Building a USB analyzer with USB armory

https://twitter.com/osxreverser/status/875036408133627904


Armory Sandbox – Building a USB analyzer with USB armory
June 14, 2017
By Pedro Vilaca
Some time ago a friend received a mysterious USB pen with a note talking about some kind of heavily persistent malware. He had that USB pen stored untouched and of course my curiosity took over. Since one should never plug unknown USB devices into a computer (well, any USB device we purchase is unknown but that is another story) and I didn’t want to “burn” a computer just to take a look at the contents, I decided to use my USB armory to build an air-gap sandbox that would be harder to infect and for malware to escape from.[…]

https://sentinelone.com/blogs/armory-sandbox-building-usb-analyzer-usb-armory/

SyScan360

https://www.syscan360.org/en/schedule/

SyScan is happening soon. There are multiple hardware/firmware-level talks, including one on VxWorks. And, since I have a bit of a UEFI focus, there is this one:

Is There An EFI Monster Inside Your Apple?

Pedro Vilaça
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level, they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn’t mean they do not exist. EFI monsters are most certainly part of spy agencies’ rootkit catalogs. Very few tools exist to chase them. This talk is about introducing you to the EFI world so you can also start to chase these monsters. The EFI world might look scary, but it’s a bit easier than you think and a lot of fun. Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.

http://www.businesswire.com/news/home/20151015006011/en/SentinelOne-Apple-Security-Expert-Present-SyScan360

44con presentations available

44con just finished. I didn’t mention this event earlier, but it included a few interesting presentations and workshops:

Is there an EFI monster inside your apple?
Pedro Vilaça

Hands-on JTAG for fun and root shells
Joe FitzPatrick

Pen Test Partners IoT Workshop
Dave Lodge

http://www.slideshare.net/44Con

44CON Homepage

Apple EFI vulnerabilities: CVE-2015-3693 and CVE-2015-3692

From the security-announce@lists.apple.com list, Apple has an EFI update for multiple systems, available via the App Store. Two CVEs are listed:

APPLE-SA-2015-06-30-3 Mac EFI Security Update 2015-001

Mac EFI Security Update 2015-001 is now available and addresses the following:

EFI
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application with root privileges may be able to modify EFI flash memory
Description:  An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca

EFI
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious application may induce memory corruption to escalate privileges
Description:  A disturbance error, also known as Rowhammer, exists with some DDR3 RAM that could have led to memory corruption. This issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working from original research by Yoongu Kim et al (2014)

More Information:
https://support.apple.com/en-us/HT204934
https://lists.apple.com/mailman/options/security-announce/
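The first advisory entry (“insufficient locking issue existed with EFI flash when resuming from sleep states”) is about the SPI flash write-protection registers that firmware programs at boot and must program again when the machine comes back from S3; if it does not, code running as root can reach the flash, which is exactly the stated impact. As an added example, not code from Apple, from the page, or from the researchers credited above, here is a C decoder for the Intel PCH lock registers of the kind a practitioner uses to check that state. The register layout is taken from Intel’s 7/8/9-series PCH datasheets; that the affected Macs use that layout is my assumption, and the two register dumps are constructed to show a locked cold boot beside an unlocked resume.

```c
/*
 * Added example (not Apple's code, not from the advisory): decode the Intel
 * PCH SPI-flash write-protection state that firmware must program at boot
 * and re-program on every resume from S3. Register layout follows the Intel
 * 7/8/9-series PCH datasheets (LPC D31:F0 BIOS_CNTL at 0xDC; SPIBAR HSFS at
 * 0x04, PR0..PR4 at 0x74..0x84); whether a given Mac's chipset matches is an
 * assumption. All register values below are constructed, not dumped.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bits (8-bit register at D31:F0 offset 0xDC) */
#define BIOSWE   (1u << 0)   /* BIOS Write Enable */
#define BLE      (1u << 1)   /* BIOS Lock Enable: SMI on write to BIOSWE */
#define SMM_BWP  (1u << 5)   /* BIOS writes permitted only from SMM */
/* HSFS bit (16-bit register at SPIBAR + 0x04) */
#define FLOCKDN  (1u << 15)  /* PRx and flash config locked until reset */
/* PRx bit (32-bit registers at SPIBAR + 0x74 + 4*i) */
#define PR_WPE   (1u << 31)  /* write protection enable for the range */
#define NUM_PR   5

struct spi_state {
    uint8_t  bios_cntl;
    uint16_t hsfs;
    uint32_t pr[NUM_PR];
};

/* PRx base/limit fields are 13 bits each, in 4 KiB units. */
uint32_t pr_base(uint32_t pr)  { return (pr & 0x1FFFu) << 12; }
uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1FFFu) << 12) | 0xFFFu; }

/* True if [start, end] lies inside a single PRx that has WPE set. */
bool region_write_protected(const struct spi_state *s, uint32_t start, uint32_t end)
{
    for (int i = 0; i < NUM_PR; i++) {
        if ((s->pr[i] & PR_WPE) && pr_base(s->pr[i]) <= start && end <= pr_limit(s->pr[i]))
            return true;
    }
    return false;
}

/*
 * Conservative verdict: can root in the OS (outside SMM) write the region?
 * BIOS_CNTL protects it only if BIOSWE is clear, BLE is set (so setting
 * BIOSWE traps to SMM) and SMM_BWP is set (so a racing write is still
 * refused outside SMM). A PRx with WPE also blocks writes, but only counts
 * if FLOCKDN is set; otherwise the PRx itself can simply be cleared.
 */
bool region_writable_from_os(const struct spi_state *s, uint32_t start, uint32_t end)
{
    bool cntl_ok = !(s->bios_cntl & BIOSWE) && (s->bios_cntl & BLE) && (s->bios_cntl & SMM_BWP);
    bool prr_ok  = (s->hsfs & FLOCKDN) && region_write_protected(s, start, end);
    return !(cntl_ok || prr_ok);
}

/* Constructed state after a cold boot: locks set, PR0 covers the BIOS region. */
const struct spi_state *sample_cold_boot(void)
{
    static const struct spi_state s = {
        .bios_cntl = BLE | SMM_BWP,
        .hsfs      = FLOCKDN,
        .pr        = { PR_WPE | (0x7FFu << 16) | 0x190u, 0, 0, 0, 0 }, /* 0x190000-0x7FFFFF */
    };
    return &s;
}

/* Constructed state after an S3 resume on firmware that forgot to re-lock. */
const struct spi_state *sample_after_resume(void)
{
    static const struct spi_state s = { .bios_cntl = 0, .hsfs = 0, .pr = { 0 } };
    return &s;
}

/* Linux only: read the live BIOS_CNTL from the LPC bridge's PCI config space. */
int read_bios_cntl_linux(uint8_t *out)
{
    FILE *f = fopen("/sys/bus/pci/devices/0000:00:1f.0/config", "rb");
    if (!f || fseek(f, 0xDC, SEEK_SET) != 0 || fread(out, 1, 1, f) != 1) {
        if (f) fclose(f);
        return -1;
    }
    fclose(f);
    return 0;
}

static void report(const char *label, const struct spi_state *s)
{
    printf("%-13s BIOS_CNTL=0x%02x HSFS=0x%04x PR0=0x%08x -> BIOS region %s\n",
           label, s->bios_cntl, s->hsfs, s->pr[0],
           region_writable_from_os(s, 0x190000, 0x7FFFFF) ? "WRITABLE from OS" : "protected");
}

int main(void)
{
    report("cold boot:", sample_cold_boot());
    report("after resume:", sample_after_resume());
    uint8_t live;
    if (read_bios_cntl_linux(&live) == 0)
        printf("live BIOS_CNTL=0x%02x (needs root; SPIBAR not read here)\n", live);
    return 0;
}
```

Build with `cc -std=c99 -o flashlock flashlock.c`. The live read only works on Linux as root and only covers BIOS_CNTL, since reaching the PR registers means mapping SPIBAR from RCBA through /dev/mem. The check that matters for a bug of this shape is the same dump taken before and after a sleep/wake cycle: a machine that reports “protected” at cold boot and “WRITABLE from OS” after resume has the defect the advisory describes, regardless of what the firmware version string says.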

Apple UEFI bootkit

There are stories on multiple news sites today about a UEFI firmware bug in Apple systems, found by security researcher Pedro Vilaça (@osxreverser), that is somewhat similar to Thunderstrike.

According to Dennis Fisher’s story at Threatpost, “The vulnerability can be exploited remotely, Vilaca said.” Threatpost also states: “He added that he believes Apple may know about this vulnerability already, as it doesn’t seem to be present on machines sold after about the middle of 2014.”

If you have Apple — or perhaps other UEFI-based — hardware, you should follow this story!

More information:

Firmware Bug in OSX Could Allow Installation of Low-Level Rootkits

http://www.pcworld.com/article/2929172/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html
http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher