Hack Apple h9!10!2011 Teasers


  • 8/4/2019 Hack Apple h9!10!2011 Teasers


    10/2011 (46)

    team

    Editor in Chief: Ewa Dudzic ewa.dudzic@hakin9.org

    Managing Editor: Patrycja Przybyłowicz [email protected]

    Editorial Advisory Board: Rebecca Wynn, Matt Jonkman, Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans, Aby Rao

    DTP: Ireneusz Pogroszewski
    Art Director: Ireneusz Pogroszewski [email protected]

    Marketing Manager: Małgorzata Bocian m.bocian@hakin9.org

    Proofreaders: Donald Iverson, Michael Munt, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson

    Top Betatesters: Ivan Burke, John Webb, Nick Baronian, Felipe Martins, Alexandre Lacan, Rodrigo Rubira Branco

    Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

    Senior Consultant/Publisher: Paweł Marciniak

    CEO: Ewa [email protected]

    Production Director: Andrzej [email protected]

    Publisher: Software Press Sp. z o.o. SK
    02-682 Warszawa, ul. Bokserska 1
    Phone: 1 917 338 3631
    www.hakin9.org/en

    Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

    All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

    Mathematical formulas created by Design Science MathType

    DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

    Dear Readers,

    We decided to dedicate this issue to Apple security. For a very long time Apple was considered to be safer than any other computer and iOS more virus proof than the rest of the popular systems. This opinion drastically changed in the last few years. Many films about hacking Apple devices were published on YouTube and a lot of holes have been discovered by a wide range of specialists. We can't also forget that the jailbreak law status is still unclear in some parts of the world. With the greater popularity and extending the offer, Apple became a more attractive target to hackers and now has to deal with it, as well as its users and clients.

    The introducing article, Hacking Tools on iOS by Alexandre Lacan, doesn't refer to security but rather on the contrary. In this text you will find out which of the popular hacker tools can be installed on iOS or can play with an iPhone or iPad. It's a great piece for those who never considered their iPod Touch as a discreet pentest tool. In the next article, Apple Memory Tricks, Israel Torres will show you how by using osxmem you can safely experiment on your system to see what is floating around outside of the expected boundaries. This is definitely something for those who enjoy running into things.

    Our long time contributors Gary S. Milefsky and Julian Evans will update our knowledge on Apple (in)security. In their articles they point out the most popular holes and vulnerabilities in Apple systems. Fortunately, in the end, they both give us some advice on how to tune up the Apple software.

    Just behind the back cover you will find the interview with David Harley. David is a Director of the Anti-Malware Testing Standards Organization, a Fellow of the BCS Institute, and runs the Mac Virus website. Lately he agreed to tell us about some interesting security issues he deals with in his professional life. The interview wasn't censored by any company David works for. So, it truly deserves your full attention and I hope you will find it educating and enjoyable.

    There is also a nice surprise for those who love playing with tools. In this issue the Tool Time column is doubled!

    Enjoy the reading!
    Patrycja Przybyłowicz

    & Hakin9 team

    PRACTICAL PROTECTION IT SECURITY MAGAZINE


    CONTENTS

    a powerful tool known as Paros which acts as a proxy between client and server, intercepting the data between them (...). Paros is a freeware and easy to use tool; there are many other HTTP proxies available which you can use with the knowledge gained by using Paros. Besides being an HTTP proxy, Paros can also be used as a spider and scanner. You can also edit cookies which are sent to the browser. By examining the browser requests for GET and POST methods, we can obtain sensitive information like passwords and usernames in the URL. It can also trap HTTPS requests sent from your browser. This article is for learning and should not be used for any non-ethical purposes.

    38 Prey: From Praying to Preying
    By Mervyn Heng
    Since the issue 7/2010 article Prey: A New Hope, there have been developments in the device tracking tool. It has been enhanced to now be able to monitor lost Android smartphones and tablets when activated. There was a reported case in May 2011 where a Californian harnessed evidence collected from a similar tool, Hidden, to recover his stolen MacBook. The trend in mobile computing is the increasing popularity and adoption of smartphones as well as tablets, which are compact compared to laptops and netbooks. This is an ideal segment for Prey to aid whilst permitting you to have peace of mind in tracking your laptops (Windows, Ubuntu, Mac OS, Linux) too. (...) Prey is not yet available on iPhones or iPads but could be added to the stable in the near future. There has been criticism and scepticism with regards to this service but they can easily be overcome by opting for the commercial license. Install Prey on your portable devices now to have peace of mind and hope in recovering them.

    (IL)LEGAL
    42 Facebook and the Fuzz
    By Drake
    Mobile telecoms is a very, very hot topic in Britain this year. Much of the year saw the investigation playing out around mobile phone hacking by journalists; this apparently touched everyone from the Queen to various minor celebrities. In reality, the hacking in question was nothing more than some journalists being aware of how to access voicemail for which default PIN codes were in use. Nonetheless, the scandal involved politicians on all sides, and led to calls for the resignation of the Prime Minister. Perhaps more important, however, is the role of the BlackBerry in the wave of riots and looting that burned across the UK in August. Read the essay column in which the author deals with different current legislation issues and curiosities.

    INTERVIEW
    46 Interview With David Harley
    David Harley BA CITP FBCS CISSP is an IT security researcher, author and consultant to the security industry living in the United Kingdom, known for his books on and research into malware, Mac security, anti-malware product testing, and management of email abuse. He is a director of the Anti-Malware Testing Standards Organization, a Fellow of the BCS Institute, and runs the Mac Virus website. Lately he agreed to answer some questions prepared by the Hakin9 Team specially for this issue. Get to know this great and experienced specialist and find out more about the issues he is dealing with in his professional life.


    BASICS

    Hacking Tools on iOS

    At Defcon 17, in 2009, Thomas Wilhelm proposed transforming an iPod Touch into a pentest tool. Even if some tools are not available on iOS, many utilities can play with an iPhone or iPad. In this article you will learn how to install the most useful tools for a hacker.

    For starters, it requires a jailbroken iDevice (iPod, iPhone or iPad). Abundant literature is available on the Internet; this article will not dwell on the subject.

    On first use of Cydia, we can apply a filter to display User, Hacker or Developer. The Developer filter is used to filter ... nothing. Let's be crazy, and activate the Developer filter.

    iOS Command Line
    To access the command line, you must first install the OpenSSH server through Cydia, available in the Network section (Figure 1 & Figure 2). Then, install an SSH client. Currently, the best client available is iSSH ($7.99 on the App Store). iSSH also has VNC, RDP and Telnet, and they can be tunneled through an SSH tunnel. There is also Pterm ($3.99 on the App Store). Then just connect to address 127.0.0.1 with user ID mobile or root; the default password is alpine.

    It is possible to install applications via the command line. To update the package list:

    # apt-get update

    To install the new package versions:

    # apt-get upgrade

    To install a package and its dependencies:

    # apt-get install <package>

    To remove a package:

    # apt-get remove <package>

    To list installed packages:

    Figure 1. OpenSSH installing
    Figure 2. OpenSSH installing 2


    ATTACK

    Apple Memory Tricks

    As a researcher it is always fun to run into things while playing with unexpected behavior. Recently, while implementing a crypto challenge in C on my Mac running Lion, I noticed that some of the resultant output was not matching the expected test input. Figuring it was a fluke I didn't think about it too much more until curiosity got the best of me a few days later...

    What you will learn: Using C to passively play with live Apple memory in the Terminal shell

    What you should know: Basic programming using gcc and an understanding of OS memory

    Going back to the code I noticed that sometimes I would get Segmentation Faults (aka segfaults). A lot of the stuff I play with just covers the happy path and doesn't delve into error handling. Sure, it's a horrible coding practice, but it's not all bad in the sandbox (where it just needs to exist and die for the moment). I ended up narrowing down and writing out the stub of interest in under 15 lines for added functionality. Because it shows the user what is running/had run in memory, I aptly named it osxmem.c (Listing 1). A really simple and passive way to poke around memory and get interesting results.

    Testing osxmem was tedious at first due to not knowing where limitations existed. It just seemed that the more I looked around the more I found. Enter osxmem-chunks.sh (Listing 2): I created an artificial limit of 70k sequential entries (0-69,999) and cut the run into 10k chunks, allowing me to keep an eye on chunks as they were created without having to wait for the entire output log to complete. Naturally the limits can be modified in the bash script via $FSTART, $FFINIS and $FCHUNK. Note that for it to make sense on larger numbers you'll need to update the data type in osxmem accordingly.

    After the first run of osxmem-chunks there appeared to be consistency with the first 26 entries before diving into the ocean of segfaults and nulls (looking at Console as Crash Report spews all the segfaults is interesting, to say the least) (Figure 1). Pages deep there would be chunks within the chunks that logged more data running in memory: stagnant, in use, etc. The resultant data appears to be what was going on within the Terminal shell at the time it was running. (In other news, don't strictly rely on the data being there the next time you go looking for it, as it appears to be in flux as things load and unload; don't be surprised if you log something tangible during the batch process only to get a null value in return when attempting to access it independently.)

    When osxmem-chunks completed I went through the logs and was able to find sequential segments that were still available via osxmem. Thinking about creating a filter based off osxmem (where it just ran through the default 26 integers and the arbitrary input), I created an extended version named osxmem-react.c (Listing 3) which scans portions of desired areas and acts upon the filter itself. In the included source you can enter ./osxmem-react VARIABLE= (e.g. ./osxmem-react LOGNAME= will return the account name, in this case israeltorres; by not including the = sign you'll get it in the returned data) and get back what the variable is assigned to. It can be further modified to trigger additional functions based on other segments and the data they contain for their entries. For example, if you are interested in seeing whether __dyld_link_edit_error is floating around, you may run into it around sequence 27608 (Figure 2). Need to verify something? Throw it into memory and see if you can find it.


    Comparing the set environment variable assignments in the Terminal shell (Figure 3): ignoring update_terminal_cwd () (containing 3 local assignments) we have a total of 51 environment assignments:

    # non-artifact method
    set | grep -c =
    51

    # artifact method
    set > AppleEnvSet.txt; cat AppleEnvSet.txt | grep -c =
    51

    Using osxmem, out of the list of 26 resultant data there are 21 assignments found:

    # non-artifact method
    ./osxmem | grep -c =
    21

    # artifact method
    osxmem > 0.txt
    cat 0.txt | cut -f 2 | grep -c =
    21

    Figure 3. Apple Environment Variables v osxmem default results

    Figure 4. Using osxmem-chunks.sh to segfault
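The comparison above counts environment assignments once from the shell and once through raw memory. The following Python script is an added example, not Israel Torres' osxmem.c, osxmem-react.c or any listing from this article: it walks the same C-level environ array of its own process through ctypes, stops at the NULL terminator that bounds it (the boundary a blind sequential sweep such as the 0 to 69,999 run of osxmem-chunks crosses before it starts producing nulls and segfaults), counts the entries carrying an assignment the way ./osxmem | grep -c = does, and answers osxmem-react style queries such as LOGNAME= versus LOGNAME. The H9_DEMO_VAR variable is constructed so the lookup has a known answer; the symbol lookup assumes a POSIX libc (glibc exports environ, macOS reaches it via _NSGetEnviron()).

```python
import ctypes
import os


def environ_pointer():
    """Locate the live C `environ` array (a char **) of this process.

    glibc exports the `environ` symbol directly; on macOS the array is reached
    through _NSGetEnviron(), so fall back to that when the symbol is missing.
    """
    libc = ctypes.CDLL(None)
    try:
        return ctypes.POINTER(ctypes.c_char_p).in_dll(libc, "environ")
    except ValueError:
        get_environ = libc._NSGetEnviron
        get_environ.restype = ctypes.POINTER(ctypes.POINTER(ctypes.c_char_p))
        return get_environ().contents


def walk_environ(max_entries=70000):
    """Read environ[0], environ[1], ... and stop at the NULL terminator.

    The array is only defined up to that terminator; indices beyond it are
    exactly where a sequential scan that ignores the sentinel leaves valid
    memory. max_entries mirrors the article's artificial 70k ceiling.
    """
    env = environ_pointer()
    entries = []
    for i in range(max_entries):
        entry = env[i]  # c_char_p element: bytes, or None at the terminator
        if entry is None:
            break
        entries.append(entry.decode("utf-8", "replace"))
    return entries


def count_assignments(entries):
    """Equivalent of `./osxmem | grep -c =`: entries that carry an assignment."""
    return sum(1 for e in entries if "=" in e)


def lookup(entries, query):
    """osxmem-react style lookup: 'LOGNAME=' returns the assigned value only,
    'LOGNAME' (no '=') returns the whole 'LOGNAME=value' entry."""
    for entry in entries:
        if entry.startswith(query):
            return entry[len(query):] if query.endswith("=") else entry
    return None


def demo():
    """Plant a constructed variable, then recover it through the raw array."""
    os.environ["H9_DEMO_VAR"] = "constructed-value"  # constructed sample entry
    entries = walk_environ()
    return {
        "value": lookup(entries, "H9_DEMO_VAR="),
        "entry": lookup(entries, "H9_DEMO_VAR"),
        "c_assignments": count_assignments(entries),
        "python_view": len(os.environ),
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['c_assignments']} assignments in environ, "
          f"{result['python_view']} in os.environ")
    print("H9_DEMO_VAR= ->", result["value"])
    print("H9_DEMO_VAR  ->", result["entry"])
```

Run it directly to see the two counts side by side: os.environ is Python's own view, the environ count is the live C array, so they normally agree but can drift when native code changes the environment behind Python's back, which is the same "in flux" behaviour the article notes for data found by osxmem.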


    DEFENSE

    As Apple Devices Gain Popularity, Do They Become More Vulnerable to Exploitation?

    The answer is yes. A few years back, before the iPod, iPad and iTouch, there were very few CVEs listed in the National Vulnerability Database at http://nvd.nist.gov, but today you can find over 2,700.

    What you will learn: Apple CVEs (holes); Your Apple Hardware; Tuning up your Apple Software

    What you should know: The CVE Standard by MITRE; How to install Firmware and Patches; Deploying Firewall and HIPS software

    Most recently, if you search for CVEs discovered in Apple hardware and software over the last three months alone, you'll find at least 80 CVEs (holes), most of which are of a serious, easily exploitable nature.

    Apple iOS Specific CVEs
    These are the only well-known holes in the Apple iOS operating system. The good news is that there are very few Apple iOS holes, only three so far; however, they are of a serious nature.

    CVE-2011-0228
    Summary: The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.
    Published: 08/29/2011
    CVSS Severity: 7.5 (HIGH)

    CVE-2011-0227
    Summary: The queueing primitives in IOMobileFrameBuffer in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 do not properly perform type conversion, which allows local users to gain privileges via a crafted application.
    Published: 07/19/2011
    CVSS Severity: 7.2 (HIGH)

    CVE-2011-0226
    Summary: Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0228
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0227
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0226
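To make the basicConstraints point of CVE-2011-0228 concrete, here is an added Python example (not from the article and not Apple's code) built on a constructed toy PKI: certificates are dicts and signatures are HMAC-SHA256 under the issuer's key, standing in for real X.509 and RSA/ECDSA. validate_chain walks a chain from leaf to trust anchor; with check_basic_constraints=False it behaves like the flawed validator described in the summary and accepts a certificate for bank.example that was signed by an ordinary non-CA end-entity certificate, while the default path rejects it at the issuing certificate. The names Example Root CA, bank.example and attacker.example and all keys are constructed for the demo.

```python
import hashlib
import hmac

# Toy PKI (constructed for this example, not real X.509): a certificate is a
# dict whose "key" field stands in for the subject's public key. Signatures
# are HMAC-SHA256 over the to-be-signed fields under the *issuer's* key, which
# is enough to exercise the chain-walking logic the CVE is about.


def _tbs(cert):
    """The to-be-signed portion: every field except the signature itself."""
    return "|".join(f"{k}={cert[k]}" for k in ("subject", "issuer", "is_ca", "key")).encode()


def _sign(cert, signer_key):
    return hmac.new(signer_key.encode(), _tbs(cert), hashlib.sha256).hexdigest()


def self_signed_root(name, key):
    root = {"subject": name, "issuer": name, "is_ca": True, "key": key}
    root["signature"] = _sign(root, key)
    return root


def issue(subject, issuer_cert, is_ca, key):
    """Issue a certificate for `subject`, signed with the issuer's key.

    Deliberately no check that the issuer is a CA: any key holder *can* sign
    bytes; refusing to trust the result is the validator's job, not the signer's.
    """
    cert = {"subject": subject, "issuer": issuer_cert["subject"], "is_ca": is_ca, "key": key}
    cert["signature"] = _sign(cert, issuer_cert["key"])
    return cert


def signed_by(cert, issuer_cert):
    return hmac.compare_digest(cert["signature"], _sign(cert, issuer_cert["key"]))


def validate_chain(chain, trust_anchors, hostname, check_basic_constraints=True):
    """Validate chain[0] (leaf) ... chain[-1] (root) for `hostname`.

    With check_basic_constraints=False this reproduces the flaw described for
    CVE-2011-0228: names and signatures link up, but nobody asks whether each
    issuing certificate was ever allowed to act as a CA. Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    if chain[0]["subject"] != hostname:
        return False, f"leaf is for {chain[0]['subject']}, not {hostname}"
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']} names issuer {cert['issuer']}, got {issuer['subject']}"
        if not signed_by(cert, issuer):
            return False, f"bad signature on {cert['subject']}"
        # The missing check: an issuing certificate must carry basicConstraints CA:TRUE.
        if check_basic_constraints and not issuer["is_ca"]:
            return False, f"{issuer['subject']} is not a CA but issued {cert['subject']}"
    root = chain[-1]
    anchored = any(root["subject"] == a["subject"] and root["key"] == a["key"]
                   and root["signature"] == a["signature"] for a in trust_anchors)
    if not anchored:
        return False, f"root {root['subject']} is not a trust anchor"
    return True, "ok"


def demo():
    """Build a legitimate chain and a forged one, validate both ways."""
    root = self_signed_root("Example Root CA", key="root-secret")  # constructed anchor
    bank = issue("bank.example", root, is_ca=False, key="bank-secret")
    # A plain end-entity certificate anyone can obtain for their own domain...
    attacker = issue("attacker.example", root, is_ca=False, key="attacker-secret")
    # ...used as if it were a CA to mint a certificate for somebody else's name.
    forged = issue("bank.example", attacker, is_ca=False, key="forged-secret")
    anchors = [root]
    return {
        "legit": validate_chain([bank, root], anchors, "bank.example"),
        "forged_naive": validate_chain([forged, attacker, root], anchors, "bank.example",
                                       check_basic_constraints=False),
        "forged_fixed": validate_chain([forged, attacker, root], anchors, "bank.example"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The forged chain is cryptographically flawless: every signature verifies and every issuer name matches, which is why a validator that only walks signatures up to a trusted root accepts it. The single extra line that inspects the issuer's CA flag is what separates the two outcomes, and it is the check the patched iOS versions listed above perform.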

    DEFENCE

    Import Hooks For Encrypted Python Modules

    Every now and again, somebody comes up and asks this question: How can I hide/encrypt/obfuscate my Python code? And the answers may be different, ranging from things like: Python is not the tool; rewrite it in Perl; distribute only your .pyc or .pyo files; and other creative solutions.

    What you will learn: Python's import mechanism and hooks; How to import encrypted Python modules

    What you should know: Basic knowledge of Python; Knowledge of Python's C API; Some knowledge of the XOR cipher

    Well, the answer is Yes! There are ways, and one such way is through the use of Import Hooks. Import Hooks [1] are objects that can be injected into Python's import mechanism and used to customize how modules are found and loaded, allowing it to import modules stored in a non-standard way. As we want to import encrypted modules, we fall into this non-standard category; ergo, we need to write an import hook.

    The Importer Protocol is presented in Python Enhancement Proposal (PEP) 302. This protocol describes Import Hooks and explains how the import process works for loading Python modules. According to this PEP, when the Python interpreter finds an import statement, it calls the __import__ function from the built-in namespace with the name of the module and a reference to the global namespace. If the name is a sub-module of a package, __import__ will try to resolve that name relative to that package first. If that fails, __import__ will try an absolute import.

    When the interpreter finds a dotted import, it first splits the name into components and then tries to import those components in order, looking for a component inside the previous one. Thus, import foo.bar becomes first an import of the foo module, and when that succeeds, the interpreter imports bar as a sub-module of foo, which implies that by the time bar is being imported, foo was already loaded successfully. Every time one of these individual imports is made, a hook is invoked to handle the import. If no hooks exist or none can handle the import, then the built-in method is applied.

    According to the PEP, the Importer Protocol involves two objects, the finder and the loader. The finder has the task of letting the import process know whether it knows of a loader for a given module. The finder must implement a function find_module of this form:

    finder.find_module(fullname, path=None)

    Table 1. Things loader.load_module is responsible for

    The __file__ attribute of the new module must be set. It could be any string at all, but it must be set.

    The __name__ attribute must be set.

    If the module is a package, then the __path__ attribute must be set with a list, although it could be an empty list if not needed.

    The __loader__ attribute must be set to the Loader object.

    The loader must execute the code of the module inside the new module's global namespace (or new_module.__dict__).

    The loader should first look up the module in sys.modules and if found, use that module. On the same note, the Loader should append the newly loaded module in sys.modules.


    the given file (see Listing 1), and returns the decrypted contents to the callee.

    With the decrypted code in hand, we proceed to execute it. But first, we need a reference to our new module's __dict__ attribute, as the code has to be executed with a reference to this dictionary. The second thing is that we need to provide Py_file_input as the second argument to the PyRun_String function that we are going to use to execute our code into the new Python module. If we use something other than Py_file_input, we will get segfaults all over.

    The line (line 55) res = PyRun_String(module_code, Py_file_input, new_module_dict, new_module_dict) is analogous to the exec code in mod.__dict__ Python code you will find in PEP 302.

    After all this, we are ready to run the test. Do you remember we created EncModule.pye a while ago? It is time to use it. Put EncModule.pye and the compiled CryptImpHook in the same directory and just execute the Python test script in Listing 6, and voilà! We just imported an encrypted module in Python.

    You'll find the whole code at http://dev.gentoo.org/~neurogeek/CryptImpHook.tar.gz.
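The finder/loader split from PEP 302 and the Table 1 duties can be shown end to end in pure Python, without the C extension the article builds. The following is an added example, not the CryptImpHook code from the tarball linked above: it encrypts a constructed EncModule with the repeating-key XOR cipher [2], installs a meta path finder that claims any <name>.pye file in a given directory, and a loader that decrypts the file and executes it into the new module's __dict__, the pure-Python counterpart of the PyRun_String(..., Py_file_input, new_module_dict, new_module_dict) call. It uses find_spec and exec_module, the names PEP 451 introduced as successors of PEP 302's find_module and load_module and the ones current interpreters call. KEY, the module body and the EncModule name used in the demo are constructed.

```python
import importlib
import importlib.abc
import importlib.util
import os
import sys
import tempfile

KEY = b"hakin9"  # constructed XOR key; shared between the encryptor and the loader


def xor_crypt(data, key=KEY):
    """Repeating-key XOR; applying it twice with the same key returns the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def write_encrypted_module(directory, name, source):
    """Encrypt Python source and store it as <name>.pye in `directory`."""
    path = os.path.join(directory, name + ".pye")
    with open(path, "wb") as fh:
        fh.write(xor_crypt(source.encode("utf-8")))
    return path


class CryptImpLoader(importlib.abc.Loader):
    """Loader half of the protocol: decrypt, then exec into the module namespace."""

    def __init__(self, path):
        self.path = path

    def create_module(self, spec):
        return None  # let importlib build a plain module object for us

    def exec_module(self, module):
        with open(self.path, "rb") as fh:
            source = xor_crypt(fh.read()).decode("utf-8")
        # Table 1 duties: importlib has already set __name__ and __loader__ and
        # registered the module in sys.modules before calling us; __file__ is ours.
        module.__file__ = self.path
        # Same role as `exec code in mod.__dict__` from PEP 302.
        exec(compile(source, self.path, "exec"), module.__dict__)


class CryptImpFinder(importlib.abc.MetaPathFinder):
    """Finder half: claim any module for which <search_dir>/<name>.pye exists."""

    def __init__(self, search_dir):
        self.search_dir = search_dir

    def find_spec(self, fullname, path=None, target=None):
        candidate = os.path.join(self.search_dir, fullname + ".pye")
        if not os.path.isfile(candidate):
            return None  # not ours; the built-in finders take over
        return importlib.util.spec_from_loader(fullname, CryptImpLoader(candidate), origin=candidate)


def import_encrypted(name, search_dir):
    """Install the hook (once per directory) and import `name` through it."""
    if not any(isinstance(f, CryptImpFinder) and f.search_dir == search_dir for f in sys.meta_path):
        sys.meta_path.append(CryptImpFinder(search_dir))
    sys.modules.pop(name, None)  # force a fresh load so repeated demos re-read the file
    return importlib.import_module(name)


def demo():
    """Round trip: encrypt EncModule, import it through the hook, call into it."""
    source = "SECRET = 42\n\ndef greet(who):\n    return 'Hello, ' + who\n"  # constructed module body
    with tempfile.TemporaryDirectory() as tmp:
        write_encrypted_module(tmp, "EncModule", source)
        mod = import_encrypted("EncModule", tmp)
        return mod.greet("Hakin9"), mod.SECRET, mod.__name__, mod.__file__.endswith("EncModule.pye")


if __name__ == "__main__":
    print(demo())
```

Note that obfuscation is all this buys: the key ships next to the loader, so anyone who can run the importer can recover the plaintext, a limitation shared with the C implementation the article describes.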

    References
    [1] New Import Hooks (PEP 302) http://www.python.org/dev/peps/pep-0302
    [2] XOR Cipher http://en.wikipedia.org/wiki/XOR_cipher
    [3] Python C API http://docs.python.org/c-api/index.html

    JESUS RIVERO
    Jesus Rivero, a.k.a. Neurogeek, is a Computer Scientist who has been programming for the past 10 years, from embedded systems to web applications. Currently, he develops software for the financial world and is a Gentoo GNU/Linux developer.

    [email protected]@gentoo.org
    Website/blog: http://dev.gentoo.org/~neurogeek


    ID FRAUD EXPERT SAYS...

    Apple OS X and iOS Hacking News

    This month's article focuses on Apple technology hacking that has been identified thus far in 2011. Here you will find a compilation of some high profile media reports and research from the Web on the hacking of Apple technology.

    There are two sections: Mac OS X and iOS (iPad, iPod & iPhone). There are many contributors, so we'd like to thank all of them for the use of their research material in this article.

    Apple / Mac OS X Lion Security / Hacking News

    News: Mac OS X MacDefender Scareware Threat, May 2011
    Antivirus firm Intego discovered a new malware known as MacDefender targeting Mac OS X users via Safari. According to the report, the malware appeared to be being deployed via JavaScript as a compressed ZIP file reached through Google searches. When a user clicked on a link after performing a search on a search engine such as Google, this took them to a web site whose page contained JavaScript that automatically downloaded a file. In this case, the file downloaded was a compressed ZIP archive, which, if a specific option in a web browser was checked (Open safe files after downloading in Safari, for example), would open.

    Users running administrator accounts and with the Safari option to open safe files automatically checked appeared to be most at risk, with some claiming that no notification of installation was seen or password required. Only when a screen popped up asking for a credit card number to sign up for virus protection did they realize that malware had been installed on their systems. This was the first major scareware threat to the Mac OS X platform. Apple fixed the exploit by simply blocking the MacDefender threat from running or being installed.

    Source: Intego

    News: Hacking Apple Laptop Batteries, July 2011
    Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road.

    What he found is that the batteries are shipped from the factory in a state called sealed mode and that there's a four-byte password that's required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into unsealed mode.

    From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it's not changed on laptops before they're shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.

    "That lets you access it at the same level as the factory can," he said. "You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though."

    Source: Charlie Miller, Apple security expert


    News: Apple Mac OS X Server APT and DHX Vulnerability, August 2011
    Apple Macs, according to iSec, are more vulnerable to APTs, short for advanced persistent threats. APTs are usually the work of state-sponsored hackers who go to great lengths to infiltrate government and corporate networks with malware that steals classified information and proprietary data. The problem with Macs stems from the OS X server that administrators use to push updates to large numbers of machines. The server's authentication routine is inherently insecure.

    At the heart of the Mac server's insecurity is a proprietary authentication scheme known as DHX that's trivial to override. While Mac servers can use the much more secure Kerberos algorithm for authenticating Macs on local networks, iSec researchers found it was trivial to force OS X server to resort back to Apple's insecure protocol.

    Source: ID Theft Protect

    News: Apple Website Hacked by Hacker Called HodLuM, August 2011
    One of the Apple sub-domains has, it is claimed, been defaced by known hacker HodLuM. The deface link is just an image uploaded to the Apple domain. The hacker uses the N00BZ characters for all hackers including the cracking group Anonymous, Lulzsec, Turkish hackers, Inj3t0rs and Exploit-DBs. The AOL Postmaster website was also hacked by HODLUM some months ago.
    Source: The Hacker News

    News: OS X Lion Password Security Issue Identified, September 2011
    Apple has dropped a couple of monumental password security clangers this year with the release of OS X Lion, according to security blogger Patrick Dunstan. Dunstan, who posted an important piece on cracking Mac OS X passwords a couple of years ago, decided to revisit the subject with the release of OS X Lion (version 10.7).

    Dunstan discovered Apple's developers had made user security worse in two important ways: firstly, it's possible to change the password of the current user without needing to know the original password, as Dunstan explains.

    "It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user," he writes. "So, in order to change the password of the currently logged in user, simply use: $ dscl localhost -passwd /Search/Users/bob."

    And that isn't the only backward step. Previously only a user with root (admin) privileges to a machine was able to get at the password hashes for other users, which are held in so-called shadow files. With OS X Lion this restriction is easily circumvented.

    "It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Dunstan explains. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services."

    "All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user's profile," he adds.

    None of the major brute force crackers support OS X Lion hashes because the OS was only released in late July. Dunstan has created a Python script to do the job, which is intended for password auditing.

    News: Apple Safari 5.0.4 Security Vulnerabilities Identified, July 2011
    Apple released Safari 5.0.4, the latest version of Apple's browser software for Windows and Mac users, patching an eye-watering 62 security vulnerabilities in the process. The vulnerabilities, described in an Apple knowledgebase article, were disclosed at the same time as a host of security holes in the iOS software used by the iPhone, iPad and iPod touch were also revealed by the company. What this means is, just like their iPhone/iPod touch/iPad-owning cousins, people who run Safari on their Mac or Windows computers would be wise to check out the latest available security updates as soon as possible. Apple doesn't like to assign severity levels to the security vulnerabilities found in its products, but the bugs in Safari look pretty critical to me. 57 of the 62 bugs can be exploited just by a user visiting a maliciously-crafted website. If that's not a reason to install a security update to your Safari browser, I'm not sure what is.

    Source: ID Theft Protect

    News: AntiSec Group Posts Passwords From Apple Survey Server, July 2011
    A group of computer hackers posted a document it claimed contains usernames and passwords for an Apple Inc. server, the latest in a string of brazen attacks that have compromised government and corporate websites around the world. AntiSec, a hacking campaign that includes hackers from both the online vigilante group Anonymous and hackers from the now-defunct Lulz Security, posted a document containing a link to a supposed Apple server along with a list of 26 administrative usernames and passwords. AntiSec is Internet shorthand for anti-security. The hackers said in a statement posted to Twitter that they had accessed Apple's systems due to a security flaw in software used by the Cupertino, Calif.-based gadget maker and other companies. "But don't worry," the hackers said, "we are busy elsewhere." A spokesman for Apple didn't immediately respond to a request for comment.

    Source: ID Theft Protect


    ID FRAUD EXPERT SAYS...

    The password security foibles discovered by Dunstan raise further questions about the overall security of Mac OS X Lion, already highlighted by earlier LDAP password security weaknesses. Another Lion flaw discovered by Dunstan enables a skilled hacker to view the computer's password hash data by extracting it from the Directory Services file. (Password hashes are the results of running passwords through encryption algorithms. Those algorithms are supposedly unbreakable, but in truth, automated password-cracking software can run through the millions of possible results from a fixed algorithm to brute force the passwords into plain text).

    It's important to note that these password attacks don't yet allow a victim's computer to be exploited by far-off strangers; the hacker must have either physical access to the target system, or have been granted remote limited-user access to it. But in the seconds it would take to perform these password takeovers, Defence in Depth says a physical attacker could also visit a Web page rigged with malicious code that would then connect a remote attacker to the compromised machine. From there, the possibilities for exploitation are endless.

    Source: Defense in Depth security blog

    iOS Security Issues
    Dino Dai Zovi conducted research earlier this year (Blackhat) into security concerns surrounding iOS 4.0. He identified that it is possible to remotely exploit built-in or third-party apps by injecting a malicious web page in Safari or a third-party app with an embedded browser (i.e. Facebook or Twitter); a malicious e-mail message or attachment in Mail; and MITM and corrupt network communication of a third-party app. Dino identified that applications that use a UIWebView were at most risk (as they didn't use PIE support), i.e. the embedded browser in Twitter and Facebook.
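The PIE point above can be checked on an app binary without running it: the Mach-O header carries an MH_PIE flag, and an executable linked without it loads at a fixed address, so the app's own code gets no ASLR even though system libraries do. The Python below is an added example (not from the article or from Dino Dai Zovi's research); the constants come from Apple's mach-o/loader.h and mach/machine.h, and the fat binary it inspects is constructed inline with one armv6 slice lacking PIE and one armv7 slice with it.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header (accepted, not used below)
FAT_MAGIC = 0xCAFEBABE       # universal (fat) container; its tables are big-endian
MH_EXECUTE = 0x2             # filetype: main executable
MH_PIE = 0x200000            # flags bit: image may be loaded at a random base (ASLR)
CPU_TYPE_ARM = 12
CPU_SUBTYPE_ARM_V6 = 6
CPU_SUBTYPE_ARM_V7 = 9


def parse_thin_header(blob, offset=0):
    """Decode one thin Mach-O header found at `offset` in `blob`."""
    magic, = struct.unpack_from("<I", blob, offset)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % offset)
    cputype, cpusubtype, filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from(
        "<6I", blob, offset + 4)
    return {"cputype": cputype, "cpusubtype": cpusubtype,
            "filetype": filetype, "flags": flags}


def iter_slices(blob):
    """Yield the header of every architecture slice: one for a thin binary,
    one per fat_arch entry for a universal binary."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        yield parse_thin_header(blob, 0)
        return
    nfat_arch, = struct.unpack_from(">I", blob, 4)
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        yield parse_thin_header(blob, offset)


def pie_report(blob):
    """Map (cputype, cpusubtype) -> True if that executable slice carries MH_PIE.
    Only MH_EXECUTE images are reported; dylibs are relocatable anyway."""
    return {(h["cputype"], h["cpusubtype"]): bool(h["flags"] & MH_PIE)
            for h in iter_slices(blob) if h["filetype"] == MH_EXECUTE}


# --- constructed sample binaries (headers only, no load commands) ---

def make_thin_header(cputype, cpusubtype, flags):
    """Build a minimal 32-bit thin Mach-O header (constructed test data)."""
    return struct.pack("<7I", MH_MAGIC, cputype, cpusubtype, MH_EXECUTE, 0, 0, flags)


def make_sample_fat():
    """A constructed universal binary: armv6 slice without PIE, armv7 slice with
    PIE. Real linkers page-align slices; this toy packs them back to back."""
    slices = [(CPU_SUBTYPE_ARM_V6, make_thin_header(CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, 0)),
              (CPU_SUBTYPE_ARM_V7, make_thin_header(CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_PIE))]
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset, table, data = 8 + 20 * len(slices), b"", b""
    for cpusubtype, body in slices:
        table += struct.pack(">5I", CPU_TYPE_ARM, cpusubtype, offset, len(body), 0)
        data += body
        offset += len(body)
    return header + table + data


if __name__ == "__main__":
    for (cpu, sub), pie in sorted(pie_report(make_sample_fat()).items()):
        print("cputype %d subtype %d: %s" % (cpu, sub, "PIE" if pie else "NOT PIE"))
```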

    iOS is a very robust OS; however, jailbroken devices open iOS to kernel exploits, and OTA downloads bypass Apple's review. iOS is one of the most robust mobile operating systems (aside from QNX, see last month's article in Hakin9, A brief overview of mobile and tablet app coding security) and is only vulnerable to exploits if the device is jailbroken.

    News: Jailbreaking has just been made a little bit more difficult July 2011
    Apple has released a software update for its iOS devices, including the iPhone 4, iPhone 3GS, iPad 2, iPad and generation 3 and 4 of iPod Touch. Available now, it'll bring your device to version 4.3.4. The free update fixes a vulnerability in the way PDF files handle fonts, where a malicious PDF file could sneak malware into your iOS device, giving hackers access to your hardware. However, that same vulnerability allows easy jailbreaking of iOS 4.3.3 with the web-based JailBreakMe 3.0, which frees users from the tight restrictions Apple places on its iOS software. Apple certainly wanted to stop that as quickly as possible.

    Source: Apple Inc

    News: iOS update fixes flaw in SSL July 2011
    Apple released a software update to fix a flaw in the latest version of iOS back in July for its mobile operating system for the iPhone, iPad and iPod Touch. The new software, version 4.3.5, addressed a flaw in the way Apple's software authenticates Secure Sockets Layer data; the mishandling of this commonly used communication protocol could allow an attacker with elevated network privileges to capture or modify data, Apple wrote on its support blog.

    Apple's software update comes just five days after the company released the previous iOS, version 4.3.4, which was primarily a security fix for a PDF bug exploited by Jailbreakme 3.0, a service that allows iPhone and iPad users to jailbreak their devices, a process which allows users to install apps unauthorized by Apple. Jailbreakme encountered its own problems; on July 11, Jailbreakme's website was flagged, incorrectly it turned out, as containing malware. Note: Jailbreakme's founder Nicholas Allegra (nickname comex) has been hired (August) as an intern by Apple, no doubt to help identify and close the holes in iOS.

    Source: Security News Daily

    News: Apple's MDM could be vulnerable to MITM attack vector August 2011
    Security researcher David Schuetz identified a possible Mobile Device Management (MDM) attack vector. After having worked out how MDM worked, he identified a potential issue with HTTPS which could expose MDM to a man in the middle (MITM) attack. David developed a research MDM tool which allowed people to experiment with it. "The way it works is you enroll a mobile device and then you send commands to the iOS device from the MDM tool and the researcher gets to see what the response is." Schuetz noted that without a publicly available MDM server for iOS, it has been difficult if not impossible to see how users could be exploited via social engineering or other means via MDM. This particular attack POC provides evidence that MDM could very well be an attack vector.

    Source: ID Theft Protect

    News: iOS 5.0 untethered jailbreak opens the exploit door September 2011
    Great news for all jailbreakers: the Dev-Team has just announced at the world's first iOS jailbreak convention, MyGreatFest, that they've nearly completed a userland jailbreak for iOS 5 and it will be untethered. p0sixninja, one of the Chronic Dev-team members, announced that the jailbreak


    will apparently use five different exploits that have been discovered for the Apple A5 chip, which is currently used on the iPad 2 and possibly will also be used for the next generation iPhone 5. This is really good news for people who want their iPhone 5 to be jailbroken.

    According to a tweet from @veeence the team is waiting for the actual hardware (iPhone 5) to get released and all Apple devices supporting iOS 5 will be eligible for untethered jailbreak. The five exploits, discovered by the team member P0d2g, will allow the next jailbreak to be userland and p0sixninja also added that it will be the most amazing jailbreak yet. To make things more exciting, MuscleNerd announced that he's been working on a 06.15 iPad baseband downgrade and unlock for iPhone 3G and 3GS and it will also be released after iOS 5 reaches users. Seems jailbreaking and the expected exploits will not be going away anytime soon.

    Final Thoughts: The Mac OS X Antivirus Protection Question
    Most readers will know Mac OS X runs on the UNIX platform, which means the underlying code base is more secure than say Windows. Cracking the UNIX system is very difficult, in fact probably the most difficult of any operating system (QNX might have something to say about that, which is based on the Linux OS). OS X also includes a useful technology called sandboxing, which is where applications run and processes are separated. Mac OS restricts both file access and application execution. The sandboxing model is both more secure and less likely to be exploited by malware in the wild. If you visit the Apple website, they will tell you that you still require antivirus for your Mac. What it really comes down to is knowledge: knowledge of what users need to do, be aware of, and remembering not to click on links that might be suspicious. Most security experts will tell you it's always better to be safe rather than sorry, so most if not all will suggest Mac OS X antivirus protection.

    The iOS Antivirus Protection Question
    iOS, which has its roots in FreeBSD, focuses on traditional access control techniques such as passwords and idle screen locking to protect the device itself; application provenance, which involves testing, verifying and tamper proofing individual apps and secure signing and hashing using a digital signature; encryption, which involves protecting device data in the event of loss or theft; isolation, which limits system access and access to sensitive data; and lastly permission-based access control, granting apps a specific set of permissions to limit access to specified data and systems.

    iOS architecture restricts what legitimate apps can do within iOS (i.e. there are for example restrictions on scanning another app's memory), which unlike Windows makes it virtually impossible for malware to work. This puts the trust with Apple (rather than say a mobile security product) who set about banishing antivirus software because iOS apps are sandboxed and cannot communicate with another app (exceptions do apply to some of Apple's own apps). You don't need antivirus running in the background when apps are sandboxed, it's that simple. That said, as highlighted above, jailbreaking a device, i.e. jailbreakme (see previous section), opens the door to buffer overrun attacks and loads jailbreak code into the iOS startup processes. Safari's PDF viewer was the culprit this time. Jailbreakme is jailbreak code that has one distinctive advantage: it is agnostic. This means it can work on every iOS platform/hardware: iPad, iPhone and iPod Touch.

    JULIAN EVANS
    Julian Evans is an internet security entrepreneur and Managing Director of education and awareness company ID Theft Protect. IDTP leads the way in providing identity protection solutions to consumers and also works with large corporate companies on business strategy within the sector on a worldwide basis. Julian is a leading global information security and identity fraud expert who is referenced by many leading industry publications.

    Conclusion
    It is useful to conclude this article by highlighting some useful security hints and tips for Mac OS X users. Most expert users will already know about them, but there is nothing like a useful refresh.

    Apple Mac OS X 10.6 provides a useful firewall called Application Firewall and ipfw (an open source FreeBSD packet filtering and traffic accounting firewall). Encryption is provided by an application called FileVault. This will encrypt everything inside a system home directory (not any files or folders outside of it). Some users might also wish to encrypt the virtual memory of their Mac OS; this is turned on by default in 10.6 Snow Leopard. For older OS X versions, users would need to turn on secure virtual memory. Users should also consider using Password Assistant and Keychain (SSO); the latter stores internet passwords, SSL certificates, servers, applications, websites and more for Single Sign On (SSO).

    Security experts agree users should never run as an administrative account, as any breach would only allow access to an account rather than the entire OS. In conclusion, there is no doubting that Mac OS X and iOS are more secure than the popular Windows/Windows Phone 7 platform for example. That said, as more and more Apple OS devices reach the market and end users look to synchronize these devices in the iCloud, the security risks could well increase. Then and only then will the malware writers stand up and take notice.


    TOOL TIME

    Interception With Paros Proxy
    Abraham Lincoln once said: "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." So, selecting a perfect tool and possessing the knowledge of how to use it is most important before starting a task. Now, I am going to talk about a tool which acts as a proxy that modifies the conversation between the client and server.

    When we talk about Man-in-the-Middle attacks, we come across two modes: one is passive and the other is active. Passive is the one in which the attacker regularly monitors the conversation between two parties without modifying the data or contents, affecting confidentiality. The active mode is more dangerous compared to passive: in it the attacker modifies the whole data between the two parties, affecting the integrity of the data. Now we will look at a powerful tool known as Paros which acts as a proxy between client and server, intercepting the data between them.

    What is HTTP Proxy?
    A proxy is a process which receives the requests from clients and forwards them to the server, based upon some predefined filtering rules. An HTTP proxy is concerned with internet access, where it resides between client and web server. Proxies may be able to modify the requests and responses without permission from either clients or servers. We will see how to modify the HTTP requests arriving from the client and pass them on to the server using the Paros tool.

    Paros Proxy
    Paros Proxy is a GUI based freeware tool mainly developed with the intention of evaluating the security of web applications. It was written entirely in Java. Its main goal is to assess the vulnerabilities present in web applications by acting as an HTTP/HTTPS proxy. By using it we can intercept all HTTP and HTTPS data between client and server and can modify the data related to cookies and form fields. It can also be used for performing active MITM attacks by modifying the contents of the conversation between client and server. This tool can be downloaded for free from http://www.parosproxy.org/.

    Step 1
    Download Paros from the above link and install it on your system. As it is developed entirely in Java, it requires a JRE pre-installed on your system to work properly. Start Paros by clicking on the icon. The next thing you should be careful about is configuring it as a proxy on your system. To do that navigate to Tools>Options>Local Proxy and enter the address as localhost and port 8080, also make sure that no other application is using

    Figure 1. Paros proxy
    Figure 2. Proxy settings in Paros
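What a tool like Paros does at the message level, as an added example in Python (not Paros code and not from the article): a passive pass logs the request line and forwards the bytes untouched, while an active pass rewrites a cookie and a form field and then recomputes Content-Length so the forwarded request stays well-formed. The request is a constructed sample and shop.example is a placeholder host.

```python
from urllib.parse import parse_qsl, urlencode


def parse_request(raw):
    """Split raw HTTP/1.x request bytes into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append([name.strip(), value.strip()])
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    """Rebuild the wire bytes. Content-Length is recomputed: if a proxy edits
    the body but forwards the old length, the server reads a truncated or
    over-long body, the classic bug in hand-rolled interceptors."""
    headers = [h for h in req["headers"] if h[0].lower() != "content-length"]
    if req["body"]:
        headers.append(["Content-Length", str(len(req["body"]))])
    head = "%s %s %s\r\n" % (req["method"], req["target"], req["version"])
    head += "".join("%s: %s\r\n" % (name, value) for name, value in headers)
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def set_cookie(req, name, value):
    """Replace one cookie's value in the Cookie header, keeping the others."""
    for header in req["headers"]:
        if header[0].lower() != "cookie":
            continue
        pairs = [p.strip().partition("=") for p in header[1].split(";") if p.strip()]
        header[1] = "; ".join("%s=%s" % (k, value if k == name else v)
                              for k, _, v in pairs)


def set_form_field(req, field, value):
    """Replace one field in an application/x-www-form-urlencoded body."""
    fields = parse_qsl(req["body"].decode("iso-8859-1"), keep_blank_values=True)
    fields = [(k, value if k == field else v) for k, v in fields]
    req["body"] = urlencode(fields).encode("iso-8859-1")


def intercept(raw, active=False, edits=()):
    """Passive mode: log and forward the bytes untouched (confidentiality is
    what is at stake). Active mode: apply (kind, name, value) edits, kind being
    "cookie" or "form", and forward the rewritten request (integrity is at
    stake). Returns (bytes_to_forward, log_lines)."""
    req = parse_request(raw)
    log = ["%s %s" % (req["method"], req["target"])]
    if not active:
        return raw, log
    for kind, name, value in edits:
        if kind == "cookie":
            set_cookie(req, name, value)
        elif kind == "form":
            set_form_field(req, name, value)
        log.append("rewrote %s %s" % (kind, name))
    return serialize_request(req), log


# Constructed sample request; shop.example is a placeholder host.
SAMPLE_REQUEST = (
    b"POST /cart HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123; theme=light\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"item=42&qty=1"
)

if __name__ == "__main__":
    forwarded, log = intercept(SAMPLE_REQUEST, active=True,
                               edits=[("cookie", "theme", "dark"), ("form", "qty", "10")])
    print("\n".join(log))
    print(forwarded.decode("iso-8859-1"))
```

The server-side lesson is the one Paros is used to teach: every cookie and form value passes through a hop the client controls, so the server must validate them itself and the transport needs HTTPS to keep a network-level intermediary from doing the same rewrite.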


    TOOL TIME

    Prey: From Praying to Preying
    Since the issue 7/2010 article Prey: A new hope, there have been developments in the device tracking tool. It has been enhanced to now be able to monitor lost Android smartphones and tablets when activated. There was a reported case in May 2011 where a Californian harnessed evidence collected from a similar tool, Hidden, to recover his stolen Macbook.

    The trend in mobile computing is the increasing popularity and adoption of smartphones as well as tablets, which are compact compared to laptops and netbooks.

    This is an ideal segment for Prey to aid, whilst permitting you to have peace of mind in tracking your laptops (Windows, Ubuntu, Mac OS, Linux) too.

    Setup
    Prey is a simple Android app to install and configure.

    Note
    This article will focus on setting up Prey 0.5.3 on a Dell Streak.

    Register for an account with the Prey website (i.e. http://control.preyproject.com/signup).

    Install the Prey app from Android Market (Figure 1).

    Launch Prey and a prompt will appear reminding you to register with the Prey website. Click on Yes (Figure 2).

    Enter your account information to add your device to your Control Panel (Figure 3).

    The "Phone Added!" message will appear upon successful registration. Click OK to proceed (Figure 4).

    Click Activate to protect Prey (Figure 5).

    The Prey app menu is simple with several options available (Figure 6).

    Accessing the Device section of the Control Panel, you will see the registered Android device (Figure 7).

    Key Features
    The Prey app starts collecting information pertaining to its current state when the SMS activation message is sent to the device.

    The app starts to acquire Geo and Network information about its location silently in the background. The app will harness the gadget's internal GPS or Wifi hotspots to reveal its geographical location and IP address (Figure 8).

    Click on SMS activation message from the Prey app menu to enter your predefined SMS text message that

    Figure 1. Prey app
    Figure 2. Prey registration prompt


    (IL)LEGAL

    Facebook and the Fuzz
    Smartphones, Social Media, and Policing Civil Disturbances

    Mobile telecoms is a very, very hot topic in Britain this year. Much of the year saw the investigation playing out around mobile phone hacking by journalists; this apparently touched everyone from the Queen to various minor celebrities. In reality, the hacking in question was nothing more than some journalists being aware of how to access voicemail for which default PIN codes were in use. Nonetheless, the scandal involved politicians on all sides, and led to calls for the resignation of the Prime Minister.

    Perhaps more important, however, is the role of the Blackberry in the wave of riots and looting that burned across the UK in August. On Thursday 4th August, a 29 year old man was shot by police in the north London suburb of Tottenham, in an incident allegedly involving an illegal firearm. The next day, peaceful protests began against police. Police shootings are rare in the UK; in the last three years there have been a total of eight. By the evening of Saturday the 6th of August, these had turned into violent attacks against businesses and the police. By Sunday evening, more attacks were occurring in other London districts, such as Brixton, Battersea (15 km

    Figure 1. Mobile subscriptions per 100 inhabitants


    INTERVIEW

    Interview With David Harley
    David Harley is an IT security researcher, author and consultant to the security industry living in the United Kingdom, known for his books on and research into malware, Mac security, anti-malware product testing, and management of email abuse. He is a director of the Anti-Malware Testing Standards Organization, a Fellow of the BCS Institute, and runs the Mac Virus website, and we persuaded him to take some time out from talking to the press and writing presentations to talk to us instead.

    How did you get started in the field of Anti-malware research?
    I think I actually told part of that story in Viruses Revealed, but I'm happy to revisit it. Perhaps it will gain a bit of glamour since I'm now ten years further away from the event. In 1989 I was working (primarily as an administrator) for a research department in a hospital in London, but I was taken on by what was then the Imperial Cancer Research Fund (now Cancer Research UK) to work with a small team set up to run a couple of major meetings/conferences for people involved in the Human Genome Mapping Project. Just after I started there, the hospital rang me to ask about a problem they had with the AIDS trojan (http://en.wikipedia.org/wiki/AIDS_(trojan_horse)). As it happened, while I had no direct involvement in security at the time, I knew enough about that trojan to refer them to Jim Bates, who'd cracked the encryption and had developed tools to remove the malware and reverse the encryption. I always say that I can remember the beginning of my involvement in security because it was the same day that my daughter was born, and in fact I got the phone call just as I was on my way out to the hospital.

    I set up antivirus on workstations for the HGM11 conference: Dr. Solomon's provided us with free scanning software and I wrote some utilities to make it harder to escape the eagle eye of what was essentially an on-demand scanner: not quite a complete memory-resident shell, but a suite of MS-DOS utilities that I used to enforce scanning at login and logout, scheduled scanning, in fact several of the features we now take for granted in modern security software in a multi-tasking operating system. Subsequently, I was taken on by the IT unit, and one of my first jobs was to clean up and document the AV installation process, I was commissioned to do an article on viruses for an external newsletter, and things kind of snowballed from there.

    In one of your bios, it was mentioned that you are interested in the psychosocial aspects of Security. What exactly do you mean by that?
    Probably this reflects my academic background, which is a slightly strange mixture: I started off in the 1960s reading social sciences and psychology, and at the time I started to drift into security, I was finishing what was primarily a computer science degree. But I actually think that makes for quite a good mixture in this field. While I'd like to think I have a better than fair technical grasp of the topics I'm alleged to be expert in, I haven't been a hands-on tech guy for a long time, and there are many people who can do malware analysis and development better than I do, but I think that it's important to have people in the industry who can place malware and anti-malware technology in a broader social context. Technology is critical, but you can't, as they say, fix social problems with purely technical solutions.


    In the next issue of Extra magazine: Botnets
    Available to download on October 15th

    If you would like to contact the Hakin9 team, just send an email to [email protected]. We will reply a.s.a.p.

    Soon in Hakin9!
    Online Anonymity, Social Network Security, Exploiting Software, Rootkits, Hacking Data, Security SQL Injection, Stuxnet, Port scanner, IP scanners, ISMS, Security Policy, Data Recovery, Data Protection Act, Single Sign On, Standards and Certificates, Biometrics, E-discovery, Identity Management, SSL Certificate, Data Loss Prevention, Sharepoint Security, Wordpress Security
