ARDAgent Exploit, MacOS X Malware, and Snow Leopard, Oh My!

As also reported by Intego and Matasano, a new local privilege escalation vulnerability has been found that gives local root access on MacOS X Tiger and Leopard.  While Intego calls this a critical vulnerability, I’m mostly with Ptacek on this one: it is not nearly that serious.  For one, it only works when it is run as the user who is logged in at the console.  That means no MacOS X servers are affected, although it does allow a web exploit or trojan horse already running as that user to gain root without the user’s knowledge or permission.  And while root access is pretty serious, malware does not need it in order to do bad things to your system (install itself to run automatically, backdoor Safari, etc.).  So I will dub this a serious, but not critical, vulnerability.

Perhaps the most interesting fact about this vulnerability is where it came from: a thread (from Google cache, because the forums seem to be down now) on the forums at Mac Shadows, a Mac underground web site.  The thread was discussing how to build AppleScript-based trojans until “callmenames” discovered the vulnerability, at which point the discussion moved to the vulnerability and the ensuing news and attention.  At the time of writing, the forums on the site have been taken offline.

The big question on everyone’s mind is when malware will begin to seriously affect MacOS X and what will happen when it does.  As for when, I am betting that it completely depends on market share, as per Adam O’Donnell’s game theoretic analysis.  As for how bad, that will all depend on Snow Leopard: when it will ship, how it will improve MacOS X security, and how many users will install it.

Snow Leopard will hopefully raise the bar for MacOS X as much as Vista did for Windows.  Of course it won’t stop all attacks, but it should put reliable exploitation of the vulnerabilities that remain beyond the reach of most attackers.  I’d personally like to see the following improvements:

  • Real address space layout randomization.  Library randomization with dyld loaded at a fixed location just doesn’t cut it: one non-randomized image full of useful code is all an exploit needs.
  • Full use of hardware-enforced Non-eXecutable memory (NX).  Currently, only the stack segments are enforced to be non-executable.  Welcome to the new millennium, where buffer overflows aren’t only on the stack.
  • Default 64-bit native execution for any security-sensitive process.  I don’t particularly care that it may waste 5% more memory and a little bit of speed; I want Safari, and just about everything else with security exposure, to run as a 64-bit process.  Simply because function arguments are passed in registers rather than on the stack, a return-into-libc exploit can no longer supply a function’s arguments by laying them out on the stack, which makes working around ASLR and NX damn near impossible for many exploits.
  • Sandbox policies for Safari and third-party applications.  Code execution bugs aren’t the only kind of vulnerability, and good sandbox policies for security-exposed applications help contain the exploitation of code execution and other vulnerabilities in them.  I love the Scheme-based policies, by the way.
  • Mandatory code signing for any kernel extensions.  I don’t want to have to worry about kernel rootkits, hyperjacking, or malware infecting existing kernel drivers on disk.  Most kernel extensions are from Apple anyway, and the few common 3rd party ones should be required to get a code signing certificate.
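
The NX point above is easy to check for yourself rather than take on faith.  The following probe is an added example, not code from the original post or from Apple: it copies a one-instruction “return” stub into a region of memory, forks, and tries to call it from the child.  If the child exits normally the region is executable; if it dies with SIGSEGV or SIGBUS the hardware NX bit stopped it.  It assumes a POSIX system on x86, x86-64 or AArch64 (the instruction encodings are hard-coded for those) and probes the stack, the malloc heap, and, as a control, a mapping explicitly requested read-write-execute.

```c
/* Added example: probe whether a memory region is executable by trying to run
 * a one-instruction stub from it in a forked child.  Not code from the original
 * post; assumes a POSIX system on x86, x86-64 or AArch64. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* A function body consisting of a single "return" instruction. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_stub[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_stub[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#else
#error "no ret stub encoded for this architecture"
#endif

/* Returns 1 if code placed in the region runs, 0 if the CPU faults on it (NX),
 * and -1 if the probe itself could not be carried out. */
static int region_is_executable(void *region)
{
    memcpy(region, ret_stub, sizeof ret_stub);
    __builtin___clear_cache((char *)region, (char *)region + sizeof ret_stub);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        void (*fn)(void);
        memcpy(&fn, &region, sizeof fn);   /* data pointer -> code pointer */
        fn();                              /* faults right here if the page is NX */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    if (WIFSIGNALED(status) &&
        (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS))
        return 0;
    return -1;
}

int stack_is_executable(void)
{
    unsigned char buf[64];                 /* lives in this frame */
    return region_is_executable(buf);
}

int heap_is_executable(void)
{
    unsigned char *buf = malloc(64);
    if (!buf)
        return -1;
    int r = region_is_executable(buf);
    free(buf);
    return r;
}

/* Control case: a mapping we asked to be RWX must run the stub, unless the
 * kernel's policy refuses to hand out writable+executable memory at all (-1). */
int rwx_mapping_is_executable(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int r = region_is_executable(p);
    munmap(p, 4096);
    return r;
}

int main(void)
{
    printf("stack executable: %d\n", stack_is_executable());
    printf("heap  executable: %d\n", heap_is_executable());
    printf("rwx   executable: %d\n", rwx_mapping_is_executable());
    return 0;
}
```

On a system that enforces NX on data pages, the first two lines print 0 and the control prints 1; a 1 for the heap (or for the stack in a 32-bit process) is exactly the gap the bullet above complains about.  The fork is what makes the probe safe to run from a test harness: the fault is taken by a throwaway child, not by the process doing the measuring.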

I’m hoping that Snow Leopard ships before we see too much Mac malware, fixes all of the above, and that it is a free upgrade.  Yes, I know that’s unlikely, but users will not pay money for security features.  When users don’t upgrade and are subjected to malware, Apple may still get a bad rap for it.

Pwnie Awards Nominations Open

It’s about that time of year: the days when a young man’s thoughts drift from work and toil to lighter things. Like pwnies. No, not the Lisa Simpson kind of pony, but the 2nd Annual Pwnie Awards at BlackHat USA.

The pwnie awards are an annual awards ceremony to celebrate the successes and failures of the security research and larger security community. Check out the site for more info and send in your nominations. Please submit nominations for vulnerabilities or research disclosed between June 1, 2007 and May 31, 2008 and the nominations will be announced on July 14th.

And make sure to come to the ceremony to enjoy the stand-up comedy, musical performances, and exquisitely handmade gold-painted My Little Pony dolls (with little imperfections so that you know they were made by a real-live Pwnie Judge).

REcon 2008 Review

This last weekend, I made it out to my first REcon and had a blast.  Hugo, the Daves, and the rest of the organizers deserve a lot of credit for putting on an excellent conference.  It is one of the most hardcore technical conferences I have been to: just about every talk had assembly code in its slides and the audience grokked it immediately.  Best of all, there was no commercial presence, so it felt more like an academic conference than one where the presentations are just there to get you to show up and walk past the vendor booths.

Pedram wrote up some great day by day recaps of the conference, but I’m going to review some of my personal highlights.

Day One

Methods for analyzing malicious Office documents – Bruce Dang

Bruce works in Microsoft’s Secure Windows Initiative and spends a lot of time analyzing targeted malicious office documents, often ones exploiting Office 0day. How cool is that? He has noticed a familiar pattern of documents with payloads that run their trojan, extract a “clean” document from the original file, and then reopen the “clean” document in Office. Nasty stuff. Moral of the story: Use Office 2003 SP3, MOICE, and/or Office 2007 if you deal with a lot of office documents from external sources.

Ilfak Guilfanov – Building plugins for IDA Pro

Um, he’s Ilfak and to (badly) paraphrase Dave Ahmad’s introduction: Everyone loves Ilfak. Everyone, whether they are finding vulnerabilities, writing exploits, analyzing exploits, analyzing malware, or writing malware uses IDA. He talked about the architecture of IDA and how to write plugins for it. He could have just stood there for an hour and everyone still would have been happy.

Under the iHood, Cameron Hotchkies

Cameron gave a good overview of the internals of MacOS X and how a reverser might try to understand this space-alien technology: Bundles, Mach-O, Objective-C and how to rebuild Objective-C classes and method calls from compiled binaries. He also was so kind as to plug Charlie Miller’s and my upcoming book.

Day Two

Unfortunately, I missed a few of the earlier talks on Day 2 and my memory was a bit fuzzy on the other ones. I blame Pedram for all of the bottles that he bought at the club the night before.

Hacking Culture, Dr. Michael Strangelove

Michael has some interesting ideas about media ecology and the Internet, and I especially love his phrase, “democratizing the cultural means of production.” He also gave a very interesting performance at the REcon party on Friday night. One thing though: Michael, you aren’t supposed to edit your own Wikipedia page.

Alexander Sotirov – Blackbox Reversing Of XSS Filters

Alex started off by scaring everyone in the room in the first minute of his presentation by confirming everyone’s unspoken fears: everything is moving to the web. He consoled the frightened conference-goers, however, by reminding everyone that there can be interesting reverse engineering challenges on the web and you won’t have to take a turpentine shower after dealing with Cross-Site Scripting vulnerabilities. In a nutshell, Alex crafted input to Facebook to reverse engineer their anti-XSS filters and build a local model of them to simulate attacks against. He then used this model to find real live Facebook XSS bugs and forcibly shut down the Zombie army application. Oh wait, I just wished that he’d do that last bit.

Day Three

Yes, on Sunday I only made it to one talk. However, you’d be amazed at how good poutine tastes at like 5am. Or just how bad it’ll make you feel at 6am.

Tiller Beauchamp – RE:Trace – Applied Reverse Engineering on OS X

DTrace is freaking cool. Solaris has it, FreeBSD has it, and MacOS X has it. Linux should be feeling totally left out right about now, and for missing out on the gravy train of cool that is ZFS as well. Oh yeah, back to Tiller’s talk. Tiller showed off a lot of cool Ruby debugging and reversing tools for MacOS X, so I was bound to like his talk. Check out his slides once they go up on the REcon site for DTrace tricks to detect stack and heap smashes, among other nifty techniques.


REcon is back and in Montreal this year, so I’m going to be flying up there for the weekend to check it out.  I’ve heard great things about this con and am looking forward to some interesting talks:

  • Ilfak Guilfanov – Building plugins for IDA Pro
  • Tiller Beauchamp – RE:Trace – Applied Reverse Engineering on OS X
  • Cameron Hotchkies – Under the iHood
  • Gera – Two very small reverse engineering tools: a python disassembling engine and an iterative reverse engineering framework
  • Alexander Sotirov – Blackbox Reversing Of XSS Filters

Wait, Alex Sotirov the ANI/HeapFengShui ninja does XSS?!?  This should be interesting…

Dead Bugs Society: Introduction and AnswerBook2

Looking back, I have been finding and exploiting security vulnerabilities for almost a decade at this point and have always loved remote code injection exploits the most.  Notice that I didn’t call them “buffer overflows,” because I think that is too specific.  The rest of the industry has started calling them “remote code execution,” which is much better, but I still prefer my terminology from back when I was playing hacker-turned-academic.

I refer to these vulnerabilities as memory trespass vulnerabilities, since that is a more general term that accurately describes buffer overflow, format string injection, out-of-bounds array access, double-free, and uninitialized variable vulnerabilities: in every case the attacker gets to write to memory outside of the semantics of the programming language runtime.  While these vulnerabilities can be exploited in a number of ways, the most popular technique is a code injection exploit, where a standalone machine code fragment, the exploit payload, is executed by the target process via an injection vector.  Popular injection vectors include overwriting stack return addresses, exception handlers, and other code pointers.  I consider techniques that do not inject payloads but merely reuse code that already exists in the address space (e.g. returning into system() to run a chosen command) a different way to exploit memory trespass vulnerabilities.  Those are far less common anyway.
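
To make the terminology concrete, here is an added example, not the AnswerBook2 exploit and not code from the original post: the smallest memory trespass that still exhibits the “overwrite a code pointer” injection vector.  A record holds a fixed-size name field followed by a completion callback; an unchecked copy into the name runs off its end and lands on the callback.  The hijacked pointer is aimed at a function that already exists in the process rather than at an injected payload, which is the code-reuse variant mentioned above and the reason this works even with NX enforced.  The struct, the field names and the handler functions are invented for the example; the only layout assumption is that the pointer sits directly after the 16-byte array, which `offsetof` takes care of on both 32- and 64-bit targets.

```c
/* Added example, not code from the original post: a memory trespass
 * (unchecked copy past a fixed-size field) and the code-pointer-overwrite
 * injection vector it enables, beside the bounds-checked fix.  Names invented. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A record with a fixed-size field immediately followed by a code pointer. */
struct session {
    char name[16];
    void (*on_done)(void);
};

static int done_ran;      /* set by the legitimate completion handler */
static int target_ran;    /* set by the function the attacker redirects to */

static void legit_done(void)      { done_ran = 1; }
static void attacker_target(void) { target_ran = 1; }

/* Vulnerable: copies len bytes with no regard for sizeof name.  A plain loop
 * rather than strcpy/memcpy, so a fortified libc does not mask the bug;
 * noinline so the caller cannot assume on_done was left alone. */
__attribute__((noinline))
static void set_name_unchecked(struct session *s, const unsigned char *src, size_t len)
{
    char *dst = s->name;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)src[i];          /* bytes 16.. trespass into on_done */
}

/* Fixed: the copy is bounded by the field and over-long input is rejected. */
static int set_name_checked(struct session *s, const unsigned char *src, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Hostile input: fill the name field, then append the bytes of the address
 * we want on_done to become.  Returns the input length, 0 if out is too small. */
static size_t build_attack_input(unsigned char *out, size_t cap, void (*target)(void))
{
    size_t n = offsetof(struct session, on_done) + sizeof target;
    if (n > cap)
        return 0;
    memset(out, 'A', offsetof(struct session, on_done));
    memcpy(out + offsetof(struct session, on_done), &target, sizeof target);
    return n;
}

/* 1 if control flow was hijacked: attacker_target ran in place of legit_done. */
int run_unchecked(void)
{
    unsigned char input[64];
    size_t n = build_attack_input(input, sizeof input, attacker_target);
    struct session *s = calloc(1, sizeof *s);
    if (!s || n == 0)
        return -1;
    done_ran = target_ran = 0;
    s->on_done = legit_done;
    set_name_unchecked(s, input, n);    /* overwrites on_done */
    s->on_done();                       /* the attacker's choice of code runs */
    free(s);
    return target_ran && !done_ran;
}

/* 1 if the hardened version rejected the input and the handler stayed intact. */
int run_checked(void)
{
    unsigned char input[64];
    size_t n = build_attack_input(input, sizeof input, attacker_target);
    struct session *s = calloc(1, sizeof *s);
    if (!s || n == 0)
        return -1;
    done_ran = target_ran = 0;
    s->on_done = legit_done;
    int rc = set_name_checked(s, input, n);
    s->on_done();
    free(s);
    return rc == -1 && done_ran && !target_ran;
}

int main(void)
{
    printf("unchecked copy hijacked control flow: %s\n", run_unchecked() ? "yes" : "no");
    printf("checked copy rejected the input:      %s\n", run_checked() ? "yes" : "no");
    return 0;
}
```

The same shape, a write that the language gives you no right to make followed by the process trusting a pointer that write reached, is what every vector in the list above reduces to; a stack return address or an exception handler record is just a code pointer that happens to live somewhere other than in your own struct.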

So what does this have to do with anything and what is the “Dead Bugs Society?”  This will be an until-I-get-bored-with-it blog feature where I dredge up some old exploit, publish it, and wax poetic about it.  Most of these will be of the code injection variety, so I wanted to introduce my terms.  To be clear, these are all old long-ago patched vulnerabilities.  I will also only publish an exploit or detailed information for a vulnerability that has been fixed for at least a year.  These are for educational purposes only, unless you have a time machine in which case you better share because I’d like to go rock 1994 with my 2008 skills also.

For the debut of this series, I’m publishing the first remote zero-day code execution exploit that I wrote: a remote format string/stack overflow exploit against the AnswerBook2 web server that was enabled by default in Solaris 2.6 – 8 on TCP port 8888.  I reported these vulnerabilities to Sun immediately, but they took their sweet time in fixing them and I finally published the advisory 2 years later.  I tend to comment heavily, so it should be pretty self-explanatory.  Enjoy the antique warez!

Thoughts on the Flash Malware Attack

It has almost been a week since the Adobe Flash zero-day attack false alarm.  Since then, a number of people have called Symantec out as being irresponsible for crying wolf and announcing that they had raised the ThreatCon without fully researching the vulnerability (Full disclosure: based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system; I was more interested in reversing the malware payload at the time).  We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.

Google Analytics has a nifty feature where it will give you information on your visitors’ browser capabilities, including the version of Flash installed down to the revision level¹. I was looking through the analytics for my other, more neglected web site and noticed that less than a third of my highly technical visitors had a current version of Flash. An anonymous robot contributed statistics for a larger site that had significantly more visitors² and the statistics confirmed the low percentage of up-to-date Flash players.

Date % up-to-date
5/26 15.28
5/27 15.93
5/28 16.50
5/29 17.51

Remember, this is still 7 weeks after the update was released. This brings me to my main points:

  • Flash 9 has 97.2% penetration in mature markets
  • After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability
  • At CanSecWest’s PWN2OWN 2008, Shane Macaulay and Alexander Sotirov proved that with proper Feng Shui and a Java applet, a flash vulnerability is still very much exploitable even on Vista SP1 with ASLR, Hardware-enforced DEP, etc.
  • TippingPoint’s Zero Day Initiative has 7 upcoming advisories for high-risk vulnerabilities in Adobe products.  I doubt any of them are in Photoshop.
How does the average user know that they should update Flash, and how to do so?  By reading the trade press?  Microsoft learned that you have to harass the user into patching their operating system, and even then it should be as automatic as possible.  As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to learn so painfully.

1. Actually, you only get revision numbers if the user’s browser is Firefox. I believe it is safe to assume that the average Firefox user is more Internet security savvy than the average Internet Explorer user, so we may consider these numbers an upper bound.

2. Data is based on several hundred thousand unique visitors.

“Virtual Worlds, Real Exploits” Presentation Posted

Charlie Miller and I presented our research into exploiting SecondLife at ShmooCon 2008, and they have just posted our materials online.  Check out the video to see Charlie and me running our Linden-stealing QuickTime exploit in SecondLife, live and on stage.  For more information, check out the slides or more details at Independent Security Evaluators.  This year was my first ShmooCon and I really had a blast, so props to the Shmoo crew for putting on a fun con.

UPDATE @ 20080605: An authoritative reader corrected me on the slides that, “ was a heap overflow parsing the Reason-Phrase.  I think the vulnerability was actually CVE-2007-6166 which was a stack buffer overflow in the parsing of the Content-Type and which had a PoC by h07.”

Very true, we got the links wrong, the exploit was for the Content-Type stack overflow.

