Uncategorized

PCIleech -vs- Apple Mac OS X

It appears Mac OS X 10.12.2 has some firmware-related security updates, with some defense against PCILeech:

http://blog.frizk.net/2016/12/filevault-password-retrieval.html
https://github.com/ufrisk/pcileech

 macOS FileVault2 Password Retrieval

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
[…]
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
[…]
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.
[…]”

Look at recent Tweets from Xeno Kovah, he has multiple posts with information about the 10.12.2 update:

https://twitter.com/XenoKovah/

Firmware passwords:
https://support.apple.com/en-us/HT202796
https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409

I’ll admit, I didn’t find any firmwaer information in their release:
https://support.apple.com/en-us/HT207423

Standard
Uncategorized

CHIPSEC ported to Apple Mac OS X!

Wow, CHIPSEC is ported to Mac OS X! This is great news for Mac owners! CHIPSEC requires a native kernel driver to support CHIPSEC’s HAL. Before this, there was only Linux and Windows HAL drivers for CHIPSEC, so Mac OS X users had to reboot with a Linux-based distro which had CHIPSEC (eg, LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of blobs.

OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
    https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
3. Reboot and load the driver
   # kextutil chipsec.kext
4. Within the source/tool directory, run:
   # python chipsec_util.py spi info
   # python chipsec_util.py spi dump rom.bin
5. Unload the driver

https://github.com/chipsec/chipsec/blob/master/source/drivers/osx/README

https://github.com/chipsec/chipsec/pull/69

https://github.com/chipsec/chipsec/commit/b00c037101523212725c60d35f3f70b168a44e1c

With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort, Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂

Standard
Uncategorized

Howto Triple Boot Linux/Windows/MacOSX on a UEFI system

I have just completed an installation of OS X, Windows 10 and Ubuntu 16.0.4 LTS on a single 1Tb HDD on an Asus P8Z77i-Deluxe. It is amazing how easy it is today to Multiboot these 3 OS’s on UEFI systems […]

http://www.tonymacx86.com/threads/guide-multibooting-uefi.197352/

Standard
Uncategorized

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out the Hex-Rays Decompiler plugin is very powerful, and now available for Mac OS X users.

http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac

The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

 

Standard
Uncategorized

Details on OS X syslogd bug

In a verbose blog post, with lots of screenshots and figures, Pedro Vilaca describes details about the recent Apple Mac OS X syslogd bug:

Reversing Apple’s syslogd bug

Standard
Uncategorized

Apple security updates for iOS and OSX

Apple has released security updates for iOS, OS X El Capitan, and Safari to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

https://www.us-cert.gov/ncas/current-activity/2016/01/19/Apple-Releases-Security-Updates-iOS-OS-X-El-Capitan-and-Safari

https://support.apple.com/en-us/HT205732

https://support.apple.com/en-us/HT205731

 

Standard
Uncategorized

MacDBG: new Mac OS X debugger

Tyler Bohan has released a new debugging tool for Mac OS X, including a Capstone-based dissassembler:

Excerpt from readme:

Mac Debugger is simple easy to use C and python debugging framework for OSX. Mac Debugger was created with the focus on giving the programmer a powerful framework to programatically create scripts to debug programs on Mac OSX not found in other products for the platform. The core of macdbg, written in C, is kept as minimal as possible to provide enough basic interaction between the kernel and userland to create powerful features. Higher level functionality is left to the Python implementation such as stack tracing, dissasembly, watchpoints, thread state, and more. A wrapper class is provided for the programmer to create a scripting program. […]

https://github.com/blankwall/MacDBG

Standard