rootkits

General discussions about Little Snitch
spacewalk
Posts: 2
Joined: Fri Dec 15, 2006 4:59 pm

rootkits

Post by spacewalk » Fri Dec 15, 2006 5:13 pm

I've been researching Mac intrusions a bit, and I gather that a Mac OS rootkit is either very rare or non-existent to this date.

But if an intruder did succeed in gaining root and doing the usual invisibility routine that rootkits do, I assume it could stop Little Snitch from seeing its network activity. True?

WAHa.06x36

Post by WAHa.06x36 » Fri Dec 15, 2006 9:28 pm

You don't even need root access to hide traffic from Little Snitch, if you are a truly malicious piece of software. OS X has a number of code injection methods that can let you communicate from inside another app that is likely to have been whitelisted by Little Snitch, such as Safari.

On that subject, I am not entirely sure how practical it is, but Little Snitch really ought to do stack backtraces for the net access calls it protects, and find what exact code image the calling code lives in. It might come from, for instance, an InputManager running inside a "safe" app.

spacewalk
Posts: 2
Joined: Fri Dec 15, 2006 4:59 pm

Post by spacewalk » Fri Dec 15, 2006 11:23 pm

WAHa.06x36 wrote: You don't even need root access to hide traffic from Little Snitch, if you are a truly malicious piece of software. OS X has a number of code injection methods that can let you communicate from inside another app that is likely to have been whitelisted by Little Snitch, such as Safari.

On that subject, I am not entirely sure how practical it is, but Little Snitch really ought to do stack backtraces for the net access calls it protects, and find what exact code image the calling code lives in. It might come from, for instance, an InputManager running inside a "safe" app.

Thanks. It would be interesting to know "how practical it is" to do what you suggest, because sooner or later we will see the "truly malicious," I'm sure.

WAHa.06x36

Post by WAHa.06x36 » Sat Dec 16, 2006 1:34 am

It's really pretty trivial. A malicious app just needs to put an InputManager bundle in ~/Library/InputManagers, and its code gets loaded into any app. Sneaking past Little Snitch isn't the only thing a malicious app can do this way - getting root access is also trivial. http://www.cocoadev.com/index.pl?SpywareAndCocoa contains some discussion and a proof-of-concept I put together in about an hour.

Fluffy
Rank 1
Posts: 23
Joined: Fri Nov 17, 2006 1:35 am

Post by Fluffy » Wed Dec 20, 2006 11:51 pm

WAHa.06x36 wrote: You don't even need root access to hide traffic from Little Snitch, if you are a truly malicious piece of software. OS X has a number of code injection methods that can let you communicate from inside another app that is likely to have been whitelisted by Little Snitch, such as Safari.

WAHa.06x36, LittleSnitch does alert the user about code injections. Are you saying that you have found a way to bypass that?

WAHa.06x36

Post by WAHa.06x36 » Tue Jan 09, 2007 3:15 am

Fluffy wrote: LittleSnitch does alert the user about code injections.

I just tried - I wrote an InputManager that grabs a webpage through NSURL. Little Snitch popped up when I ran an app that I hadn't authorized to access the net, but there was no indication whatsoever that the call came from an InputManager and not the actual app. Furthermore, when I ran Safari, Little Snitch let the InputManager receive the webpage without any warning at all.

This was all using Little Snitch 1.2.3. Has anything changed since?

Fluffy
Rank 1
Posts: 23
Joined: Fri Nov 17, 2006 1:35 am

Post by Fluffy » Thu Jan 11, 2007 2:15 pm

InputManagers do have the potential to be a serious problem in terms of security for OS X...

WAHa.06x36, you seem quite talented in this regard.
Perhaps you would be willing to undertake some OS X security projects for the benefit of the Mac community...?

Something along the lines of developing easy to use tools to mitigate Mac security issues.

The first thing that comes to mind would be an 'InputManager Manager' to allow users to monitor for code injections.

-Fluffy
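A sketch of the "InputManager Manager" Fluffy asks for, written as an added example for this thread (it is not code from the thread, from Little Snitch or from WAHa.06x36): since any bundle dropped into the InputManagers directories is loaded into every Cocoa app, the defensive check is simply to baseline those directories and report anything new, removed or modified. The two directory paths are the standard per-user and system-wide locations; the baseline file name is an assumption.

```python
"""Added example, not code from this thread or from Little Snitch: a minimal
"InputManager Manager" that snapshots the InputManagers directories and reports
anything new, removed or modified since a saved baseline."""
import json
from pathlib import Path

# Standard locations (per-user and system-wide); the functions take an explicit
# list so the check can be run or tested against any directory.
DEFAULT_DIRS = [Path.home() / "Library" / "InputManagers",
                Path("/Library/InputManagers")]


def snapshot(dirs):
    """Map each top-level entry (each InputManager is a bundle directory)
    to its owner uid, mtime and size, the fields that change on tampering."""
    entries = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue  # a missing directory is the clean state: nothing loaded
        for child in sorted(d.iterdir()):
            st = child.lstat()
            entries[str(child)] = {"uid": st.st_uid,
                                   "mtime": int(st.st_mtime),
                                   "size": st.st_size}
    return entries


def diff_snapshots(baseline, current):
    """Classify every difference between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def check(baseline_file, dirs=DEFAULT_DIRS):
    """Diff the directories against baseline_file. On the first run the file
    is created and every existing entry is reported as added, so the user
    sees and vets what was already installed before trusting the baseline."""
    current = snapshot(dirs)
    path = Path(baseline_file)
    if not path.exists():
        path.write_text(json.dumps(current, indent=2))
        return {"added": sorted(current), "removed": [], "changed": []}
    return diff_snapshots(json.loads(path.read_text()), current)
```

Running `check("~/.inputmanagers.json")` (path expanded) at login or from a periodic job and alerting on any non-empty list gives a user the monitoring the post describes.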

WAHa.06x36

Post by WAHa.06x36 » Thu Jan 11, 2007 8:28 pm

The idea has come up before, but I've got too many other projects as it is that take up all my free time. It's also much easier to break security than it is to provide it, so I'm not entirely sure I could make something good enough.

But this really would be a useful app, if somebody made it. For now, though, it would be nice if Little Snitch just had a way to do stack backtraces to find out where networking calls come from, and if they're from injected code or not.

Fluffy
Rank 1
Posts: 23
Joined: Fri Nov 17, 2006 1:35 am

Post by Fluffy » Fri Jan 12, 2007 12:48 pm

WAHa.06x36 wrote: The idea has come up before, but I've got too many other projects as it is that take up all my free time.

That's too bad.
We need more white hats involved in OS X security...
I hope that you are not putting your talents to inappropriate use.

WAHa.06x36

Post by WAHa.06x36 » Thu Jan 18, 2007 3:55 pm

Is this getting any attention at all from the developer? As it stands now, it's kind of a gaping hole in Little Snitch.

johannes
Objective Development
Posts: 815
Joined: Fri Nov 10, 2006 4:39 pm

Post by johannes » Mon Jan 22, 2007 2:22 pm

The possibility to inject code into applications and thus act "on their behalf" is definitely a security problem in Mac OS X.

Unfortunately there are several possibilities to do this and only a few are subject to any security control at all.

We have added functionality to Little Snitch which promotes the security of the PowerPC version to the same level as the Intel version of Mac OS X, as far as code injection is concerned.

But as malicious code injected into some application can do far more than just communicate over the network, we do believe that a more general system-level solution would be wise. We are still considering solutions within Little Snitch, but since they are non-trivial, don't expect something too soon.

WAHa.06x36

Post by WAHa.06x36 » Mon Jan 22, 2007 11:15 pm

Agreed on all points.

Now, I have not looked into the practicalities of this at all, but my first plan of action if I were developing something like Little Snitch would be to look into how hard it would be to do a stack backtrace, and identify which code image each call came from, in order to find out if a call came from a suspicious one.

Is there some obvious problem with doing this? As I said, I haven't looked into the details myself so I have no real clue.

nicodemus

Simple Security Enhancement

Post by nicodemus » Wed Mar 14, 2007 4:02 pm

Hi All,
Let the user decide: add a button to display the content of what is being asked for. I'm thinking a text field displaying the contents of the request and possibly the response. Maybe add a warning for binary content or some such.
Think tcpdump.

regards

Aaron

Post by Aaron » Sat Sep 15, 2007 4:48 pm

What's been described here and on the forum over at cocoadev may have actually happened to me. Here's what I know:

I connect to my computer remotely from work, so I keep remote access via SSH on. I had set up a temporary account with a weak username/password which was compromised. After going through the logs, I discovered thousands of failed logon attempts via ssh. It appeared that a botnet was at work. Anyway, the temporary account that was compromised wasn't an admin account, and the only activity that I could identify in the logs was the use of sftp.

The next day Little Snitch reported that an application "master" at location "./master" was attempting to connect to various irc servers in Europe and Asia. Master is the posix daemon that is part of Mac OS X. I thought it a little strange that Little Snitch reported the path as ./master instead of its true path, but nonetheless, I added a rule to block master from any connections and removed it from launchd.

I've since upgraded to Little Snitch 2B6. In the network monitor it's reporting that "Mac OS kernel" has made recent connections to IP addresses from Peru to China. When Little Snitch reports the "Mac OS kernel" making a connection, is it referring to the kernel_task process or something else? Little Snitch didn't ask if I wanted to allow or deny these connections. I'm really at a loss when it comes to figuring out what's causing this.

Aaron
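The pattern Aaron describes, thousands of failed SSH logins followed by a successful one on a weak temporary account, is straightforward to pick out of sshd's syslog output. The following is an added example (not from the thread, and the log lines are constructed samples, not Aaron's real log): it counts failures per source address and flags any address that logged in successfully after already failing a threshold number of times. The regexes assume the classic "Failed password for ..." / "Accepted password for ..." sshd message formats.

```python
"""Added example (not from the thread): detect SSH brute-force sources and
successes that follow a burst of failures from the same address."""
import re
from collections import defaultdict

# Classic sshd message formats; "invalid user" appears when the name does not exist.
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

# Constructed sample log (not a real log). 198.51.100.7 hammers the weak "temp"
# account and gets in; 192.0.2.10 is the legitimate user with one typo.
SAMPLE_LOG = """\
Sep 12 01:02:03 mac sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Sep 12 01:02:05 mac sshd[1203]: Failed password for temp from 198.51.100.7 port 40012 ssh2
Sep 12 01:02:07 mac sshd[1205]: Failed password for temp from 198.51.100.7 port 40013 ssh2
Sep 12 01:02:09 mac sshd[1207]: Accepted password for temp from 198.51.100.7 port 40014 ssh2
Sep 12 01:10:00 mac sshd[1301]: Accepted publickey for aaron from 192.0.2.10 port 50000 ssh2
Sep 12 01:11:00 mac sshd[1302]: Failed password for aaron from 192.0.2.10 port 50001 ssh2
"""


def analyze(log_text, threshold=3):
    """Walk the log in order and return:
    failures: failed-login count per source address
    brute_force: addresses at or above the threshold
    suspicious_logins: (address, user) for each success that came after the
    address had already failed `threshold` or more times, i.e. a likely
    guessed password rather than a legitimate login."""
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        # .get() avoids creating a zero entry for addresses that never failed
        if m and failures.get(m.group(2), 0) >= threshold:
            suspicious.append((m.group(2), m.group(1)))
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": dict(failures),
            "brute_force": brute_force,
            "suspicious_logins": suspicious}
```

In practice the threshold would be far higher than 3 and the input would be the live secure.log; the low value here only keeps the sample short.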

PS

Post by Aaron » Sat Sep 15, 2007 4:54 pm

One other tidbit for what it's worth: the following events are being recorded in Little Snitch's log. I'm not sure what they mean.

2007-09-10 19:09:37.291 Little Snitch Network Monitor[302] m680ea5d1 3187328
2007-09-10 19:55:03.838 Little Snitch Network Monitor[302] ODTaskInfo did not return task for PID 3101
