
Software Update Exploit

created 8 July 2002


Software Update Exploit for Mac OS X: our very first Mac OS X-specific security hole!



Kind of makes you feel warm and fuzzy inside, doesn't it? No? Good. It should be making you dive for your Software Update settings and turn off automatic updates. Go do that now, I'll wait...



Finished? Excellent. So let's take a look at what the problem is, how the exploit works, and the ways it could be avoided, both now and in the future.

The Problem


Software Update is designed to be a convenience. Run it on a schedule, or manually, and any updates that apply to your particular system are downloaded, automatically or at your request, and installed. That is not an inherent problem. The problem is the security in this process, or more precisely, the lack of it. The software update process is an unencrypted HTTP stream from your machine to port 80 on Apple's software update servers, and nothing in that exchange proves to your Mac that the server it is talking to is really Apple's, or that the update it receives is the one Apple published. That means anyone on your network segment, or anywhere along the path, can use a packet sniffer like EtherPeek (a commercial tool) or Sniffles (freeware, although the download site appears to be down) and watch exactly what goes on during a Software Update session; anyone who can also inject or alter traffic can change what your Mac sees.

The Exploit


But you don't have to do this on your own (although I did, with Sniffles; it took about five minutes), as the person who discovered the exploit has done a quite thorough job of documenting it and showing exactly how it could be exploited. Russell Harding discovered and documented the problem on his site at http://www.cunap.com/~hardingr/projects/osx/exploit.html, and I encourage everyone reading this article to go to the site and read Russell's work. It's a well-done bit of hacking.



For anyone who still has their system set to auto-update: you should have changed that setting the first time you started Mac OS X. It is the first thing I disable on any system I run. In fact, on any platform, the first thing I kill is auto-update. It's a complete minefield from a security point of view, and I've always been a little disappointed that Apple sets it that way by default. I hope that will change soon.



Oh, and for all you Mac OS 9 users who are about to feel smug and say "I told you so" about this: you have nothing to be smug about. I ran Software Update in 9 and got the same unencrypted, unauthenticated data stream as in Mac OS X. It's even worse for Mac OS 9, since it has no concept of authorization at all: there is no separate administrator account or password prompt standing between a running program and the whole machine. So if Software Update can run, anything it installs runs with full control, and you can get just as hosed as on Mac OS X. All it takes is a little know-how and some AppleScript, and your system is a brick.



So now we know what the problem is, but how can you exploit it, for good or evil? I mean, only Apple can be the Software Update server, right? Wrong. Since the client never authenticates the Software Update server, all you need is for the server's name to resolve to your box: spoof DNS for that name, and every query that was headed for Apple's server now goes to you. To hijack Software Update requests on a switched network, where you can't see other hosts' traffic just by sniffing, you would also need to do some Address Resolution Protocol (ARP) spoofing, so that the victim's packets pass through your machine in the first place. Sean Whalen has a good introduction to this in his PDF, "An Introduction to ARP Spoofing". While it isn't a subject that will make you warm all over, it is something you should be aware of, as forewarned is forearmed.
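To make the switched-network case concrete, here is an added example (my code, not Russell Harding's and not from the original article) that does both halves of the ARP spoofing story. It builds the forged ARP reply a hijacker would send, claiming the gateway's IP address now lives at the attacker's MAC, and then runs the check a defender would want: a small watcher, in the spirit of arpwatch, that records the first MAC seen for each IP and raises an alert when an IP moves. That check is the practical form of "watching what your machine is connecting to". Every address in it is constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Ethernet type for ARP and the opcode for an ARP reply (RFC 826).
const (
	etherTypeARP = 0x0806
	arpOpReply   = 2
	frameLen     = 14 + 28 // Ethernet header + Ethernet/IPv4 ARP payload
)

// ARPReply holds the four addresses carried by an Ethernet/IPv4 ARP reply.
type ARPReply struct {
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
	TargetMAC net.HardwareAddr
	TargetIP  net.IP
}

// BuildARPReply assembles the raw frame for r. A spoofer sends it to the victim
// with the gateway's IP as SenderIP and its own MAC as SenderMAC, so the victim's
// ARP cache, and with it every packet bound for the gateway, points at the attacker.
func BuildARPReply(r ARPReply) []byte {
	frame := make([]byte, frameLen)
	copy(frame[0:6], r.TargetMAC)
	copy(frame[6:12], r.SenderMAC)
	binary.BigEndian.PutUint16(frame[12:14], etherTypeARP)
	arp := frame[14:]
	binary.BigEndian.PutUint16(arp[0:2], 1)      // hardware type: Ethernet
	binary.BigEndian.PutUint16(arp[2:4], 0x0800) // protocol type: IPv4
	arp[4], arp[5] = 6, 4                        // hardware / protocol address lengths
	binary.BigEndian.PutUint16(arp[6:8], arpOpReply)
	copy(arp[8:14], r.SenderMAC)
	copy(arp[14:18], r.SenderIP.To4())
	copy(arp[18:24], r.TargetMAC)
	copy(arp[24:28], r.TargetIP.To4())
	return frame
}

// ParseARPReply decodes a frame, rejecting anything that is not a well-formed
// Ethernet/IPv4 ARP reply. Fields are copied so the result outlives the buffer.
func ParseARPReply(frame []byte) (ARPReply, error) {
	if len(frame) < frameLen || binary.BigEndian.Uint16(frame[12:14]) != etherTypeARP {
		return ARPReply{}, errors.New("not an ARP frame")
	}
	arp := frame[14:]
	if binary.BigEndian.Uint16(arp[6:8]) != arpOpReply || arp[4] != 6 || arp[5] != 4 {
		return ARPReply{}, errors.New("not an Ethernet/IPv4 ARP reply")
	}
	dup := func(b []byte) []byte { return append([]byte(nil), b...) }
	return ARPReply{
		SenderMAC: net.HardwareAddr(dup(arp[8:14])),
		SenderIP:  net.IP(dup(arp[14:18])),
		TargetMAC: net.HardwareAddr(dup(arp[18:24])),
		TargetIP:  net.IP(dup(arp[24:28])),
	}, nil
}

// Watcher remembers the first MAC seen for each IP, the way arpwatch does, and
// reports when a later reply claims that IP lives somewhere else.
type Watcher struct{ seen map[string]string }

func NewWatcher() *Watcher { return &Watcher{seen: map[string]string{}} }

// Observe records r and returns an alert string, or "" when nothing changed.
// The baseline is kept, so every spoofed reply after the first keeps alerting.
func (w *Watcher) Observe(r ARPReply) string {
	ip, mac := r.SenderIP.String(), r.SenderMAC.String()
	prev, known := w.seen[ip]
	if known && prev != mac {
		return fmt.Sprintf("ALERT: %s moved from %s to %s", ip, prev, mac)
	}
	if !known {
		w.seen[ip] = mac
	}
	return ""
}

func main() {
	// Constructed addresses: a gateway, a victim, and the attacker's NIC.
	gwIP, victimIP := net.ParseIP("192.168.1.1"), net.ParseIP("192.168.1.20")
	gwMAC, _ := net.ParseMAC("00:03:93:aa:bb:cc")
	victimMAC, _ := net.ParseMAC("00:30:65:44:55:66")
	attackerMAC, _ := net.ParseMAC("00:0d:93:11:22:33")

	w := NewWatcher()
	// First the real gateway answers, then the attacker claims the same IP.
	for _, mac := range []net.HardwareAddr{gwMAC, attackerMAC} {
		frame := BuildARPReply(ARPReply{SenderMAC: mac, SenderIP: gwIP, TargetMAC: victimMAC, TargetIP: victimIP})
		r, err := ParseARPReply(frame)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s is-at %s -> %q\n", r.SenderIP, r.SenderMAC, w.Observe(r))
	}
}
```

On a live network you would feed the watcher frames from a capture library rather than frames you built yourself, and you would also want to alert when one MAC starts claiming several IPs, which is the other common signature of the same attack.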



With these techniques running, all you do is fake up a nice little "update", give it the correct name, which is easily done off VersionTracker, MacInTouch, MacCentral, MacMinute, etc., as they all give you the current names of software updates. Make the read-me look good, perhaps fake a nice license agreement, and the clueless user is now handing you their system.



For Mac OS X, Russell has an example of the kind of back door that can be installed: a modified version of sshd, the Secure Shell daemon that allows remote command-line access to your Mac. In his example, anyone who can locate your Mac on the Internet can root your machine with the not-so-secret password "URhacked!". However, you could just as easily install a cron job that erased your boot drive and any secondary drives on your system. Or a job could be installed that waited until you had a fast Internet connection active and then slowly FTPed your Documents folder, preferences, email, etc., to someone else. On Mac OS 9, it could be a small faceless background application, à la the Control Strip extension, that did the same thing on a given date, or even a random date. It could also find out which antivirus software you were running and fake the preferences so it could disable it without warning you, although considering the ignorance that Mac OS 9 users display towards security and viral issues, this wouldn't really be necessary.



However, this can be used for good as well as evil. If you run a corporate network, you can use the same trick, with a proxy server or your own DNS, to redirect all Software Update calls to your own internal server(s) and take control of the process for your network. So there's at least one good thing about this exploit, although I'd be far more sanguine about it if it worked that way because it was designed to, not because it's so easily hijacked.

Solutions


So now the question is what to do about it. First of all, turn off auto-update and auto-checking in Software Update. There are plenty of ways to find out when Apple releases an update, including Apple's own support site, so you don't need to be pinging their servers once a week and hoping you really are reaching their servers.



But that's a short-term solution, and not really a solution at all, because if you get hijacked by someone clever, you could still get cracked if the hijacked update looked good. Unless you are watching the raw IP addresses your machine connects to, and know what they should be, you're still vulnerable; you've only moved the exposure from a weekly schedule to whenever you run it by hand. And even watching addresses only goes so far: an attacker sitting in the path, the ARP spoofing case above, can let your packets go to the right address and still alter what comes back.



So there's only one real way to fix this, and that is to use proper authentication and encryption in Software Update. Now, the quick and dirty way would be to require a user name and password when you connect to the Software Update server. There are a few problems with this. First of all, the identity of the client (you) isn't the problem. It's the identity of the server. Proving you're a Mac user to the server does no good: all an attacker needs is a rogue server that accepts any password, or ignores it entirely, and you're just as hosed. What needs to happen is for the server to prove its legitimacy to you.



Luckily, there are a couple of ways to do this. The first, and probably the best, is already built into Mac OS X and is even set up as an authentication scheme for it. This scheme is called Kerberos, and was developed at MIT. It's designed to provide security in an insecure world, not just against people outside your network but against people inside it as well. Basically, Kerberos is a way to have a person or machine prove its identity to another person or machine, without sending passwords over the network, using credentials that expire after a set time. It also supports mutual authentication, so the server can be made to prove its identity to the client, which is exactly the property Software Update lacks. (I'm drastically oversimplifying this, but there is an excellent tutorial on it available.) Since Kerberos is part of Mac OS X, the basics are already there. Apple would have to do some work to get the server to authenticate to the client, and every Mac would need credentials in a realm Apple runs, but Kerberos support makes this easier. There is also a version of Kerberos available for Mac OS 8 and 9, albeit not as full-featured as the Mac OS X version.



Another option would be to use SSL certificates. Since, like Kerberos, SSL support is built into Mac OS X, Apple could set itself up as a Certificate Authority (CA) and ship its root certificate with Mac OS X, or install it when you get a mac.com account. Software Update would then talk only to a server that presents a certificate for the right name, signed by that CA, over an SSL-encrypted data stream; a hijacker who has pointed the name at his own box can't produce such a certificate, so the connection fails before any update is downloaded. (Again, I'm really oversimplifying things, but there's not a lot of space for an article on SSL here. For more information on SSL, check out the OpenSSL web site.) Unfortunately, SSL support for this on Mac OS 9 would be a lot more work than on Mac OS X, so I'm not sure how good an option this is on that platform.
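As an added example of the SSL option (my code, not Apple's and not from the original article), the Go program below stands up two in-process HTTPS "update servers": one with a certificate issued by a constructed stand-in for Apple's CA, and one issued by a hijacker's own CA for the very same host name, which is exactly what a DNS-spoofing attacker can arrange. The client pins only the Apple root and insists the certificate be for the update host. The host name swupdate.example, the catalog text and both CAs are assumptions made up for the demo. Wherever DNS or ARP games steer the client, the hijacked server is refused before a single byte of catalog is read.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Hypothetical update host name and a constructed stand-in for the update list (neither is from the article).
const (
	updateHost = "swupdate.example"
	catalog    = "Security Update 2002-07-10\n"
)
// issue signs tmpl with parentKey (self-signs when parent is nil) and returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA creates a self-signed root; one stands in for Apple's CA, another for the hijacker's.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// serverCert issues a leaf for updateHost under ca, in the form a TLS server needs.
func serverCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	leaf, key := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{updateHost},
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
}

// startServer runs an in-process HTTPS "update server" that presents cert and serves the catalog.
func startServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, catalog)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// FetchCatalog is the client side. It connects to url, wherever DNS or ARP games steered it, but
// accepts only a certificate for updateHost that chains to pinnedRoot; anything else fails first.
func FetchCatalog(url string, pinnedRoot *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedRoot)
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: updateHost, MinVersion: tls.VersionTLS12}},
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs a legitimate server and a hijacker's server for the same name and fetches from each
// with only the Apple root pinned.
func Demo() (legit string, legitErr, rogueErr error) {
	appleCA, appleKey := newCA("Apple Software Update Root (constructed)")
	rogueCA, rogueKey := newCA("Hijacker Root (constructed)")
	good, rogue := startServer(serverCert(appleCA, appleKey)), startServer(serverCert(rogueCA, rogueKey))
	defer good.Close()
	defer rogue.Close()
	legit, legitErr = FetchCatalog(good.URL, appleCA)
	_, rogueErr = FetchCatalog(rogue.URL, appleCA)
	return
}

func main() {
	body, err, rogueErr := Demo()
	fmt.Printf("legitimate server: %q err=%v\nhijacked server: err=%v\n", body, err, rogueErr)
}
```

The check that matters is in FetchCatalog: RootCAs holds only the pinned root, and ServerName forces the certificate to match the name Software Update intended to reach, not whatever address the packets happened to go to. Run it and the hijacked fetch fails with a certificate error from the unknown authority, while the legitimate one returns the catalog.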


So there are ways to fix this, and they are ways that will keep it secure both now and into the future. The big question is why wasn't this done earlier? The fact is, Mac users were extraordinarily lucky that this exploit hasn't been used yet, and for once, not being the popular kid is a good thing. But security by unpopularity isn't really security. In a sense, Mac OS X is no longer the innocent OS in a cruel world. This is a good thing: the earlier reality sets in, the better you can handle it.


This is Apple's first real test of how it reacts to something like this. How it reacts will set the tone for Mac OS X security issues for a long time to come. I'm hoping, and betting, like most Mac users, that Apple will react the correct way and quickly release a patch that fixes this problem and gets Software Update working the right way, all in one fell swoop. The only other option is for them to react the way Microsoft does to Windows exploits, but I'm thinking/hoping they won't. They're far too smart for that...

(Note: This is a very quick look at the problem. As more details come out, I'll get an update out to you.)

Categories:     Arcana, workingmac.com
Posted by John C. Welch at 21:50 | Permalink


