Bugtraq mailing list archives

MacOS X SoftwareUpdate Vulnerability


From: Russell Harding <hardingr () ucsub colorado edu>
Date: Sat, 6 Jul 2002 22:21:24 -0600 (MDT)

----------------------------------------------------------------------------
                    MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------

Date:      July 6, 2002
Version:   MacOS 10.1.X and possibly 10.0.X
Problem:   MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
           HTTP with no authentication, leaving it vulnerable to attack.

----------------------------------------------------------------------------

         http://www.cunap.com/~hardingr/projects/osx/exploit.html

----------------------------------------------------------------------------

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software
Update, when configured by default, checks weekly for new updates from
Apple.  HTTP is used with absolutely no authentication. Using well-known
techniques, such as DNS Spoofing or DNS Cache Poisoning, it is trivial to
trick a user into installing a malicious program posing as an update from
Apple.


Impact:

Apple frequently releases updates, which are all installed as root.
Exploiting this vulnerability can lead to root compromise on affected
systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this
information will convince Apple they need, at the very least, some basic
authentication in SoftwareUpdate.


Exploit:  http://www.cunap.com/~hardingr/projects/osx/exploit.html

An exploit for this vulnerability has been released to the public for
testing purposes.  It is distributed as a Mac OS X package which includes
DNS and ARP spoofing software. Also, it includes the CGI scripts and
Apache configuration files required to impersonate the Apple
SoftwareUpdatesServer.


Credits:

Author  -  Russell Harding - hardingr () cunap com
Testing -  Spectre Phlux, KrazyC, Devon, and The Wench
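
The check the advisory says is missing, as an added illustration that is not part of the original post and not Apple's code: an update client that trusts only a vendor public key pinned in the client, so that whoever answers the DNS query or serves the HTTP response cannot substitute a package. The manifest format, key pair and package contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is a constructed stand-in for an update catalog: Body names the
// package and its digest, Signature is the vendor's detached Ed25519 signature over Body.
type Manifest struct {
	Body      []byte
	Signature []byte
}

// manifestBody binds a package name to the SHA-256 of the package contents.
func manifestBody(pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return []byte("pkg=SecurityUpdate.pkg sha256=" + hex.EncodeToString(sum[:]))
}

// SignManifest is the vendor's publishing step (constructed format, not Apple's).
func SignManifest(priv ed25519.PrivateKey, pkg []byte) Manifest {
	body := manifestBody(pkg)
	return Manifest{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyUpdate is the client-side check the advisory says was missing: the manifest
// must verify under a public key pinned in the client and the downloaded package must
// match the signed digest. Which host answered DNS or served the HTTP response plays no part.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Body, m.Signature) {
		return fmt.Errorf("manifest signature missing or invalid")
	}
	if string(m.Body) != string(manifestBody(pkg)) {
		return fmt.Errorf("package does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine, evil := []byte("constructed genuine update"), []byte("constructed spoofed-server package")
	m := SignManifest(priv, genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))      // <nil>
	fmt.Println("swapped package:", VerifyUpdate(pub, m, evil)) // rejected: digest mismatch
	// A spoofed server can only sign with its own key, which is not the pinned one.
	fmt.Println("forged manifest:", VerifyUpdate(pub, SignManifest(ed25519.NewKeyFromSeed(make([]byte, 32)), evil), evil))
}
```

The same check rejects a manifest served with no signature at all, which is the situation the advisory describes for the real client.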

