Let me present you another TrustedBSD policy module, this time to control execution of suid enabled binaries. The idea to create this started with nemo’s exploitation of bash’s shellshock bug and VMware Fusion. It was an easy local privilege escalation because there are many Fusion suid enabled binaries. This got me thinking that I want to know when this kind of binaries are executed and if possible control access to them....

The iOS 8 security update bulletin has many fixed bugs, one of which is this one: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-2014-4375 : an anonymous researcher. Well, I’ve known this bug for a while and it was insanely fun as anti-debugging measure because of its random effects when triggered. For example, sometimes you get an immediate kernel panic, others nothing happens, and most of the time you get weird CPU spikes not attributed to any process, or system lock ups after a while....

Aloha, Shakacon number 6 is over, it was a blast and I must confess it beat my expectations. Congratulations to everyone involved in making it possible. Definitely recommended if you want to speak or attend, and totally worth the massive jet lag. My presentation was about reverse engineering Hacking Team OS X malware latest known sample. The slide count is 206 and I was obviously not able to present everything. The goal is that you have a nice reference available for this malware and also MPRESS unpacking (technically dumping)....

At BlackHat Asia 2014, Ming-chieh Pan and Sung-ting Tsai presented about Mac OS X Rootkits (paper and slides). They describe some very cool techniques to access kernel memory in different ways than the usual ones. The slides and paper aren’t very descriptive about all the techniques so this weekend I decided to give it a try and replicate the described vulnerability to access kernel memory. The access to kernel task (process 0) was possible before Leopard (or was it fixed in Snow Leopard?...

Enjoy it at Phrack. It’s finally out. It feels a bit old and it is indeed a bit old but still a good paper (or at least I tried to make it that way). The supplied code is for an older version of that rootkit. For example it still has dependencies on importing task, proc and other kernel private structures. The updated version solves all required offsets so it supports easily new and old OS X versions....