bbloke
I thought everyone should be informed that a potential security flaw has been found with the Software Update feature under OS X. I received a mail (from a security mailing list) which read as follows:
----------------------------------------------------------------------------
MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------
Date: July 6, 2002
Version: MacOS 10.1.X and possibly 10.0.X
Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via HTTP with no authentication, leaving it vulnerable to attack.
----------------------------------------------------------------------------
http://www.cunap.com/~hardingr/projects/osx/exploit.html
----------------------------------------------------------------------------
Summary:
Mac OS X includes a software updating mechanism, "SoftwareUpdate". Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS spoofing or DNS cache poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.
Impact:
Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.
Solution/Patch/Workaround:
There is currently no patch available. Hopefully the release of this information will convince Apple they need, at the very least, some basic authentication in SoftwareUpdate.
Exploit: http://www.cunap.com/~hardingr/projects/osx/exploit.html
An exploit for this vulnerability has been released to the public for testing purposes. It is distributed as a Mac OS X package which includes DNS and ARP spoofing software. It also includes the CGI scripts and Apache configuration files required to impersonate the Apple SoftwareUpdatesServer.
Credits:
Author - Russell Harding - hardingr@cunap.com
Testing - Spectre Phlux, KrazyC, Devon, and The Wench
(end of mail)
I have informed Apple using the Mac OS X Feedback page, though I expect they would know of this issue already.
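The advisory's point is that transport alone (plain HTTP, or even HTTPS) does not tell the client who produced the update; the fix it asks for is authentication of the update itself. The following Go program is an added illustration, not code from the original post, from Apple, or from the advisory's author, of the minimal check an update client should perform before installing anything as root: a manifest (version plus SHA-256 of the package) is signed with the publisher's key, the client verifies that signature against a pinned public key, and only then compares the downloaded package against the signed digest. The key pair, the manifest format and the package bytes are all constructed inline so it runs offline; a real client would have the publisher key compiled in and fetch the manifest and package from the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed format an update server would publish:
// what the update is and the SHA-256 of the package the client must download.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the manifest bytes exactly as they were signed
// plus the publisher's Ed25519 signature over those bytes.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// SignManifest is the publisher side; it is included only so the demo can
// produce a genuine signed manifest without a network or a real server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyUpdate is the client side. It trusts nothing about the transport:
// a server reached through spoofed DNS and plain HTTP can hand the client
// any bytes it likes, but it cannot produce a signature that verifies under
// the pinned publisher key, and it cannot change the package without
// breaking the digest recorded in the signed manifest.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, sm.Body, sm.Signature) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("package digest does not match signed manifest: refusing update")
	}
	return m, nil
}

// Demo runs the verifier against a genuine update and against the two
// things an impersonating server can do: swap the package, or serve its
// own manifest signed with a key that is not the pinned one.
func Demo() (genuineOK, swappedPkgRejected, foreignKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	pkg := []byte("constructed: genuine update package bytes")
	sum := sha256.Sum256(pkg)
	m := Manifest{Product: "demo-update", Version: "1.0", SHA256: hex.EncodeToString(sum[:])}
	sm, _ := SignManifest(priv, m)

	_, err := VerifyUpdate(pub, sm, pkg)
	genuineOK = err == nil

	// Same genuine manifest, different package served.
	_, err = VerifyUpdate(pub, sm, []byte("constructed: substituted package"))
	swappedPkgRejected = err != nil

	// Manifest and package both served by an impersonator with its own key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	other := []byte("constructed: substituted package")
	osum := sha256.Sum256(other)
	foreign, _ := SignManifest(otherPriv, Manifest{Product: m.Product, Version: "1.1", SHA256: hex.EncodeToString(osum[:])})
	_, err = VerifyUpdate(pub, foreign, other)
	foreignKeyRejected = err != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("genuine accepted:", a, "| swapped package rejected:", b, "| foreign-key manifest rejected:", c)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before they are parsed, so a malformed or hostile manifest never reaches the JSON decoder unless it was actually signed by the pinned key. Pinning the public key in the client, rather than fetching it from the same server, is what makes the check independent of DNS.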