Tag Archives: sandbox

Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2

I like things well done, and the healthy discussion with snare about this topic reminded me that this PoC was a bit incomplete. So I decided to close the gaps.
The fix is pretty simple. Retrieve a new kauth credential with uid and gid equal to 0 and replace the old one (the code seems stable even without process locks). It also seems to work fine without the allproc lock.
The backdoor also had a small “bug” that I didn’t notice due to a coincidence. If you are using iStat Menus then you have a daemon running as root that is collecting info from processes and uses task_for_pid() on them. So the trick of getting the task_for_pid for any process even without permissions worked because of this coincidence (the backdoor failed but the iStat daemon called task_for_pid() on the process and so the backdoor was activated, duh!). The fix is to do a task_for_pid() on itself. It was one of those things that doesn’t feel right but that you don’t pay much attention to.

The only catch is that the symbol for kauth_cred_setuidgid() is not exported, so it’s manually configured for Snow Leopard 10.6.8. Resolving the kernel symbols is another project 😉

Have fun,

SHA256(rexthewonderdog_v0.2.zip)= 890faeafef5ff00ac289e6289e14abee2d744b8e6155ac05b0b51eaf3ac4448f

All previous versions do not work with Lion because proc structures changed (check xnu/bsd/sys/proc_internal.h).
Version 0.3 adds support for Lion 10.7.1. Edit the main source file and change the define accordingly.

SHA256(rexthewonderdog_v0.3.zip)= c85f5273497430e7328364c52d6d772ccb154c068250fb8a7ef73532b067b713

Abusing OS X TrustedBSD framework to install r00t backdoors…

While poking around OS X implementation of TrustedBSD to write the sandbox guide I had the idea of trying to abuse it for backdooring purposes. It’s kind of funny that something designed to protect can be so “easily” abused to install backdoors.
This is not rocket science or a big breakthrough post – I was just curious about the possibility of abusing the framework. You still need to find a way to install the kernel module!

So without further delay, I present you Rex, The Wonder Dog. It is a very simple policy module for TrustedBSD that gives r00t privileges to a process named “xyz”, if it calls task_for_pid(). For some unknown reason I couldn’t yet do the same with fork() (it was only working for Safari). I was doing this at 3am so I really didn’t bother too much about it. It is based on the SEDarwin sample policies code.
I had some trouble compiling the policy module (duplicate symbols) when I tried to use the macro to initialize the module. I strongly suspect this is because I am using XCode’s kernel extension template. This is just a lazy PoC 😉

The code is unstable. Processes start crashing and the crash reporter isn’t executing. It could be due to the very lazy way that r00t privileges are changed for the target process (it only starts to happen after the backdoor is activated). Kernel land is dangerous territory! It is tested only with Snow Leopard 10.6.8. Might work with Lion without any problems. Load it as a normal kernel module, with kextload.

Dmesg log when module is loaded:

calling mpo_policy_init for rex_the_wonder_dog
calling mpo_policy_initbsd for rex_the_wonder_dog
Security policy loaded: Rex, the wonder dog! (rex_the_wonder_dog)
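The registration lines above are also what a defender can watch for. The following is an added example, not code from the original post: it scans kernel log text for MAC policy registrations and reports any policy whose short name is not on an allowlist. The allowlist contents, the function name and the first two sample log lines are assumptions made for the example.

```python
import re

# Short names of MAC policies expected on this host. The three names below
# are an assumption for illustration; build the list from a known-good system.
EXPECTED_POLICIES = {"Sandbox", "Quarantine", "TMSafetyNet"}

# "Security policy loaded: Rex, the wonder dog! (rex_the_wonder_dog)"
LOADED_RE = re.compile(
    r"Security policy loaded:\s*(?P<full>.*?)\s*\((?P<name>[^()]+)\)\s*$")
# "calling mpo_policy_initbsd for rex_the_wonder_dog"
INIT_RE = re.compile(
    r"calling (?P<hook>mpo_policy_init(?:bsd)?) for (?P<name>\S+)\s*$")

# Constructed sample: the first two lines are made up for the example,
# the last three are the dmesg lines quoted in the post.
SAMPLE_LOG = """\
Security policy loaded: Seatbelt sandbox policy (Sandbox)
Security policy loaded: Quarantine policy (Quarantine)
calling mpo_policy_init for rex_the_wonder_dog
calling mpo_policy_initbsd for rex_the_wonder_dog
Security policy loaded: Rex, the wonder dog! (rex_the_wonder_dog)
"""


def find_unexpected_policies(log_text, expected=EXPECTED_POLICIES):
    """Return {short_name: {"full_name", "hooks"}} for every policy seen in
    the log that is not allowlisted. A policy that only shows init-hook
    lines (no "loaded" line) is still reported, with full_name None."""
    seen = {}
    for line in log_text.splitlines():
        loaded = LOADED_RE.search(line)
        init = INIT_RE.search(line)
        match = loaded or init
        if not match:
            continue
        entry = seen.setdefault(match.group("name"),
                                {"full_name": None, "hooks": []})
        if loaded:
            entry["full_name"] = loaded.group("full").strip()
        else:
            entry["hooks"].append(init.group("hook"))
    return {n: e for n, e in seen.items() if n not in expected}


if __name__ == "__main__":
    for name, info in find_unexpected_policies(SAMPLE_LOG).items():
        print(f"unexpected MAC policy: {name} "
              f"({info['full_name']}) hooks={info['hooks']}")
```

Treat a clean result as a hint only: the kernel message buffer lives in kernel memory, so code already running in the kernel can alter it.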

Starting the backdoor and getting a r00t shell:

$ ./xyz
[info] calling task_for_pid()
[info] task for pid returned 0
[info] uid 501 euid 0
[info] setting uid to 0...
[info] uid 0 euid 0
[info] executing r00t shell...
# id
uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),204(_developer),100(_lpoperator),98(_lpadmin),80(admin),

Policy modules open interesting possibilities for implementing other things. Maybe your own binary integrity check module? Or maybe some nice anti-debug for software that must use kernel modules 😉

Sorry for the lazy and unstable code. I’m not that much interested in backdoors, I was just interested in testing the possibility. It’s (just) a clean way to activate a kernel backdoor. If you improve and want to share your code feel free to send it!

Have fun,

Here are the goodies.

SHA256(rexthewonderdog_v0.1.zip)= 4d75ab5859d6a3259de12a9e21a7ee4530b1bc1adb673e2fb24a4f66b9109eac

SHA256(xyz.c)= 3e24337fc7b61f392066e0812051007e8942060a2906d720d345f019de894576

Apple Sandbox Guide v1.0

Here is a version I consider good enough to come out of draft status. I have added more information – one thing I was especially interested in was matching the available operations in the SBPL syntax with the system/kernel functions that they control. This helps to better understand what the impact of each operation is. Appendix B features the lazy IDC script I used to extract this information from the sandbox kernel module (then I had to match it with the xnu kernel sources).
I tried to provide examples for all operations and make notes of some problems/features where available. Also added a few more references about this subject. The book “Enterprise Mac Security: Mac OS X Snow Leopard” has a pretty good chapter dedicated to this.

I hope it’s useful for you. I have been using it as reference while developing some custom profiles.


Apple Sandbox Guide v1.0.pdf
SHA256(Apple Sandbox Guide v1.0.pdf)= c6ae8502a48f09a6309a9485e9bf7794389e969fd9ab65c46d805307a9a1cb8e

SHA256(vienna.sb)= 0831910e4d2a92253e5b64e92ec0f27e1408b926253eca9eee3f9918036077c0

Apple’s Sandbox Guide v0.1 – early draft release

After quite a few hours typing and testing stuff, here is a very early draft of my attempt to document Apple’s sandbox implementation.
The most difficult part in writing technical documentation or business plans is to get the first draft more or less ready. It’s even worse when there’s not much information about the subject. But here is something that already has quite significant content.
In this draft I don’t like the writing style – it’s still very confusing and boring. The layout of the reference section is also a bit confusing.

What I would like to hear from you is about the content and the direction I took: whether it is useful this way, whether it can be (easily) understood, how it can improve, what more to add, etc.
Leave a comment, write a mail, or send me a tweet. Any feedback is appreciated! This is not an easy task 😉


Apple Sandbox Guide v0.1.pdf
SHA256(Apple Sandbox Guide v0.1.pdf)= a7e966d03014938af92df5a9f9eb5cfbabf01d3c22dacb701768af2aaca1866d

An improved version 0.2 is now available. Layout is improved and more content added. Still missing the mach operations. File-write-data appears to be buggy (or I am missing something…).

Apple Sandbox Guide v0.2.pdf

SHA256(Apple Sandbox Guide v0.2.pdf)= a22e5baf0e88413077fdf0b421920c02f02bfae7b897ba49fb6ae5709b3e460d