Archive for August 26, 2015

Wednesday, August 26, 2015

Safer Block-based NSNotificationCenter API

Arkadiusz Holko:

I wanted to learn how Clang decides when to show a warning, so I did what any reasonable person would do and dove into its source. Retain cycle checking is performed during the semantic analysis phase. Sema::checkRetainCycles is an overloaded method responsible for these checks.

[…]

In case of a message send, the compiler checks for retain cycles only when a selector looks like a setter, i.e., it starts with the word add or set. This check is rather simplistic. A warning isn’t presented to the user when using NSNotificationCenter, because the compiler doesn’t know the lifecycle of that object.

So he made a MCSNotificationController wrapper so that the compiler can detect the retain cycle. It also makes sure that you don’t register for the same notification more than once and automatically unregisters in -dealloc.

Previously: NSNotificationCenter With Blocks Considered Harmful, How Not to Crash #3: NSNotification.

Common Android Lock Patterns

Dan Goodin (via Jamie Zawinski):

Data breaches over the years have repeatedly shown some of the most common passwords are “1234567”, “password”, and “letmein”. Løge said many ALPs suffer a similar form of weakness. More than 10 percent of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.

How to Survive Working at Home

Daniel Jalkut:

Actually being your own boss is one of the greatest challenges of working from home, and in my experience it’s helpful to be, well, bossy with yourself to the extent you are comfortable. Give yourself strict deliverables; I write a checklist in the morning and get very grumpy with myself if the checklist is not completed or rationalized by the end of the day.

[…]

At home, nobody tells you when to stop working. Establish a rule with yourself, or with your family, for when the workday ends and the “lifeday” begins.

I’ve found that having a rough schedule for each day—both when to work and what type of work to do when—helps a lot.

tpwn Privilege Escalation Vulnerability

Juli Clover (comments):

Just days after Apple patched the DYLD_PRINT_TO_FILE security hole with the release of OS X 10.10.5, a developer has found a similar unpatched exploit that could allow attackers to gain root-level access to a Mac.

Luca Todesco shared information (via AppleInsider) on the “tpwn” exploit on GitHub over the weekend. It affects all versions of OS X Yosemite, including OS X 10.10.5, but does not affect OS X El Capitan.

Luca Todesco:

1) I cannot really discuss specifics, but this particular bug would have been hard to find via a traditional IOKit fuzz, since it requires an invalid ‘task’ port passed over to IOServiceOpen. Most fuzzers use mach_task_self for that, and fuzz method calls/traps/properties/etc.

2) When IOServiceRelease is called, vtable+0x20 is called. the vtable pointer is controlled, at +0x20 I place a stack pivot, which sets RSP = RAX and pops 3 times. At 0x18 I place a POP RAX;RET gadget to let the chain begin after 0x28. Payload then locates the credentials structure, sets UID to 0 by bzero()ing, cleans up the memory corruption, decreases the task count for current user and increases task count for root. It then unlocks locks held by IOAudioEngine to prevent your audio from freezing up, and then returns to the userland context.

Luca Todesco:

There is no weakness in address randomization I relied on for exploitation.

It relies on two distinct bugs, an info-leak to obtain a pointer to an allocation in the kalloc.1024 zone and a memory corruption primitive (deriving from a NULL pointer dfr. in IOKit) allowing me to OR 0x10 anywhere in kernel memory.

To break kASLR I corrupt the size of a vm_map_copy struct, which allows me to read the adjacent allocation to the struct, which is a C++ object. First 8 bytes of said C++ object is a pointer to the vtable, which resides in __TEXT of some kernel extension. Since I can calculate the unslid address from userland without any issue, by subtracting what gets leaked with what gets calculated you get to know the kASLR slide.

Just to clarify: The code execution part has 100% reliability rate. The kASLR leaking part does have some chance in it, however empirical evidence indicates that the failure rate is extremely low.

Jeremy Kirk:

Todesco, who said he does security research in his spare time, said he notified Apple of the problems “a few hours before the exploit was published.”

“This is not due to me having issues with Apple’s patch policies/time frames, as others have incorrectly reported,” he wrote.

He also developed a patch called NULLGuard, which he’s included in the GitHub material. Since he does not have a Mac developer certificate, he wrote that he can’t distribute an easy-to-install version of the patch.

Update (2015-09-02): Luca Todesco:

So, tpwn gains root on any OS X box running a system <= 10.10.5 by gaining knowledge of the kernel address space layout randomisation slide followed by kernel code execution kickstarting a stack pivot which allows me to control the stack pointer of a kernel thread belonging to a controlled task.

How to See Your iPhone’s Precise Signal Strength

Josh Centers:

Dial *3001#12345#* and tap the green call button to put your iPhone into a secret Field Test Mode

[…]

Instead of dots, you should now see a negative number in the upper left, like -102. This is your exact signal strength, measured in decibels, called the Received Signal Strength Indication (or RSSI if you want to impress technical support). The higher the number, the better, but note that these are negative numbers, so -1 would be an outstanding signal, while -1000 would be beyond poor. In the real world, you’ll probably see signal strengths somewhere between -40 (a five-bar signal) and -120 (a one-bar signal).