Slashdot Mirror


Ex-NSA Researcher Claims That DLL-Style Attacks Work Just Fine On OS X

An anonymous reader writes Ex-NSA and NASA researcher Patrick Wardle claims to have developed a reliable technique of Shared Library replacement which renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been (via its 'DLL' shared libraries) for years. Speaking at CanSecWest, Wardle explained that Apple's refusal to encrypt software downloads via its App Store allows an attacker on the same network to inject a malicious 'dylib' (shared library) without altering the hash of the legitimate-but-vulnerable software, thereby leaving the Developer ID signature intact. Wardle ran a crafted Python script on a typical Mac and discovered 150 dylib-dependent applications, including Apple's own Xcode developer environment — revealed last week by Edward Snowden to be a priority target for the NSA due to its ability to propagate compromised software.

8 of 93 comments

  1. HTTPS? by Anonymous Coward · · Score: 3, Insightful

    I tend to agree with Apple on this one; there shouldn't be any need for HTTPS as the contents of the packages aren't meant to be secret. If this researcher was successful in his attempts to replace the shared libraries in a dmg package the problem is that the installer isn't checking for the signature on the dmg, or individual signatures of files within.

    tldr; so long as proper signatures are in place and handling is observed traffic interception is not a problem as it will be caught and the hijacked package discarded.

    Note that proper signatures are more secure than HTTPS, as the trusted Root CA list is necessary for HTTPS to work, and who really thinks that Verisign or the like would turn down a request from the US Government?

    1. Re:HTTPS? by jeremyp · · Score: 2

      Not even that. You can't do generalised virtual hosting with SSL.

      The host header is just a header like any other so the server can't figure out which certificate to use to set up the encryption layer. It is possible to do it in a restricted set of circumstances with a wild card certificate that matches all of the virtual hosts.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    2. Re:HTTPS? by Cramer · · Score: 2

      Newer SSL standards include a host hint in the client-hello. So, yes, virtual hosts do work with https. (and have for MANY years now.)
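As an added example (not code from the page or from any commenter), the mechanism the reply above refers to: a minimal TLS ClientHello builder that carries the server_name (SNI) extension, and the parser a name-based virtual host uses to pick a certificate before any encryption is set up. Hostnames, the cipher-suite list and the certificate table are constructed for the example; the record is deliberately stripped to what is needed to show where the name travels, and `hostname=None` builds the older SNI-less shape that forces a server to fall back to a single default certificate.

```python
"""Build and parse a TLS ClientHello carrying the server_name (SNI) extension.

Added example, not from the Slashdot page or any commenter. The hostname is
sent in the clear in the very first message, so a server hosting many names
on one address can pick the matching certificate before any key material is
chosen. Hostnames and the certificate table are constructed for this example.
"""
import os
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # extension type: server_name (RFC 6066)
SNI_HOST_NAME = 0x00       # NameType: host_name


def build_client_hello(hostname=None, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Return a TLS record holding a ClientHello; hostname=None omits SNI entirely
    (the pre-extension shape that cannot support name-based virtual hosting)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # legacy_version: TLS 1.2
        + os.urandom(32)                             # client random
        + b"\x00"                                    # empty legacy_session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null
    )
    if hostname is not None:
        host = hostname.encode("idna")               # wire form is ASCII (A-labels)
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext    # extensions vector
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None when absent.
    Everything read here is plaintext: no certificate or key is involved yet."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version + random
    pos += 1 + body[pos]                             # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                             # compression_methods
    if pos >= len(body):
        return None                                  # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", data[p:p + 3]); p += 3
            name = data[p:p + nlen]; p += nlen
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def choose_certificate(record: bytes, certs_by_host: dict, default=None):
    """What a name-based virtual host does on connect: look the SNI name up in
    its certificate table; without SNI it can only fall back to one default."""
    return certs_by_host.get(extract_sni(record), default)


if __name__ == "__main__":
    table = {"www.example.com": "cert-www", "mail.example.com": "cert-mail"}  # constructed
    print(choose_certificate(build_client_hello("mail.example.com"), table))   # cert-mail
    print(choose_certificate(build_client_hello(), table, default="cert-www"))  # cert-www
```

The point of the two calls at the bottom is the contrast jeremyp and Cramer are arguing over: with the extension present the front end sees the name and can serve any number of hosts from one address; with it absent, the only information available before the certificate must be sent is the destination IP, so one certificate (or a wildcard) has to cover everything behind it.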

  2. Re:Shouldn't that be sign? by Jeremi · · Score: 4, Informative

    don't the shared libs need to be signed.

    I was under the impression that as of MacOS/X 10.9.x, all distributed shared libraries in your .app directory needed to be signed as well, or Gatekeeper would treat the app as if it was unsigned. (See the "Code Signing Changes in OS X Mavericks" subsection at this link)

    Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
  3. Re:Shouldn't that be sign? by Princeofcups · · Score: 4, Informative

    Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?

    Quoting the article: "It’s not a point-and-click exploit – the attacker will need to get on the same network as the target Mac, either through a breach or by sharing the same public Wi-Fi access point, and then inject a vulnerable but legitimate application and make some purely cosmetic changes to the appearance of the .dmg (virtual installer disk) file when mounted."

    Sounds pretty theoretical at this point. I don't see the "reliable technique of Shared Library replacement" that the summary declares.

    --
    The only thing worse than a Democrat is a Republican.
  4. Paranoia intensifies by MacDork · · Score: 3, Interesting

    Xcode is pwned. Android Developer Tools are unsigned. The Android SDK and tools are unsigned. That makes me sad because I work with these tools. I can assume my systems are all pwned at this point and act accordingly...

  5. Re:Shouldn't that be sign? by phantomfive · · Score: 4, Insightful

    It's complicated. On iOS, the libs all need to be signed and encrypted (the executable portions are encrypted, the metadata is not; so you'd need more than just correct hashing). On OSX, they need to be signed if you enable that in your settings (I haven't checked if the executables from iTunes are encrypted). The researcher is not being very clear. Note for example that the article says, "Wardle is also expected to release following his talk source code for a scanner that discovers apps that are vulnerable to his attack." Note that he didn't say he would release his proof of concept. Any of us can write a Python script that searches for .dylibs.

    So, there are several avenues for attack. One, you could replace a .dylib with one of your own. Secondly, you could append your own code to a .dylib. It's an old technique explained here. You can actually re-sign this and iOS will accept it and run it. Is this what the researcher is doing? He didn't explain.

    He claims to have gotten around the need for signing. How did he do that? In his demo, will he merely disable the setting that requires signing? It's hard to know if he doesn't release his proof of concept.

    I've looked through the mach-o .dylib loader code before, and it didn't feel tight at all. There is plenty of potential for an exploit, so I could believe he found one, but once again it's tough to believe this guy if he doesn't release his proof of concept.

    The fact that the guy is talking more like a PR representative than a researcher makes him suspicious.

    --
    "First they came for the slanderers and i said nothing."
  6. Re:Shouldn't that be sign? by phantomfive · · Score: 2

    It has undergone a LOT of changes in the name of security, so it may be a lot "tighter" than when you last looked at it, just a FYI.

    It's not. They added signing etc, but the quality of the code is still like this. If anything, it's gotten worse in the past few years IMO, as a lot of their good programmers have left.

    --
    "First they came for the slanderers and i said nothing."