Black Hat: Macs Under Attack?

Mac Hack at Black Hat?

WASHINGTON — Hacking Apple Mac OS X is no easy task. Just ask security researcher Vincenzo Iozzo.

Iozzo today delivered a session on Mac OS X hacking here at the Black Hat security conference, where he attempted to show how he had developed a new vulnerability that allows for a hacker to executes arbitrary code on Apple’s OS X.

But if anything, the effort demonstrated that Apple users don’t have much to fear — for now, at least.

“The attack can only work if you already have access to the machine,” Iozzo said during his presentation. “The attack is not a magic [wand] that can own every machine in your network. You need to have an exploit to gain remote access. This is not for exploiting a new machine from the beginning.”

Iozzo’s finding hinges on injecting a malicious payload directly into OS X memory, bypassing some of Apple’s security filters. According to the researcher, an attack by way of memory injection marks a potentially new and dangerous attack vector for the Mac, which thus far has been largely exempt from the threat of malware plaguing Windows systems.

While it’s unclear whether Iozzo’s discovery could be a harbinger of things to come for Apple users, the attack could have wide-reaching implications, since it may also potentially lead to exploitation of Apple’s iPhone, which shares a similar structure and uses the Safari Web browser, Iozzo said.

Apple spokespeople did not return a request for comment on the presentation by press time.

Iozzo’s presentation at Black Hat comes barely a week after Apple last patched Mac OS X in an update that one security researcher criticized as having taken too long to fix a particular Safari flaw.

Black Hat sessions on Mac security are somewhat of a recent tradition. Earlier this year in a Webcast, researchers discussed Apple Mac security and alleged that the best security feature of OS X is its market share — or lack thereof. The Black Hat Las Vegas 2008 conference also included a pair of Mac security sessions where released a Mac OS X rootkit called Irk. A year ago at Black Hat DC 2008, security researcher Tiller Beuchamp released a Dtrace-based toolfor offensive and defensive security operations on a Mac.

Iozzo’s latest vulnerability findings involve encapsulating shellcode that he calls an autoloader, and injecting it into binary code. The next step is to execute the autoloader in the address space of the attacked process in order to deliver the payload.

In a detailed presentation today, Iozzo explained how his new technique could exploit OS X memory. He noted that his autoloader impersonates the Mac OS X kernel, un-maps the old binary from an existing application process and then maps the new one on the victim’s Mac.

Apple’s Mac OS X uses a technique called Address Space Layout Randomization (ASLR) that could potentially thwart such attempts at memory infection by scrambling memory. But an autoloader could be able to get around ASLR, since not all memory libraries are always randomized, he said.

How likely this seems remains to be seen, however. Iozzo ultimately ran into problems attempting to demonstrate his attack in front of the live Black Hat audience, due to unknown technical difficulties with his presentation Mac. (At one point, Iozzo exclaimed, “This is awful — I cannot show you the command line.”)

Though he ran into obstacles, Iozzo claimed that he is planning on speaking on the topic of Apple security again at the Black Hat Europe conference in April. At that time, he plans to talk about how the same vulnerability appears in the Apple iPhone, in a session he hopes to present alongside mobile hacker Charlie Miller.

News Around the Web