High Sierra’s ‘Secure Kernel Extension Loading’ is Broken – Synack Blog

Aloha it’s Patrick, Chief Security Researcher at Synack. In my free time, I also run a small OS X security website objective-see.com, where I share my personal OS X security tools and blog about OS X security and coding topics. Below is one such post originally published on my site…Read and enjoy!
With each new release of macOS, Apple introduces new ‘built-in’ security enhancements…and macOS High Sierra (10.13) is no exception.
In this blog post we’ll take a brief look at High Sierra’s somewhat controversial “Secure Kernel Extension Loading” (SKEL) feature. Unfortunately, while wrapped in good intentions, in its current implementation SKEL merely hampers the efforts of the ‘good guys’ (i.e. 3rd-party macOS developers, such as those who build security products). Due to flaws in its implementation, the bad guys (hackers/malware) will likely remain unaffected. While many respected security researchers, system administrators, and macOS developers have voiced this concern, here we’ll prove it by demonstrating a 0day vulnerability in SKEL’s implementation that fully bypasses it:
Index Refs Size   Wired    Name
1     90   0x9e30 0x9e30   com.apple.kpi.bsd
2     8    0x3960 0x3960   com.apple.kpi.dsep

130   0    0x4b00 0x4b000  com.un.approved.kext
Documented in Apple’s Technical Note TN2459, Secure Kernel Extension Loading is “a new feature that requires user approval before loading new third-party kernel extensions.” Other good overviews of SKEL include:
While we might initially assume that the main attack vector SKEL attempts to thwart is the (direct) loading of malicious kernel extensions (i.e. rootkits), I believe this is not the case. First, observe that (AFAIK) we have yet to see any signed kernel-mode macOS malware! Since OS X Yosemite, all kexts have to be signed with a kernel code-signing certificate. And unlike user-mode Developer IDs, Apple is incredibly ‘protective’ of such kernel code-signing certificates – only giving out a handful to legitimate 3rd-party companies that have justifiable reasons to create kernel code. As security features are often costly to implement, they are generally introduced to reactively address widespread issues (unless they are introduced as a control mechanism, under the guise of a ‘security feature’ (*cough cough*)).
Instead, the main (security) goal of SKEL is to block the loading of legitimate but (known) vulnerable kexts. Until Apple blacklists these kexts via the OSKextExcludeList dictionary (in AppleKextExcludeList.kext/Contents/Info.plist), attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often delayed, as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext.
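As an added defender-side example (not code from the original post or from Apple), the check below matches a list of loaded kexts against an OSKextExcludeList dictionary to flag known-vulnerable versions that are still loaded. The plist contents and loaded-kext list are constructed, and the “<op> <version>” rule syntax (LE, LT, EQ, GE, GT, joined by OR) is an assumption about the real file’s format.

```python
import plistlib

# Constructed stand-in for the OSKextExcludeList dictionary found in
# AppleKextExcludeList.kext/Contents/Info.plist. The "<op> <version>"
# rule syntax used here is assumed, not copied from Apple's file.
SAMPLE_EXCLUDE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OSKextExcludeList</key>
  <dict>
    <key>com.example.vulnerable.driver</key><string>LE 1.2.0</string>
    <key>com.example.other.driver</key><string>LT 3.0 OR EQ 3.5.1</string>
  </dict>
</dict></plist>"""

# Constructed list of loaded kexts as (bundle id, version) pairs, the
# information `kextstat -l` reports for each loaded extension.
SAMPLE_LOADED = [
    ("com.apple.kpi.bsd", "17.0.0"),
    ("com.example.vulnerable.driver", "1.1.4"),   # hypothetical vulnerable build
    ("com.example.vulnerable.driver", "1.3.0"),   # hypothetical fixed build
    ("com.example.other.driver", "3.5.1"),
    ("com.un.approved.kext", "1.0"),
]

OPS = {"LT": lambda c: c < 0, "LE": lambda c: c <= 0, "EQ": lambda c: c == 0,
       "GE": lambda c: c >= 0, "GT": lambda c: c > 0}

def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))

def compare_versions(a, b):
    # Pad to equal length so "3.0" and "3.0.0" compare as equal.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def version_excluded(version, rule):
    # A rule is one or more "<op> <version>" clauses joined by " OR ".
    for clause in rule.split(" OR "):
        op, _, bound = clause.strip().partition(" ")
        if OPS[op](compare_versions(parse_version(version), parse_version(bound))):
            return True
    return False

def load_exclude_list(plist_bytes):
    return plistlib.loads(plist_bytes)["OSKextExcludeList"]

def find_excluded_loaded_kexts(loaded, exclude_list):
    # Return every loaded (bundle id, version) that Apple's list would block.
    return [(bid, ver) for bid, ver in loaded
            if bid in exclude_list and version_excluded(ver, exclude_list[bid])]
```

On a real system the exclude list comes from the kext’s Info.plist and the loaded set from kextstat; a hit means a blacklisted, i.e. known-vulnerable, kext is currently resident in the kernel.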
About a year ago I discussed this attack vector in my DefCon talk, “I got 99 Problems, but Little Snitch ain’t one!” (note: this is a well-known attack vector for bypassing kernel code-signing requirements on both Windows and macOS):
While at this time I cannot release technical details of the vulnerability, here’s a demo of a full SKEL bypass. As can be seen in the iTerm window below, after dumping the version of the system (High Sierra, beta 9) and showing that SIP is enabled and that the kernel extension we are aiming to load (LittleSnitch.kext) is not loaded, nor is in the ‘kext policy’ database, something magic happens. In short, we exploit an implementation vulnerability in SKEL that allows us to load a new unapproved kext, fully programmatically, without any user interaction: