Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Patrick Wardle Profile picture
@patrickwardle
Jul 19 17 tweets 7 min read Read on X
I don't do Windows but here are some (initial) details about why the CrowdStrike's CSAgent.sys crashed

Faulting inst: mov r9d, [r8]
R8: unmapped address

...taken from an array of pointers (held in RAX), index RDX (0x14 * 0x8) holds the invalid memory address

@_JohnHammond
Image
Image
The other "drivers" (e.g. 'C-00000291-...32.sys') appear to be obfuscated data ...and are x-ref'd (perhaps ingested?) by CSAgent.sys

...so maybe invalid (config/signature) data triggered the fault in CSAgent.sys

This would be easier to tell/confirm via debugging 😅 Image
This is all surmised static analysis ...reversing CSAgent.sys (now on VT: )
and data from a single crash dump ...so take with a pinch of 🧂🫣

...and big mahalo to Tom! 🧠🙏🏽virustotal.com/gui/file/fc17c…
Sharing a .zip with:
▫️A few versions of CSAgent.sys (+idb)
▫️Various C-....sys files (including the latest that I believe contains the "fix"?)

I don't have any Windows systems/VMs, so hopefully ya'll can keep digging 🥰


#SharingIsCaringdrive.google.com/file/d/1OVIWLD…
A big outstanding questions to me is; what are the 'C-00000291-...xxx.sys' files?

As deleting them fixes the crash, this seems imply their contents matter (as its CSAgent.sys that has references to them, that is crashing).

But as their contents change between systems... 🤔
"The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted." -Kevin Beaumont

cyberplace.social/@GossiTheDog/1…
Note "channel updates ...bypassed client's staging controls and was rolled out to everyone regardless"

A few IT folks who had set the CS policy to ignore latest version confirmed this was, ya, bypassed, as this was "content" update (vs. a version update)resetera.com/threads/window…
An update from @CrowdStrike confirms our analysis:

Namely:
▫️ The C-...sys files aren't kernel drivers, but rather are "configuration files" dubbed "Channel Files"

▫️ C-00000291- "triggered a logic error that resulted in an OS crash" (via CSAgent.sys)crowdstrike.com/blog/technical…
@CrowdStrike

Image
Image
Image
Some surmised a blank (0x0, ...) Channel File was to blame.

@CrowdStrike debunked that stating the issue was "not related to null bytes contained in ...any... Channel File"

Also @MalwareUtkonos notes a check that shows files must start w/ "0xaaaaaaaa":
(Others may have mentioned this?) but we find many references "channel files" in @CrowdStrike's patents that provide more insight into their purpose, format, etc.

Search:
"channel file" assignee:(Crowdstrike, Inc.)

For example in US11822515B2 & US11645397B2:
Image
Image
(attempting) to explain this all to the general America public on @ABC's "Good Morning America" @GMA #TalkingNerdy 📺🇺🇸🍿🤓
Image
Image
Yes, @Apple should be lauded for deprecating 3rd-party kexts & supporting the move to user-mode System Extensions.

However this has been fraught w/ kernel panics (ha!), privilege escalations ...& worse unprivileged code/malware can still trivially unload macOS security tools! 🫣
@Apple macOS kernel code that facilities user-mode System Extensions was (is?) notorious buggy.

Ironically this resulted in security tools that had been migrated to user-mode, now inadvertently triggering wide-spread kernel panics (in core Apple kexts) 🤦🏻‍♂️ #YouHadOneJob Image
@Apple Other issues included new privilege escalations in core macOS System Extension framework(s) such as CVE-2019-8805

See "Endpoint Security and Insecurity" by @sdotknight (presented at #OBTS 🥰): objectivebythesea.org/v3/talks/OBTS_…
Image
Finally due to flaw in🍎's handling of System Extensions unpriv'd code/malware may trigger their unloading 😱

It's trivial to exploit this 0day, e.g. to nuke LuLu (a firewall that runs as a trusted System Extension) even on the latest version of macOS!

