Tag Archives: rootkit

SyScan360 Singapore 2016 slides and exploit code

The exploit for the bug I presented last March at SyScan360 is today one year old so I decided to release it. I wasn’t sure if I should do it or not since it can be used in the wild but Google Project Zero also released a working version so it doesn’t really make a difference.

I’m also publishing here the final version of the slides that differ slightly from the version made available at the corporate blog.

You can find the slides here and the PoC code at GitHub.

The exploit code is slight different from Ian Beer exploit so you probably might want to give it a look. It’s a pretty clean and neat exploit :-).

You can find Ian Beer’s blog post about this bug here. Bug collisions are not fun, I expected this bug to be alive for a lot longer but Ian Beer is awesome, so hat tip to him.

The bug itself is super fun since it allows you to exploit any SUID binary or entitlements, meaning you can escale privileges to root and then bypass SIP and load unsigned kernel extensions with the same bug. Essentially, massive pwnage with a single bug. The only thing missing is remote code execution. Ohhhhh :-(.

Every OS X version except El Capitan 10.11.4 is vulnerable so if you are running older systems you should consider upgrading asap (they are also vulnerable to other unpatched bugs anyway!).

Have fun,

London and Asia EFI monsters tour!

Finally back home from China and Japan tour, so it’s time to finally release the updated slides about EFI Monsters. After Secuinside I updated them a bit, fixing stuff I wasn’t happy with and adding some new content.

The updated version was first presented at 44CON London. I had serious reservations about going to the UK (not even in transit!) but Steve Lord and Adrian charm convinced me to give it a try. 44CON was great and it’s definitely a must attend European conference. It has the perfect size to meet people and share ideas. I prefer single track conferences, dual track is the max I’m interested in. More than that it’s just too big, too messy, too many choices to be made regarding what to see.

A big thanks to everyone at 44CON who made it possible!

Next was SyScan360 in Beijing. It was the fourth time it happened, and my third time in a row. I do like very much to go there because even with language barriers you can feel what’s happening there. Bought a bunch of (cheap) hardware gear made by 360 Unicorn team. Their “usb condom” is super cheap and super small. Also bought a network tap and a USB to serial (don’t really needed it but it was damn cheap). The SyScan360 badge as usual was super fun, this time with a micro Arduino, Bluetooth and LED modules. Conference went pretty smooth and had lots of fun. They had a gigantic LED panel where slides were displayed at. That was some gigantic TV they had there 🙂

Big thanks to everyone involved in SyScan360 2015.

Last stop, was CODE BLUE happening in my current favorite city outside Portugal, aka Tokyo. Third time happening, my second in a row. Organization is top notch, everything goes smoothly. Congrats to Kana, El Kentaro, Tessy, and everyone else involved.
This year it had two tracks, and a lot more attendees. It’s definitely a conference to put on your calendar. The audience is super interested in learning. Japan is lagging behind in terms of security so they are keen to finally catch up.

Some people approached me and shown some interested about (U)EFI security. This is great, that was the goal of this presentation, to show people (U)EFI research isn’t that hard and that it is really important its issues start to be fixed. We need to start building trustable foundations and not try to solve everything in software on top of platforms we can’t really trust.

Last conference for the year is No cON Name happening in Barcelona next December.

For next year I already got something that hopefully I’ll be able to present at SyScan360 Singapore. Their CFP is open and you should definitely think about submitting.

There were minor changes between 44CON and SyScan360/Code Blue slides. The latter included more references than 44CON version and minor fixes.

Have fun,

44Con 2015 – Efi Monsters.pdf
SyScan360 2015 – Efi Monsters.pdf
CodeBlue 2015 – Efi Monsters.pdf

BSides Lisbon and SECUINSIDE 2015 presentations

I guess my goal for the remaining 2015 of not doing any presentations will not happen.
Two weeks ago I presented at BSides Lisbon 2015 and last week at SECUINSIDE 2015.

I’m very happy to see BSides Lisbon returning after the first edition in 2013. Congrats to Bruno, Tiago, and the rest of the team for making it happen. It’s still a small conference but I’m glad they are making it happen, and I will always do my best to help the Portuguese scene going forward. Everything went pretty well and met some new cool guys. I hope the conference returns in 2016 and keeps growing. Maybe someday it can mutate into something independent of BSides and on its own. Portugal is a great country for conferences, I’m just not the right person to start one, but I’ll definitely help my best anyone who wants to give it a shot.
The presentation is the same as CodeBlue and SyScan since the CFP happened a few months ago. Nothing new in the slides, a fix here and there.

