
Thread: Apple Software Update - Security Hole

  1. #1
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045


    Mac OS X Security Hole: "The Exploit: PhantomUpdate

    Here is a description of how the attack works, along with some sample software to carry it out. The software is packaged for Mac OS X, but the attack can be carried out from any type of computer with the proper tools. For the impatient: Read the QuickStart Guide and Download Now."

    This showed up on www.MacIntouch.com and worth repeating.
    quote:
    When SoftwareUpdate runs (weekly by default), it connects via HTTP to swscan.apple.com and sends a simple "GET" request for /scanningpoints/scanningpointX.xml. This returns a list of software and current versions for OS X to check. After the check, OS X sends a list of its currently installed software to /WebObjects/SoftwareUpdatesServer at swquery.apple.com via an HTTP POST. If new software is available, the SoftwareUpdatesServer responds with the location of the software, size, and a brief description. If not, the server sends a blank page with the comment "No Updates".
    - As you can see, with no authentication, it is trivial to impersonate the Apple servers. The software provides two programs useful in impersonating the server, arpspoof and dnsspoof. Dnsspoof, written by Dug Song, has been customized for carrying out this attack. To run it, simply open up the terminal and type "sudo dnsspoof &". It will begin listening for DNS queries for swscan/swquery.apple.com. When it receives them, it will reply with spoofed packets re-routing them to your computer. [...]
    - The victim downloads a software package masquerading as a security update. In truth, it contains a backdoored copy of the Secure Shell Server Daemon, sshd. This version of sshd includes all the functions of the stock sshd, except the following: You can log in to any account on the system with the secret password "URhacked!". After logging in through this method, no logging of the connection is employed. In fact, you do not show up in the list of current users!


    What is also bothersome is that there is now a 'sample' exploit set of client-server code and apps to exploit this vulnerability.

    Gregory
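The exchange quoted above (inventory POSTed over plain HTTP, a server that answers with an update or "No Updates", and a spoofed host that answers in Apple's place) modelled as an added example. This is constructed illustration code, not code from the thread, MacIntouch, the PhantomUpdate package or Apple. The vendor key, the two package bodies, the download locations and the version numbers are all assumed, and HMAC with a pinned secret stands in for the public-key signature a real vendor would use, so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed material for the example. A real vendor signs with a private key and
# ships only the public key in the OS; HMAC with a pinned secret stands in for that
# signature here so the example is self-contained.
VENDOR_KEY = b"constructed-vendor-signing-key"
ATTACKER_KEY = b"constructed-attacker-key"        # the rogue host has no vendor key
GENUINE_PKG = b"SecurityUpdate.pkg: stock sshd"
ROGUE_PKG = b"SecurityUpdate.pkg: sshd that accepts URhacked! and skips logging"
LATEST_VERSION = 2002                              # assumed version number


def sign_manifest(manifest, key):
    """Signature over a canonical encoding of the update record."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def update_response(installed, package, key, location):
    """What a SoftwareUpdatesServer-style endpoint returns for a POSTed inventory:
    None for "No Updates", otherwise location, size, description and (bundled here
    so the example runs offline) the package a real client would fetch from location."""
    if installed.get("SecurityUpdate", 0) >= LATEST_VERSION:
        return None
    manifest = {
        "name": "SecurityUpdate",
        "version": LATEST_VERSION,
        "location": location,
        "size": len(package),
        "sha256": hashlib.sha256(package).hexdigest(),
        "description": "Security Update",
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "package": package}


def genuine_server(installed):
    return update_response(installed, GENUINE_PKG, VENDOR_KEY,
                           "http://updates.example/SecurityUpdate.pkg")   # assumed URL


def rogue_server(installed):
    """The host that dnsspoof points swquery.apple.com at. It answers the POST just
    as well as the real server; what it cannot do is sign with the vendor key."""
    return update_response(installed, ROGUE_PKG, ATTACKER_KEY,
                           "http://192.0.2.10/SecurityUpdate.pkg")        # assumed URL


def naive_client(server, installed):
    """Behaviour the thread describes: POST the inventory over plain HTTP to whatever
    host the name resolved to, then install whatever comes back."""
    response = server(installed)
    if response is None:
        return None
    return response["package"]


def hardened_client(server, installed, pinned_key=VENDOR_KEY):
    """Same exchange, but nothing is installed unless the manifest verifies under the
    pinned key and the package matches the size and digest the manifest commits to."""
    response = server(installed)
    if response is None:
        return None
    manifest = response["manifest"]
    expected = sign_manifest(manifest, pinned_key)
    if not hmac.compare_digest(expected, response["signature"]):
        raise ValueError("manifest signature does not verify under the pinned key")
    if manifest["version"] <= installed.get(manifest["name"], 0):
        raise ValueError("server offered a downgrade or a replay of an installed update")
    package = response["package"]
    if len(package) != manifest["size"] or hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        raise ValueError("package does not match the signed manifest")
    return package


def accepts(client, server, installed):
    """True if this client would install something from this server."""
    try:
        return client(server, installed) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    stale = {"SecurityUpdate": 0}
    print("naive client installs from rogue server:   ", accepts(naive_client, rogue_server, stale))
    print("hardened client installs from rogue server:", accepts(hardened_client, rogue_server, stale))
    print("hardened client installs from real server: ", accepts(hardened_client, genuine_server, stale))
```

The point the model makes is that the network layer gives the client nothing to check: once DNS (or ARP) is spoofed, the rogue host's POST reply is indistinguishable from Apple's, so the only place the client can catch the substitution is in the update data itself. A pinned public key and a signed manifest that commits to the package digest turn the problem from "who answered my query" into "who signed this record", which dnsspoof cannot forge. Two caveats a practitioner would want: an HMAC secret shipped to every client can be extracted from any one of them, which is why the real design uses an asymmetric signature; and a signature alone does not give freshness, so a spoofed server could still replay an old, genuinely signed manifest for a version the client has not yet installed unless the manifest also carries an expiry or the transport is authenticated (TLS to a pinned host).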

  2. #2
    Join Date
    Jan 2002
    Location
    NW Montana
    Posts
    8,197


    What exactly does this download do?

    I should download it, right?

    Randy

  3. #3
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045


    Randy,

    A little knowledge is *dangerous* ! NO, don't download anything.

    The 'download' is a demo of how to do this. A rogue server, a fake 'security update' that leaves anyone vulnerable. It installs a zombie, a trojan horse, a backdoor, and at some future date your box could be used for say a DoS attack or other exploit.

    At the least, it allows someone to log on to your system without it even showing that they have, or that they are logged on. And as 'root', of course.

    I never liked having to 'authenticate' on every install. Worried it installed a virus or trojan horse or WORM or such. Or would send 'back' password, CC# data, whatever.

    I trusted and understood OS 6/7/8/9. I knew that *nix had a lot more potential - good and dark.

    I am bothered that so much info was made public, maybe without giving Apple and CERT and others a chance to look at fixing it FIRST.

    Gregory

  4. #4
    Join Date
    Jan 2002
    Location
    NW Montana
    Posts
    8,197


    Exactly what I was thinking - don't do it. Just double checking.

    Thanks for all your input on all the forums - invaluable info you have.

    Thanks
    Randy

  5. #5
    Join Date
    Feb 2001
    Location
    Carlisle, MA USA
    Posts
    174


    Thanks Gregory, another good reason to avoid Software Update and get the updaters the old-fashioned way....
