backtop


Print 52 comment(s) - last by themaster08.. on Feb 28 at 5:44 AM


Vincenzo Iozzo  (Source: Black Hat DC)
Claims he can overwrite other programs’ code in memory without leaving a trace

Vincenzo Iozzo, a student security researcher at Politchnico di Milano University in Italy, unveiled a startling new attack against Mac OS X computers that allows hackers to inject malicious code into another program’s memory space – and then vanishes as soon as the computer is switched off.

Speaking at the Black Hat DC cybersecurity conference in Washington, DC, Iozzo said his technique relies on injecting arbitrary code into a program’s executable memory while it is running, guided by the memory locations described in the actual program binary, which is stored in a file format called Mach-O. The injected code runs when the code it originally overwrote is called upon by its host.

Attacks of this kind are nothing new, however, and the secret behind Iozzo’s memory injection attack is that it runs completely from RAM, leaving no trace on the host machine’s hard drive; other techniques have generally required, at least minimally, some form of temporary storage.

The main weakness of his attack is that it relies on an unspecified means of executing arbitrary code on the computer in the first place: according to Iozzo’s presentation (PDF), an attacker must have knowledge of remote code execution “in his pocket” in order to convince his mark’s computer run a bootstrapper that initiates the attack.

While it is unclear as to whether or not Iozzo’s technique allows hackers to tamper with code running at System-level privileges – Iozzo describes the attack as limited to “userland”, or regular desktop applications – it does allow an attacker to modify a program like Safari to do something malicious like monitoring passwords and keystrokes.

Iozzo’s technique most closely resembles Firewire-port memory injection attacks that previously felled Windows, Mac OS X, and Linux: both make use of some transient medium to arbitrarily inject code into the program section of a computer’s memory, which is normally heavily protected from attack. Once the malicious code is in, an attacker can make a computer do pretty much the OS would allow the original host program to do – all without setting off security software.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: This is only the start
By eman7613 on 2/21/2009 3:02:14 PM , Rating: 3
Actually, this type of attack can only run and effect the same things the original program had permission to attack. So actually, everything in /dev, /usr, and most all the directors (which means all the programs, since Applications directory requires root to edit) are safe. The most you could realy do is delete or download stuff to the user's home directory - and since apple allows you to send programs the kill signal, this is something that realy is not that huge a problem.

Also, it said that a bootstrap needed to be run first, and while that statement alone makes little sense (what are we bootstraping?), it does indicate that some other program needs to be run first. So im very doubtful as to how realist or practicle a threat this is.


"Google fired a shot heard 'round the world, and now a second American company has answered the call to defend the rights of the Chinese people." -- Rep. Christopher H. Smith (R-N.J.)

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki