[ZeroNights / Syscan360 2016] Abusing the Mac Recovery & OS Update Process

Cc23340e1d811f083fb8d2dd1213c42b?s=47 patrick wardle
November 17, 2016

[ZeroNights / Syscan360 2016] Abusing the Mac Recovery & OS Update Process

Did you know that Macs contain a secondary OS that sits hidden besides OS X? This talk will initially dive into technical details of the Recovery OS, before showing that while on (newer) native hardware Apple verifies this OS, in virtualized environments this may not be the case. Due to this 'flaw' we'll describe how an attacker can infect a virtualized OS X instance with malware that is able to survive a full OS X restore. Though limited to virtual instances, such malware can also abuse this process install itself into SIP'd locations making disinfection far more difficult. It's also worth noting that this attack likely would succeed on older versions of non-virtualized OS X as well.

As a large portion of the logic within the Recovery OS that deals with restoring OS X is logically equivalent to the OS X upgrade process, the talk will pivot to this. For unknown reasons, it appears as Apple does not fully verify such updates (or 'OS installs'), allowing a local attacker (or malware) on native hardware, to inject code into the OS upgrade/installer application. This provide a means of ensuring the malware can control or even be propagated into the upgraded OS.

Moreover, this provides a new (0day!) way to bypass SIP. We’ll discuss exactly how :)

During this talk, we'll also cover various OS X infection and injection strategies, such as the creation of malicious 'proxy' libraries. While this technique has been abused on Windows by nationstate actors, it has yet to be seen or discussed on OS X.

Finally we'll conclude by discussing some general OS X hardening methodologies that may generically thwart, or at least complicate such attacks.


patrick wardle

November 17, 2016