Potential security risk with Software Update

bbloke

I thought everyone should be informed that a potential security flaw has been found with the Software Update feature under OS X. I received a mail (from a security mailing list) which read as follows:



----------------------------------------------------------------------------
MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------

Date: July 6, 2002
Version: MacOS 10.1.X and possibly 10.0.X
Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
HTTP with no authentication, leaving it vulnerable to attack.

----------------------------------------------------------------------------

http://www.cunap.com/~hardingr/projects/osx/exploit.html

----------------------------------------------------------------------------

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well known techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to trick a user into installing a malicious program posing as an update from Apple.


Impact:

Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this information will convince Apple they need, at the very least, some basic authentication in SoftwareUpdate.


Exploit: http://www.cunap.com/~hardingr/projects/osx/exploit.html

An exploit for this vulnerability has been released to the public for testing purposes. It is distributed as a Mac OS X package which includes DNS and ARP spoofing software. Also, it includes the cgi scripts and apache configuration files required to impersonate the Apple SoftwareUpdate server.


Credits:

Author - Russell Harding - hardingr@cunap.com
Testing - Spectre Phlux, KrazyC, Devon, and The Wench



(end of mail)

I have informed Apple using the Mac OS X Feedback page, though I expect they would know of this issue already.
 
I was half expecting something like this, and there it is...

Really Apple ought to authenticate both the connection and the packages that are downloaded. They could just sign the packages with a PGP key or something; it would be so much safer.
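The fix bbloke describes (sign the packages and verify before installing), as an added example that is not Apple's mechanism or code from this thread; the Ed25519 signature scheme and the manifest layout are my assumptions, and the key pair is generated on the spot rather than shipped with the OS as a real client would have it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor would publish beside each update: the package
// name and the SHA-256 of its bytes. Signing this small record lets the client
// check authenticity before it trusts anything else it downloaded.
type Manifest struct{ Name, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Name + "\n" + m.SHA256 + "\n") }

// publish is the vendor side: hash the package, then sign the manifest.
func publish(priv ed25519.PrivateKey, name string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// verifyUpdate is the client side, run before anything is installed. With the
// public key shipped in the OS, a server that controls the HTTP transport still
// cannot produce a manifest or package that passes.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key pair (assumption)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: genuine update payload")
	m, sig := publish(priv, "SecurityUpdate.pkg", genuine)
	fmt.Println("genuine package:", verifyUpdate(pub, m, sig, genuine))
	// A server impersonating the update host can swap the bytes but cannot re-sign.
	fmt.Println("swapped package:", verifyUpdate(pub, m, sig, []byte("constructed sample: trojaned payload")))
	fmt.Println("forged manifest:", verifyUpdate(pub, Manifest{m.Name, "00"}, sig, genuine))
}
```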
 
A subsequent E-Mail from the mailing list suggested the following:

1) the painfully obvious selection of manual checks via Software Update and then never actually selecting "Update Now" (i.e. never using Software Update... )

2) looking for updates on http://www.info.apple.com/support/downloads.html instead of using Software Update



I've also been in touch with Macintosh security sites (http://www.securemac.com and http://www.macintoshsecurity.com).

Apple is certainly aware of the problem; a MacCentral article claimed an Apple spokesman said:

"Apple takes all security notifications seriously and is actively investigating this report."

http://maccentral.macworld.com/news/0207/08.update.php
 
Just to let everyone know both securemac.com and macintoshsecurity.com have published my comments (essentially the same as I posted on this site), so it might be worthwhile monitoring these sites to see if there are further developments regarding this issue. Securemac.com stated:

"SecureMac's View
This has been a known issue for quite some time; we received many emails notifying us of the method Apple uses for software updates. This is something Apple needs to address to verify the software which is being installed is from their server. Checksums would work fine for this method. Keep your computer physically secure, disable remote access and this will not be an issue for you."


It's a good idea, IMHO, to monitor security sites anyway. I get the impression OS X is fairly secure in its default configuration, so users shouldn't panic too much. However, users can always exercise additional caution by: not enabling remote access or file sharing, setting up the built-in firewall ("man ipfw" in the Terminal for more details and/or download and use "Brickhouse" or "Firewalk X" or something similar), and using encryption (such as ssh rather than telnet, scp or sftp rather than ftp, SSL for mail, and so on...).
 
Great. Jerks that did not think about this before now know about it. Kinda similar to terrorists and the media. On the news, they talk about what areas of our defense are weak. And I'm thinking to myself, "you idiots, you just told them where to hit us." Just ranting, sorry. :)
 
You know what's really funny about this "security issue"? It also applies to any other HTTP download operation you might perform. It's not like Software Update is the only application of the HTTP protocol that can be spoofed. I was, like, "yes, and?" when they reported this. Of course, things could be better, but it's not like this will suddenly cause every package you see in the Software Update listing to be a trojan.
 
Thanks for the compliment, Gregita. :)


Nummi_G4, I too had wondered about the possibility of actually exposing risks to others who might then take advantage. I discussed this with colleagues before posting, and we basically agreed that those people who are knowledgeable enough to try this sort of thing would probably know about it already! Furthermore, once a bug report has been made public (as it had been through other security sites and mailing lists before I mailed this group), any potential hackers will basically now know about the issue. Therefore, circulating the information quickly is the best way to protect the public, as those with malicious intent will already be one step ahead, rather than waiting for a random bug report to make its way to a general forum they might happen to read occasionally. If these security issues were kept quiet, I strongly feel hackers would actually be in a stronger position!

nichrome, I agree with you that other http downloads could be under threat and that it is also unlikely that Software Update is going to suddenly start downloading and installing trojans all over the place. However, the big difference between normal downloads and using Software Update is the trust involved. Instead of simply downloading a file, we are telling Software Update to look for new files, download them, and then install them on our behalf (as root if necessary). That is, a hacker could get Software Update to perform a potentially malicious operation as root, which is very different from only downloading a file and not going any further with it.
 
bbloke,
i agree, interesting read. although i don't know all there is to know about dns spoofing, i'm pretty sure that this technique would only work on an internal network (as arpspoofing does). (this does however leave college students, etc in a bad position)

arpspoofing, for those who don't know what it is, is a method of forging ARP (Address Resolution Protocol) replies on an internal network. every computer on a network keeps an ARP table that contains an ip address and the corresponding MAC address. This is used for routing packets. Whenever a packet is sent (say from a router to the client) the client's ip address is translated into its ethernet MAC address. (a unique MAC address is built into every ethernet card) The router uses its arp table to do the translation.

(without turning this explanation into a paper) arpspoofing is a way of corrupting a computer/router's arp table and fooling it into thinking that computer a is computer b. This effectively allows an attacker to sit in the middle of two clients' connections and manipulate, or sniff, the "conversation". (this is known as a Man in the Middle attack)

Example Illustration:
-----------------------------------------
Client A >>> Attacker Comp >>> Client B
Client A <<< Attacker Comp <<< Client B
-----------------------------------------

in the case of the software update vulnerability, i'm assuming the attacker would just pretend to be the apple software update server (by using dnsspoof to fool the client into thinking XXX.XXX.XXX.XXX is the ip address of the apple software update server).

i don't think that attack can be used on everyday home users. (i didn't read the exploit link yet so i could be wrong...) anyway, hope this at least provided some info on what arpspoofing and the arp protocol are...
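An added example, not arkon24's code or any tool from the thread: the defender's counterpart to the ARP table corruption described above, in the style of an arpwatch-type monitor, learning IP-to-MAC bindings from a constructed sequence of ARP replies and flagging the two things a poisoned table shows. The record layout and sample addresses are my assumptions.

```go
package main

import "fmt"

// arpReply is one observed ARP reply, i.e. the claim "senderIP is at senderMAC".
type arpReply struct{ senderIP, senderMAC string }

// Finding: Kind "mac-changed" (Key = IP, Detail "old -> new") or
// "mac-claims-multiple-ips" (Key = MAC, Detail = the additional IP it claims).
type Finding struct{ Kind, Key, Detail string }

// detectARPSpoof learns IP-to-MAC bindings as a host's ARP table would and flags
// an IP whose MAC changes (what a poisoned entry looks like) and a MAC that
// answers for more than one IP (how the attacker's interface appears when it
// impersonates both ends). DHCP churn can also cause the second, so treat
// findings as leads to investigate, not proof.
func detectARPSpoof(replies []arpReply) []Finding {
	ipToMAC := map[string]string{}
	macToIPs := map[string]map[string]bool{}
	var out []Finding
	for _, r := range replies {
		if old, seen := ipToMAC[r.senderIP]; seen && old != r.senderMAC {
			out = append(out, Finding{"mac-changed", r.senderIP, old + " -> " + r.senderMAC})
		}
		ipToMAC[r.senderIP] = r.senderMAC
		ips := macToIPs[r.senderMAC]
		if ips == nil {
			ips = map[string]bool{}
			macToIPs[r.senderMAC] = ips
		}
		if !ips[r.senderIP] && len(ips) > 0 {
			out = append(out, Finding{"mac-claims-multiple-ips", r.senderMAC, "now also " + r.senderIP})
		}
		ips[r.senderIP] = true
	}
	return out
}

func main() {
	// Constructed sample: .1 is the gateway, .20 a client; .99 later answers for both.
	sample := []arpReply{
		{"192.168.1.1", "00:11:22:33:44:01"}, {"192.168.1.20", "00:11:22:33:44:20"},
		{"192.168.1.99", "00:11:22:33:44:99"}, {"192.168.1.1", "00:11:22:33:44:99"},
		{"192.168.1.20", "00:11:22:33:44:99"},
	}
	for _, f := range detectARPSpoof(sample) {
		fmt.Printf("%s %s (%s)\n", f.Kind, f.Key, f.Detail)
	}
}
```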
 
arkon24, you may well be right. Thanks for the additional information too, which I read with interest. I read a similar comment about the comparative risks for home users and users who are part of a larger network on (I think!) MacFixit (http://www.macfixit.com) the other day but the link has now disappeared from the front page. On a large internal network such as that at a university or a business, this issue would pose a problem. Additionally, I'm assuming that hacking another machine and then initiating spoofing may well cause a threat to home users too; I get the impression the more capable hackers prefer to work unnoticed, rather than wanting to do something dramatic.

In my opinion, we do not need to be utterly paranoid but security is something we should all take seriously, regardless of the OS. We live in a world where computers are increasingly less isolated and allowing greater access to one's computer opens up greater possibilities for abuse. With regards to this specific topic, I would just advise not using Software Update until Apple have tightened security, though the risks at this stage do seem minimal.
 