
CEHv6 Module 34: MAC OS X Hacking


DOCUMENT INFORMATION

Basic information

Title: Mac OS X Hacking
School: EC-Council
Field: Ethical Hacking
Type: module
Pages: 44
Size: 1.08 MB

Contents

Module XXXIV Page | 2744 Ethical Hacking and Countermeasures v6 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures Version 6

Module XXXIV: MAC OS X Hacking

Exam 312-50


The attacker who won the challenge took just 30 minutes to gain root control of the system. He made use of a vulnerability that had not been published or patched by Apple. According to security researcher Neil Archibald, various vulnerabilities are present in Mac OS X that can be exploited by attackers.


This module will familiarize you with:

• MAC OS Security Tools


Module Flow

• MAC OS

• Vulnerabilities in MAC OS

• Worm and Viruses in MAC OS

• Anti-Viruses in MAC OS

• MAC OS Security Tools


Introduction to MAC OS X

Mac OS X is a uniquely powerful development platform, bringing 32-bit and 64-bit architecture and multiprocessor capability to the desktop and server arenas. It provides an extremely productive high-level programming environment, Cocoa, combined with the full power of real UNIX.

Features:

• Runtime Flexibility

• Built on Powerful Frameworks

• Advanced Developer Tools

• Best Graphics on a Desktop

It includes a number of easy-to-use technologies that play a dual role as great applications and system services, allowing developers to enhance their applications with iChat Theater, Time Machine, Spotlight, Dashboard, Automator, and VoiceOver. iChat Theater takes instant messaging far beyond simple text, into the world of multimedia, allowing you to share audio and video. As a developer, you too can access these features and create applications that intelligently determine who is online, share videos, and control iChat through AppleScript. Mac OS X provides outstanding stability and performance. It starts with a 64-bit, open source UNIX core. Apple integrated the widely-used FreeBSD 5 UNIX distribution with the Mach 3.0 microkernel to deliver key functionality and a solid foundation. Preemptive multitasking, symmetric multiprocessing (SMP), and protected memory form the cornerstones of this foundation.


application's user interface. Whether you code in Objective-C, C/C++, or another popular language, Xcode can handle it.

Best Graphics on a Desktop

Mac OS X is built around a powerful, integrated stack of graphics technologies, including OpenGL, Core Animation, and Core Image. These provide a solid foundation for application developers to create great applications. Mac OS X's multithreaded graphics layer handles application windowing, 2D and 3D drawing, animation, and multimedia. Together, the subsystems of the graphics layer provide fast, elegant graphics to the operating system and to your application, making possible cutting-edge user interface features.

Internationally Savvy

Mac OS X has always been friendly to an international audience. Every major release of Mac OS X ships simultaneously in sixteen languages. To support this capability, Mac OS X provides conversion utilities to manage locales, dates, currencies, and measurement systems in a consistent manner. Mac OS X includes Unicode tools to handle text systems used around the world. And, by packaging an application's executable code, libraries, and resource files into a single binary, both internationalized and localized software versions can launch dynamically from a single application icon.


Vulnerabilities in MAC OS X


Crafted URL Vulnerability

• An input validation issue exists in the processing of URL schemes handled by Terminal.app

• By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution

• This vulnerability affects Apple Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, and Mac OS X Server v10.5 and v10.5.1

Crafted URL Vulnerability

Source: http://www.kb.cert.org/vuls/id/774345

The way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute arbitrary code. An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously designed web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This vulnerability affects Apple Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, and Mac OS X Server v10.5 and v10.5.1. A remote, unauthenticated attacker may be able to execute arbitrary code using this vulnerability.
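The Terminal.app issue above is a URL-scheme handler passing pieces of an attacker-controlled URL into a command line. The following added example (written for this page, not Apple's or CERT's code) shows the defensive side of that design: a strict parser for a hypothetical `telnet://host[:port]` scheme that allowlists host characters, rejects a host beginning with `-` (which the launched program would read as an option), bounds the port, and refuses any trailing bytes, so nothing reaches the command line that was not validated. The scheme name, grammar and sample URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "telnet://host[:port]" scheme; the grammar is an assumption for this example. */
#define SCHEME "telnet://"
#define DEFAULT_PORT 23u

/* Allowlist for host names: letters, digits, '.' and '-' only. */
static bool host_char_ok(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-';
}

/*
 * Strict parser: returns true only when the whole URL matches the grammar.
 * On success, host (NUL-terminated) and port are filled in.
 */
bool parse_telnet_url(const char *url, char *host, size_t hostsz, unsigned *port) {
    size_t plen = strlen(SCHEME);
    if (strncmp(url, SCHEME, plen) != 0)
        return false;                         /* wrong scheme */
    const char *p = url + plen;

    size_t n = 0;
    while (host_char_ok((unsigned char)p[n]))
        n++;
    if (n == 0 || n >= hostsz)
        return false;                         /* empty, or too long for the caller's buffer */
    if (p[0] == '-')
        return false;                         /* would be parsed as an option by the launched program */
    memcpy(host, p, n);
    host[n] = '\0';
    p += n;

    *port = DEFAULT_PORT;
    if (*p == ':') {
        p++;
        if (!isdigit((unsigned char)*p))
            return false;                     /* ':' must be followed by digits */
        unsigned long v = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned long)(*p - '0');
            if (v > 65535)
                return false;                 /* out of range; also stops runaway digit strings */
            p++;
        }
        if (v == 0)
            return false;
        *port = (unsigned)v;
    }

    /* Any leftover byte (';', ' ', '/', '%', control characters, ...) rejects the URL as a whole. */
    return *p == '\0';
}

int main(void) {
    /* Constructed sample URLs, not real hosts. */
    const char *samples[] = {
        "telnet://example.test:2323",
        "telnet://example.test",
        "telnet://-example.test",
        "telnet://example.test;extra",
        "telnet://example.test:70000",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char host[64];
        unsigned port;
        if (parse_telnet_url(samples[i], host, sizeof host, &port))
            printf("accept  %-32s host=%s port=%u\n", samples[i], host, port);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

The point of the design is that the handler never forwards the raw URL: only the two validated fields (host, port) exist after parsing, and a URL that fails any rule is dropped entirely rather than partially cleaned.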


CoreText Uninitialized Pointer

• By convincing a user to view specially crafted text, an attacker can execute arbitrary code or cause a denial of service on a vulnerable system

CoreText Uninitialized Pointer Vulnerability

By convincing a user to view specially crafted text, a remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.


ImageIO Integer Overflow

ImageIO Integer Overflow Vulnerability

Source: http://www.kb.cert.org/vuls/id/559444

Apple's ImageIO framework contains an integer overflow vulnerability that may allow an attacker to execute code on a vulnerable system. The Graphics Interchange Format (GIF) is a popular image format supported by many Apple Mac OS X applications. The ImageIO framework allows applications to read and write various image file formats, including GIF. An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X v10.4. A remote unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. The specially crafted GIF file used to exploit this vulnerability may be supplied on a web page, as an email attachment or inside an email, or by some other means to convince the user to open the malicious file.

Solution:

Apple has published Mac OS X 10.4.9 for Mac OS X 10.4 (Tiger) systems and Security Update 2007-003 for Mac OS X 10.3 (Panther) systems in response to this issue
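The GIF overflow described above is the classic image-decoder pattern: width × height × bytes-per-pixel computed in 32-bit arithmetic wraps, so a tiny buffer is allocated for a huge frame and the decoder then writes past it. This added example (not ImageIO's code; the 64-megapixel cap and the two sample headers are constructed for illustration) parses the 13-byte GIF header, shows the unchecked product wrapping to 0 for a 32768 × 32768 image, and the checked version that refuses the header before any allocation happens.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy cap for this example (constructed, not Apple's value): 64 megapixels. */
#define MAX_PIXELS (64u * 1024u * 1024u)

/* Constructed 13-byte GIF headers: 6-byte signature, LE16 width, LE16 height, 3 flag/index bytes. */
static const uint8_t SMALL_GIF_HDR[13] = {
    'G','I','F','8','9','a', 0x10,0x00, 0x08,0x00, 0x00,0x00,0x00 };   /* 16 x 8 */
static const uint8_t HUGE_GIF_HDR[13] = {
    'G','I','F','8','9','a', 0x00,0x80, 0x00,0x80, 0x00,0x00,0x00 };   /* 32768 x 32768 */

typedef struct { uint16_t width, height; } gif_screen;

/* Parse the logical screen descriptor; reject short buffers and bad signatures. */
bool gif_parse_header(const uint8_t *buf, size_t len, gif_screen *out) {
    if (len < 13) return false;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return false;
    out->width  = (uint16_t)(buf[6] | (buf[7] << 8));
    out->height = (uint16_t)(buf[8] | (buf[9] << 8));
    return true;
}

/* What an unchecked 32-bit decoder computes: the product silently wraps modulo 2^32. */
uint32_t naive_frame_bytes(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * bpp;
}

/* Checked version: every multiplication is tested for overflow and the pixel count is capped. */
bool checked_frame_bytes(uint32_t w, uint32_t h, uint32_t bpp, uint32_t *out) {
    uint32_t pixels, bytes;
    if (w == 0 || h == 0 || bpp == 0) return false;
    if (__builtin_mul_overflow(w, h, &pixels)) return false;
    if (pixels > MAX_PIXELS) return false;
    if (__builtin_mul_overflow(pixels, bpp, &bytes)) return false;
    *out = bytes;
    return true;
}

/* Size the RGBA frame buffer for a header, or refuse before any allocation happens. */
bool gif_frame_alloc_size(const uint8_t *buf, size_t len, uint32_t *out) {
    gif_screen s;
    if (!gif_parse_header(buf, len, &s)) return false;
    return checked_frame_bytes(s.width, s.height, 4, out);
}

int main(void) {
    gif_screen s;
    uint32_t bytes = 0;
    gif_parse_header(HUGE_GIF_HDR, sizeof HUGE_GIF_HDR, &s);
    printf("naive size for %ux%u RGBA: %u bytes (wrapped)\n", s.width, s.height,
           naive_frame_bytes(s.width, s.height, 4));
    printf("small header: %s (%u bytes)\n",
           gif_frame_alloc_size(SMALL_GIF_HDR, sizeof SMALL_GIF_HDR, &bytes) ? "ok" : "rejected", bytes);
    printf("huge header:  %s\n",
           gif_frame_alloc_size(HUGE_GIF_HDR, sizeof HUGE_GIF_HDR, &bytes) ? "ok" : "rejected");
    return 0;
}
```

The first header parses to 16 × 8 pixels and yields a 512-byte buffer; the second parses fine but is refused, which is the behaviour an "additional validation of GIF files" fix such as the one described delivers.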



iChat UPnP Buffer Overflow

• An unauthenticated attacker on the local network may be able to execute arbitrary code or cause a denial of service

iChat UPnP Buffer Overflow Vulnerability


ImageIO Memory Corruption Vulnerability

• A remote unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition

• By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution

• A memory corruption issue exists in the process of handling RAW images

• The RAW Image file format is a popular image format supported by many Apple Mac OS X applications

ImageIO Memory Corruption Vulnerability

Source: http://www.kb.cert.org/vuls/id/873868

Apple's ImageIO framework contains a memory corruption vulnerability that may allow an attacker to execute code on a vulnerable system. The RAW Image file format is a popular image format supported by many Apple Mac OS X applications. The ImageIO framework allows applications to read and write various image file formats, including RAW. A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4. A remote unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. The specially crafted RAW file used to exploit this vulnerability may be supplied on a web page, as an email attachment or inside an email, or by some other means to convince the user to open the malicious file.

Solution:

Apple has published Mac OS X 10.4.9 for Mac OS X 10.4 (Tiger) systems and Security Update 2007-003 for Mac OS X 10.3 (Panther) systems in response to this issue


Code Execution Vulnerability

• A memory corruption issue exists in Safari's handling of feed: URLs

• By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution

• This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL

• A remote unauthenticated attacker who can persuade a user to click on a malicious hyperlink may be able to execute arbitrary code

Code Execution Vulnerability

Source: http://www.kb.cert.org/vuls/id/905292

The Apple Safari web browser contains a vulnerability that may allow an attacker to execute arbitrary code. A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously designed URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later. A remote unauthenticated attacker who can persuade a user to click on a malicious hyperlink may be able to execute arbitrary code. As per the Apple Security Update 2007-009, this vulnerability only affects versions of Safari shipped with Mac OS X 10.4 and earlier.


UFS Filesystem Integer Overflow

• An integer overflow in the ffs_mountfs() function may occur when an OS X system opens a UFS disc image

• To trigger the overflow, an attacker needs to convince a user to open a specially crafted disc image

• An attacker with the ability to supply a specially crafted DMG file may be able to cause an affected system to crash, thereby creating a denial of service

UFS Filesystem Integer Overflow Vulnerability

Source: http://www.kb.cert.org/vuls/id/552136

There is an integer overflow in the ffs_mountfs() function, which is used by Apple's OS X operating system to handle UFS disc images. Unix File System (UFS) is a file system used by UNIX and other similar operating systems. Apple OS X supports UFS partitions and images. There is an integer overflow error in the ffs_mountfs() function that may occur when an OS X system opens a UFS disc image. To trigger the overflow, an attacker would need to convince a user to open a specially crafted disk image. The Safari web browser's default settings consider UFS disc images to be a safe file type, and it will automatically open them after downloading.

A remote, unauthenticated attacker with the ability to supply a specially crafted DMG file may cause an affected system to crash, thereby creating a denial of service. Additionally, an attacker may be able to execute arbitrary code using this vulnerability.

Disable "Open 'safe' files after downloading"

Source: http://www.cert.org/tech_tips/securing_browser/

Once you select the Preferences menu, the Preferences window will open. The first tab to look at is the General tab. On this tab, you can set up many options such as "Save downloaded files to:" and "Open 'safe' files after downloading". It is recommended to download files to a folder that you create for that purpose. It is also recommended that you deselect the "Open 'safe' files after downloading" option.


Kernel "fpathconf()" System Call Vulnerability

• The fpathconf() system call helps applications to find the current value of a configurable system limit

• The fpathconf() provided with the Apple Mac OS X kernel is programmed to panic when it is passed file descriptors associated with types it cannot otherwise handle, such as semaphore descriptors returned by the sem_open() system call for named semaphores

• This vulnerability in the Mac OS X kernel could allow an authenticated local attacker to cause a denial of service

Kernel "fpathconf()" System Call Vulnerability

Source: http://www.kb.cert.org/vuls/id/765096

A vulnerability in the Mac OS X kernel could allow an authenticated local attacker to cause a denial of service. The fpathconf() system call provides a method for applications to determine the current value of a configurable system limit or option variable associated with a file descriptor. The version of fpathconf() provided with the Apple Mac OS X kernel (XNU) is programmed to panic when file descriptors are passed that are associated with types it cannot otherwise handle, such as semaphore descriptors returned by the sem_open() system call for named semaphores. An authenticated local attacker could cause the affected system to crash due to a kernel panic. This condition results in a denial of service.

Solution:

Apple has published Mac OS X 10.4.9 for Mac OS X 10.4 (Tiger) systems and Security Update 2007-003 for Mac OS X 10.3 (Panther) systems in response to this issue


UserNotificationCenter Privilege Escalation Vulnerability

• Apple's UserNotificationCenter contains a vulnerability that may allow local users to gain elevated privileges

• It occurs when UserNotificationCenter runs with elevated privileges while operating on input submitted by users with normal privileges

• A user with valid login credentials may be able to run commands or modify system files with elevated privileges

User Notification Center Privilege Escalation Vulnerability

Source: http://www.kb.cert.org/vuls/id/315856

Apple's User Notification Center contains a vulnerability that may allow local users to gain elevated privileges. The Apple UserNotificationCenter contains a privilege escalation vulnerability. This vulnerability occurs because the Apple User Notification Center runs with elevated privileges while operating on input submitted by users with normal privileges. A user with valid login credentials may be able to run commands or modify system files with elevated privileges.


Other Vulnerabilities in MAC

The following is a list of some vulnerabilities in MAC that can be exploited by an attacker to cause a denial of service:

• While decompressing malformed ZIP archives, an error exists in the "BOMStackPop()" function in BOMArchiveHelper

• While processing malformed BMP images, an error exists in the "ReadBMP()" function

• An error exists in the "CFAllocatorAllocate()" function when processing malformed GIF images

• Two errors exist in the "_cg_TIFFSetField()" and "PredictorVSetField()" functions when processing malformed TIFF images

Other Vulnerabilities in MAC

Malicious users can cause a denial of service using the vulnerabilities in MAC OS X listed below:

• While malformed ZIP archives are decompressed in BOMArchiveHelper, an error exists in the "BOMStackPop()" function

• While processing malformed BMP images, an error exists in the "ReadBMP()" function, which can be exploited via applications such as Safari or Preview

• While processing malformed GIF images, an error exists in the "CFAllocatorAllocate()" function, which can be exploited via Safari when a user visits a malicious website

• While processing malformed TIFF images, two errors exist in the "_cg_TIFFSetField()" and "PredictorVSetField()" functions, which can be exploited via the Finder, Preview, QuickTime, or Safari applications


How a Malformed Installer Package Can Crack Mac OS X

• An attacker can modify root-owned files or execute commands as root by creating a malicious package and setting the authorization level to AdminAuthorization in the package

• With this authorization, the attacker can modify root-owned files, execute commands as root, or install setuid-root programs without alerting the user

• The problem is that over 90% of Mac OS X users run as the administrator user because it is the default user created by the system

• The other problem is that a package created with the RootAuthorization key as a precaution can be modified afterwards to use AdminAuthorization, and can then be installed without the admin's password if the account is left logged in


How a Malformed Installer Package Can Crack Mac OS X (cont’d)

• When a user opens an installer package that requires administrative privileges to install, Installer will check that the user is an administrator of the computer

• Then the Installer program will run the entire install process as the root user, without prompting the user for the administrator account's password

• By using this method, an attacker can get a user to open a properly-formed installer package, and the user's system will be open to attack

How a Malformed Installer Package Can Crack Mac OS X

There is a key interface problem in the Apple Installer program: a package can request the AdminAuthorization key while running as the admin user. The admin user account gives full access to the root level, and the installer does not ask the user for any password during installation. The difference between the AdminAuthorization key and the RootAuthorization key is that, with AdminAuthorization, the admin user is not prompted for a password. The authorization level is set to AdminAuthorization in the malicious package created by the attacker. Root-owned files can be modified and commands can be executed as root, or the package can install setuid-root programs without the knowledge of the user. The problem is that most Mac OS X users run as the default administrator user created by the system. Another problem is that packages created with the RootAuthorization key, as a precaution, can be modified to AdminAuthorization, which can then be installed without the administrator password in case the account is left logged in.

Administrative privileges are necessary to install the installer package. Before installation, the Installer checks whether the current user is an admin of that system. If the user is an admin of the system, the installer package installs the complete program as the root user. It then runs the package's pre- and post-flight scripts on the system.


It does not require the user's administrator account password. Hence, an individual can open a properly formatted installer package and expose their own system to attack. A malicious user can create a new account on a logged-in system using the scripts in the package.

Demonstrated Damage

The demonstration installer package requires administrator access; its pre- and post-flight scripts echo their user ID to temporary files. The /etc/sudoers file is replaced with a version that requires no password. If the system is logged in as an administrator, the package is simply opened and run, and all scripted actions are performed as root.

Admin Creation Results

A user is added in the post-flight script using nicl and is then added to the wheel group:

$ nicl -read /groups/wheel users

users: root haxxor

Sudoers Results

Before running:

The sudoers file is compared with the package version

$ diff /etc/sudoers sudoers

After the run:

$ diff /etc/sudoers sudoers

$

Hence, the system should not be run as the admin user for daily activities. If it's run as an administrator,
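The demonstration above leaves two traces a defender can check for after any package install: a /etc/sudoers that no longer asks for a password, and an unexpected member of the wheel group. This added example (not from the module; the two sudoers samples are constructed, and the `users: root haxxor` line follows the nicl output shown above) scans sudoers text for non-comment NOPASSWD entries and counts wheel members other than root, the kind of check a post-install integrity script would run alongside the diff shown in the module.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sudoers samples: the expected baseline and a copy altered the way the demo describes. */
static const char SUDOERS_BASELINE[] =
    "# /etc/sudoers (constructed sample)\n"
    "root    ALL=(ALL) ALL\n"
    "%admin  ALL=(ALL) ALL\n";

static const char SUDOERS_TAMPERED[] =
    "# /etc/sudoers (constructed sample)\n"
    "root    ALL=(ALL) ALL\n"
    "%admin  ALL=(ALL) NOPASSWD: ALL\n"
    "haxxor  ALL=(ALL) NOPASSWD: ALL\n";

/* Bounded substring search, since a line inside the buffer is not NUL-terminated on its own. */
static bool line_contains(const char *line, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(line + i, needle, nl) == 0) return true;
    return false;
}

/* Count non-comment sudoers lines that grant NOPASSWD; 0 is the expected result on a clean system. */
int sudoers_nopasswd_lines(const char *text) {
    int count = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t i = 0;
        while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;    /* skip indentation */
        if (i < len && line[i] != '#' && line_contains(line + i, len - i, "NOPASSWD"))
            count++;
        line += len;
        if (*line == '\n') line++;
    }
    return count;
}

/* Parse a "users: root haxxor" line (the nicl output format shown in the module) and count members other than root. */
int wheel_unexpected_members(const char *nicl_line) {
    const char *p = strstr(nicl_line, "users:");
    if (!p) return -1;                                  /* not the line we expected */
    p += strlen("users:");
    int extra = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n') break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n') p++;
        size_t n = (size_t)(p - start);
        if (!(n == 4 && memcmp(start, "root", 4) == 0)) extra++;
    }
    return extra;
}

int main(void) {
    printf("baseline sudoers NOPASSWD lines: %d\n", sudoers_nopasswd_lines(SUDOERS_BASELINE));
    printf("tampered sudoers NOPASSWD lines: %d\n", sudoers_nopasswd_lines(SUDOERS_TAMPERED));
    printf("wheel members besides root:      %d\n", wheel_unexpected_members("users: root haxxor\n"));
    return 0;
}
```

On a real system the text would come from reading /etc/sudoers (as root) and from the output of `nicl -read /groups/wheel users`; a non-zero result from either function is the signal that the post-flight scripts described above have run.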


Worm and Viruses in MAC OS X

Posted: 26/12/2013, 20:57
