Softpedia
 


February 23rd, 2009, 09:57 GMT · By

Memory Injection Attack Proven Possible in Mac OS X



Black Hat X
Vincenzo Iozzo, a security researcher and student at Politecnico di Milano University (Italy), used a new form of attack against Mac OS X computers that allows hackers to inject malicious code into another program’s memory space. Because the attack is carried out in the system's RAM, any possible traces that the attacker might have left are immediately erased once the computer is turned off.

At the Politecnico di Milano, Vincenzo Iozzo does research on malware and IDS, among other things. He is involved in a number of open source projects, including FreeBSD through Google Summer of Code. He also works as a security consultant for Secure Network, an Italian company, and as a reverse engineer for Zynamics.

Vincenzo Iozzo's presentation of how to inject malicious code into a Mac OS X system without leaving a trace went smoothly, reports suggest. Admittedly, the attack did require piggybacking on a reliable exploit for an unpatched OS X vulnerability, said Vincenzo. However, the new exploit method actually helps solve the issue of how to avoid detection while running binaries which may not be installed on the attacked system's hard drive.

Mr. Iozzo describes the method best, saying, "My technique partially solves [these issues]. In fact, the whole attack is performed in-memory, which means that when the machine is powered off it isn't possible to understand what happened because the attack leaves no traces on the machine. My technique allows an attacker to inject and execute binaries which are not present on the victim's machine, so also the second problem is solved. Finally, when one wants to execute a binary into the victim's machine it is necessary to execute a syscall, execve(). This might raise some alarms of IDS [intrusion detection system] systems or other types of security countermeasures and therefore detect the attacker."

Vincenzo also points out that “Mac OS X is starting to spread among users,” therefore “new exploitation techniques have to be discovered. Even if a lot of interesting ways of exploitation on OSX [sic] were presented in the past, the lack of anti-forensics techniques is clear. The talk is focused on an in memory injection technique,” he told those at Black Hat.

Copyright © 2001-2012 Softpedia.
