PCIleech -vs- Apple Mac OS X

It appears macOS 10.12.2 ships firmware-related security updates that provide some defense against PCILeech (a DMA attack over Thunderbolt):

http://blog.frizk.net/2016/12/filevault-password-retrieval.html
https://github.com/ufrisk/pcileech

 macOS FileVault2 Password Retrieval

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
[…]
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
[…]
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.
[…]”

Look at recent tweets from Xeno Kovah; he has multiple posts with information about the 10.12.2 update:

https://twitter.com/XenoKovah/

Firmware passwords:
https://support.apple.com/en-us/HT202796
https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409

I’ll admit, I didn’t find any firmware information in their release:
https://support.apple.com/en-us/HT207423

CHIPSEC ported to Apple Mac OS X!

Wow, CHIPSEC has been ported to Mac OS X! This is great news for Mac owners. CHIPSEC requires a native kernel driver to back its HAL (hardware abstraction layer). Until now there were only Linux and Windows HAL drivers, so Mac OS X users had to reboot into a Linux-based distro that bundles CHIPSEC (e.g., LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of firmware blobs. Note the caveat in the README below: the driver is unsigned, so loading it means turning off System Integrity Protection, which you should re-enable when you are done.

OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
    https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
3. Reboot and load the driver
   # kextutil chipsec.kext
4. Within the source/tool directory, run:
   # python chipsec_util.py spi info
   # python chipsec_util.py spi dump rom.bin
5. Unload the driver
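Once `chipsec_util spi dump rom.bin` has written an image, the first thing to check is that you actually got a flash image rather than a buffer of 0xFF bytes, and that two consecutive reads agree. The script below is an added example (not part of CHIPSEC or the OS X driver) that checks the dump for an Intel flash descriptor (every Intel-based Mac has one), lists the regions it describes, and compares the SHA-256 of two dumps. The script name `spi_check.py` and the sample image are constructed for this example; the descriptor field layout (signature at 0x10, FLMAP0 at 0x14, FLREGn at FRBA) is the standard Intel layout that CHIPSEC's own `spi info` decodes.

```python
"""Sanity-check an SPI flash dump (e.g. rom.bin from `chipsec_util spi dump`).

Added example, not part of CHIPSEC.  Assumes the image begins with an Intel
flash descriptor, as on every Intel-based Mac.
"""
import hashlib
import struct
import sys

FLVALSIG = 0x0FF0A55A        # Intel flash descriptor signature value
FLVALSIG_OFFSET = 0x10       # the signature sits at byte 0x10 of the image
FLMAP0_OFFSET = 0x14         # FLMAP0 immediately follows the signature
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_flash_regions(image):
    """Return {region: (base, limit)} from the descriptor's FLREG entries,
    or None when the image carries no valid descriptor signature."""
    if len(image) < FLMAP0_OFFSET + 4:
        return None
    (sig,) = struct.unpack_from("<I", image, FLVALSIG_OFFSET)
    if sig != FLVALSIG:
        return None
    (flmap0,) = struct.unpack_from("<I", image, FLMAP0_OFFSET)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # Flash Region Base Address
    regions = {}
    for index, name in enumerate(REGION_NAMES):
        offset = frba + 4 * index
        if offset + 4 > len(image):
            break
        (flreg,) = struct.unpack_from("<I", image, offset)
        base = (flreg & 0x1FFF) << 12                    # 4 KiB granularity
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:                                 # region not present
            continue
        regions[name] = (base, limit)
    return regions


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dumps_match(first, second):
    """Two back-to-back dumps should be byte-identical; a mismatch means the
    read was unreliable, or something changed the flash between the dumps."""
    return len(first) == len(second) and sha256_hex(first) == sha256_hex(second)


def build_sample_image():
    """Constructed 64 KiB image whose descriptor describes two regions.
    Not a real Mac ROM; it exists only so the example runs offline."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<I", img, FLVALSIG_OFFSET, FLVALSIG)
    struct.pack_into("<I", img, FLMAP0_OFFSET, 0x00040003)   # FRBA = 0x40
    flregs = (0x00000000,   # Descriptor: 0x0000-0x0FFF
              0x000F0001,   # BIOS:       0x1000-0xFFFF
              0x00001FFF,   # ME:  unused (base > limit)
              0x00001FFF,   # GbE: unused
              0x00001FFF)   # PDR: unused
    for i, value in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, value)
    return bytes(img)


def report(image):
    regions = parse_flash_regions(image)
    print("size: 0x%x  sha256: %s" % (len(image), sha256_hex(image)))
    if regions is None:
        print("no Intel flash descriptor signature at 0x%x" % FLVALSIG_OFFSET)
        return
    for name, (base, limit) in regions.items():
        print("%-10s 0x%08x-0x%08x" % (name, base, limit))


if __name__ == "__main__":
    paths = sys.argv[1:]
    images = [open(p, "rb").read() for p in paths] if paths else [build_sample_image()]
    report(images[0])
    if len(images) == 2:
        print("dumps match" if dumps_match(*images) else "DUMPS DIFFER")
```

Run it as `python spi_check.py rom.bin rom2.bin` after dumping twice. A missing signature usually means the driver could not map the SPI controller (SIP still on, wrong kernel, unsupported chipset) rather than an exotic ROM layout, and differing hashes mean neither dump should be trusted as a baseline for later integrity comparisons.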

https://github.com/chipsec/chipsec/blob/master/source/drivers/osx/README

https://github.com/chipsec/chipsec/pull/69

https://github.com/chipsec/chipsec/commit/b00c037101523212725c60d35f3f70b168a44e1c

With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort; Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out HexRaysCodeXplorer, a plugin for the Hex-Rays Decompiler. It is very powerful, and builds are now available for Mac OS X users.

http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac

The Hex-Rays Decompiler plugin for better code navigation in the RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

 

Apple security updates for iOS and OSX

Apple has released security updates for iOS, OS X El Capitan, and Safari to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

https://www.us-cert.gov/ncas/current-activity/2016/01/19/Apple-Releases-Security-Updates-iOS-OS-X-El-Capitan-and-Safari

https://support.apple.com/en-us/HT205732

https://support.apple.com/en-us/HT205731

 

MacDBG: new Mac OS X debugger

Tyler Bohan has released a new debugging tool for Mac OS X, including a Capstone-based disassembler:

Excerpt from readme:

Mac Debugger is a simple, easy-to-use C and Python debugging framework for OSX. Mac Debugger was created with the focus on giving the programmer a powerful framework to programmatically create scripts to debug programs on Mac OSX not found in other products for the platform. The core of macdbg, written in C, is kept as minimal as possible to provide enough basic interaction between the kernel and userland to create powerful features. Higher level functionality is left to the Python implementation such as stack tracing, disassembly, watchpoints, thread state, and more. A wrapper class is provided for the programmer to create a scripting program. […]

https://github.com/blankwall/MacDBG

IOKit-Dumper

OS X tool for dumping and reconstructing the IOKit classes hierarchy. iokit-dumper directly generates DOT files, which can then be processed with the dot tool. Keep in mind this tool is in its early release, so stuff may happen. Also, be careful when playing with the code, since a wrong read in the kernel will cause a kernel panic. Remember to always slide kernel addresses before reading from them.

https://github.com/jndok/iokit-dumper
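A DOT file of the class hierarchy is most useful once you can query it: which classes sit under IOService, and which are IOUserClient subclasses (the part of the kernel attack surface that userland reaches through external methods). The following is an added example, not code from iokit-dumper, that parses DOT edges into a tree. The sample graph is constructed for the example, and it assumes each edge is written parent -> child; if the tool emits child -> parent, swap the two groups in `parse_dot_edges`.

```python
"""Query the class-hierarchy DOT output of a tool such as iokit-dumper.

Added example, not part of iokit-dumper.  Edge direction (parent -> child)
is an assumption about the tool's output; swap the tuple if it is reversed.
"""
import re

# Constructed sample, not real iokit-dumper output.
SAMPLE_DOT = """digraph iokit {
    "OSObject" -> "IORegistryEntry";
    "IORegistryEntry" -> "IOService";
    "IOService" -> "IOUserClient";
    "IOService" -> "IOPCIDevice";
    "IOUserClient" -> "IOSurfaceRootUserClient";
}
"""

# Matches quoted or bare identifiers on either side of "->"; attributes in
# [...] after the edge are ignored because the match stops at the identifier.
EDGE_RE = re.compile(r'"?([A-Za-z_][\w:]*)"?\s*->\s*"?([A-Za-z_][\w:]*)"?')


def parse_dot_edges(text):
    """Return a list of (parent, child) pairs found in the DOT text."""
    return [(m.group(1), m.group(2)) for m in EDGE_RE.finditer(text)]


def ancestry(edges, cls):
    """The class followed by its superclasses up to the root.
    Stops on a cycle so a malformed graph cannot loop forever."""
    parent_of = {child: parent for parent, child in edges}
    chain = [cls]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return chain


def subclasses(edges, cls):
    """All transitive subclasses of cls, sorted (cycle-safe)."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    seen, stack = set(), list(children.get(cls, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(children.get(current, []))
    return sorted(seen)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOT
    edges = parse_dot_edges(text)
    print("%d edges" % len(edges))
    # User clients are what userland reaches via IOConnectCallMethod and
    # friends, so this list is the first place to look for kernel attack surface.
    for name in subclasses(edges, "IOUserClient"):
        print("user client: %s  <- %s" % (name, " <- ".join(ancestry(edges, name)[1:])))
```

Point it at a real dump with `python iokit_tree.py hierarchy.dot` (script name chosen here); the DOT parsing is deliberately loose so it also accepts hand-edited graphs.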

osxlockdown

https://summitroute.com/blog/2015/12/29/osxlockdown/

https://github.com/SummitRoute/osxlockdown

SummitRoute has a new Mac OS X security tool, osxlockdown. An excerpt from the readme follows; note especially the scarily humorous warnings at the end. 🙂

osxlockdown was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan).

This checks and flips various configuration settings. This is a compilation of numerous resources listed in the Resources section which could be converted to bash scripts. This is different than those resources in that instead of requiring the user to read a 100+ page doc, click through numerous GUIs, and try to decide if some esoteric output is good or bad, this tool combines all the steps into a single command. This tool is focused on enterprise deployments of OSX with regard to what it does, but made to be usable for stand-alone home users as well. Running the command by itself will tell you which audit checks passed and failed. Adding the --remediate flag will fix the problems identified. The commands.json file may be edited to disable certain rules by setting enabled to false.

Warning: Many of the rules disable functionality in the name of security. This may make you sad.

Warning: System commands and dark arts are involved, so ensure you have your system backed up first.
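The audit/remediate loop the readme describes is easy to drive from a script when you want to disable rules per machine class before rolling the tool out. The block below is an added example, not osxlockdown's own code: the page only documents the `enabled` key of commands.json, so the `title`, `audit_command`, `audit_expected_output` and `remediation_command` field names are assumed for illustration, and the sample rules use portable `echo` commands (constructed here) instead of the real `defaults`/`spctl`/`socketfilterfw` invocations so the example runs anywhere.

```python
"""Drive an osxlockdown-style commands.json: toggle rules and run audits.

Added example, not osxlockdown's own code.  Only "enabled" is documented on
the page; the other field names are assumptions made for this example.
"""
import json
import subprocess

# Constructed rules with portable commands; real rules call defaults(1),
# spctl(8), socketfilterfw and similar.  Only "Gatekeeper enabled" passes.
SAMPLE_COMMANDS_JSON = json.dumps([
    {"title": "Gatekeeper enabled", "enabled": True,
     "audit_command": "echo 'assessments enabled'",
     "audit_expected_output": "assessments enabled",
     "remediation_command": "echo would-run: spctl --master-enable"},
    {"title": "Firewall enabled", "enabled": True,
     "audit_command": "echo 0",
     "audit_expected_output": "1",
     "remediation_command": "echo would-run: socketfilterfw --setglobalstate on"},
    {"title": "Screen saver password", "enabled": False,
     "audit_command": "echo 0",
     "audit_expected_output": "1",
     "remediation_command": "echo would-run: defaults write com.apple.screensaver askForPassword -int 1"},
])


def load_rules(text):
    return json.loads(text)


def set_enabled(rules, titles, enabled):
    """Flip 'enabled' for the named rules in place; returns how many changed."""
    changed = 0
    for rule in rules:
        if rule["title"] in titles and rule["enabled"] != enabled:
            rule["enabled"] = enabled
            changed += 1
    return changed


def run(command):
    """Run a rule's shell command and return its trimmed stdout."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def audit(rules, remediate=False):
    """Return {title: passed} for enabled rules.  With remediate=True a
    failing rule's remediation command runs and the audit is repeated, so
    the result reflects the post-remediation state."""
    results = {}
    for rule in rules:
        if not rule["enabled"]:
            continue
        expected = rule["audit_expected_output"]
        passed = run(rule["audit_command"]) == expected
        if not passed and remediate:
            run(rule["remediation_command"])
            passed = run(rule["audit_command"]) == expected
        results[rule["title"]] = passed
    return results


if __name__ == "__main__":
    rules = load_rules(SAMPLE_COMMANDS_JSON)
    for title, passed in audit(rules).items():
        print("%s  %s" % ("PASS" if passed else "FAIL", title))
    # Write the edited rule set back out, as you would for commands.json.
    set_enabled(rules, {"Firewall enabled"}, False)
    print(json.dumps(rules, indent=2))
```

Because every rule is an arbitrary shell string executed as root during remediation, treat commands.json as code: review diffs to it and keep it under the same change control as the rest of your configuration management.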

RehabMan’s ACPI tools for OSX

I just noticed the project Laptop-DSDT-Patch, by RehabMan. It contains “Common DSDT patches for Ivy/Sandy/Haswell laptops for running OS X”, so it is aimed at ‘hackintosh’ users who run Apple’s OS X on non-Apple hardware and have to cope with that hardware’s firmware, particularly ACPI’s DSDT table. It is a nice example of how the modding community produces interesting firmware tools, if nothing else.

Quoting from the beginning of RehabMan’s HP-ProBook-4x30s wiki on How to patch your DSDT (useful background even if you don’t have this HP model):

Although there are pre-patched DSDTs available as downloads from the tonymacx86.com forums and in installer packages such as the HP ProBook Installer, there can be differences in individual DSDTs that can cause delays in booting and perhaps other problems. Perhaps there are slight differences in BIOS settings, memory installed, etc, that is causing these differences. It is best, therefore, to patch your own DSDT and install it into /Extra/dsdt.aml (Chameleon) or EFI/Clover/ACPI/patched (Clover). I have included five different methods for extracting your native DSDT. Just pick the method that seems easiest for you. The easiest one will depend on whether you still have Windows installed, whether you already have a Linux USB stick prepared, and just how familiar you are with both systems.

Quoting from the OSx86 wiki, for the Mac OSX-perspective on it, ACPI’s DSDT is:

The Differentiated System Description Table is the main table in the ACPI part of a computer’s BIOS. The Advanced Configuration and Power Interface (ACPI) defines a large number of tables that provide the interface between an ACPI-compliant operating system and system firmware. These allow description of system hardware in a platform-independent manner in ACPI Machine Language (AML). The problem is that OS X has an incomplete ACPI implementation which supports only a subset of DSDT. Modifying the DSDT allows the user to better support their hardware. For example, fixing Time Machine and the UUID 35 error is possible after modifying the DSDT. To patch your DSDT, you must either use a new table file that someone else has provided, or extract and modify your own. Then tell your bootloader to use the new DSDT file instead of the BIOS. On a few motherboards it is also possible to replace the BIOS with an updated BIOS with a patched DSDT. One of the simplest ways to extract your DSDT from your BIOS is by using DSDT Editor. Once you have downloaded DSDT Editor, open it and press File –> Extract DSDT. After 2-15 seconds, your DSDT should appear on the screen.

Look at the various ACPI-centric projects RehabMan has; there are many! Also, the Ubuntu wiki and the SmackerelOfOpinion blog are both excellent for ACPI diagnostic tips.

These ‘modding community’ ACPI changes for OS X are educational: they show how people extend their purchases to use cases the vendor never imagined. As systems get more tamper-proof, it seems likely that users will have less and less ability to change things. [There also exists a HUGE modding community of photographers and their smart cameras (embedded devices). They add amazing new features. The other day I saw one talk about how they update the system to be able to take pictures of lighting better. Nice example of how owners can add features to their purchases, if able to update their firmware. 🙂 And of course there is custom ‘firmware’ for smartphones, entire distros.]

Personal modding hobbies aside, how much time, if any, do enterprise sysadmins currently spend fixing OEM ACPI tables and other firmware features, to make their systems work properly?
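Whichever extraction method you use, a patched DSDT is still just a binary ACPI table with the standard 36-byte header, and the one thing a hand edit breaks every time is the header checksum (iasl recomputes it when it compiles; a hex editor does not). The block below is an added example, not part of RehabMan's tools, DSDT Editor or iasl: it parses the header, verifies that all bytes of the table sum to zero modulo 256, and recomputes the checksum after a patch. The sample DSDT is constructed (its body is a placeholder, not valid AML) and the OEM strings in it are made up.

```python
"""Parse an ACPI table header and verify or recompute its checksum.

Added example; not part of any DSDT patching tool.  The header layout is
the standard ACPI System Description Table Header.
"""
import struct
import sys

# Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision,
# Creator ID, Creator Revision: 36 bytes, little-endian.
HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9
FIELDS = ("signature", "length", "revision", "checksum", "oem_id",
          "oem_table_id", "oem_revision", "creator_id", "creator_revision")


def parse_header(table):
    return dict(zip(FIELDS, HEADER.unpack_from(table, 0)))


def checksum_ok(table):
    """All bytes covered by the Length field must sum to 0 mod 256.
    A truncated table (Length beyond the data) is reported as bad."""
    if len(table) < HEADER.size:
        return False
    length = parse_header(table)["length"]
    if length < HEADER.size or length > len(table):
        return False
    return sum(table[:length]) & 0xFF == 0


def fix_checksum(table):
    """Return a copy of the table with the checksum byte recomputed."""
    fixed = bytearray(table)
    fixed[CHECKSUM_OFFSET] = 0
    length = parse_header(fixed)["length"]
    fixed[CHECKSUM_OFFSET] = (-sum(fixed[:length])) & 0xFF
    return bytes(fixed)


def build_sample_dsdt(body=b"\x10\x0a\x5c\x5f\x53\x42\x5f\x08\x5f\x41\x44\x52\x0a\x00"):
    """Constructed DSDT: real header layout, placeholder body (not valid AML),
    made-up OEM strings."""
    header = HEADER.pack(b"DSDT", HEADER.size + len(body), 2, 0,
                         b"APPLE ", b"Apple00 ", 1, b"INTL", 0x20160422)
    return fix_checksum(header + body)


def describe(table):
    h = parse_header(table)
    return "%s len=%d rev=%d oem=%s/%s checksum=0x%02x %s" % (
        h["signature"].decode("ascii", "replace"), h["length"], h["revision"],
        h["oem_id"].decode("ascii", "replace").strip(),
        h["oem_table_id"].decode("ascii", "replace").strip(),
        h["checksum"], "OK" if checksum_ok(table) else "BAD")


if __name__ == "__main__":
    table = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dsdt()
    print(describe(table))
    # Simulate a hex-editor patch of one body byte: the old checksum no longer
    # holds, and fix_checksum() is what has to happen before installing it.
    patched = bytearray(table)
    patched[-1] ^= 0x01
    print("after patch:", describe(bytes(patched)))
    print("after fix:  ", describe(fix_checksum(bytes(patched))))
```

Run it against a real table with `python acpi_checksum.py dsdt.aml` (script name chosen here). The same header parser works for any table acpidump produces (SSDT, FACP, and so on), since they all share this header.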

More Info:
https://github.com/RehabMan/Laptop-DSDT-Patch
https://github.com/RehabMan/HP-ProBook-4x30s-DSDT-Patch/wiki/How-to-patch-your-DSDT
https://bitbucket.org/RehabMan/os-x-maciasl-patchmatic
http://www.insanelymac.com/forum/topic/223205-dsdt-editor-and-patcher/
https://github.com/RehabMan?tab=repositories
http://uefi.org/acpi
http://smackerelofopinion.blogspot.com/2009/10/dumping-acpi-tables-using-acpidump-and.html
http://acpi.sourceforge.net/dsdt/
https://01.org/linux-acpi/documentation/overriding-dsdt
http://www.tldp.org/HOWTO/ACPI-HOWTO/dsdt.html
http://wiki.osdev.org/DSDT
http://wiki.osx86project.org/wiki/index.php/DSDT
https://msdn.microsoft.com/en-us/library/windows/hardware/dn495660%28v=vs.85%29.aspx#dsdt
https://wiki.debian.org/OverridingDSDT
http://www.insanelymac.com/forum/topic/278170-dsdt-%E2%80%94-what-is-it-and-how-do-i-get-it/
https://wiki.ubuntu.com/Kernel/Reference/ACPITricksAndTips
https://www.kernel.org/doc/Documentation/acpi/dsdt-override.txt
http://smackerelofopinion.blogspot.com/search/label/ACPI
http://clover-wiki.zetam.org/Configuration/ACPI#DSDT