In recent days, after an article on The Register, there was a lot of buzz regarding a vulnerability that affects Mac OS X. The author of the discovery is an italian security researcher, Vincenzo Iozzo, that we decided to interview (italian version available) to obtain some more details.
My attack is an implementation of a technique called userland-exec. This technique makes it possible to launch an executable on a machine without invoking the kernel and that it is present on your disk. But it can not be considered a vulnerability in the usual sense. In fact, the attack is made possible in practice because of an inherent problem of Mac OS X has long known, namely the lack of randomization dynamic linker within space processes.
It should be noted that my technique does not allow to break into a machine more easily, but makes it easier the execution of code within the system attacked. The innovation of my research is the fact you can inject into a process not just a simple shellcode but an entire executable, in the past this was not possible on OS X.
Using the vulnerability you can prevent intrusion detection systems to identify malicious software on the system. What are the difficulties, for computer forensic analysis, on a machine compromised with your exploit code?
The payload developed by me does not leave traces on the hard disk of the victim system. It is therefore possible to detect the attack using a network intrusion detection system, or by using an anomaly intrusion detection system. Currently, however, such systems are not on the market because of the difficulties of daily use. You can also detect the compromise of the system by investigating the address space of the victim machine.
This attack makes it more difficult investigation for forensic analysis since, if the machine was turned off, there would be no more traces
The vulnerability that you discovered affects only XNU kernel used by Apple or could also affects other *BSD-like systems?
There are implementations of userland-exec on other operating systems, including BSD-like systems. On Windows systems, meterpreter, payload in Metasploit, can be considered a partial implementation of this attack.
What tools have you used for revealing this vulnerability on Mac OS? What is your toolbox when you go hunting for bugs?
When I search, the tools I use are: gdb, IDA Pro and BinDiff.
After the talk, do you plan to release an exploit integrated in Metasploit Framework?
After the talk I will release a proof of concept for Mac OS X 10.5 written in C. At the time, I did not plan to rewrite the code in Ruby to integrate with Metasploit.
Do you think that your discovery represents a threat for Mac OS X’s security, or those who use Mac are still a more difficult target than Windows users?
Unfortunately, the media coverage of my research has distorted the perception of what it really represents. It is not designed to spread malware, so the percentage of attacks to be conducted on Mac OS X will remain unchanged. However, it could make attacks more sophisticated and increase the difficulty identifying.
Are you already working to identify some new vulnerability?
First things first, I’m finishing the material for Black Hat DC. I would like to conclude the interview denying italian articles that, perhaps because of an incorrect translation, assigned me the role of researcher at Politecnico di Milano. As stated by Dan Goodin on The Register, I am a student and not a researcher at Politecnico di MIlano.