Boot となにがなんでも鳴るアラームアプリ開発
Android Direct Boot となにがなんでも鳴るアラームアプリ開発
irgaly519 views
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun von Stefan Esser
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Stefan Esser2.3K views
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated von CanSecWest
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest17.8K views
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi... von Cheng-Yi Yu
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Cheng-Yi Yu3.1K views
Snap Your App von Ted Gould
Snap Your AppSnap Your App
Snap Your App
Ted Gould808 views
Mr201305 tizen security_eng von FFRI, Inc.
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_eng
FFRI, Inc.1K views
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIs von Andrea Prearo
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIsBoost Smooth Scrolling with iOS 10 Pre-Fetching APIs
Boost Smooth Scrolling with iOS 10 Pre-Fetching APIs
Andrea Prearo167 views

Ähnlich wie SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

Hp fortify source code analyzer(sca) von
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
5.6K views12 Folien
OSX/Pirrit: The blue balls of OS X adware von
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
675 views58 Folien
Jordan Hubbard Talk @ LISA von
Jordan Hubbard Talk @ LISAJordan Hubbard Talk @ LISA
Jordan Hubbard Talk @ LISAguest4c923d
575 views117 Folien
Auditing the Opensource Kernels von
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
888 views81 Folien
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019 von
Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Kondal Kolipaka
225 views28 Folien
Hardening solaris von
Hardening solarisHardening solaris
Hardening solarisFemi Adeyemi
479 views40 Folien
Docker and the Oracle Database von
Docker and the Oracle DatabaseDocker and the Oracle Database
Docker and the Oracle DatabaseInsight Technology, Inc.
1.5K views77 Folien
Legacy Lowdown - Options When Migrating Solaris Applications von
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsAppZero
1.1K views36 Folien
How To Add System Call In Ubuntu OS von
How To Add System Call In Ubuntu OSHow To Add System Call In Ubuntu OS
How To Add System Call In Ubuntu OSPratik Tambekar
5.4K views34 Folien
Nullbyte 6ed. 2019 von
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Ricardo L0gan
168 views29 Folien
Ansible101 von
Ansible101Ansible101
Ansible101Hideki Saito
3.7K views31 Folien
Jonny_Martin-Asterisk von
Jonny_Martin-AsteriskJonny_Martin-Asterisk
Jonny_Martin-Asterisktutorialsruby
621 views61 Folien
Jonny_Martin-Asterisk von
Jonny_Martin-AsteriskJonny_Martin-Asterisk
Jonny_Martin-Asterisktutorialsruby
1.6K views61 Folien
Jonny_Martin-Asterisk von
Jonny_Martin-AsteriskJonny_Martin-Asterisk
Jonny_Martin-Asterisktutorialsruby
793 views61 Folien
Jonny_Martin-Asterisk von
Jonny_Martin-AsteriskJonny_Martin-Asterisk
Jonny_Martin-Asterisktutorialsruby
1.1K views61 Folien
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio... von
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...Ajith Ramawickrama
193 views18 Folien
Char Drivers And Debugging Techniques von
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesYourHelper1
48 views35 Folien
A Tour of Open Source on the Mainframe von
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeAll Things Open
222 views25 Folien
RISC-V-Day-Tokyo2018-suzaki von
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
855 views14 Folien
Spectre meltdown performance_tests - v0.3 von
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3David Pasek
1.9K views55 Folien

Ähnlich wie SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP (20)

Hp fortify source code analyzer(sca) von Nagaraju Repala
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
Nagaraju Repala5.6K views
OSX/Pirrit: The blue balls of OS X adware von Amit Serper
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
Amit Serper675 views
Jordan Hubbard Talk @ LISA von guest4c923d
Jordan Hubbard Talk @ LISAJordan Hubbard Talk @ LISA
Jordan Hubbard Talk @ LISA
guest4c923d575 views
Auditing the Opensource Kernels von Silvio Cesare
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare888 views
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019 von Kondal Kolipaka
Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019Eclipse Plugin for ESP-IDF -  EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Kondal Kolipaka225 views
Legacy Lowdown - Options When Migrating Solaris Applications von AppZero
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris Applications
AppZero1.1K views
How To Add System Call In Ubuntu OS von Pratik Tambekar
How To Add System Call In Ubuntu OSHow To Add System Call In Ubuntu OS
How To Add System Call In Ubuntu OS
Pratik Tambekar5.4K views
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio... von Ajith Ramawickrama
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...