The next was SECUINSIDE in Seoul. This is a very special conference to me because it was the first ever conference I presented at, back in 2012. I never had any plans to ever present at security conferences. I liked my low profile and this blog was good enough to spread the knowledge I wanted to. But I try to be flexible and always open to new adventures, so at the time I accepted HiTCON invitation (they were the first ones) and then SECUINSIDE’s invitation. SECUINSIDE was happening first so at the time I created a different presentation. It was a crazy trip because I did a Porto – Seoul roundtrip, and four days later I went to Taiwan. That was some crazy jetlag!
So this year I went back to SECUINSIDE. Thanks to beist, Ryan, trimo, and everyone else for the great time in Seoul.
The presentation is a new one, made in just a week. It’s essentially an introduction to EFI reverse engineering and hunting for EFI rootkits.

I received yesterday the good news that I was accepted to do the same presentation at 44Con. This is great and I will have enough time to improve the slides. Probably add some new content and tools, since there is good stuff expected out of Thunderstrike 2 presentation.

And here they are:

BSides Lisbon 2015 – BadXNU, A rotten apple!

SECUINSIDE 2015 – Is there an EFI monster inside your apple?

As usual, enjoy and have fun.

Reversing Prince Harming’s kiss of death

The suspend/resume vulnerability disclosed a few weeks ago (named Prince Harming by Katie Moussouris) turned out to be a zero day. While (I believe) its real world impact is small, it is nonetheless a critical vulnerability and (another) spectacular failure from Apple. It must be noticed that firmware issues are not Apple exclusive. For example, Gigabyte ships their UEFI with the flash always unlocked and other vendors also suffer from all kinds of firmware vulnerabilities.

As I wrote in the original post, I found the vulnerability a couple of months ago while researching different ways to reset a Mac firmware password. At the time, I did not research the source of the bug due to other higher priority tasks. One of the reasons for its full disclosure was the assumption that Apple knew about this problem since newer machines were not vulnerable. So the main question after the media storm was if my assumption was wrong or not and what was really happening inside Apple’s EFI.

The bug is definitely not related to a hardware failure and can be fixed with a (simple) firmware update. The initial assumptions pointing to some kind of S3 boot script failure were correct.
Apparently, Apple did not follow Intel’s recommendation and failed to lock the flash protections (and also SMRR registers) after the S3 suspend cycle. The necessary information is not saved, so the locks will not be restored when the machine wakes up from sleep.

This also allows finding which Mac models are vulnerable to this bug.
All machines based on Ivy Bridge, Sandy Bridge (and maybe older) platforms are vulnerable. This includes the newest Mac Pro since its Xeon E5 CPU is still based on Ivy Bridge platform. All machines based on Haswell or newer platforms are not vulnerable.

Now let’s jump to the technical part and understand why the bug occurs. I am also going to show you how to build a temporary fix.
Continue reading

BadXNU, a rotten apple! – CodeBlue 2014, SyScan 2015 slides and source code

The last SyScan is almost here so it’s time to get again into a plane and travel to Singapore.
This means that the slides and source code can finally be released. Below you can find the archive with both presentations slides (they are slightly different, SyScan fixes/upgrades a few things) and full source code for both rootkit/kext loaders.

I hope you enjoy them; they are quite fun techniques, in particular the second one which now I sort of regret to disclose because it’s so cool.
I’ve also written a book chapter about both techniques (53 pages before editing) which add a few more tricks. I’m working on the book so hopefully it will finally come out this year.

The archive password will be released on the day of my presentation (27th March) so keep an eye on Twitter and SyScan website. If you crack it before that keep its contents private ;-).

If you are at SyScan feel free to have a chat. I’m there to meet new people and also learn.

Hope you enjoy,

Dropbox Mirror:

Update: The archive password is “syscan_rules_blackhat_sucks!”.
The final version presented at SyScan (really minor changes) can be download here.
The full source code is available at GitHub, diagnostic_service and diagnostic_service2.

Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love.


Shakacon number 6 is over, it was a blast and I must confess it beat my expectations. Congratulations to everyone involved in making it possible. Definitely recommended if you want to speak or attend, and totally worth the massive jet lag ;-).

My presentation was about reverse engineering HackingTeam’s OS X malware latest known sample. The slide count is 206 and I was obviously not able to present everything. The goal is that you have a nice reference available for this malware and also MPRESS unpacking (technically dumping).

This sample in particular was thought to be a newer version of this malware but I try to show you that I don’t think it’s the case and instead, it’s the oldest version of HackingTeam’s OS X malware. If this theory is true, it means we have a two years knowledge gap about the OS X version. Interesting challenge ahead!

The tool I promised to release will have to wait a couple more days since I need to fix its code to implement the fixes I suggest regarding the file and memory sizes differences. Keep watching this space, github or Twitter.

Update: MPRESS dumper source code now available at Github.


Links to slides (34.3Mb):

ShakaCon6-FuckYouHackingTeam.pdf (Dropbox mirror)