ℹ️ bug not LuLu-specific!
I'm stoked to talking more about crash reports (which provided both the means to gain insight into @CrowdStrike's crash as well as revealed this and other macOS 0days) at @BlackHatEvents! 🖤🥰

Talk: "The Hidden Treasure of Crash Reports?" blackhat.com/us-24/briefing…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Patrick Wardle

Patrick Wardle Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @patrickwardle

Patrick Wardle Profile picture
Apr 16, 2023
New Blog Post:
"The LockBit ransomware (kinda) comes for macOS": objective-see.org/blog/blog_0x75… 🍎🔐

Includes full technical analysis of LockBit's macOS arm64 variant ("locker_Apple_M1_64") + sample for download + heuristic methods of detection 🔥

H/T @malwrhunterteam @vxunderground
First, (can't stress this enough), this variant though *compiled* for macOS is not specifically designed for macOS.

It's buggy (crashes), has an invalid signature, nor takes into account as of macOS's file-system security mechanisms.

So, impact to macOS users (for now): 0 Image
Still as noted by others, the fact that a large ransomware gang (LockBit) has apparently set its sights on macOS, should give us all pause for concern.

So, wise to dig into this (test?) sample & gain a throughout understanding of its capabilities and approaches 👾🔬👩🏼‍🏫
Read 5 tweets
Patrick Wardle Profile picture
Mar 30, 2023
RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) 🍎🐛☠️

One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"

...let's dive in! 1/n 🧵
We'll start with 3CXDesktopApp-18.12.416.dmg
(SHA 1: 3DC840D32CE86CEBF657B17CEF62814646BA8E98)

It contains a *notarized* app ("3CX Desktop App.app") ...meaning Apple checked it for malware "and none was detected" 😜☠️ 2/n
This app is massive - 381mb 🤯
...let's focus on libffmpeg.dylib
found in the App's /Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries directory

(SHA 1: 769383fc65d1386dd141c960c9970114547da0c2)

It was submitted to VT today:
virustotal.com/gui/file/a64fa… 3/n
Read 33 tweets
Patrick Wardle Profile picture
Mar 29, 2023
Ever wondered what it's like writing security tools for macOS? 🤔

As Apple provides no official way to detect what app is using the webcam/mic, OverSight simply monitored the system log.

This was (independently) reported to Apple, who decided to assign it a CVE/patch it 🥲🤦🏻‍♂️


Image
Image
Image
Image
Unfortunately this means OverSight is now broken on macOS 13.3

Apple still doesn't provide a method for security tools to determine what app is accessing the mic/camera, even after years of requesting (begging) for this capability 😭
There are other log msgs that can still be used (even on macOS 13.3+) to determine what App is using the mic/camera

...but I'm reluctant to update OverSight if they will just be reported and given CVEs 😑
Read 5 tweets
Patrick Wardle Profile picture
Oct 10, 2022
I've just posted slides from my #OBTS v5 talk: "Making oRAT, Go" 🍎🐀

speakerdeck.com/patrickwardle/…

After creating a custom C&C server, we can uncover the malware’s full capabilities - simply by asking (tasking) the right questions! 🤭
1️⃣ First, we must understand how the malware figures out how to find its C&C server - so we can coerce it to talk to our C&C instead!

As this (encrypted) info is embedded within the malware, we can write a simple decryptor/encryptor to (re)configure the malware 👾🔓✍🏼🔒 → 🖥✅
2️⃣ Second, we need to understand its protocol, so we can task the malware to reveal its capabilities.

A brief triage of the malware's binary shows us it sets up a local server and registers various "routes" - taskable via requests from a remote C&C server.
Read 7 tweets
Patrick Wardle Profile picture
Sep 21, 2021
⚠️ Latest macOS 0day (credit: Park Minchan)
...bypasses File Quarantine, Gatekeeper, etc.

Advisory:
📝 "macOS Finder RCE" ssd-disclosure.com/ssd-advisory-m…

😅 Confirmed Big Sur & Monterey are vulnerable

🧮 I've posted Park's PoC (pops Calc) if you'd like to play: objective-see.com/downloads/PoCs…
The PoC once downloaded still has to be manually executed by the user.

macOS should, via File Quarantine/Gatekeeper, alert/warn/block as this is an 'executable' item from the Internet.

Apple attempted to patch (blocking file:// prefix), but File:// or fIle:// still work 🤣🤣🤣 Image
ℹ️ The initial patch, will as noted, block items that attempt to abuse the "file://" prefix: (but not "File://" etc.): Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(