Install .Net Core, SQL Server V-Next on Linux and deploy .Net core applicatio...
Ajith Ramawickrama193 views
Char Drivers And Debugging Techniques von YourHelper1
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
YourHelper148 views
A Tour of Open Source on the Mainframe von All Things Open
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the Mainframe
All Things Open222 views
Spectre meltdown performance_tests - v0.3 von David Pasek
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3
David Pasek1.9K views

Último

chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdf von
chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdfchatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdf
chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdfroystoncdsouza7
10 views69 Folien
Processor Refactoring.pdf von
Processor Refactoring.pdfProcessor Refactoring.pdf
Processor Refactoring.pdfDavid Harrison
11 views15 Folien
AFNOG 1: Afghanistan IP Deployment Status von
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
244 views14 Folien
AFSIG 2023: APNIC - Registry & Development von
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
239 views30 Folien
LLMs for the “GPU-Poor” - Franck Nijimbere.pdf von
LLMs for the “GPU-Poor” - Franck Nijimbere.pdfLLMs for the “GPU-Poor” - Franck Nijimbere.pdf
LLMs for the “GPU-Poor” - Franck Nijimbere.pdfGDG Bujumbura
9 views17 Folien
Car cleaning von
Car cleaningCar cleaning
Car cleaningSHECALLmeCHIKOO
5 views1 Folie
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink von
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
168 views32 Folien
NORFest 2023: Early Career Researcher Panel on Research Assessment von
NORFest 2023: Early Career Researcher Panel on Research AssessmentNORFest 2023: Early Career Researcher Panel on Research Assessment
NORFest 2023: Early Career Researcher Panel on Research Assessmentdri_ireland
10 views44 Folien
Satellite advantages and disadvantages and data transmission von
Satellite advantages and disadvantages and data transmissionSatellite advantages and disadvantages and data transmission
Satellite advantages and disadvantages and data transmissionbhoumik413
5 views27 Folien
scopusresults citar ca los autores en apa 7 von
scopusresults citar ca los autores en apa 7scopusresults citar ca los autores en apa 7
scopusresults citar ca los autores en apa 7ciriloallccagaray5
5 views1 Folie
ZKorum: Building the Next Generation eAgora powered by SSI von
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSISSIMeetup
77 views42 Folien
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptx von
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptxCOMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptx
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptxHalimaTarin
8 views33 Folien
Internet Service Provider,Faria Zaman, Northern University Bangladesh, von
Internet Service Provider,Faria Zaman, Northern University Bangladesh,Internet Service Provider,Faria Zaman, Northern University Bangladesh,
Internet Service Provider,Faria Zaman, Northern University Bangladesh,zamanfaria29
29 views16 Folien
IDNIC OPM 2023 - Internet Number Registry System von
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
236 views26 Folien
Afghanistan IGF 2023: The ABCs and importance of cybersecurity von
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
254 views11 Folien
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less von
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
241 views20 Folien
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdf von
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdfMOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdf
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdftuanminhlam102
11 views1 Folie
Coding Course Power Point - ICD 10 Coding. von
Coding Course Power Point - ICD 10 Coding.Coding Course Power Point - ICD 10 Coding.
