Presentation Title: Mac OS Xploitation
Mac OS X has so far enjoyed a comparatively safe and malware-free existence on today’s hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac’s vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitability of memory corruption vulnerabilities on Mac OS X, applying currently known techniques to a new platform and introducing some new techniques as well.
Mac OS X Leopard includes a number of runtime protection features intended to hamper exploitation of memory corruption vulnerabilities. These features include the Execute Disable (XD) bit on Intel processors, Library Randomization, and Sandboxing. While some of these features are familiar and can be seen on other systems, some of them are unique to Mac OS X. This presentation will discuss the design, implementation, limitations, and evasions of these defenses.
Unlike other modern systems, the Mac OS X Scalable Zone (szone) heap allocator does not protect against heap metadata overwrite exploits. This presentation will also describe the design and implementation of the szone allocator and demonstrate how it may be exploited with basic heap metadata overwrites. Finally, this presentation will discuss exploit payload construction techniques for Mac OS X, including the necessity of vfork() in threaded applications, resolving symbols in loaded libraries, and pure memory library injection into the vulnerable (or any other) process using Mach system calls and dyld function calls.
Dino Dai Zovi is an information security professional, researcher, and author. Mr. Dai Zovi has been working in information security for over 8 years, with experience in red teaming and penetration testing at Sandia National Laboratories, @stake, Bloomberg, and Matasano. He currently manages information security for a technology-based finance firm in New York City. As an independent researcher, he is a regular speaker at industry, academic, and hacker security conferences, including presentations of his research on hardware-virtualization-assisted rootkits using Intel VT-x, the KARMA wireless client security assessment toolkit, and offensive security techniques and tools at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technologies, and DEFCON. He is perhaps best known in the security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007.