***WARNING***
Extremely Nerdy Mac Security Stuff Follows – it is however important to read if you are a Mac user.

I’ve been playing around with the proof-of-concept security scares – mainly the Safari executing shell scripts thing and the Inqtana Bluetooth thing.

First the Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit:
Synopsis
There is still a viable attack vector for malware on OS X. Attachments or downloads can launch arbitrary code on your machine when you open them. User intervention is required to launch the disguised file, but the admin password is not required unless the malware contains code that needs admin privileges; everything the current user can do, the script can do.

Good Info [here](http://isc.sans.org/diary.php?storyid=1138&rss), [here](http://www.heise.de/english/newsticker/news/69862), and how this also affects Apple Mail [here](http://www.heise.de/english/newsticker/news/69919)

You can download a working demo to test with [here](http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip)
You can also get a demo emailed to you for testing Apple Mail [(in German!)](http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=apple)

The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and have Safari opening “safe” files, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user.
If Safari is set not to open “safe” files but you unzip the file yourself and then double-click the resulting “jpeg”, the exploit still works and the shell script is executed. This is bad. The demo only lists the files in a folder, but even if you are not an admin user the script runs with your privileges and could do things like delete all your files.

OK, just going to do the same test after running Apple Security Update 2006-001 – this update (which “came out” tonight) fixes 15 security holes and should be run on all 10.3.9 and 10.4.5 systems, including OS X Server.
I installed the update, turned on “Open safe files” in Safari preferences and downloaded the above demo once more..
I got a warning this time: “The safety of this file cannot be determined. Are you sure you want to download “Heise.jpg”?” Clicked on the Download button, the file downloaded and the zip file decompressed, leaving a file called Heise.jpg. Double-clicking on this file causes Terminal to launch and the contents of my home folder to be displayed.

So – the good news is that the shell script did not launch automatically on download, even with “Open safe files” selected. I also got a warning (that most users will ignore).
The bad news is that a file that looks like a JPEG picture still launches a shell script when opened. In my opinion this is still a viable attack vector for delivering a destructive payload.

If you turn off “Open safe files” and manually unzip the file using Terminal you see this:

```
adam% unzip Heise.jpg.zip
Archive:  Heise.jpg.zip
  inflating: Heise.jpg
   creating: __MACOSX/
  inflating: __MACOSX/._Heise.jpg
```

The Heise.jpg file is a shell script, and the ._Heise.jpg file in the newly created __MACOSX folder is an AppleDouble file carrying the file’s Mac metadata (Finder info and resource fork). That resource fork tells OS X to use Terminal to open Heise.jpg. Because of the .jpg extension, however, the Finder displays this file as a picture that will be opened by QuickTime; the icon is chosen from the extension, the opener from the metadata.

This is the crux of the problem – the attacker gets to choose what application opens the file while the user thinks that it will be opened by another application based on the icon displayed.

Email attack vector.
If the disguised script is sent as an attachment encoded in the AppleDouble format, then double-clicking on the file in Apple Mail will launch the shell script. Most (if not all) OS X email clients send attachments in this format, which handily allows resource forks to be sent along with files. Apple Mail automatically analyses these resource forks and will honour them. Again the icon displayed is based on the .jpg extension, but Apple Mail will open the file in Terminal because the resource fork metadata tells it to.
NOTE that after installing the Apple 2006-001 security patch, Apple Mail now displays a warning dialogue when you try to open the file, saying that it contains an application and may not be trusted – this is a step forward.

Summation.
To be sure of what you’re running when you open a file, copy any attachments to a folder and then unzip them in the Terminal to see what you are unzipping – a __MACOSX folder with a ._ file next to your “picture” is the tell-tale sign.
Check what application will launch when you open a file by clicking once on the file and choosing Get Info from the File menu; if it says “Open with: Terminal”, don’t open it.
You can also drag the file onto TextWrangler, TextEdit etc. to see whether the file you’ve downloaded is a shell script or not.
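As an added example (not code from the original post, from Heise or from Apple), here is a small Python script that does the checks in the summation programmatically, for both the ZIP and the AppleDouble email cases: it unpacks a ZIP in memory, parses any __MACOSX/._name AppleDouble files, flags a resource fork that carries a ‘usro’ (per-file “Open with” override) resource, and compares each data file’s leading bytes with what its extension promises. The sample archive it builds is constructed to mimic the shape of Heise.jpg.zip; the placeholder resource fork bytes and the Terminal path inside it are assumptions, not bytes taken from the real demo, and the ‘usro’ check is a byte-string heuristic rather than a full Resource Manager parse.

```python
# Added example: detect the "picture that is really a script" pattern in a ZIP.
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
RESOURCE_FORK, FINDER_INFO = 2, 9  # AppleDouble entry IDs

# Leading bytes a file with this extension is expected to have.
MAGIC_BY_EXT = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def parse_appledouble(blob):
    """Return {entry_id: bytes} for an AppleDouble/AppleSingle blob, or None if it is not one.

    Layout: magic(4) version(4) filler(16) entry_count(2), then per entry id(4) offset(4) length(4).
    """
    if len(blob) < 26:
        return None
    magic, version = struct.unpack(">II", blob[:8])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC) or version not in (0x00010000, 0x00020000):
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    entries = {}
    for i in range(count):
        pos = 26 + 12 * i
        if pos + 12 > len(blob):
            break
        eid, off, length = struct.unpack(">III", blob[pos:pos + 12])
        entries[eid] = blob[off:off + length]
    return entries


def inspect_archive(zip_bytes):
    """Return {member: [issue, ...]} for every suspicious member of a ZIP given as bytes."""
    issues = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            data = zf.read(name)
            base = name.rsplit("/", 1)[-1]
            if name.startswith("__MACOSX/") and base.startswith("._"):
                # Metadata sidecar: map "__MACOSX/sub/._X" back to the data file "sub/X".
                target = name[len("__MACOSX/"):len(name) - len(base)] + base[2:]
                entries = parse_appledouble(data)
                if entries is None:
                    continue
                # Heuristic: a 'usro' resource is what Finder writes for a per-file "Open with".
                if b"usro" in entries.get(RESOURCE_FORK, b""):
                    issues.setdefault(target, []).append(
                        "resource fork carries a 'usro' resource naming a custom opener application")
                continue
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if data.startswith(b"#!"):
                issues.setdefault(name, []).append("content is a #! script")
            if ext in MAGIC_BY_EXT and not any(data.startswith(m) for m in MAGIC_BY_EXT[ext]):
                issues.setdefault(name, []).append(f"content does not match the {ext} extension")
    return issues


def build_sample_archive(disguised=True):
    """Constructed sample (not the real Heise demo): a ZIP shaped like Heise.jpg.zip."""
    payload = b"#!/bin/sh\nls -la ~\n" if disguised else b"\xff\xd8\xff\xe0" + b"\x00" * 16
    # Placeholder resource fork (assumption): only the 'usro' tag matters for the heuristic.
    rsrc = b"\x00" * 16 + b"usro" + b"/Applications/Utilities/Terminal.app\x00"
    finder = b"\x00" * 32
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\x00" * 16 + struct.pack(">H", 2)
    data_start = 26 + 2 * 12
    header += struct.pack(">III", FINDER_INFO, data_start, len(finder))
    header += struct.pack(">III", RESOURCE_FORK, data_start + len(finder), len(rsrc))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Heise.jpg", payload)
        if disguised:
            zf.writestr("__MACOSX/._Heise.jpg", header + finder + rsrc)
    return buf.getvalue()


if __name__ == "__main__":
    for member, found in inspect_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(found))
```

On a real download the equivalent one-liner from the Terminal is `file Heise.jpg`, which reports a shell script rather than JPEG image data; the script above just makes the same comparison for every member of the archive and adds the “who will open this” question that Get Info answers.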

Code for the Apple Mac OS X / Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit is [here](http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php)

More info on today’s Apple security patch [here](http://docs.info.apple.com/article.html?artnum=303382) and [here](http://www.frsirt.com/english/advisories/2006/0791)

Secondly, the Inqtana Bluetooth Worm.
Synopsis
Fixed by a few of last year’s Apple security updates.

OSX/Inqtana-A is a worm for Mac OS X that spreads by copying itself to other computers via a Bluetooth connection. The worm copies three files: w0rm-support.tgz, com.openbundle.plist and com.pwned.plist.
When the worm is run it creates folders named Users/de and Users/javax containing a number of Java library files.

Summation
RUN Software Update you goose!