Coding Course Power Point - ICD 10 Coding.kushal924962
14 views119 Folien
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ... von
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...Magento Meetup Austria
8 views17 Folien
5 steps of purchasing USA International sim card von
5 steps of purchasing USA International sim card5 steps of purchasing USA International sim card
5 steps of purchasing USA International sim cardAnjaliKhangarot
6 views1 Folie

Último (20)

chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdf von roystoncdsouza7
chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdfchatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdf
chatgptandthefutureofwork-clarkboyd1-230329144127-81b35f6b (3).pdf
roystoncdsouza710 views
AFNOG 1: Afghanistan IP Deployment Status von APNIC
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
APNIC244 views
AFSIG 2023: APNIC - Registry & Development von APNIC
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
APNIC239 views
LLMs for the “GPU-Poor” - Franck Nijimbere.pdf von GDG Bujumbura
LLMs for the “GPU-Poor” - Franck Nijimbere.pdfLLMs for the “GPU-Poor” - Franck Nijimbere.pdf
LLMs for the “GPU-Poor” - Franck Nijimbere.pdf
GDG Bujumbura9 views
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink von APNIC
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
APNIC168 views
NORFest 2023: Early Career Researcher Panel on Research Assessment von dri_ireland
NORFest 2023: Early Career Researcher Panel on Research AssessmentNORFest 2023: Early Career Researcher Panel on Research Assessment
NORFest 2023: Early Career Researcher Panel on Research Assessment
dri_ireland10 views
Satellite advantages and disadvantages and data transmission von bhoumik413
Satellite advantages and disadvantages and data transmissionSatellite advantages and disadvantages and data transmission
Satellite advantages and disadvantages and data transmission
bhoumik4135 views
ZKorum: Building the Next Generation eAgora powered by SSI von SSIMeetup
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
SSIMeetup77 views
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptx von HalimaTarin
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptxCOMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptx
COMPUTER NETWORK(Introduction, classification)NETWORK TOPOLOGY.pptx
HalimaTarin8 views
Internet Service Provider,Faria Zaman, Northern University Bangladesh, von zamanfaria29
Internet Service Provider,Faria Zaman, Northern University Bangladesh,Internet Service Provider,Faria Zaman, Northern University Bangladesh,
Internet Service Provider,Faria Zaman, Northern University Bangladesh,
zamanfaria2929 views
IDNIC OPM 2023 - Internet Number Registry System von APNIC
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
APNIC236 views
Afghanistan IGF 2023: The ABCs and importance of cybersecurity von APNIC
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
APNIC254 views
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less von APNIC
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
APNIC241 views
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdf von tuanminhlam102
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdfMOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdf
MOTIVATE YOURSELF NEVER LIKE BEFORE IT IS MIND.pdf
tuanminhlam10211 views
Coding Course Power Point - ICD 10 Coding. von kushal924962
Coding Course Power Point - ICD 10 Coding.Coding Course Power Point - ICD 10 Coding.
Coding Course Power Point - ICD 10 Coding.
kushal92496214 views
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ... von Magento Meetup Austria
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...
38. Magento Meetup Austria: Ivan Cuk - From Core to Custom. A Deep Dive into ...
5 steps of purchasing USA International sim card von AnjaliKhangarot
5 steps of purchasing USA International sim card5 steps of purchasing USA International sim card
5 steps of purchasing USA International sim card
AnjaliKhangarot6 views

SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP

  • 1. Stefan Esser <stefan.esser@sektioneins.de> OS X El Capitan - Sinking the S IP http://www.sektioneins.de H /
  • 2. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Sinking the SH/IP? • sorry this is not Titanic Part II • this talk is about System Integrity Protection (SIP) in OS X El Capitan • and several weaknesses in it • so we are sinking the SH/IP 2
  • 3. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 What is System Integrity Protection (SIP)? 3
  • 4. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection (SIP) • first leaked to media as “rootless” ➡ lead to assumption that Apple would remove root user • but in reality it is just a “root” user that can do “less” • part of “rootless” already in kernel source code of Yosemite • but re-branded for outside world as System Integrity Protection (SIP) 4
  • 5. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection (SIP) • Apple thinks power of “root” user is too dangerous (WWDC 2015) • because often only protected by simple password • only a single privilege escalation exploit needed • gaining “root” should not mean total system compromise • SIP tries to lock down system from “root” • probable intention: stop malware that got root from persisting 5
  • 6. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System with and without SIP 6 System without System Integrity Protection System with System Integrity Protection • SIP adds some additional checks here and there • but SIP is mostly a sandbox around the whole 
 system/platform • internally called platform_profile
  • 7. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 What SIP is not … • SIP is not a protection against kernel (memory corruption) bugs • SIP is not designed to protect against those • therefore any kernel exploit is not a SIP bypass • SIP just bluntly assumes that kernel (memory corruption) bugs are • unavailable to the attacker • or too hard to exploit • or that they do not exist 7
  • 8. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Attack Surface (without SIP) 8 sandboxed application unsandboxed application root • as root user the attack surface is gigantic • many more APIs, lots of drivers, …
  • 9. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Attack 
 Surface of new SIP code Attack Surface (with SIP) 9 sandboxed application unsandboxed application root Attack Surface closed by SIP • SIP is mostly a blacklisting approach so it kills some attack surface • but it only kills a small part and new SIP code adds new attack surface
  • 10. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Absent Kernel Bugs … ?!? • assumption that attackers cannot have access to kernel bugs 
 to bypass SIP is highly questionable • in the real world there is no shortage of kernel bugs • just look at every single OS X update • Google and some other companies seem to pay very much 
 to let their engineers secure Apple’s OS X kernel • and in reality there are many more that do not get reported to Apple
 (e.g. because no bug bounties) 10
  • 11. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Before we start … so that we are on the same page 11
  • 12. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 What are entitlements? • snippets of XML embedded in code signature • used to e.g. give a binary special permissions • from a security point of view comparable with SUID binaries 12 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.rootless.install</key> <true/> </dict> </plist>
  • 13. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 How to read (binary) sandbox profiles? • there are more than 100 operations that are controlled by 
 sandbox profiles • interesting profiles are kept in binary only form • open source tools like sandbox_toolkit can visualize them 13
  • 14. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 How to read (binary) sandbox profiles? 14 sandboxed operation filter filter parameter final decision
  • 15. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Yeah but now tell me about SIP … 15
  • 16. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 SIP Sandbox by default a blacklist • SIP’s sandbox profile (platform_profile) by default allows everything • therefore overall strategy is blacklisting of dangerous operations 16
  • 17. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Restrictions • load only signed kernel extensions • disallow debugging of restricted apps • disallow modifications of protected areas on filesystem • restricts use of dtrace • disallow arbitrary modifications of nvram • … other related restrictions 
 (like disallowing unload of not whitelisted launchd services) 17
  • 18. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection Configuration • csrutil tool to enable/disable System Integrity Protection • requires recovery mode boot to be fully usable • csrutil enable [--without kext|fs|debug|dtrace|nvram] [--no-internal] 18 $ csrutil usage: csrutil <command> Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine. Available commands: clear Clear the existing configuration. Only available in Recovery OS. disable Disable the protection on the machine. Only available in Recovery OS. enable Enable the protection on the machine. Only available in Recovery OS. status Display the current configuration. netboot add <address> Insert a new IPv4 address in the list of allowed NetBoot sources. list Print the list of allowed NetBoot sources. remove <address> Remove an IPv4 address from the list of allowed NetBoot sources.
