Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Leopard's firewall damages Skype and WoW

From: Juergen Schmidt <ju () ct heise de>
Date: Mon, 5 Nov 2007 20:36:51 +0100 (CET)
Hi,

some further research on the firewall of Mac OS X Leopard proved, that the 
firewall is altering binaries on the disc -- in some cases they refuse to 
work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the 
packet level but rather it works with applications, to which it permits 
or denies specific network activities. 
In order to unambiguously identify applications, Apple uses code 
signatures. Certain applications signed by Apple are automatically permitted 
to communicate with the network past the firewall without showing that in 
the user interface -- even if the firewall is set to "Block all incoming 
connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens 
a network port, the firewall swings into action.
In restricted mode, simply trying to start a service brings up a window 
asking the user for permission. The system records this choice and enters 
it into the firewall's  exceptions list. Hitherto Apple furnishes unsigned 
programs with a digital signature in the process.
If changes are made to the program subsequently, the permission is withdrawn.

Code signing becomes a problem when an application performs its own 
self-integrity check and determines that the file on the hard disk has 
been changed. The firewall's code signature changes the checksum of 
Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it 
displays the following message:

Main starting
Check 1 failed. Can't run Skype

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492

Code Signing is documented in:

http://developer.apple.com/releasenotes/Security/RN-CodeSigning/
http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html

bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: