Recently, a new OS X privilege-escalation vulnerability named 'rootpipe' was disclosed. Apple attempted to patch it in OS X 10.10.3 by adding access checks gated on a new private entitlement, com.apple.private.admin.writeconfig (see @osxreverser's excellent writeup for details). In theory this seemed a reasonable fix.
However, on my flight back from presenting at Infiltrate (amazing conference btw), I found a novel, yet trivial way for any local user to re-abuse rootpipe, even on a fully patched OS X 10.10.3 system. In the spirit of responsible disclosure, I won't (at this time) be providing the technical details of the attack, other than to Apple. However, I felt that in the meantime OS X users should be aware of the risk.
Phoenix (rootpipe reborn) demo on OS X 10.10.3
Objective-See's first tool, 'Dylib Hijack Scanner' (DHS), has been released! It attempts to counter a new class of OS X attacks, dubbed 'dylib hijacking.' For details on this novel attack, check out my slides or paper.
By abusing weak or run-path-dependent (@rpath) imports, found in countless Apple and third-party applications, this attack class opens up a myriad of attack scenarios for both local and remote attackers. From stealthy local persistence to a Gatekeeper bypass that provides avenues for remote infection, dylib hijacking is likely to become a powerful weapon in the arsenal of OS X attackers. Apple appears apathetic toward this novel attack, so download DHS to ensure you haven't been hijacked.
I've tried my best to ensure this tool is both accurate and stable, but please email me with any issues you encounter.
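The two import kinds the previous paragraph names are both visible in a binary's Mach-O load commands, so the core of a hijack scan is a load-command walk plus a dyld-style search-order check. The script below is an added example written for this post, not Objective-See's DHS source: it parses a little-endian 64-bit Mach-O, lists LC_LOAD_WEAK_DYLIB imports that resolve to nothing and @rpath imports that are only found via a later LC_RPATH entry, and reports the directories an attacker could plant a dylib in. The victim app path, the library names (Helper.framework, libOptional.dylib) and the filesystem contents are constructed for the demo; the Mach-O constants are the standard ones from <mach-o/loader.h>.

```python
"""Find the imports that make a Mach-O binary a dylib-hijacking target.

Added example, not Objective-See's DHS code.  Handles one little-endian
64-bit Mach-O (fat/universal files are not split) and reports
  * LC_LOAD_WEAK_DYLIB imports that resolve nowhere (dyld just continues), and
  * @rpath imports found only via a later LC_RPATH, so an earlier, empty
    search directory can be seeded with an attacker's dylib.
"""
import os
import posixpath
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
HEADER_LEN = 32  # sizeof(struct mach_header_64)


def _lc_str(blob, base, off, size):
    """Read the NUL-terminated lc_str stored at blob[base+off] inside one command."""
    return blob[base + off:base + size].split(b"\x00", 1)[0].decode()


def parse_macho(blob):
    """Return {'imports': [(path, is_weak), ...], 'rpaths': [...]} in load order."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("expected a little-endian 64-bit Mach-O")
    imports, rpaths, off = [], [], HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > HEADER_LEN + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # struct dylib_command: cmd, cmdsize, struct dylib { lc_str name; ... }
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            imports.append((_lc_str(blob, off, name_off, cmdsize), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from("<I", blob, off + 8)[0]
            rpaths.append(_lc_str(blob, off, path_off, cmdsize))
        off += cmdsize
    return {"imports": imports, "rpaths": rpaths}


def _expand(path, exe_dir):
    """Expand @executable_path/@loader_path (loader taken as the main executable)."""
    for token in ("@executable_path", "@loader_path"):
        path = path.replace(token, exe_dir)
    return posixpath.normpath(path)


def find_hijacks(info, exe_dir, exists=os.path.exists):
    """Return [(import_path, kind, plant_locations)].

    `exists` is a path -> bool predicate so the same logic runs against the real
    filesystem or a constructed one.  kind is 'weak-missing' or 'rpath-hijack'.
    """
    search = [_expand(r, exe_dir) for r in info["rpaths"]]
    findings = []
    for path, weak in info["imports"]:
        if path.startswith("@rpath/"):
            candidates = [posixpath.join(d, path[len("@rpath/"):]) for d in search]
        else:
            candidates = [_expand(path, exe_dir)]
        hit = next((i for i, c in enumerate(candidates) if exists(c)), None)
        if hit is None:
            if weak:  # a missing non-weak import just crashes the app, not a hijack
                findings.append((path, "weak-missing", candidates))
        elif hit > 0:
            findings.append((path, "rpath-hijack", candidates[:hit]))
    return findings


# --- constructed sample: a bare Mach-O header carrying only the relevant commands ---
def _cmd(header, s):
    """Append an lc_str, pad to 8 bytes, and patch cmdsize (bytes 4..8 of header)."""
    raw = header + s.encode() + b"\x00"
    raw += b"\x00" * (-len(raw) % 8)
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]


def _dylib(cmd, name):
    return _cmd(struct.pack("<IIIIII", cmd, 0, 24, 2, 0x10000, 0x10000), name)


def build_sample():
    """Hypothetical victim app: one @rpath import and one weak import (names invented)."""
    cmds = b"".join([
        _cmd(struct.pack("<III", LC_RPATH, 0, 12), "@executable_path/../Frameworks"),
        _cmd(struct.pack("<III", LC_RPATH, 0, 12), "/Library/Frameworks"),
        _dylib(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        _dylib(LC_LOAD_DYLIB, "@rpath/Helper.framework/Versions/A/Helper"),
        _dylib(LC_LOAD_WEAK_DYLIB, "/usr/lib/libOptional.dylib"),
    ])
    # cputype x86_64, filetype MH_EXECUTE, ncmds 5
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0) + cmds


SAMPLE_EXE_DIR = "/Applications/Victim.app/Contents/MacOS"
SAMPLE_FS = {  # constructed: only the system-wide framework copy exists, not the bundled one
    "/usr/lib/libSystem.B.dylib",
    "/Library/Frameworks/Helper.framework/Versions/A/Helper",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real (thin, 64-bit) binary against the real filesystem
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        results = find_hijacks(parse_macho(blob), os.path.dirname(os.path.abspath(sys.argv[1])))
    else:
        results = find_hijacks(parse_macho(build_sample()), SAMPLE_EXE_DIR, SAMPLE_FS.__contains__)
    for path, kind, where in results:
        print("%-13s %s\n    plant at: %s" % (kind, path, ", ".join(where)))
```

Run without arguments to see the constructed case: the @rpath import resolves only under /Library/Frameworks, so the app's own (empty) Contents/Frameworks directory is the plant location, and the weak import is flagged as missing. Pass a path to a thin 64-bit executable to run the same two checks against the real filesystem; universal binaries would first need to be thinned with lipo.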