  • 19. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection Configuration • System Integrity Protection internally controlled via nvram variables • csr-active-config = bitmask of the enables/disabled protections • csr-data = variable to store netboot configuration • csrutil uses these nvram variables, too configure SIP • these variables cannot be modified in non-recovery mode 19
  • 20. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection Configuration Flags 20 /* Rootless configuration flags */ #define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0) #define CSR_ALLOW_UNRESTRICTED_FS (1 << 1) #define CSR_ALLOW_TASK_FOR_PID (1 << 2) #define CSR_ALLOW_KERNEL_DEBUGGER (1 << 3) #define CSR_ALLOW_APPLE_INTERNAL (1 << 4) #define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5) #define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6) #define CSR_ALLOW_DEVICE_CONFIGURATION (1 << 7) csr-active-config nvram value enable %10%00%00%00 disable %77%00%00%00 enable without kext %11%00%00%00 enable without nvram %50%00%00%00 enable without dtrace %30%00%00%00 enable without debug %14%00%00%00 enable without fs %12%00%00%00
  • 21. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection User Space Integration • user space tools and daemons can check SIP status via csr_check() • internally this uses the csrctl syscall • int csrctl(uint32_t op, user_addr_t useraddr, user_addr_t usersize) 21 /* Syscall flavors */ #define CSR_OP_CHECK 0 #define CSR_OP_GET_ACTIVE_CONFIG 1 #define CSR_OP_GET_PENDING_CONFIG 2
  • 22. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Load Only Signed Kernel Extensions • not really new - was like that since Yosemite only different implementation • signature check user space driven • entitlement com.apple.rootless.kext-management makes the difference • AppleKextExcludeList.kext controls whitelist / blacklist of kext 22
  • 23. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Load Only Signed Kernel Extensions (II) • AppleKextExcludeList.kext’s Info.plist contains • whitelist of KEXT that get loaded without signature
 OSKextSigExceptionHashList • blacklist of KEXT that get not loaded although valid signed
 OSKextExcludeList • important example of blacklisted extension is Apple’ own AppleHWAccess.kext that gives arbitrary r/w access to physical memory • handling of exclusion is done in user-space AND kernel-space 23
  • 24. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 File System Integrity Protection • parts of the file system are protected against modifications • can find a list of protected files at 
 /System/Library/Sandbox/rootless.conf 24 ... /Applications/Utilities/VoiceOver Utility.app /Library/Preferences/SystemConfiguration/com.apple.Boot.plist /System * /System/Library/Caches booter /System/Library/CoreServices * /System/Library/CoreServices/Photo Library Migration Utility.app /System/Library/CoreServices/RawCamera.bundle * /System/Library/Extensions /System/Library/Extensions/* UpdateSettings /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist * /System/Library/Speech * /System/Library/User Template /bin dyld /private/var/db/dyld /sbin /usr * /usr/libexec/cups * /usr/local * /usr/share/man # symlinks /etc /tmp /var
  • 25. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 File System Integrity Protection • and a list of exceptions at 
 /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths 25 /System/Library/CFMSupport /System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/iLifeSlideshowTypes.bundle /System/Library/CoreServices/SecurityAgentPlugins/CentrifyPAM.bundle /System/Library/CoreServices/SecurityAgentPlugins/CentrifySmartCard.bundle /System/Library/CyborgRAT.kext /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XComposite109.kext /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XEthernet109.kext /System/Library/Filesystems/DAVE /System/Library/Filesystems/fusefs_txantfs.fs /System/Library/Filesystems/ufsd_NTFS.fs /System/Library/Fonts/encodings.dir /System/Library/Fonts/fonts.dir /System/Library/Fonts/fonts.list /System/Library/Fonts/fonts.scale /System/Library/HuaweiDataCardDriver.kext /System/Library/LaunchAgents/com.paragon.NTFS.notify.plist /System/Library/LaunchDaemons/com.absolute.rpcnet.plist /System/Library/LaunchDaemons/com.intel.haxm.plist /System/Library/LaunchDaemons/com.seagate.TBDecorator.plist /System/Library/LaunchDaemons/de.novamedia.nmnetmgrd.plist ... • list can be updated with rootless_whitelist_push() if right entitlement
  • 26. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 File System Integrity Protection • files in the protected areas can be modified if tools have special entitlements - e.g. com.apple.rootless.install • on disk extended attribute com.apple.rootless to protect files • security sensitive operations use rootless_check_trusted() if file is protected and not in the whitelist • enforcement is done inside the sandbox by addition of new filters 26
  • 27. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 File System Integrity Protection (as DOT) 27
  • 28. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection Sandbox Filters • SIP introduces new filters for sandbox profiles • (csr %d) • (rootless-boot-device-filter) • (rootless-file-filter) • (rootless-disk-filter) • (rootless-proc-filter) • to understand what they do reverse engineering is required • Sandbox extension has all the filters in its _eval() function 28
  • 29. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 System Integrity Protection Sandbox Filters • (csr %d)
 matches if specific SIP configuration bit is set • (rootless-boot-device-filer)
 matches if SIP configuration forbids a boot device • (rootless-proc-filter)
 matches if SIP forbids access to this process
 entitlement com.apple.system-task-ports overrides • (rootless-file-filter)
 matches if access to file is forbidden by SIP
 evaluates xattr (com.apple.rootless), checks if process is considered an installer
 various entitlements like com.apple.rootless.internal-installer-equivalent, com.apple.rootless.storage.* • (rootless-disk-filter)
 matches if access to disc is restricted by SIP
 override by entitlements like com.apple.rootless.internal-installer-equivalent, com.apple.rootless.restricted-block-devices 29
  • 30. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Protection of restricted processes • processes marked as restricted get protected from debuggers • restricted processes are those with • a __RESTRICT segment • with special flags in code signing information • or with special Apple entitlements • or if executed from protected filesystem areas 30
  • 31. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Protection of nvram • because nvram controls SIP configuration and boot device access is limited • access to csr-.* is forbidden unless in recovery mode access controlled by entitlements • com.apple.private.iokit.nvram-csr • com.apple.rootless.restricted-nvram-variables • access to kernel boot arguments is whitelisted 31
  • 32. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Launch Daemon Protection • launchd has a whitelist of launch daemons that can be removed • others considered sensitive and cannot be removed • also task_set_special_port() ensures that no one except launchd can hijack special ports 32 /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist
  • 33. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Sinking the SH/IP Sinking the SH/IP 33
  • 34. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Remember … one of the assumptions was:
 
 SIP because kernel exploitation is too hard for attacker 34
  • 35. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 APIs that make kernel exploitation easier … • host_zone_info() / zprint • output helps with kernel heap feng shui • unfixed • kas_info() • gives kernel KASLR slide to root user • fixed in OS X 10.11.3 35
  • 36. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Boot Arguments that make exploitation easier • SIP explicitly allows setting kernel boot arguments • this includes boot arguments with security relevance / mitigations • -pmap_smep_disable • -pmap_smap_disable • wpkernel • dataconstro • kmapoff • … • used to reboot into a kernel exploitation friendly environment 36
  • 37. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Kernel Debugger ?!!! 37
  • 38. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Kernel Debugger • the internet believes that SIP stops kernel debugging from working • however this is not true at all • setting the debug boot-arg allows activation of the kernel debugger • attacker with network access to machine in LAN can attach • requires reboot and something to trigger the debugger after boot 38
  • 39. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Triggering Kernel Debugger • before OS X 10.11.2 • host_reboot(HOST_REBOOT_DEBUGGER) triggers debugger • since OS X 10.11.2 • any kernel crash only bug will trigger debugger • and while at it - activating remote kernel crash dumps might leak interesting kernel only data to attacker 39
  • 40. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Abusing Kernel Debugger • it should be obvious that a remote attacker attached to your kernel • can easily disable SIP or steal kernel only data 40
  • 41. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Mount Malicious 41
  • 42. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Mount Malicious (I) • in security updates for OS X 10.11.2 Apple mentions a union mount bug • this was reported by an external party: MacDefender • as usual Apple release announcements are very vague about bugs • so not really sure if it is exactly this bug … 42
  • 43. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Mount Malicious (II) • so what is the first thing you would try when there is a protected area on the filesystem that you are not allowed to modify? • IMHO one of the first things one would try is to mount a different filesystem over these areas in order to trick code running on it • apparently Apple security did not think so and needed an external party to find this problem 43
  • 44. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Create DMG and mount it … mkdir evil … hdiutil create -srcfolder evil evil.dmg hdiutil attach -mountpoint /System/Library/Sandbox/ evil.dmg 44
  • 45. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 How to exploit? (I) • create a malicious version of rootless.conf • disable protection of /System/Library/Kernels/kernel • create an empty com.apple.rootless.repair • create two DMGs one containing the malicious version of both files • and one containing the original rootless.conf 45
  • 46. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 How to exploit? (II) • mount the malicious one over /System/Library/Sandbox/ • run /usr/libexec/rootless-init -b • patch the kernel binary to disable SIP • mount the clean DMG over /System/Library/Sandbox/ • run /usr/libexec/rootless-init -b • run touch /Library/Extensions;reboot • enjoy SIP disabled system 46
  • 47. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 DEMO 47
  • 48. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Abuse of Entitlements 48
  • 49. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Abuse of Entitlements • binaries with entitlements are the new SUID binaries • it took years to eradicate exploitable bugs from SUID binaries • so people tried hard to have as few of those as possible • Apple has to harden every single binary they gave entitlements 49
  • 50. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Abuse of SIP Entitlements • in context of SIP: ➡ binaries with com.apple.rootless.install most dangerous • so how hard is it to abuse this at the moment in OS X 10.11.4? 50
  • 51. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 What about fsck_cs? • the core storage fsck tool fsck_cs has com.apple.rootless.install • one look into the manpage reveals there is an -l option
 
 -l logfile Reproduce all console output, as well as additional 
 status and error messages, to the specified file.
 • so unless hardened this will allow to append “garbage” to files in protected filesystem areas 51
  • 52. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 What about fsck_cs? bash-3.2# fsck_cs -l /bin/i_am_here fsck_cs: specify CoreStorage device(s) to verify bash-3.2# ls -la /bin/i_am_here -rw-r--r-- 1 root wheel 0 Mar 20 10:51 /bin/i_am_here 52
  • 53. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Leveraging this? • can we leverage this SIP file create/appending bypass vulnerability? • file parsers by Apple often ignore garbage at end (of e.g. plists) • did not come up with a way to abuse this except for file creation • However … there is more … 53
  • 54. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Abuse of Entitlements via Kernel • not only SUID binaries had to be hardened • kernel had to be hardened to protect SUIDs from themselves • here one of such protections • of course a similar protection is required for binaries with SIP filesystem entitlements 54 /* * Radar 2261856; setuid security hole fix * XXX For setuid processes, attempt to ensure that * stdin, stdout, and stderr are already allocated. * We do not want userland to accidentally allocate * descriptors in this range which has implied meaning * to libc. */ for (i = 0; i < 3; i++) { if (p->p_fd->fd_ofiles[i] != NULL) continue; /* * Do the kernel equivalent of * * if i == 0 * (void) open("/dev/null", O_RDONLY); * else * (void) open("/dev/null", O_WRONLY); */
  • 55. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Use fsck_cs again … • the following example on the command line • closes file descriptor 1 prior to execution • makes fsck_cs open /dev/diskX (which can be a symbolic link) • output on stdout is redirected into that opened file fsck_cs /dev/diskX 1>&- 55
  • 56. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Leveraging this? • we can use a symbolic link to let /dev/diskX point anywhere • this time the write happens to beginning of the file • we can use that to destroy the content of e.g.
