Hacking Leopard:Tools and Techniques for Attacking the Newest Mac OS XCharli

1. Hacking Leopard:
2. Tools and Techniques for Attacking the Newest Mac OS X
3. Charlie Miller
4. Jake Honoroff
5. Independent Security Evaluators
6. cmiller@securityevaluators.com
7. jake@securityevaluators.com
8. June 22, 2007
9. Abstract
10. This paper serves as an introduction to the
11. tools and techniques available on the Mac
12. OS X operating system for vulnerability
13. analysis. It is particularly targeted for those
14. security researchers already familiar with
15. tools for Windows and/or Linux. It also re-
16. veals tools that are only found on Mac OS X
17. and how they can be used to find security
18. flaws, especially those that can be used in
19. conjunction with fuzzing. Finally, it introduces
20. a few tools recently ported from Windows to
21. Mac OS X, pydbg and PaiMei.
22. Introduction
23. According to the Apple website, “Mac OS X
24. delivers the highest level of security through
25. the adoption of industry standards, open
26. software development and wise architectural
27. decisions.” Of course, the Month of Apple
28. Bugs and the flurry of activity after the re-
29. lease of Safari for Windows showed that
30. Macs are just as susceptible to vulnerabilities
31. as other operating systems. Arguably, two
32. factors keep the number of announced vul-
33. nerabilities on Mac OS X low: the lack of re-
34. searchers interested in exploring this operat-
35. ing system due to its low market share and
36. the steep learning curve for researchers who
37. are unfamiliar with the platform. The first of
38. these reasons is going away as Apple’s mar-
39. ket share continues to rise. This paper hopes
40. to address the second reason, that is, to pro-
41. vide researchers already familiar with Win-
42. dows and Linux the knowledge and tools
43. necessary to search for new security bugs in
44. this operating system. Specifically, this paper
45. will address the new forthcoming release of
46. “Leopard”, the newest version of Mac OS X.
47. Happily, there are plenty of bugs and some
48. Mac-only tools that help to find them.
49. Legal Disclaimer: Due to the fact Apple
50. pushed back the release of Leopard, and the
51. only releases of Leopard are available under
52. NDA, this paper will avoid using screenshots
53. or code directly from Leopard. Most of the
54. information is not specific to Leopard anyway,
55. besides the Dtrace examples, which are il-
56. lustrated using Solaris 10.
57. Why Hack Macs?
58. While the market share of Apple computers
59. running Mac OS X is still small, at roughly
60. 6.5% of all operating systems, it is growing.
61. The market share has gone up approximately
62. 35% in the last year. This increasing market
63. share is attracting more and more attention
64. by computer researchers.
65. The growing interest in vulnerability analysis
66. of Mac OS X can be seen in some recent de-
67. velopments.
68. The first major event occurred in January
69. 2007 with the "Month of Apple Bugs". Two
70. computer security researchers, LMH and
71. Kevin Finisterre, released a vulnerability a
72. day in Mac OS X or in applications that run in
73. Mac OS X. The types of bugs reported were
74. in a variety of programs and most appear ex-
75. ploitable. There were at least two exploitable
76. default client-side remote exploits. Addition-
77. ally, no less than five local exploits were an-
78. nounced that worked against default configu-
79. rations.
80. A few months later, in April, at CanSecWest,
81. the “Hack a Mac” contest took place. At-
82. tendees were encouraged to try to break into
83. a default, patched MacBook, and if they did,
84. they would win the computer. Eventually, a
85. $10,000 reward was added by TippingPoint’s
86. Zero Day Initiative Program. The attack was
87. successfully announced the next day.
88. Finally, in June, Apple released the Safari
89. web browser for Windows. Within hours, at
90. least 18 critical vulnerabilities were discov-
91. ered in this application by numerous re-
92. searchers including Aviv Raff, David Maynor,
93. and Thor Larhom.
94. So whether you’re interested in Apple’s in-
95. creasing market share, or you’d like to jump
96. on the bandwagon, or you’d just like to shut
97. up the local fanboy, this paper will get you
98. started with some of the basics of vulnerabil-
99. ity analysis for the newest Mac OS X operat-
100. ing system, Leopard.
101. Hacker Friendly Features
102. Apple's Mac OS X is touted as the most user
103. friendly operating system available. This is
104. also true for security researchers wishing to
105. test the security of the OS. Consider Safari,
106. the default web browser for Mac OS X. Sa-
107. fari will automatically launch the following ap-
108. plications when it finds corresponding files on
109. the Internet:
110. •Address Book
111. •Finder
112. •iChat
113. •Script Editor
114. •iTunes
115. •Dictionary
116. •Help Viewer
117. •iCal
118. •Keynote
119. •Mail
120. •iPhoto
121. •QuickTime Player
122. •Sherlock
123. •Terminal
124. •BOMArchiveHelper
125. •Preview
126. •DiskImageMounter
127. This list was obtained with the RCDefalutApp
128. application. Therefore, while these applica-
129. tions can not always be given much user
130. supplied data, a vulnerability in a program
131. such as iPhoto, Preview, or QuickTime Player
132. can be easily extended into a Safari exploit.
133. Additionally, by default, Safari will open files
134. associated with these programs (PDF's,
135. MP3's, WAV's, ZIP's, etc) without prompting
136. or warning the user. If that is not enough, by
137. default, Safari allows pop-ups, Java, and
138. Javascript, all by default.
139. Another nice thing about Mac OS X is that
140. some of the source code is available,
141. http://developer.apple.com/opensource/index.
142. html. This includes most of the standard
143. Unix open source tools, as well as Webkit,
144. the html parsing engine for Safari - more on
145. this later.
146. Another friendly feature of Mac OS X is that it
147. allows users to do some system configuration
148. that they normally wouldn't be allowed to do.
149. This includes over fifty setuid root programs
150. on a default install of Mac OS X. Most of
151. these you would have probably never heard
152. of, including:
153. • Locum
154. • NetCfgTool
155. • afpLoad
156. • TimeZoneSettingTool
157. • securityFixerTool
158. while others include familiar files with unfa-
159. miliar file permissions,
160. • netstat
161. • top
162. • ps
163. Most of the files in this last group have not
164. been setuid root on Linux systems in many
165. years.
166. Gotchas
167. While Macs have some great development
168. tools, they do lack some traditional tools used
169. in Linux analysis. There are usually equiva-
170. lent tools available, though, as we’ll see.
171. First, there are differences in naming conven-
172. tions. In Mac OS X, shared objects, a.k.a.
173. dynamic libraries, have the file extension
174. DYLIB. Device drivers, a.k.a. kernel mod-
175. ules, have the file extension KEXT. Finally,
176. the Mac OS X applications reside in /Applica-
177. tions, not /bin or /usr/bin. Furthermore, the
178. actual binary will have a pathname of some-
179. thing like
180. /Applications/Preview.app/Contents/MacOS/Previ
181. ew
182. Probably the first thing someone with a Linux
183. background will notice when they start to look
184. at binaries is there is no ldd command. The
185. Mac OS X equivalent command is otool, see
186. below.
187. $ otool -L /bin/ls
188. /bin/ls:
189. /usr/lib/libncurses.5.4.dylib (compatibil-
190. ity version 5.4.0, current version 5.4.0)
191. /usr/lib/libgcc_s.1.dylib (compatibility
192. version 1.0.0, current version 1.0.0)
193. /usr/lib/libSystem.B.dylib (compatibility
194. version 1.0.0, current version 88.1.5)
195. Likewise, there is no strace or ltrace. The
196. command to use is ktrace (or dtrace in Leop-
197. ard. More on that in a later section).
198. $ ktrace -tc w
199. ...
200. $ kdump
201. 4087 ktrace RET ktrace 0
202. 4 0 8 7 k t r a c e C A L L
203. execve(0xbffff3cc,0xbffff990,0xbffff998)
204. Until February 2007, IDA Pro did not support
205. Universal Binaries, the type of file used by
206. Mac OS X applications. This made disas-
207. sembly very difficult. Luckily, it works now!
208. Another point to remember is that Mac OS X
209. shellcode has a couple of restrictions. First,
210. you cannot call execve() until you call vfork().
211. Also, despite popular belief, it appears you
212. must call vfork() instead of fork().
213. One of the biggest bummers regarding Mac
214. OS X is that ptrace() is hopelessly broken.
215. For example, it doesn't support
216. PTRACE_PEEKUSR, PTRACE_GETREGS,
217. etc. This makes writing a ptrace-based de-
218. bugger impossible. Instead, use the Mach
219. API, the interface into the Darwin kernel.
220. This is how gdb and pydbg both work.
221. The way the heap is handled is different than
222. in Linux and Windows. This, of course, has a
223. large impact on heap overflows in this operat-
224. ing system. The Mac OS X heap is com-
225. posed of zones, which are variable size por-
226. tions of virtual memory, and blocks which are
227. allocated within these zones, see “ OS X
228. Heap Exploitation Techniques”. The docu-
229. ment is a must read. However, since 10.4.1,
230. the large zone is no longer located at an ad-
231. dress smaller than the tiny zone, which
232. makes the overall exploitation method dis-
233. cussed in that paper not work as advertised.
234. So unlike most OS’s, there is not a lot of
235. heap management pointers available on the
236. heap for overwriting. Instead, typically, you
237. need to overwrite application specific data.
238. One last caveat is that on Mac OS X,
239. LD_PRELOAD is replaced by DYLD_IN-
240. SERT_LIBRARIES. You’ll need this if you
241. want to use sharefuzz or perform something
242. similar to Electric Fence.
243. Fuzzing Tools
244. With ptrace() broken, what types of fuzzing
245. tools are available for Mac OS X?
246. While the applications and development tools
247. mentioned throughout this paper were readily
248. available in Mac, there wasn’t much in the
249. way of fuzzers. However, this paper intro-
250. duces two recent Windows tools, pydbg and
251. PaiMei, that are now available from the Pai-
252. Mei website.
253. pydbg is an open source tool that enables a
254. researcher to perform a number of useful ac-
255. tions, all from within the Python programing
256. language. For example, pydbg can be used
257. to monitor a program for exceptions or
258. crashes, to take memory snapshots of the
259. process, or as a general purpose debugger.
260. pydbg was written originally for Windows, but
261. this tool is now available for Mac OS X in a
262. beta release. Most pydbg features are sup-
263. ported. Using pydbg, it is relatively easy to
264. write fuzzing and fuzz monitoring tools.
265. Likewise, PaiMei is a reverse engineering
266. framework, until now only available for
267. Windows. It is built upon pydbg and al-
268. lows for process tracing and file fuzzing
269. while recording all data in a back end da-
270. tabase. Furthermore, it can output data
271. to graphing programs or to IDA Pro.
272. PaiMei is now available for Mac OS X in
273. a beta release from the PaiMei website.
274. Mac Specific Tools and
275. Techniques
276. Up to this point, we've discussed various dif-
277. ficulties for security researchers using Mac
278. OS X and how to get around these problems.
279. However, this is only half the story. There are
280. a number of features of Mac OS X that can
281. significantly help researchers discover vul-
282. nerabilities, especially when fuzzing. Most of
283. these are debugging facilities provided to
284. help debug end user problems, but security
285. researchers can use them as well.
286. Debugging Symbols
287. The first is the ability to use debugging sym-
288. bols from the Mac OS X frameworks. These
289. libraries contain extra asserts and produce
290. Figure 1: PAIMEIFile fuzz for Mac OS X in action
291. verbose output. This output will be on the
292. system console if launched through a stan-
293. dard way, i.e. double clicking on it. Alterna-
294. tively, it will appear in the terminal window if
295. launched from within a terminal window.
296. These additional assertions can be used to
297. help identify when problems in the application
298. arise as early as possible, something nice to
299. do when fuzzing, for example.
300. Core Dumps
301. Core dumps can be useful while fuzzing.
302. They can be enabled globally by editing the
303. /etc/launchd.conf file. Or, within a terminal,
304. they can be enabled by using the ulimit pro-
305. gram. Core files generated by the system
306. can be found in /cores.
307. Environment Variables
308. There are a number of interesting environ-
309. ment variables that can be used for memory
310. allocation.
311. Variable Description
312. Mal-
313. locScribble
314. If set, free() sets each
315. byte of released memory
316. to 0x55
317. MallocPre-
318. Scribble
319. If set, malloc() sets each
320. byte of newly allocated
321. memory to 0xAA
322. Mal-
323. locGuard-
324. Edges
325. If set, adds guard pages
326. before and after large
327. memory allocations.
328. Malloc-
329. CheckHeap
330. The number of alloca-
331. tions until malloc() begins
332. validating the heap.
333. Malloc-
334. Check-
335. HeapEach
336. The number of alloca-
337. tions between heap vali-
338. dations.
339. INIT_Proce
340. sses
341. If set, delay launch of ap-
342. plications by 15 seconds.
343. Setting these environment variables can be
344. extremely useful during fuzzing. The main
345. benefit they provide is quickly identifying in-
346. puts that have corrupted memory. A couple
347. of common problems when fuzzing is that the
348. heap may become corrupt, but unless the
349. application uses the corrupted memory, it will
350. not crash. This makes finding off-by-one er-
351. rors especially difficult. Another problem is a
352. program that crashes well after the memory
353. corruption occurs. This makes finding the
354. vulnerability time consuming and difficult.
355. These environment variables can help allevi-
356. ate these problems.
357. For example, you can have malloc() check
358. the heap integrity every so many allocations.
359. Additionally, using MallocScribble will help
360. detect double free situations when they arise.
361. Using MallocGuardEdges is similar to using
362. Electric Fence for Linux and will identify
363. buffer overflows when they occur. Using
364. these variables helps make fuzzing more ef-
365. ficient and effective.
366. Another tool, which is similar to the Mal-
367. locGuardEdges environment variable is the
368. Guarded Memory Allocator, libgmalloc. This
369. is analogous to Electric Fence and is started
370. in a similar fashion,
371. DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib
372. TextEdit
373. Command Line Tools
374. There are a number of tools available that
375. can be used to monitor applications, similar
376. to the suite of tools available from sysinter-
377. nals for Windows. Below are some of the
378. most useful,
379. fs_usage: Records file system access for a
380. given process. Similar to a non-GUI filemon.
381. sc_usage: Records system call information
382. for a given process.
383. vmmap: Dumps virtual memory for a process.
384. heap: Gives information about the heap of a
385. process
386. malloc_history: A tool that can either monitor
387. all memory allocation/deallocation or can log
388. memory allocated/deallocated at a specified
389. address.
390. lsof: The standard UNIX tool.
391. Using these tools, information can be gained
392. from a running process that can help identify
393. files being used as well as observing how
394. memory is being used.
395. CrashReporter
396. Much of the fuzzing literature discusses the
397. need to attach a debugger to the target appli-
398. cation in order to monitor when it crashes. In
399. fact, tools like SPIKE, PaiMei, and FileFuzz
400. all do exactly this for their various platforms.
401. Apple was kind enough to let us not worry
402. about such things, thanks to CrashReporter.
403. When an application crashes, CrashReporter
404. will record the crash in the system log
405. ( /var/log/system.log ) and put details of the
406. c r a s h i n t h e c r a s h l o g
407. ( /Library/Logs/CrashReporter/<ProgramName
408. >.crash.log ). This crash log includes the
409. application name, pid, exception information,
410. context information, and a backtrace. If it is a
411. GUI application, it presents you with a dialog
412. box like in Figure 2.
413. Crashreporter can be configured using
414. CrashReporterPrefs application to allow the
415. option to attach to the process with GDB after
416. it crashes, see Figure 3. Also, note that this
417. will run the commands from your .gdbinit file,
418. too.
419. Source Code
420. Having source code can make analysis eas-
421. ier when it is available. For example, appli-
422. cations can be rebuilt with debugging sym-
423. bols or instrumented to provide code cover-
424. age.
425. For Mac OS X, source code is available for
426. the kernel, any open source software in-
427. cluded, and WebKit, the HTML engine used
428. in various applications, including Safari, Mail,
429. and Dashboard.
430. For example, to build WebKit to report code
431. coverage information, simply add the -cover-
432. age flag,
433. Figure 3: Developer information incorpo-
434. rated into CrashReporter
435. Figure 4: CrashReporter with a debug
436. version of WebKit.
437. Figure 2: Standard CrashReporter dia-
438. logue
439. WebKit/WebKitTools/Scripts/build-webkit -cov-
440. erage
441. After fuzzing Safari or any other WebKit en-
442. abled application, code coverage can be
443. viewed using lcov, or a similar package, see
444. Figure 5.
445. Also, don’t symbols make the crash reported
446. earlier much nicer to read (see Figure 4)?
447. Let Robots Do the Work
448. Another great way to fuzz is using the
449. Automator application. This application al-
450. lows you to perform repetitive actions auto-
451. matically, exactly what we want for fuzzing!
452. There are many built-in actions that can be
453. used in order to piece together something
454. useful. Additionally, arbitrary Applescript can
455. be executed. Most Mac OS X applications
456. have embedded code that allows Applescript
457. to access almost any part of the application
458. for automation, i.e. menu selection, button
459. presses, etc.
460. For a simple example, we’ll build a Preview
461. fuzzer. Simply start automator, drag a few
462. actions into the workflow,
463. Figure 5: LCOV generated code coverage information for WebKit.
464. •Ask for Finder Items
465. •Open Images in Preview
466. •Move to Trash
467. After this, select File->Save As and choose
468. Application. Next, create a bunch of fuzzed
469. files that Preview will read. Finally, launch
470. the fuzzer you built, select the files, and let
471. the thing run!
472. Dtrace
473. One of the most exciting additions to be in-
474. troduced in Leopard is the inclusion of
475. Dtrace, originally for Solaris. Dtrace is a dy-
476. namic tracing mechanism built directly into
477. the kernel and many of the applications.
478. Dtrace uses the language D, a subset of the
479. common C programming language. Pro-
480. grams, or traces, can be written that can be
481. used to dynamically instrument any applica-
482. tion running on Mac OS X.
483. Dtrace works because the operating system
484. has a set of probes located throughout the
485. kernel. Dtrace can bind an action to each of
486. these probes. As each probe fires, the data
487. is returned to Dtrace for reporting. Best of
488. all, Dtrace is designed such that inactive
489. probes or probes that are not firing cause no
490. slowdown to the application or operating sys-
491. tem.
492. What can security researchers use Dtrace
493. for? One of the first things that a researcher
494. needs to known when assessing an applica-
495. tion for potential vulnerabilities is what code
496. is executed. The application may consist of a
497. binary and numerous libraries. Using Dtrace,
498. the researcher can quickly identify the com-
499. ponents that are affected by user controlled
500. input and can get code coverage or instruc-
501. tions traces with little difficulty. It is also pos-
502. sible to monitor applications access to file
503. system, network, or other resources.
504. A set of simple Dtrace programs is provided
505. in the Appendix. The first one emulates the
506. windows program Filemon by monitoring and
507. recording access to the open, close, read,
508. and write system calls. The next sample
509. program is analogous to the Sharefuzz envi-
510. ronment variable fuzzer. It simply returns
511. long strings when programs attempt to call
512. getenv(). Such a program is literally 3 lines
513. of D. Next, a sample program that behaves
514. like the ltrace library tracing program is pro-
515. vided. Additionally, a program that can do
516. instruction traces in a target program is
517. given. Such a program could be automati-
518. cally produced from an IDA Pro plugin. Fi-
519. nally, a Dtrace program is given that records
520. and prints code coverage in a target pro-
521. gram.
522. Leopard also comes with a new application
523. called Xray. This allows tools, including
524. Dtrace applications, to display their results in
525. real time using a timeline editor similar to Ga-
526. rageBand. This customizable application
527. could be configured to be a fuzzing control
528. panel!
529. Conclusions
530. As Mac OS X becomes more prevalent, it
531. also becomes a more obvious target for se-
532. curity researchers. However, for a re-
533. searcher coming from the Windows or Linux
534. world, there can be a steep learning curve to
535. Figure 6: The workflow for a simple Pre-
536. view fuzzer
537. find the equivalent tools that they are accus-
538. tomed to using. By using the tools outlined in
539. this paper, which include both Mac versions
540. of well-known tools and some Mac OS X ex-
541. clusive tools, security researchers can com-
542. fortably focus their efforts on this platform.
543. References
544. Mac OS X internals: A Systems Approach,
545. Amit Singh, Addison Wesley, 2006
546. Apple - Mac OS X - Leopard Sneak Peak:
547. http://www.apple.com/macosx/leopard/
548. Mac OS X Debugging Magic:
549. http://developer.apple.com/technotes/tn2004/
550. tn2124.html
551. CrashReporter:
552. http://developer.apple.com/technotes/tn2004/
553. tn2123.html
554. AppleScript:
555. http://www.apple.com/macosx/features/apple
556. script/
557. Automator:
558. http://www.apple.com/macosx/features/autom
559. ator/
560. PaiMei:
561. http://pedram.redhive.com/PaiMei/docs/
562. Abusing Mach on Mac OS X:
563. http://www.uninformed.org/?v=4\&a=3\&t=pdf
564. DTrace to be included in Next Mac OS X:
565. http://sun.systemnews.com/articles/102/2/ne
566. ws/16842
567. DTrace User Guide
568. http://docs.sun.com/app/docs/doc/819-5488
569. MacPython OSA Modules:
570. http://www.python.org/doc/2.3.5/mac/scripting
571. .html
572. Fuzzing Software Tools // iDefense Labs:
573. http://labs.idefense.com/software/fuzzing.php
574. \#more\_spikefile
575. Kernel Programming Guide: Mach API Ref-
576. erence:
577. http://developer.apple.com/documentation/Da
578. rwin/Conceptual/
579. OS X Heap Exploitation Techniques
580. http://felinemenace.org/papers/p63-0x05_OS
581. X_Heap_Exploitation_Technqiues.txt
582. Hack a Mac, get $10,000
583. http://news.com.com/8301-10784_3-9710845
584. -7.html
585. Safari for Windows: Released and hacked in
586. a day
587. http://www.infoworld.com/article/07/06/11/Saf
588. ari-for-Windows-released-and-hacked-in-a-da
589. y_1.html
590. Trends in Mac Market Share
591. http://arstechnica.com/journals/apple.ars/200
592. 7/04/05/trends-in-mac-market-share
593. With Windows port, a bug-hunting Safari for
594. Apple
595. http://www.infoworld.com/article/07/06/12/Wit
596. h-Windows-port-a-bug-hunting-Safari-for-App
597. le_1.html
598. Mac OS X PPC Shellcode Tricks
599. http://uninformed.org/?v=1&a=1&t=pdf
600. Figure 7: Advertisement for X-ray.
601. Appendix
602. Filemon in dtrace
603. /*
604. * dtrace -qs filemon.d <PID>
605. */
606. syscall::open:entry,
607. syscall::open64:entry
608. /pid == $1 /
609. {
610. printf("%s(%s)", probefunc, copyinstr(arg1));
611. }
612. syscall::open64:return,
613. syscall::open:return
614. /pid == $1 /
615. {
616. printf("\t\t = %d\n", arg1);
617. }
618. syscall::read:entry,
619. syscall::write:entry
620. /pid == $1/
621. {
622. printf("%s(%d, %s, %4d)", probefunc, arg0, stringof(copy-
623. in(arg1,arg2)), arg2);
624. }
625. syscall::read:return,
626. syscall::write:return
627. /pid == $1/
628. {
629. printf("\t\t = %d\n", arg1);
630. }
631. syscall::close:entry
632. /pid == $1/
633. {
634. printf("%s(%d)\n", probefunc, arg0);
635. }
636. sharefuzz in dtrace
637. /*
638. * dtrace -wp `pgrep test` -s sharefuzz.d
639. */
640. pid$target::getenv:return
641. /execname == "test"/
642. {
643. copyoutstr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
644. , arg1, 128);
645. }
646. ltrace in Dtrace
647. /*
648. * dtrace -qp `pgrep test` -s ltrace.d
649. */
650. pid$target:::entry
651. /execname == "test"/
652. {
653. printf("%s", probefunc);
654. }
655. pid$target:::return
656. /execname == "test"/
657. {
658. printf("\t\t=%d\n", arg1);
659. }
660. Instruction tracer in Dtrace
661. /*
662. * dtrace -qp `pgrep test` -s trace.d
663. */
664. pid$target:a.out:foo:*
665. /execname == "test2"/
666. {
667. printf("08%x\n", uregs[R_EIP]);
668. }
669. Code coverage using Dtrace
670. /*
671. * dtrace -qp `pgrep test` -s code_coverage.d
672. */
673. pid$target:a.out:foo:*
674. /execname == "test2"/
675. {
676. @code_coverage[uregs[R_EIP]] = count();
677. }