Historically, the boot phase on personal computers left systems in a relatively vulnerable state. Because traditional antivirus software runs within the operating system, the boot environment is difficult to protect from malware. Examples of attacks against bootloaders include so-called “evil maid” attacks, in which an intruder physically obtains a boot disk to install malicious software for obtaining the password used to encrypt a disk. The password then must be stored and retrieved again through physical access. In this paper, we discuss an attack that borrows concepts from the evil maid. We assume exploitation can be used to infect a bootloader on a system running macOS remotely to install code to steal the user's password. We explore the ability to create a communication channel between the bootloader and the operating system to remotely steal the password for a disk protected by FileVault 2.

On a macOS system, this attack has additional implications due to “password forwarding” technology, in which a user's account password also serves as the FileVault password, enabling an additional attack surface through privilege escalation. The “evil maid” attack gets its name from a hypothetical situation in which, say, a high-ranking company official is out of his hotel room and a maid is paid by an adversary to go into the room and plant malware on an encrypted computer system. The next time the computer is used, the malware steals the encryption password. Such an attack takes advantage of the vulnerable state of a computer system before it boots into its operating system environment. In this preboot environment, there is no antivirus scanning, no kernel-level process scheduling or management, and no true virtual memory segmentation. The typical evil maid attack requires physical access to the target system. That is, the attacker must be able to acquire the physical system to install the malware on it. The goal of an evil maid attack is to obtain a full disk encryption (FDE) password to be able to decrypt a disk drive. This generally assumes that physical access will be used again once the password is stolen to exfiltrate sensitive data or that the disk drive was copied at the same time the malware was planted on the system. In either case, the password for FDE is, in most systems, used only for disk encryption. In this paper, we explore an attack that we call BootBandit, which is a bootkit credential harvester that attacks Apple-branded In macOS, the FDE protection employs users' login credentials for disk encryption. Because the same password is used in two different places, theft of the FDE password in the vulnerable pre-operating-system environment also means theft of the login credentials, which, on a personal computer, is often also sufficient for gaining root or administrator-level access on the system.

BootBandit includes a bootloader infection for credential theft, an implant for macOS for exfiltration, and a command and control server for an attacker to collect credentials from victims. We note that the primary goal of this research is to abuse the bootloader and Apple's “password forwarding” technology, as demonstrated by stealing a user's credentials. However, unlike a traditional evil maid attack, our attack is not intended to be a physical one. Our goal is to demonstrate the possibility of using the UEFI space to communicate an attack to user space. Because user passwords on macOS systems typically double as disk encryption passwords (and triple as administrator passwords), theft of the password was the ideal target to showcase such an attack. In the attack chain, we assume that prior exploitation allows filesystem access to the protected /System directory but not root privileges. Vulnerabilities like this have been discovered in the past [1]. Such exploits do not always provide indefinite or sustained root access, so an attack like BootBandit, although obviously not the only option, can be used to gain credentials to escalate privileges and continue lateral movement. Moreover, again, we demonstrate use of UEFI to bypass any runtime defenses and to communicate from the boot level to the OS level using UEFI facilities. The attack discussed in this paper was tested on OS X 10.11.6. Our attack applies generically to relevant hardware that is not protected by the T2 chip. Hence, a modified bootloader attack such as BootBandit will not succeed against hardware that is protected by the T2 security chip. On the other hand, for hardware that does not utilize the T2 chip for bootloader protection, the precise version of the OS does not matter, provided the attacker can gain filesystem access to the /System directory, as mentioned above. Note that the T2 chip was released in 2018.
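The threat model above assumes an attacker who can write into the protected /System directory and modify the bootloader on hardware without a T2 chip. As an added example of the defender's side of that model (this is not code from the BootBandit paper or its authors), the following Python script records SHA-256 digests of boot-critical files as a baseline and reports any later drift. The watch-list path /System/Library/CoreServices/boot.efi is the standard macOS bootloader location and is used here as an assumption; the demo runs against a constructed stand-in file in a temporary directory rather than the real bootloader.

```python
"""Baseline integrity check for boot-critical files.

Added example (not BootBandit code): snapshot SHA-256 digests of a watch list,
persist them as JSON, and compare a later snapshot against that baseline.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Assumed watch list: boot.efi is the standard macOS bootloader location.
# Extend this with any other preboot binaries you consider boot-critical.
DEFAULT_PATHS = ["/System/Library/CoreServices/boot.efi"]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Return the SHA-256 hex digest of a file, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths: List[str]) -> Dict[str, Optional[str]]:
    """Hash every watched path; a path that does not exist maps to None."""
    result: Dict[str, Optional[str]] = {}
    for p in paths:
        try:
            result[p] = sha256_file(p)
        except FileNotFoundError:
            result[p] = None
    return result


def save_baseline(snap: Dict[str, Optional[str]], baseline_path: str) -> None:
    """Persist a snapshot as sorted JSON so it can be kept on trusted media."""
    with open(baseline_path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(baseline_path: str) -> Dict[str, Optional[str]]:
    with open(baseline_path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Optional[str]],
            current: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (path, kind) findings: 'modified', 'missing' or 'new'.

    Unchanged files produce no finding; a path absent from both sides is ignored.
    """
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if new is None:
            kind = "missing"      # was present at baseline time, gone now
        elif old is None:
            kind = "new"          # not present (or not watched) at baseline time
        else:
            kind = "modified"     # digest drift: the bytes on disk changed
        findings.append((path, kind))
    return findings


def check(paths: List[str], baseline_path: str) -> List[Tuple[str, str]]:
    """Re-hash the watch list and diff it against the stored baseline."""
    return compare(load_baseline(baseline_path), snapshot(paths))


def demo(tmpdir: Optional[str] = None):
    """Constructed end-to-end run: baseline a stand-in bootloader, tamper, re-check.

    Returns the findings of three checks: clean, after modification, after removal.
    """
    tmpdir = tmpdir or tempfile.mkdtemp()
    fake = os.path.join(tmpdir, "boot.efi")          # stand-in, not the real file
    with open(fake, "wb") as f:
        f.write(b"constructed stand-in for a bootloader image")
    base_file = os.path.join(tmpdir, "baseline.json")
    save_baseline(snapshot([fake]), base_file)
    clean = check([fake], base_file)
    with open(fake, "ab") as f:
        f.write(b"\x90")                             # simulated patch to the image
    tampered = check([fake], base_file)
    os.remove(fake)
    gone = check([fake], base_file)
    return clean, tampered, gone


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered", "removed"), demo()):
        print(f"{label}: {findings}")
```

Two practical caveats follow from the paper's own framing. Because boot.efi changes with OS updates, the baseline must be re-recorded after every update, or each update will look like tampering. And because a bootkit that has already executed sits below the OS, a check run from the booted system can be fed a false view; the baseline and the check are more trustworthy when run from external trusted media. On T2-protected hardware this check is redundant with the chip's own bootloader verification, which is exactly why the paper scopes the attack to machines without it.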