 /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist • after reboot there is no kext exclude list active anymore ➡we can load AppleHWAccess.kext and write to physical memory ➡Game Over for SIP 56
  • 57. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Single Tweet to disable Apple Kext Exclude List Did I mention that the attack easily fits into a single tweet? ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot 57
  • 58. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 DEMO 58
  • 59. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 dyld simulator DYLD_ROOT_PATH backdoor 59
  • 60. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 DYLD_ROOT_PATH backdoor • with OS X 10.9.0 Apple added a backdoor to the dynamic linker to support the iOS / WatchOS / TvOS simulators • DYLD_ROOT_PATH environment variable loads a dyld_sim binary into address space of any program allowing to execute code with its permissions • backdoor allows execution with SUID status and entitlements of original binary 60
  • 61. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 You call it Backdoor? Really? • backdoor, yes… • how else do you call an undocumented functionality • that allows injection of code into any executable • taking over the privileges of that executable 61
  • 62. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Any protection? • Apple protected this code by checking if dyld_sim binary is 
 owned by the root user (uid=0) • this is however not a protection at all • default user of OS X is admin and can write to some files that are owned by root due to group membership (e.g. DiagnosticReports) • also several services, applications, … on a default system create root owned files that are writable by everyone (just search with find) • and in context of SIP we would even assume to be already root • reported to Apple by beist one year ago around March 2015 (afaik) 62 // verify simulator dyld file is owned by root struct stat sb; if ( fstat(fd, &sb) == -1 ) return 0; if ( sb.st_uid != 0 ) return 0;
  • 63. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 New “protection” in OS X 10.10.5 (2015-08-13) • Apple removed code to check if dyld_sim binary is owned by uid=0 • Instead they enforced that the dyld_sim binary is codesigned • they added a new flag to kernel to allow special verification of dyld_sim • however due to relaxed mach-o parser for dyld_sim loading an integer overflow could be triggered that allowed to bypass codesign enforcement 63 if ( codeSigCmd == NULL ) return 0; fsignatures_t siginfo; siginfo.fs_file_start=fileOffset; // start of mach-o slice in fat file siginfo.fs_blob_start=(void*)(long)(codeSigCmd->dataoff); // start of code-signature in mach-o file siginfo.fs_blob_size=codeSigCmd->datasize; // size of code-signature int result = fcntl(fd, F_ADDFILESIGS_FOR_DYLD_SIM, &siginfo); if ( result == -1 ) { dyld::log("fcntl(F_ADDFILESIGS_FOR_DYLD_SIM) failed with errno=%dn", errno); return 0; }
  • 64. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 New “protection” in OS X 10.11.0 (2015-09-30) • Apple now enforces a very strict mach-o header layout for dyld_sim • this kinda closed the integer overflow attack • however the code had at least another flaw so that arbitrary execution could still be performed - not mine to share • might be the bug that Apple credits to beist in their 10.11.4 release 64
  • 65. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 New “protection” in OS X 10.11.4 (2016-03-22) • was released yesterday - no time to check fully • according to release notes fixes a dyld bug reported by beist again • would be the 3rd fix for the DYLD_ROOT_PATH backdoor • and the 4th attempt at a “protection” against loading arbitrary code • NOTICE: somewhen between the 2nd and 3rd fix Apple contacted me by e-mail and asked me to review their fix - too bad they don’t offer bug bounties… 65
  • 66. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 But why? • i can not understand why Apple attempts to fix the backdoor by hardening the checking of dyld_sim • correct fix is to remove the code completely from the system’s dynamic linker and compile simulator binaries in a different way with Xcode • there is absolutely no valid reason why simulator functionality should be injectable into every single binary • especially because most users are not developers in the first place 66
  • 67. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 And now revisit this … • all the time the only thing Apple tried to protect against is a malicious simulator dyld • they completely ignore the fact that dyld_sim is a dynamic linker by itself • the purpose of dyld_sim is already to load and execute code in libraries • an attack is possible by simply using an original Apple dyld_sim plus evil libs 67
  • 68. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Okay how to exploit? • dyld_sim is a hack by itself the code has so many hacks to make things work that it will take a while to close them all • injection into SUID binaries via original dyld_sim seems to not work • however injection of libraries into entitled binaries works 
 (can use DYLD_INSERT_LIBRARIES) • remember ROOTPIPE ? - we can still get root via dyld_sim by borrowing 
 com.apple.private.admin.writeconfig and writing to /etc/sudoers • can defeat SIP by borrowing com.apple.rootless.install once we are root
 
 68
  • 69. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Howto… #!/bin/sh INSTALL_PATH=<<<<CENSORED>>>> DYLD_ROOT_PATH=$INSTALL_PATH DYLD_INSERT_LIBRARIES=getroot.dylib /usr/bin/tmutil #!/bin/sh INSTALL_PATH=<<<<CENSORED>>>> DYLD_ROOT_PATH=$INSTALL_PATH DYLD_INSERT_LIBRARIES=bypass_sip.dylib /sbin/ fsck_msdos 69
  • 70. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 DEMO 70
  • 71. Stefan Esser • OS X El Capitan - Sinking the SH/IP • March 2016 Questions ? 71