COMMAND

MacOS X SoftwareUpdate Hi-jacking

SYSTEMS AFFECTED

MacOS 10.1.X and possibly 10.0.X

PROBLEM

Russell Harding [hardingr@cunap.com] with the help of Spectre Phlux, KrazyC, Devon, and The Wench, posted:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple. Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems.

Exploit
=======

Get it from:

http://www.cunap.com/~hardingr/projects/osx/exploit.html

The exploit for this vulnerability has been released to the public for testing purposes. It is distributed as a Mac OS X package which includes DNS and ARP spoofing software. Also, it includes the CGI scripts and Apache configuration files required to impersonate the Apple SoftwareUpdatesServer.

SOLUTION

Update (15 July 2002)
======

Patch is now available from Apple:

http://download.info.apple.com/Mac_OS_X/061-0074.20020712/2z/SecurityUpdate7-12-02.dmg.bin
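
The flaw described above is that the client installs whatever the update server returns. As an added example (not part of the original advisory, and not a description of Apple's patch), the Python code below contrasts that behaviour with a client that fails closed unless the download matches a trusted manifest entry. The package name, the sample payloads and the assumption that the manifest reaches the client over an authenticated channel are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample payloads: stand-ins for a real update and for the
# response of a server impersonating the update host.
GENUINE_PKG = b"constructed-sample: genuine update payload v1"
SPOOFED_PKG = b"constructed-sample: payload from an impersonating server"

# Assumption: this manifest is obtained over an authenticated channel
# (for example shipped with the OS or signature-checked), unlike the
# package download itself, which travels over plain HTTP.
TRUSTED_MANIFEST = {
    "ExampleUpdate.pkg": {  # hypothetical package name
        "sha256": hashlib.sha256(GENUINE_PKG).hexdigest(),
        "size": len(GENUINE_PKG),
    }
}


def naive_accept(name, data):
    """Behaviour described in the advisory: no check on the response."""
    return True


def verified_accept(name, data, manifest=TRUSTED_MANIFEST):
    """Accept a download only if it matches the trusted manifest entry."""
    entry = manifest.get(name)
    if entry is None:
        return False  # unknown package: fail closed
    if len(data) != entry["size"]:
        return False  # cheap reject before hashing
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(digest, entry["sha256"])


def simulate():
    """Return (naive, verified) decisions for each constructed download."""
    downloads = {
        "genuine": ("ExampleUpdate.pkg", GENUINE_PKG),
        "spoofed": ("ExampleUpdate.pkg", SPOOFED_PKG),
        "unlisted": ("Unlisted.pkg", GENUINE_PKG),
    }
    return {label: (naive_accept(n, d), verified_accept(n, d))
            for label, (n, d) in downloads.items()}


if __name__ == "__main__":
    for label, decision in simulate().items():
        print(label, decision)
```

The check only helps if the manifest itself cannot be replaced by whoever controls the network path, which is why its delivery channel is stated as an assumption.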