Ex-NSA Researcher Claims That DLL-Style Attacks Work Just Fine On OS X

An anonymous reader writes Ex-NSA and NASA researcher Patrick Wardle claims to have developed a reliable technique of Shared Library replacement which renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been (via its 'DLL' shared libraries) for years. Speaking at CanSecWest, Wardle explained that Apple's refusal to encrypt software downloads via its App Store allows an attacker on the same network to inject a malicious 'dylib' (shared library) without altering the hash of the legitimate-but-vulnerable software, thereby leaving the Developer ID signature intact. Wardle ran a crafted Python script on a typical Mac and discovered 150 dylib-dependent applications, including Apple's own Xcode developer environment — revealed last week by Edward Snowden to be a priority target for the NSA due to its ability to propagate compromised software.

HTTPS?

I tend to agree with Apple on this one; there shouldn't be any need for HTTPS as the contents of the packages aren't meant to be secret. If this researcher was successful in his attempts to replace the shared libraries in a dmg package the problem is that the installer isn't checking for the signature on the dmg, or individual signatures of files within.

tldr; so long as proper signatures are in place and handling is observed traffic interception is not a problem as it will be caught and the hijacked package discarded.

Note that proper signatures are more secure than HTTPS, as the trusted Root CA list is necessary for HTTPS to work, and who really thinks that Verisign or the like would turn down a request from the US Government?

Laugh

[koan]

renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been

Another arrow for my quiver, and I get to say I told you so.

Shit has always been insecure, remember? It relied on the fact almost no one used Apple "security through obscurity".
https://pbs.twimg.com/profile_...

Re:Shouldn't that be sign?

[phantomfive]

It's complicated. On iOS, the libs all need to be signed and encrypted (the executable portions are encrypted, the metadata is not; so you'd need more than just correct hashing). On OSX, they need to be signed if you enable that in your settings (I haven't checked if the executables from iTunes are encrypted). The researcher is not being very clear. Note for example that the article says, "Wardle is also expected to release following his talk source code for a scanner that discovers apps that are vulnerable to his attack." Note that he didn't say he would release his proof of concept. Any of us can write a Python script that searches for .dylibs.

So, there are several avenues for attack. One, you could replace a .dylib with one of your own. Secondly, you could append your own code to a .dylib. It's an old technique explained here. You can actually re-sign this and iOS will accept it and run it. Is this what the researcher is doing? He didn't explain.

He claims to have gotten around the need for signing. How did he do that? In his demo, will he merely disable the setting that requires signing? It's hard to know if he doesn't release his proof of concept.

I've looked through the mach-o .dylib loader code before, and it didn't feel tight at all. There is plenty of potential for an exploit, so I could believe he found one, but once again it's tough to believe this guy if he doesn't release his proof of concept.

The fact that the guy is talking more like a PR representative than a researcher makes him suspicious.