32
Kevin Backhouse Semmle Security Research Team

Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

Kevin Backhouse

Semmle Security Research Team

Page 3: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

1. TCP/IP packet structure2. Raw socket programming in C (on Linux)3. XNU’s mbuf datatype4. Using RPC to implement a fake NFS server5. QL query writing

Page 7: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 8: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

ipoptions

tcpoptions

payload

20bytes

0 - 40 bytes

20bytes

0 - 40bytes

0-64kbytes

Page 10: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 11: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 12: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

Timeline:

─ 2017-07-14 Reported bug (CVE-2017-13904) to Apple─ 2018-02-09 Asked Apple: “When is it going to be fixed?”─ 2018-02-13 Apple: “We fixed it in December.”

So I had another look ...

Page 13: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 14: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 15: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 16: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 17: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ No source code until Oct 2018─ Turns out they forgot to fix one of the infinite loop bugs

Page 20: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ Now I know what to look for:─── (aka )──

─ Use dataflow/taint analysis to search for flow from to , to , etc.

Page 21: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 22: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 23: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 24: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ Use rpcgen to create an RPC server application.─ Simplest bug happens at mount time, so only need to

implement a handful of operations:─ NFSPROC3_NULL─ MOUNTPROC3_NULL─ MOUNTPROC3_MNT (returns malicious file handle)

─ Source code is on GitHub.─ Just 46 lines of C and 63 lines of RPC language!

Page 25: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 26: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─
Page 29: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ Source: ─ Sink:

Page 30: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ Sends an error message when something goes wrong, using the ICMP protocol

─ For example: calls when the ip options are invalid

─ How the exploit works:─ Send a TCP packet with invalid ip options─ Make the TCP/IP headers as big as possible (120 bytes)

Page 31: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

─ I have taken a break from XNU and am looking at other open source projects─ Goal for 2019: learn exploitation techniques

─ Is XNU’s networking code bug-free now?─ I doubt it─ alone is 3428 lines long─ Not algorithmically complex, just lots and lots of cases

Page 32: Semmle Security Research Team Kevin Backhouse · ─ I have taken a break from XNU and am looking at other open source projects ─ Goal for 2019: learn exploitation techniques ─

Semmle