I caught up with security researcher Dino Dai Zovi to discuss his successful hijack of a MacBook Pro machine at last week's CanSecWest conference in Vancouver, Canada.
We talk about the specific vulnerability, the motivation for the attack, Apple's response and his plans around Mac OS X research:
RN: What's your OS of choice?
DDZ: On my primary machine, I'm running Mac OS X.
What was the motivation for this attack?
The interest for me was the challenge. I remembered it was happening but I wasn't at the conference so I didn't give it much thought. I got a call on Thursday night from a friend [Shane Macaulay] saying that the machines survived the first day and maybe we should give it a shot, try to win it. He said they had added a $10,000 prize so I said, OK, cool, let me sit down and take a look and see what I can find. I figured I'd stay up and write an exploit if I found something interesting.
How did you find it?
I do manual code inspection, that's my primary research tactic. I look at feature sets. I look at the entire attack surface, look in areas of functionality where there were vulnerabilities in the past. I look at the entire attack surface, see what looks dangerous, what looks sketchy. In this case, there was blood in the water so I started looking at something specific and found this one. Then I worked up the exploit from there.
What was Macaulay's role?
Deploying the exploit required someone on the ground at the conference. The exploit launched a shell so we needed someone to connect to the shell and follow the instructions to claim victory. Shane ran the actual attack and he also helped to test the exploit ahead of time.
Which machine did you run it against?
It was the 15-inch MacBook. We used a remote browser exploit to get user-level access. We didn't attempt an attack against the 17-inch, which required root access.
What can you divulge about this specific vulnerability?
I have to be careful because this is still unpatched and ZDI [TippingPoint's Zero Day Initiative] owns the exclusive rights to all the information. The most I can say is that running Web browsers in hardened configuration would prevent this vulnerability from being exploited.
There was very little user action involved. Once the browser opened to a Web page that the attacker controlled, it was game over.
[UPDATE: April 24, 2007 -- See more details on the vulnerability here]
What took longer? Finding the vulnerability or writing the exploit?
That's a good question. I think it was about the same. I remember calling Shane around 3:00 a.m. Eastern, saying that I have something that might be exploitable. That took about five hours. It took another four hours or so to write a reliable exploit that would work on a default Mac OS X installation. I got really lucky in this case. Sometimes, you'll find something within an hour and sometimes, you can spend several days or several weeks looking and find nothing.
Has the vulnerability been officially verified?
The guys at ZDI have verified it and they're handling all the coordination with the vendor. It's out of my hands now that ZDI has paid for the exclusive rights to the information.
Apple has been criticized in the past for not responding appropriately to third-party findings. What has been your experience working with them?
On my site, I list several vulnerabilities I've found and reported to Apple and I've found them to be very responsive and upfront about verifying things and giving credit. Some things are fixed quicker than others and maybe you can say they take too long on some things but when there are interdependencies on components being fixed, it can be a month or two before you see a patch.
They do tend to be a little quiet when dealing with researchers. They'll communicate on an as-needed basis and if you don't provide adequate information, maybe they'll follow up and ask for more. When I report bugs to Apple, I send full details including an exploit. They've been very good about pinpointing the issue and providing a fix.
I had an issue once where their engineers had trouble reproducing a vulnerability and I had to send more information and an actual exploit. After that, they found it and fixed it. I've always received appropriate credit.
Are you still poking at Mac OS X?
Right now, vulnerability research is more of a hobby. If I do look at the Mac, it'll be for the intellectual challenge, to make it a more secure platform. It's not the only place I'm looking.