BOSTON -- Calling Apple's Mac OS X one of the easiest operating systems to crack, a security researcher on Wednesday demonstrated several methods to hack into a system and execute arbitrary code to take full control of a computer.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
Dino Dai Zovi, an independent security professional in the financial services industry and co-author of The Mac Hacker's Handbook, demonstrated to a packed room at the SOURCE Boston conference how to defeat Mac OS X by gaining access to its root memory. A few lines of arbitrary code will enable any attacker to take over a computer, establish a TCP connection and download additional malicious code. Dai Zovi illustrated his technique by hacking into an Apple iSight camera to take photos of himself.
"Steve Jobs' fairy dust only protects against the most naive attackers," Dai Zovi said. "Writing exploits for [Microsoft] Vista is hard work. Writing exploits for Mac is a lot of fun."
Mac OS X attacks:
Black Hat DC 2009: Mac OS attack method (Video) - Security researcher Vincenzo Iozzo explains how he found a way to inject malicious code directly into Mac OS X memory, leaving no trace for forensics investigation.
Dai Zovi may be best known for being part of a team that uncovered a QuickTime vulnerability, winning the MacBook hacking contest at CanSecWest in 2007. But, as a former researcher at @stake Inc. and Matasano Security, he's been studying attack methods for many years.
During his Wednesday presentation, Dai Zovi said the Mac OS X operating system lacks sufficient memory corruption defense features built into its internal coding. For years Macintosh users have remained shielded by attackers who targeted Microsoft Windows, in an attempt to steal passwords, account information or other sensitive data from its massive user base. But Apple's growing market share is gaining attention in the hacking community, Dai Zovi said. Today experts estimate about 9.6% of Web browsers run on Mac OS X.
Dai Zovi's methods target Mac OS X's heap memory, which is used to store memory allocated to applications running the operating system. It also uses Leopard's weak library randomization, which leaves the heap allocated memory executable. While Vista's heap memory is non-executable to prevent arbitrary code execution, heap memory in Mac OS X is still writable and executable, he said.
Mac OS X uses scalable zone heap security, which was written in 1999 and can be bypassed by hackers, Dai Zovi said. The techniques he demonstrated enable an attacker to execute 12 bytes of arbitrary code, which is enough to deliver a malicious payload and break into critical system files, Dai Zovi said.
"It's like going back in time," he said. "You can get a Mac and it is 1999 all over again."
Dai Zovi also criticized Apple for not equipping Mac OS X with the GNU Compiler Collection (GCC) stack protector, currently a standard feature in most operating systems that protects running applications from stack-based buffer overflows. Mac OS X supports GCC protection, but the current version doesn't use it, he said.
Despite these flaws, there is good news for Mac users. Version 10.6, due out later this year, is expected to be a security and stability update to Leopard. It contains a 64-bit kernel and many more 64-bit processes, making it more difficult for hackers to crack. Also, the Apple iPhone is immune to the methods demonstrated Wednesday. Dai Zovi said version 2.0 of the iPhone firmware is locked down and has "amazingly good" security.
Dai Zovi's presentation follows a similar demonstration last month at the Black Hat D.C. conference. Italian security researcher Vincenzo Iozzo presented a way to inject malicious code directly into Mac OS X memory, leaving no trace for forensics investigation. Iozzo said he and researcher Charles Miller plan to demonstrate the technique against the Apple iPhone at Black Hat Europe in April.