MountEFI – mac tool to select drive containing an EFI to mount

This Mac-centric bash script has been rewritten as a Mac-centric Python script:

“A more robust edition of my previous MountEFI script. Added my usual collection of disk functions – plus some experimentation with callback functions.

def custom_quit():
     head(“MountEFI”)
     print(“by CorpNewt\n”)
     print(“Thanks for testing it out, for bugs/comments/complaints”)
     print(“send me a message on Reddit, or check out my GitHub:\n”)
     print(“www.reddit.com/u/corpnewt”)
     print(“www.github.com/corpnewt\n”)
     print(“Have a nice day/night!\n\n”)
exit(0)

https://github.com/corpnewt/MountEFI

macOS vuln in IOHIDFamily

Siguza, 01. Dec 2017 (published 31. Dec 2017)
IOHIDeous

“IOHIDFamily once again.”
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user. IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.[…]

https://siguza.github.io/IOHIDeous/
https://github.com/Siguza/IOHIDeous/blob/master/docs/index.md

https://github.com/Siguza/iokit-utils
https://github.com/Siguza/hsp4
https://github.com/Siguza/ios-kern-utils

efivalidate (and mojo_thor)

Rick Mark has released efivalidate, a macOS-centric Ruby-based EFI checking tool. Also, by same author, Mojo_Thor project has activity. I thought it was a one-time drop, but it is actively being updated:

efivalidate is a ruby utility to take a given input EFI payload from macOS and to compare it against Apple’s validation schema. Being written in ruby this can occur off-box to ensure that the utility itself hasn’t been compromised

https://github.com/rickmark/efivalidate

Loki / Thor / Mojo are a triad of Apple internal tools and malware that infects the SMC, EFI and macOS of Apple MacBooks. It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil)

https://github.com/rickmark/mojo_thor

https://rickmark.me/

Apple macOS High Sierra: can login as root with empty password!

Intel open sources HAXM, Hardware Accelerated Executation Manager for Mac/Windows

Intel Hardware Accelerated Execution Manager (HAXM)

HAXM is a hardware-assisted virtualization engine (hypervisor) that uses Intel Virtualization Technology to speed up IA (x86/ x86_64) emulation on a host machine running Windows or macOS. It started as an Android SDK component, but has recently transformed itself into a general accelerator for QEMU. HAXM can be built as either a kernel-mode driver for Windows or a kernel extension for macOS.[…]

https://github.com/intel/haxm

 

See-also:

https://01.org/android-ia/q-and-a/what-haxm

https://software.intel.com/en-us/articles/intel-hardware-accelerated-execution-manager-intel-haxm

https://github.com/Nukem9/Haxm

Trammell: eficheck finds Thunderstrike 2

Trammell Hudson tests Apple macOS’s eficheck against Thunderstrike2:

https://trmm.net/Thunderstrike
https://trmm.net/Thunderstrike_2
https://support.apple.com/en-us/HT207475

Thunderstrike 2

Apple macOS automatic EFI checks

High Sierra automatically checks EFI firmware each week

Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.[…]

High Sierra automatically checks EFI firmware each week

AFAICT, the article references Tweets from earlier today that appear to have subsequently been deleted from Twitter.

new Apple tools: eficheck (and nvm)

Apple has apparently created a tool for examining Apple Mac EFI firmware, called eficheck. As I understand things, it was released, then pulled due to some issues (bugs?), and is apparently now avabilable in latest macOS updates. Also, it sounds like there might be another tool for NVMe diagnostics.

usage: eficheck: [–save -b] [ –cleanup -b] [–generate-hashes [-b] [-p]] [–integrity-check [-h [-b]]] [–show-hashes [-h] | [-b]]

https://pikeralpha.wordpress.com/2017/08/18/apple-to-cleanup-a-bios-region-of-your-ami-and-phoenix-bios/
https://www.apple.com/macos/sierra/
https://en.wikipedia.org/wiki/MacOS_High_Sierra
https://www.macrumors.com/roundup/macos-10-13/
https://firmwaresecurity.com/2017/01/25/eficheck

Maybe someday there’ll be more info on eficheck, if you find any manpage or other info, please leave a Comment.
https://www.apple.com/us/search/eficheck
https://twitter.com/search?q=eficheck&src=typd

Apple on Secure Kernel Extension Loading

On June 19th, Apple released a document describing how loading secure kernel extensions (.kext) would change with High Sierra and how this would impact enterprise customers.[…]

System Extension Blocked

http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/

https://developer.apple.com/library/content/technotes/tn2459/_index.html

 

Dmytro on Apple PCI-E Thunderbolt

Setting up Mac for EFI development

Setup EFI Development environment on Mac OSX Sierra (10.12.X)

Mikal Villa Mikal Villa • 07/10/2017

Oh no! a lot of text. Well, luckly half of the post is troubleshooting. EFI development setup is easy 🙂

Okay, before starting this guide you should have some tools installed already.[…]

https://0xcc.re/setup-efi-development-environment-on-mac-osx-sierra-10-12-x/

Monitor for macOS

Introducing Monitor.app for macOS
March 31, 2017 | by Stephen Davis | Threat Research
As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only work on Windows though and we love macOS. macOS has some fantastic dynamic instrumentation software included with the operating system and Xcode. In the past, we have used dynamic instrumentation tools such as Dtrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it commonly required us to write D scripts to get the interesting bits. We wanted something simpler. Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host.[…]

https://www.fireeye.com/blog/threat-research/2017/03/introducing_monitor.html

https://www.fireeye.com/services/freeware/monitor.html