Déjà Vu: Uncovering Stolen Algorithms in Commercial Products

Transcript

1. Déjà Vu Uncovering Stolen Algorithms in Commercial Products

2. WHOIS PATRICK WARDLE (OBJECTIVE-SEE FOUNDATION) TOM MCGUIRE (JOHNS HOPKINS UNIVERSITY)

3. The Hunt OUTLINE The Victim Proving Equivalence Describe approaches to

   uncovering, confirming, and resolving, 
 the unauthorized use of "stolen" code in commercial products. Goals: Resolutions

4. The Victim OverSight

5. OVERSIGHT a mic & webcam monitor (macOS) Released @ Virus

   Bulletin 2016 Mic & webcam monitor Identify process Detect piggy-backing ...prior to any macOS protections :) "killer" feature free, but close-sourced 
 (open-sourced as of 2021)

6. OVERSIGHT vs. malware AVFMediaRecorderControl::setupSessionForCapture(void) proc 
 ... 
 call AVFCameraSession::state(void)

   
 call AVFAudioInputSelectorControl::createCaptureDevice(void) 
 lea rdx, "Could not connect the video recorder" 
 ... 
 call QMediaRecorderControl::error(int,QString const&) 01 02 03 04 05 06 07 malware: Mokes Mokes 
 Crisis 
 Eleanor 
 FruitFly 
 ... and many more! 
 Webcam "aware" (macOS) malware: OverSight vs. Mokes Webcam capture via AVFoundation

7. OVERSIGHT vs. 0days vulnerabilities "A [0day] vulnerability in the Mac

   Zoom Client allows any malicious website to enable your camera without your permission" bug credit: Jonathan Leitschuh "A zero-day [exploited by XCSSET malware] allows an attacker to bypass Apple’s TCC protections which safeguard privacy" analysis: Jamf OverSight vs. 0day OverSight vs. 0day

8. OVERSIGHT vs. legitimate apps "Forget the NSA, it's Shazam that's

   always listening!" 
 objective-see.org/blog/blog_0x13.html OverSight vs. Shazam Shazam, was always listening :/

9. PROCESS IDENTIFICATION a must! but the APIs aren't helpful CMIODeviceID

   cameraID = <id of built in camera>; 
 UInt32 isRunning = 0; 
 UInt32 propertySize = 0; 
 CMIOObjectPropertyAddress propertyStruct = {0}; 
 
 propertySize = sizeof(isRunning); 
 propertyStruct.mScope = kCMIOObjectPropertyScopeGlobal; 
 propertyStruct.mSelector = kAudioDevicePropertyDeviceIsRunningSomewhere; 
 
 CMIOObjectGetPropertyData(cameraID, &propertyStruct, 0, NULL, 
 sizeof(kAudioDevicePropertyDeviceIsRunningSomewhere), &propertySize, &isRunning); 01 02 03 04 05 06 07 08 09 10 11 code for: "is camera on" The system APIs do not tell us: 
 which process is accessing the webcam (or microphone) }

10. OVERSIGHT'S PROCESS IDENTIFICATION step one: enumerate mach messages (ports) Camera/mic

    daemon 
 (eg. VDCAssistant, 
 AppleCameraAssistant, etc.) mach msg # lsmp -p <camera assistant> ... 0x00009f1f 0xbf7f289d send-once -> 
 0x0000000000000000 0x0001f60b (34770) zoom.us lsmp /usr/bin/lsmp entitled: "com.apple.system-task-ports.read" 
 (allows the listing of mach ports) Listing mach ports 
 (via lsmp) Oversight Candidate processes

11. programmatically enumerating "mach senders" -(NSMutableDictionary*)enumMachSenders:(pid_t)targetProcess { 
 
 //exec 'lsmp'

    w/ pid of camera assistant to get mach ports 
 results = [[NSString alloc] initWithData:execTask(LSMP, 
 @[@"-p", @(targetProcess).stringValue], YES) encoding:NSUTF8StringEncoding]; 
 //parse results 
 // split on new line (then look for (<pid>) process name) 
 for(NSString* line in [results componentsSeparatedByCharactersInSet: 
 [NSCharacterSet characterSetWithCharactersInString:@"\n"]]) { 
 
 //skip blank lines 
 if(0 == line.length) continue; 
 
 //parse on '()' 
 subStrings = [line componentsSeparatedByCharactersInSet: 
 [NSCharacterSet characterSetWithCharactersInString:@"()"]]; 
 
 //sanity check 
 if(subStrings.count < 3) continue; 
 
 //extract process id (insides '()', so will be second substring) 
 processID = @([[subStrings objectAtIndex:0x1] integerValue]); 
 
 //add/inc to dictionary 
 senders[processID] = @([senders[processID] unsignedIntegerValue] + 1); 01 02 03 04 05 06 07 08 
 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 OVERSIGHT'S PROCESS IDENTIFICATION Executing lsmp (-p pid) & parsing its output parse output }

12. step 2: query I/O registry (IOUserClientCreators) # ioreg -l ...

    | | +-o RootDomainUserClient 
 <class RootDomainUserClient, id 0x10000099a ... > | | | { | | | "IOUserClientCreator" = "pid 34770, zoom.us" | | | } Listing "user clients" 
 (via ioreg) Candidate 
 processes OVERSIGHT'S PROCESS IDENTIFICATION I/O registry

13. -(NSMutableDictionary*)enumDomainUserClients { 
 
 //get IOPMrootDomain obj 
 matchingService =

    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPMrootDomain")); 
 ... 
 
 //get iterator 
 IORegistryEntryGetChildIterator(matchingService, kIOServicePlane, &iterator)); 
 
 //iterator over all children (looking for 'IOUserClientCreator') 
 while((child = IOIteratorNext(iterator))) { 
 
 //get 'IOUserClientCreator' 
 creator = IORegistryEntryCreateCFProperty(child, CFSTR("IOUserClientCreator"), kCFAllocatorDefault, 0); 
 
 //parse 
 components = [creator componentsSeparatedByCharactersInSet: 
 [NSCharacterSet characterSetWithCharactersInString:@" ,"]]; 
 
 //extract pid and save 
 processID = [NSNumber numberWithShort:[components[0x1] intValue]]; 
 
 //add/inc to dictionary 
 clients[processID] = @([clients[processID] unsignedIntegerValue] + 1); 01 02 03 04 05 06 07 08 
 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 programmatically querying the I/O registry OVERSIGHT'S PROCESS IDENTIFICATION Querying the I/O registry 
 ("IOPMrootDomain/IOService/IOUserClientCreator") parse results }

14. #define SAMPLE @"/usr/bin/sample" 
 
 //invoke 'sample' to confirm candidates

    are using CMIO/video/av inputs 
 // note: audio/video invoke 'CMIOGraph::DoWork' (will be in call stack) 
 -(NSMutableArray*)sampleCandidates:(NSArray*)currentSenders { 
 
 ... 
 
 //exec 'sample' to get stack trace of process 
 results = [[NSString alloc] initWithData:execTask(SAMPLE, 
 @[processID.stringValue, @"1"], YES) ...]; 
 
 //check for 'CMIOGraph::DoWork' 
 // note: both audio/video invoke this 
 if(YES != [results containsString:@"CMIOGraph::DoWork"]) { 
 
 //save process 
 } 01 02 03 04 05 06 07 08 
 09 10 11 12 13 14 15 16 17 18 step 3: sample process and examine stack trace CMIOGraph::DoWork mic/webcam API's 
 in stack trace? /usr/bin/sample: entitled with "task_for_pid-allow" 
 (which allows it to read (sample) other processes' memory) OVERSIGHT'S PROCESS IDENTIFICATION Executing sample (w/ pid) to obtain stack trace

15. RELIABLE PROCESS IDENTIFICATION ...for both the mic & webcam ...and

    popularity!

16. The Hunt OverSight ...in other products !?

17. HOW WOULD THIS EVEN BE POSSIBLE? ...by reverse-engineering the OverSight

    application -(NSMutableDictionary*)enumMachSenders:(pid_t)targetProcess { 
 ... 
 NSArray* arguments = @[@"-p", @(targetProcess).stringValue]; 
 NSMutableDictionary* results = [NSMutableDictionary dictionary]; 
 
 NSData* results = execTask(@"/usr/bin/lsmp", arguments, YES); 
 01 02 03 04 05 06 Reconstructed code Free! 
 (OverSight) Commercial 
 (...not OverSight) Technically trivial, ...ethically & legally; questionable! OverSight's disassembly

18. OVERSIGHT'S ALGORITHM IS QUITE UNIQUE ...and is a bit janky

    (+ as we'll see, broke) Approach is a bit "janky" 
 (what, no regex?) Approach is very unique: No Google results 
 (for "CMIOGraph::DoWork") No "great matches" 
 (for I/O registry keys)

19. HOW IT ALL BEGAN (2018) ...via malware analysis Flagged binary

    
 (on VirusTotal) "Riskware" / "PUP" 
 (potential unwanted program) method "enumMachSendersForProcess:" which execs /usr/bin/lsmp !? ...just like OverSight !? Familiar code?

20. HUNTING VIA GOOGLE bug(s) in OverSight ...in others too!? Same

    bug(s)!? 
 ...but these aren't OverSight! Various changes in macOS triggered issues in other (non-Objective-See) programs too !? Bugs in OverSight

21. HUNTING VIA YARA RULES ...and running across corpuses of binaries

    private rule Macho { 
 condition: 
 uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe ... 
 } 
 
 rule lsmp { 
 
 strings: 
 $a = "lsmp" 
 condition: 
 Macho and $a 
 } A match, with method named 
 "getVDCDictionaryWithPid:" 
 (that invokes lsmp)

22. Confirming Equivalency ...the code doesn't lie !

23. PRODUCT #1 use of lsmp & parsing } method: "enumMachSenders:"

    method: "enumMachSendersForProcess:" not OverSight } Invoke lsmp (-p <pid>) Same: Ignore if less than 3 substrings Check for "-" character Split line "()" OverSight

24. PRODUCT #1 I/O registry query & parsing method: "enumDomainUserClients:" method:

    "enumDomainUserClients:" not OverSight } } Query: 
 "IOPMrootDomain/IOService/IOUserClientCreator" Same: Split on " ," OverSight

25. PRODUCT #1 sample process & string matching not OverSight Sample

    (candidate) process Same: Look for "CMIOGraph::DoWork" Delete sample's output file OverSight

26. PRODUCT #2 use of lsmp & parsing Split (lsmp) output

    on newlines ("\n") Leave if no lines (count = 0) Split line "()" Ignore if less than 3 substrings not OverSight Same: OverSight

27. PRODUCT #2 I/O registry query & parsing Matching Service: "IOPMrootDomain"

    Get Child Iterator: "IOService" Parse result, by splitting on " ," "IOUserClientCreator" not OverSight Same: OverSight Get Property Value: "IOUserClientCreator"

28. PRODUCT #3 use of lsmp & parsing Invoke lsmp (-p

    <pid>) Split on new lines ("\n") Same: not OverSight OverSight

29. PRODUCT #3 I/O registry query & parsing Matching Service: "IOPMrootDomain"

    Get Child Iterator: "IOService" Get Property Value: "IOUserClientCreator" not OverSight Same: OverSight

30. PRODUCT #3 Invoke sample Look for "CMIOGraph::DoWork" (in output from

    sample) sample process & string matching Same: not OverSight OverSight

31. Resolutions and now what?

32. APPROACH to resolve the matter Define your goals } Create

    Proof Reach out directly Professionally + your proof + goals for resolution Consult a lawyer eff.org optional, but recommended ! Money? Talks? Fixes?

33. REASONABLE RESOLUTIONS ...what corporations (generally) want A license agreement An

    amicable resolution The majority of cases, the infringement is the work of a 
 single (naive?) developer vs. malice of the entire corporation. Non-disparagement ...and will pay! covering them legally "optics"

34. WIN-WIN RESOLUTION ack'd + code removal & financial compensation Acknowledgement

    Code Removal Retroactive license (w/ compensation)

35. ANOTHER WIN-WIN RESOLUTION ack'd + code removal & financial compensation

    Acknowledgement Code Removal Financial compensation

36. Conclusions +takeaways

37. FOR DEVELOPERS Assume your code will be stolen 
 (regardless

    if it's closed or open source). Hunt, confirm, approach 
 ...and resolve (+recover reparations)

38. FOR CORPORATIONS Educate your employees (developers) tl;dr don't steal other

    ppl algorithms for commercial gain Implement internal procedures (scans, etc.) 
 ("Is this original code? Or where did you get it from?") If approached, work to amicably resolve any issues legal issues "optics"

39. MORE ON PROGRAM ANALYSIS ...topics of reversing, debugging, & malware

    Free: taomm.org 
 For sale: amazon, etc...

40. MAHALO! "Friends of Objective-See" Guardian Mobile Firewall SmugMug iVerify Halo

    Privacy

41. RESOURCES: Déjà Vu "Zoom Zero Day: 4+ Million Webcams &

    maybe an RCE?" 
 https://infosecwriteups.com/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website- ac75c83f4ef5 
 
 "OverSight: Exposing Spies on macOS" 
 https://speakerdeck.com/patrickwardle/hack-in-the-box-2017-oversight-exposing-spies-on-macos 
 
 "Zero-Day TCC bypass discovered in XCSSET malware" 
 https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/ 
 
 Electronic Frontier Foundation 
 https://eff.org Uncovering Stolen Algorithms in Commercial Products