[26079] in bugtraq

home help back first fref pref prev next nref lref last post

MacOS X SoftwareUpdate Vulnerability

daemon@ATHENA.MIT.EDU (Russell Harding)
Sun Jul 7 19:29:53 2002

Date: Sat, 6 Jul 2002 22:21:24 -0600 (MDT)
From: Russell Harding <hardingr@ucsub.colorado.edu>
To: bugtraq@securityfocus.com
Message-ID: <Pine.GSO.4.40.0207062216280.15196-100000@ucsub.colorado.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

----------------------------------------------------------------------------
                    MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------

Date:      July 6, 2002
Version:   MacOS 10.1.X and possibly 10.0.X
Problem:   MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
           HTTP with no authentication, leaving it vulnerable to attack.

----------------------------------------------------------------------------

         http://www.cunap.com/~hardingr/projects/osx/exploit.html

----------------------------------------------------------------------------

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software
update, when configured by default, checks weekly for new updates from
Apple.  HTTP is used with absolutely no authentication. Using well known
techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to
trick a user into installing a malicious program posing as an update from
Apple.


Impact:

Apple frequently releases updates, which are all installed as root.
Exploiting this vulnerability can lead to root compromise on affected
systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this
information will convince apple they need, at the very least, some basic
authentication in SoftwareUpdate.


Exploit:  http://www.cunap.com/~hardingr/projects/osx/exploit.html

An exploit for this vulnerability has been released to the public for
testing purposes.  It is distributed as a Mac OS X package which includes
DNS and ARP spoofing software. Also, it includes the cgi scripts, and
apache configuration files required to impersonate the Apple
SoftwareUpdatesServer.


Credits:

Author  -  Russell Harding - hardingr@cunap.com
Testing -  Spectre Phlux, KrazyC, Devon, and The Wench
home help back first fref pref prev next nref lref last post