Description: Vincenzo Iozzo gave a talk titled "Let your Mach-O Fly" at Black Hat DC 2009, detailing an attack that could make digital forensics on a compromised OS X machine very difficult. The attack, which relies on an in-memory injection technique, allows unauthorized software to be run on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised. However, the prerequisite for this attack is that the attacker must first have a reliable exploit for a common application such as Safari or iTunes. In his paper, Vincenzo writes that even though OS X's address space layout randomization (ASLR) was designed with the intention of thwarting in-memory injection attacks, an attacker can still bypass this protection by tracing the "dynamic linker" on the platform. Interestingly, because the dynamic linker always has the same load address, it can be used to figure out the offsets at which the other libraries needed for a given attack are loaded.
The detailed white paper about the entire attack is available here. The video below shows Vincenzo giving a demo of the attack.
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.