backtop


Print 52 comment(s) - last by themaster08.. on Feb 28 at 5:44 AM


Vincenzo Iozzo  (Source: Black Hat DC)
Claims he can overwrite other programs’ code in memory without leaving a trace

Vincenzo Iozzo, a student security researcher at Politchnico di Milano University in Italy, unveiled a startling new attack against Mac OS X computers that allows hackers to inject malicious code into another program’s memory space – and then vanishes as soon as the computer is switched off.

Speaking at the Black Hat DC cybersecurity conference in Washington, DC, Iozzo said his technique relies on injecting arbitrary code into a program’s executable memory while it is running, guided by the memory locations described in the actual program binary, which is stored in a file format called Mach-O. The injected code runs when the code it originally overwrote is called upon by its host.

Attacks of this kind are nothing new, however, and the secret behind Iozzo’s memory injection attack is that it runs completely from RAM, leaving no trace on the host machine’s hard drive; other techniques have generally required, at least minimally, some form of temporary storage.

The main weakness of his attack is that it relies on an unspecified means of executing arbitrary code on the computer in the first place: according to Iozzo’s presentation (PDF), an attacker must have knowledge of remote code execution “in his pocket” in order to convince his mark’s computer run a bootstrapper that initiates the attack.

While it is unclear as to whether or not Iozzo’s technique allows hackers to tamper with code running at System-level privileges – Iozzo describes the attack as limited to “userland”, or regular desktop applications – it does allow an attacker to modify a program like Safari to do something malicious like monitoring passwords and keystrokes.

Iozzo’s technique most closely resembles Firewire-port memory injection attacks that previously felled Windows, Mac OS X, and Linux: both make use of some transient medium to arbitrarily inject code into the program section of a computer’s memory, which is normally heavily protected from attack. Once the malicious code is in, an attacker can make a computer do pretty much the OS would allow the original host program to do – all without setting off security software.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: This is only the start
By BZDTemp on 2/20/2009 7:52:21 AM , Rating: -1
Nothing special about this. Once you have access to any sort of machine all sorts of mischief is possible.

However without access the it is a no go so "the apple fan boys" has no reason to "stfu". In fact I can think of some one else which should consider shutting up :-)


RE: This is only the start
By tastyratz on 2/20/2009 8:33:10 AM , Rating: 5
Well that's the case with a majority of attacks - It is far more common to need to execute something before malicious code can do something. Just go into an apple chatroom, say your 18/f, and say your webcam software made a slideshow of you getting dressed this morning. You will have 100 lemmings line up to run your special "slideshow"

Apple has a significant security flaw that cant be corrected - lemming users with a god complex. They think they are invincible to attacks and Virii because Apple doesn't acknowledge most security problems, so they don't think twice before opening things.


RE: This is only the start
By zaxxon on 2/20/2009 10:03:55 AM , Rating: 1
And why would this be limited to an Apple chatroom?

Why should stupidity and acne-faced lemmingness be confined to a specific architecture/software-design?


RE: This is only the start
By Master Kenobi (blog) on 2/20/2009 10:04:48 AM , Rating: 5
Users are always the biggest threat to Security, This is why Apple is screwed ^2 compared to other vendors.


RE: This is only the start
By psychobriggsy on 2/20/2009 10:27:01 AM , Rating: 5
I think this is why Windows keeps on getting screwed over.

Face it, 95% of people using computers should be forced to take the computer equivalent of a driving test.


RE: This is only the start
By zaxxon on 2/20/09, Rating: 0
RE: This is only the start
By djc208 on 2/20/2009 12:05:06 PM , Rating: 5
80 years ago we're talking about cars most of us would recognize, post model T even. They were much simpler to work on and deal with than today. While they required more "normal maintenance" (grease joints, points, dwell, brake adjustments), they were far from hard to work on. A basic set of tools and one or two specialy items and you were set.

Driving them was no more complex than today, outside of the fact that many fewer were automatics, and you had to have some muscle since power steering and brakes were luxury items.

Today you need much more to work on the car, and technically more to drive it. However there's almost no "regular maintenace" outside of an oil change, air filters, and the occasional wiper blade. The car even tells you when the tires need air. But today cars have MP3 players, bluetooth, GPS, power adjustable everything, cruise control, etc.

Cars haven't gotten easier to use, just harder to use in different ways from their predecessors.


RE: This is only the start
By eman7613 on 2/21/2009 3:02:14 PM , Rating: 3
Actually, this type of attack can only run and effect the same things the original program had permission to attack. So actually, everything in /dev, /usr, and most all the directors (which means all the programs, since Applications directory requires root to edit) are safe. The most you could realy do is delete or download stuff to the user's home directory - and since apple allows you to send programs the kill signal, this is something that realy is not that huge a problem.

Also, it said that a bootstrap needed to be run first, and while that statement alone makes little sense (what are we bootstraping?), it does indicate that some other program needs to be run first. So im very doubtful as to how realist or practicle a threat this is.


RE: This is only the start
By Makaveli on 2/20/09, Rating: 0
RE: This is only the start
By Smilin on 2/20/2009 11:53:25 AM , Rating: 5
With physical access you could certainly cause more mischeif but this doesn't require it. It would just take the usual "trick someone into running an app" social engineering.

You couldn't do this on a Vista box.

First of all UAC is going to pop if you ran such an app. Even assuming the user is "UAC condiditoned" and hits yes it still wouldn't work. Userland apps can't reach each other's memory space without popping an Access Violation. You would have to break things in kernel mode to get around this. Good luck with that: Pool tagging, ASLR, DEP, etc..


“We do believe we have a moral responsibility to keep porn off the iPhone.” -- Steve Jobs

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki