Negative Space (itch) (Mavryke) Mac OS

(This post is a joint work with @joystick, see also his blog here)
  1. Negative Space (itch) (mavryke) Mac Os Update
  2. Negative Space (itch) (mavryke) Mac Os Download
  3. Negative Space (itch) (mavryke) Mac Os Free
  4. Negative Space (itch) (mavryke) Mac Os Version

Nowadays, exploitation of user-level vulnerabilities is becoming more and more difficult, because of the widespread diffusion of several protection methods, including ASLR, NX, various heap protections, stack canaries, and sandboxed execution. As a natural consequence, instead of extricating themselves with such a plethora of defensive methods, attackers prefer to take the “easy” way and started to move at the kernel-level, where sophisticated protection techniques are still not very common (indeed, things like as KASLR and SMEP are implemented only in the latest versions of the most popular OSes). This trend is also confirmed by the rising number of kernel-level vulnerabilities reported in the last few months in Windows, Linux, and OS X.

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles. If you are running OS X 10.6 or earlier you will need to click the Apple menu About this Mac More Info and look for the Model Identifier. These older versions of the Mac. Weird Worlds: Return to Infinite Space is a hybrid 'roguelike' game of space exploration and starship combat set within a peculiar, as-yet-unvisited region of the galaxy known as the Purple Void. Each time it is played, a new and different 'sector prime' and its vast frontier are randomly generated.

Following this trend, we recently looked at few OS X drivers (“KEXT”s) and found a integer signedness bug affecting service IOBluetoothHCIController (implemented by the IOBluetoothFamily KEXT). This vulnerability can be exploited by a local attacker to gain root privileges. The issue is present on the latest versions of OS X Mavericks (tested on 10.9.4 and 10.9.5), but has been “silently” patched by Apple in OS X Yosemite.

Vulnerability overview

In a nutshell, the bug lies in the IOBluetoothHCIUserClient::SimpleDispatchWL() function. The function eventually takes a user-supplied 32-bit signed integer value and uses it to index a global array of structures containing a function pointer. The chosen function pointer is finally called. As the reader can easily imagine, SimpleDispatchWL() fails at properly sanitizing the user-supplied index, thus bad things may happen if a malicious user is able to control the chosen function pointer.
More in detail, the vulnerable part of the function is summarized in the pseudocode below. At line 14, the user-supplied 32-bit integer is casted to a 64-bit value. Then, the 'if' statement at line 16 returns an error if the casted (signed) value is greater than the number of methods available in the global _sRoutines array; obviously, due to the signed comparison, any negative value for the method_index variable will pass this test. At line 20 method_index is used to access the _sRoutines array, and the retrieved callback is finally called at line 23.

Exploitation details

Exploitation of this vulnerability is just a matter of supplying the proper negative integer value in order to make IOBluetoothFamily index the global _sRoutines structure out of its bounds, and to fetch an attacker-controlled structure. The supplied value must be negative to index outside the _sRoutines structure while still satisfying the check at line 16.
As a foreword, consider that for our 'proof-of-concept' we disabled both SMEP/SMAP and KASLR, so some additional voodoo tricks are required to get a fully weaponized exploit. Thus, our approach was actually very simple: we computed a value for the user-supplied parameter that allowed us to index a BluetoothMethod structure such that BluetoothMethod.function_ptr is a valid user-space address (where we placed our shellcode), while BluetoothMethod.num_arguments is an integer value less than 8 (to satisfy the check performed by SimpleDispatchWL() at line 22).
As shown in the C code fragment above, the user-supplied 32-bit value (user_param) is first casted to a 64-bit signed value, and then used as an index in _sRoutines. Each entry of the global _sRoutines array is 16-byte wide (two 8-byte values). These operations are implemented by the following assembly code:

At a higher-level, the address of the BluetoothMethod structure fetched when processing an index value 'user_param' is computed by the following formula:
struct_addr = (ext(user_param & 0xffffffff) * 16) + _sRoutine
Where ext() is the sign-extension operation (implemented by the movsxd instruction in the assembly code snipped above).
By solving this formula for user_param and searching inside the kernel address space, we found several candidate addresses that matched our criteria (i.e., a valid user-space pointer followed by an integer value < 8). The rest of the exploit is just a matter of mmap()'ing the shellcode at the proper user-space address, connecting to the IOBluetoothHCIController service and invoking the vulnerable method.
The source code for a (very rough) proof-of-concept implementation of the aforementioned exploit is available here, while the following figure shows the exploit 'in action'.
Execution of our 'proof-of-concept' exploit

Patching

We verified the security issue both on OS X Mavericks 10.9.4 and 10.9.5 (MD5 hash values for the IOBluetoothFamily KEXT bundle on these two OS versions are 2a55b7dac51e3b546455113505b25e75 and b7411f9d80bfeab47f3eaff3c36e128f, respectively). After the release of OS X Yosemite (10.10), we noticed the vulnerability has been silently patched by Apple, with no mention about it in the security change log.
A side-by-side comparison between versions 10.9.x and 10.10 of IOBluetoothFamily confirms Apple has patched the device driver by rejecting negative values for the user-supplied index. In the figure below, the user-supplied index value is compared against _sRoutineCount (orange basic block). Yosemite adds an additional check to ensure the (signed) index value is non-negative (green basic block, on the right).
Comparison of the vulnerable OS X driver (Mavericks, on the left) and patched version (Yosemite, on the right)
(mavryke)

Conclusions

We contacted Apple on October 20th, 2014, asking for their intention to back-port the security fix to OS X Mavericks. Unfortunately, we got no reply, so we decided to publicly disclose the details of this vulnerability: Yosemite has now been released since a while and is available for free for Apple customers; thus, we don’t think the public disclosure of this bug could endanger end-users.

Update (31/10/2014)

Yesterday evening, few hours after the publication of our blog post, we received a reply from Apple Product Security. They confirmed the bug has been fixed in Yosemite, and they are stillevaluating whether the issue should be addressed in the previous OS versions as well.
(itch)

You must be 18+ to view this content

Rainswept may contain content you must be 18+ to view.

Negative Space (itch) (mavryke) Mac Os Update

Are you 18 years of age or older?

Hello!

So for the past 10 days, as promised, I've been working on fixing and improving the demo based on your feedback. I've also released a Mac OS build for the demo.

Slotland promo code. Here are some of the changes in this new build: What is a slot tournament.

  • Speech bubbles - Speech bubbles are now colored! Many people found it confusing to identify the speaker of some dialogues, especially when characters stood close to each other. This is still a temporary solution, just for the demo (as the speech system will be overhauled for the full release) but it should do the job for now.


  • Dialogue skipping - You can now skip dialogues by pressing Space/ LB! This is only applicable for those dialogues that the player has already heard at least once before. This will make the market section easier, in case you mistakenly end up asking an NPC the same question you'd already asked before.
  • Fixed some collision bugs - Preventing the player from walking off the scene, and from pushing other NPCs around.
  • Made the investigation scene in the kitchen a little less cramped up.
  • Fixed the main menu - and gave it some new, fancy effects! The camera now moves down when loading the options, or when starting the game. Cool, huh? ;)
  • Loading/ Saving - Added manual saving/loading and save slots.
  • Slightly more fleshed out negative dialogue choices when conversing with the local cops.

There were a couple more improvements that were planned for the demo update, but they'll require more time and work than had been anticipated. They will be carried over to the full release.

Hope you enjoy the demo! Keep an eye out for weekly updates, and don't forget to wishlist the game on Steam!

Negative Space (itch) (mavryke) Mac Os Download

-Armaan
Lock it link.

Files

Jan 14, 2018
Jan 14, 2018

Negative Space (itch) (mavryke) Mac Os Free

Jan 14, 2018

Negative Space (itch) (mavryke) Mac Os Version

Get Rainswept

Log in with itch.io to leave a comment.

itch.io·View all by Frostwood Interactive·Report