Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2

I like things well done, and the healthy discussion with snare about this topic reminded me that this PoC was a bit incomplete. So I decided to close the missing gaps.
The fix is pretty simple: retrieve a new kauth credential with uid and gid set to 0 via kauth_cred_setuidgid() and swap it in for the process's current one (the code seems stable even without taking the process lock). It also seems to work fine without the allproc lock.
The backdoor also had a small “bug” that I didn't notice because of a coincidence. If you are using iStat Menus, you have a daemon running as root that collects info from processes and calls task_for_pid() on them. So the trick of calling task_for_pid() on any process even without permissions only worked because of this coincidence (the backdoor's own call failed, but the iStat daemon then called task_for_pid() on the process and so the backdoor was activated, duh!). The fix is to call task_for_pid() on the process itself. It was one of those things that doesn't feel right but you don't pay much attention to.

The only catch is that the kauth_cred_setuidgid() symbol is not exported to kexts, so its address is manually configured for Snow Leopard 10.6.8. Resolving kernel symbols at runtime is another project 😉

Have fun,
fG!

rexthewonderdog_v0.2.zip
SHA256(rexthewonderdog_v0.2.zip)= 890faeafef5ff00ac289e6289e14abee2d744b8e6155ac05b0b51eaf3ac4448f

Update:
None of the previous versions work on Lion because the proc structure changed (check xnu/bsd/sys/proc_internal.h).
Version 0.3 adds support for Lion 10.7.1. Edit the main source file and change the define accordingly.

rexthewonderdog_v0.3.zip
SHA256(rexthewonderdog_v0.3.zip)= c85f5273497430e7328364c52d6d772ccb154c068250fb8a7ef73532b067b713

3 thoughts on “Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2”

  1. Nice one dude. Just looking at the missingproc* files made me cringe remembering what a pain dealing with the type definition dependencies can be when stealing code from the kernel. I think I ended up doing something like char lock[26] just to avoid the stupid “private” kernel definition dependencies.

    1. /*
      The symbol address for kauth_cred_setuidgid().
      This is for Snow Leopard 10.6.8
      0x00470092 T _kauth_cred_setuidgid

      for Lion 10.7.1
      0x0054cb90 T _kauth_cred_setuidgid
      */

      I was wondering how you got those symbol addresses.

      1. You can retrieve those addresses by using the nm command on /mach_kernel. Use the -arch i386 option for the x86 symbols (default is x86_64).
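Putting the nm tip in the reply above together with the post's note that the address is hard-coded per kernel version, here is an added shell example (not code from the post or from the Rex kext) that turns `nm -arch i386 /mach_kernel` output into the #define the kext is configured with. The nm lines it runs on are constructed for the example; the two addresses are the 10.6.8 and 10.7.1 i386 values quoted in the comment above, the remaining lines are filler. The function names (symaddr, check_arch, gen_define) and the macro name KAUTH_CRED_SETUIDGID_ADDR are the example's own, not names from the kext.

```shell
#!/bin/sh
# Added example, not part of the original post or the Rex kext.
# Resolves the unexported kauth_cred_setuidgid() address from nm output
# and emits the #define line to paste into the kext source.
#
# Real use on the target box (the post notes nm defaults to x86_64):
#     nm -arch i386 /mach_kernel | gen_define KAUTH_CRED_SETUIDGID_ADDR _kauth_cred_setuidgid 32

# Constructed nm output. The _kauth_cred_setuidgid addresses are the values
# quoted in the comments above; the other lines are filler in nm's format.
SAMPLE_NM_10_6_8='0046ff10 T _kauth_cred_setuid
00470092 T _kauth_cred_setuidgid
00470200 t _kauth_cred_update
                 U _undefined_symbol'

SAMPLE_NM_10_7_1='0054c9a0 T _kauth_cred_setuid
0054cb90 T _kauth_cred_setuidgid
                 U _undefined_symbol'

# symaddr SYMBOL: read nm output on stdin, print the address of SYMBOL as 0x....
# Fails unless exactly one global text ("T") symbol of that exact name exists,
# so a stripped, wrong-version or mismatched kernel image is reported instead
# of silently becoming a bogus hard-coded address.
symaddr() {
    sym=$1
    # nm prints "<address> <type> <name>"; undefined symbols have no address.
    addrs=$(awk -v s="$sym" '$3 == s && $2 == "T" { print $1 }')
    n=$(printf '%s\n' "$addrs" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        printf 'symaddr: expected 1 T symbol named %s, found %s\n' "$sym" "$n" >&2
        return 1
    fi
    printf '0x%s\n' "$addrs"
}

# check_arch ADDR BITS: an i386 nm address has 8 hex digits, an x86_64 one 16.
# Feeding the 64-bit kernel's address to a 32-bit kext (the default nm output
# if -arch i386 is forgotten) would jump into garbage, so check the width.
check_arch() {
    hex=${1#0x}
    want=$(( $2 / 4 ))
    [ "${#hex}" -eq "$want" ]
}

# gen_define NAME SYMBOL BITS: the line to paste into the kext source.
gen_define() {
    name=$1; sym=$2; bits=$3
    addr=$(symaddr "$sym") || return 1
    check_arch "$addr" "$bits" || {
        printf 'gen_define: %s is not a %s-bit address; wrong -arch?\n' "$addr" "$bits" >&2
        return 1
    }
    printf '#define %s %s\n' "$name" "$addr"
}

# Usage with the constructed samples: one define per kernel version.
printf '%s\n' "$SAMPLE_NM_10_6_8" | gen_define KAUTH_CRED_SETUIDGID_ADDR _kauth_cred_setuidgid 32
printf '%s\n' "$SAMPLE_NM_10_7_1" | gen_define KAUTH_CRED_SETUIDGID_ADDR _kauth_cred_setuidgid 32
```

The point of the two checks is the failure mode the post hints at: the address is only valid for the exact kernel it was read from, so regenerate the define whenever /mach_kernel changes (the 10.6.8 and 10.7.1 values differ), and the width check catches the x86_64 default when -arch i386 was left off.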
