Hacking Mac OS X - Black Hat

More documents

Recommendations

Info

More pre-release fun Pwn2Own bug Contest on March 27, 2008 March 28, 2008 WebKit site: Regular expressions with large nested repetition counts can have their compiled length calculated incorrectly. pcre/pcre_compile.cpp: (multiplyWithOverflowCheck): (calculateCompiledPatternLength): Check for overflow when dealing with nested repetition counts and bail with an error rather than returning incorrect results. Patched 3 weeks later
Server Side mDNSResponder (sandboxed) ntpd (sandboxed) CUPS (only on UDP) Network and wireless kernel code Non-default services: printing, file sharing, vnc, etc Its going to be pretty tough
Page 1 and 2: Owning the Fanboys: Hacking Mac OS
Page 3 and 4: Outline Leopard security Tracing ex
Page 5 and 6: Sandboxing Done via Seatbelt kext C
Page 7 and 8: More sandboxing Some applications a
Page 9 and 10: Leopard firewall Disabled by defaul
Page 11 and 12: One final note on Leopard “Securi
Page 13 and 14: Truss syscall:::entry /execname ==
Page 15 and 16: Memory Tracer pid$target::malloc:en
Page 17 and 18: iTunes hates you (gdb) attach 7551
Page 19 and 20: Inside iTunes In gdb (0x1f = PT_DEN
Page 21 and 22: Jump tables EIP relative data addre
Page 23 and 24: Result of script
Page 25 and 26: Typical disassembly of Obj-C
Page 27 and 28: objc_msgSend Typically the first ar
Page 29 and 30: The code get_func_name(cpu.eip + di
Page 31 and 32: More results: xrefs!
Page 33 and 34: Changelog snooping Apple forks proj
Page 35: Apple’s pre-release vulnerabiliti
Page 39 and 40: Safari Native support /Applications
Page 41 and 42: ReportCrash aka CrashReporter launc
Page 43 and 44: Monitoring script #!/bin/bash X=0;
Page 45 and 46: Exploiting Safari Massaging the hea
Page 47 and 48: Heap spray This unpredictability wa
Page 49 and 50: The plan Occurs in three steps Defr
Page 51 and 52: Create adjacent allocations Keep re
Page 53 and 54: JavaScript Safari JavaScript code i
Page 55 and 56: Therefore... In JavaScript var name
Page 57 and 58: Heap overflows Some protections on
Page 59 and 60: Win var name = new Array(1000); nam
Page 61 and 62: Pwn2Own - feng shei try{ for(i=0; i
Page 63 and 64: Heap defragmentation Breakpoint 3,
Page 65 and 66: Right in the hole! Breakpoint 3, 0x
Page 67 and 68: iPhone Apple’s phone Runs a strip
Page 69 and 70: Unlocking from carrier 3G Requires
Page 71 and 72: Processes # ps aux USER PID %CPU %M
Page 73 and 74: Interesting files /private/var/mobi
Page 75 and 76: Exploits then... When iPhone was re
Page 77 and 78: Smaller attack surface Mostly like
Page 79 and 80: Port of RegEx exploit NOOP sled and
Page 81 and 82: Feng shei iPhone style (Output from
Page 83 and 84: http://appleguytom.blogspot.com/200

Hacking Mac OS X - Black Hat

Create successful ePaper yourself

Delete template?

Save as template?