Software Update Vulnerability

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

It's not a bug, it's a feature!

[tristan-b]

Software Update is convinent, but it only allows you to update Apple software (and the occasional IE bug fix). This bug could just as easily be exploited to allow for a Mac computer lab to auto-update third party software, reducing the hassle of network-wide installs, and potentialy making the lab more secure by fixing bugs in other softare. Apple should provide this option, IMHO.

Re:It's not a bug, it's a feature!

[medcalf]

It would be nice if SU did provide a feature so that third parties could register their software with SU, and it could then be kept up to date transparently. Of course, this would only be a feature if the user got to pick the non-Apple software to be updated. Having a method where some client I install sets up SU to automatically keep spyware updated, and not telling me about it, would be most unpleasant.

Re:It's not a bug, it's a feature!

[foobar104]

Rather than going through the agony of installing sshd on each and every client computer....

Not to be pedantic, but each and every client computer already has sshd on it. It's a part of OS X.

Re:It's not a bug, it's a feature!

[AllInOne]

VersionTracker Pro provides essentially this feature already...

I haven't used it since it went out of free beta but it is a pretty neat tool for folks who are truly addicted to having the latest version of any software.

Re:Wouldn't work on me, or most net-savvy Mac user

[tristan-b]

Or would it? All you'd have to do is wait for a legitimate update to be released and mask your software as that update (same filename/size/desc). The end user would have no idea they weren't updating to OS 10.1.6, but rather installing a trojan. Software Update is a trusted source for most users.

Not Sharing a LAN?

[Jeremiah+Cornelius]

I guess Pudge's "Not sharing a LAN with someone who'd do that was meant to be enclosed in tags!

<sarcasm>

Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

</sarcasm>

These exploit techniques could be used by a good blackhat to affect everyone on, let's say Rogers Cable, in a specific geographic region. Face, it: since this became a one-protocol world with fat pipes, we all trust upstream.

Are you big enough for your home DNS to point only at root?

Re:True Of All Updaters

what are you talking about? red carpet verifies the gpg signatures on rpms before installing them. i suspect windows update does something similar.

"Easy" solution

[bnenning]

Apple should sign all updates and Software Update should verify what it downloads against Apple's public key. An attacker would then have to modify the copy of Apple's public key on the victim's machine, or modify Software Update to disable the check, both of which would presumably require root privileges. Still not perfect, but an improvement.

Re:True Of All Updaters

[phyxeld]

The only real work around is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.

1. I believe swscan.apple.com to be the correct source. The point is, that could be made to resolve to a different, hostile, IP address.

2. A public verification key? From apple? See, thats the problem. They don't do that currently. When they start to, they'll probably build it into the software update system, like they should have in the first place.

An interesting sidenote: I've been sniffing some SU traffic after reading all this, and noticed some interesting HTTP headers:

Accept-Ranges: bytes
Date: Mon, 08 Jul 2002 07:01:41 GMT
Content-Length: 7286
Content-Type: text/plain
Server: Netscape-Enterprise/3.6 SP3
Etag: "ea810-1c76-3d20f5eb"
Last-modified: Tue, 02 Jul 2002 00:38:03 GMT
Via: 1.1 netcache04 (NetCache NetApp/5.2R1D8)

Looks like Apple doesn't practice what they preach in terms of server software. :)
And wtf is that NetApp cache bullshit? Does everyone see that, or am I being transparently proxied somewhere?! OK, just checked some other stuff, the NetApp cache header is only present on my SoftwareUpdate connections. Something on apple's end? Does everybody see this?

(fwiw i'm using the incredibly simple tcpflow to watch my tcp traffic. ethereal is cooler, and lets me see non-tcp traffic too, but the current mac (fink) version has a very high suck factor. Sometimes ICMP packets don't show up, streams can almost never be reconstructed entirely, etc etc. Moving capture files off the mac over to a linux or bsd box for analysis is the only way I can seem to use ethereal for much of anything.)

Looks bad. How rapid a response?

[feldsteins]

Apple appears to have blundered, although I am still watching for further news on how bad. The key will be to watch how quckly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. If it takes 3 days I'm not going to complain about that. We'll see what happens. Until then, no SW update for me.

Meanwhile I actually sent Apple an email describing the problem and asking for a public advisory and a fix ASAP. Just doing my part.

No workaround my @$$

[red5]

There is a very simple workaround. Just add the following line to your /etc/hosts

204.179.120.93 swquery.apple.com

Now if somebody tries the DNS attack it won't work as we hardcoded swquery.apple.com -> 204.179.120.93 You will of course have to activate your /etc/hosts file but, I'm pretty sure that you people (/.ers) know how to do this already.

The NetInfo method

[Slur]

MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:

sudo niload hosts / /etc/hosts

Re:The NetInfo method

[red5]

Okay looks like I assumed wrong (you don't all know). You can activate your /etc/hosts file by setting /locations/lookupd/hosts/LookupOrder -> ( CacheAgent, FFAgent, NIAgent, YPAgent, DNSAgent, NILAgent ) in netinfo.

Simply copy this file to lookupd.txt. Then type:
niload -r /locations/lookupd / < lookupd.txt

Yes, I "stole" all of this from this page. Except mine is modifyed to activate the /etc/hosts file also.

Re:What's wrong with Netscape-Enterprise server?

[batobin]

Are you serious? Doesn't Apple advertise that Xserve is the perfect server for mission critical purposes? You must be either kidding (which i hope is the case), or smoking crack, man.

Why did Apple add hotswap drives, advanced monitoring tools, and 24/7 technical support? For shits and giggles? Why did they add REDUNDANT disk arrays? To impress the ladies? Why do they advertise this box to hardcore sys admins? Because they want sys admints to buy it. Do sys admins rely on boxes to handle mission critical operations? Yes. Is that not PREACHING?

Why, yes, it is.