Mac Os Xploitation presented at SOURCE Boston 2009

by Dino Dai Zovi (Trail of bits),

Tags: Security Exploitation

Summary : MacOS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitatability of memory corruption vulnerabilities in and on MacOS X by applying currently known techniques to a new platform as well as introducing some new techniques as well.
Mac OS X Leopard includes a number of runtime protection features intended to hamper exploitation of memory corruption vulnerabilities. These features include the Execute Disable (XD) bit on Intel processors, Library Randomization, and Sandboxing. While some of these features are familiar and can be seen on other systems, some of them are unique to Mac OS X. This presentation will discuss the design, implementation, limitations, and evasions of these defenses.
Unlike other modern systems, the MacOS X Scalable Zone (szone) heap allocator does not protect against heap metadata overwrite exploits. This presentation will also describe the design and implementation of the szone allocator and demonstrate how it may be exploited with basic heap metadata overwrites. Finally, this presentation will discuss exploit payload construction techniques for Mac OS X, including the necessity of vfork() in threaded applications, resolving symbols in loaded libraries, and pure memory library injection into the vulnerable (or any other) process using Mach system calls and dyld function calls.