Ex-NSA Researcher Claims That DLL-Style Attacks Work Just Fine On OS X 93
An anonymous reader writes Ex-NSA and NASA researcher Patrick Wardle claims to have developed a reliable technique of Shared Library replacement which renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been (via its 'DLL' shared libraries) for years. Speaking at CanSecWest, Wardle explained that Apple's refusal to encrypt software downloads via its App Store allows an attacker on the same network to inject a malicious 'dylib' (shared library) without altering the hash of the legitimate-but-vulnerable software, thereby leaving the Developer ID signature intact. Wardle ran a crafted Python script on a typical Mac and discovered 150 dylib-dependent applications, including Apple's own Xcode developer environment — revealed last week by Edward Snowden to be a priority target for the NSA due to its ability to propagate compromised software.
Shouldn't that be sign? (Score:2)
don't the shared libs need to be signed.
Of course the problem is that when you make signing mandatory you make everyone pay for a cert.
Re: (Score:2)
Re:Shouldn't that be sign? (Score:5, Informative)
don't the shared libs need to be signed.
I was under the impression that as of MacOS/X 10.9.x, all distributed shared libraries in your .app directory needed to be signed as well, or Gatekeeper would treat the app as if it was unsigned. (See the "Code Signing Changes in OS X Mavericks" subsection at this link [apple.com])
Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?
Re:Shouldn't that be sign? (Score:5, Informative)
Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?
Quoting the article: "It’s not a point-and-click exploit – the attacker will need to get on the same network as the target Mac, either through a breach or by sharing the same public Wi-Fi access point, and then inject a vulnerable but legitimate application and make some purely cosmetic changes to the appearance of the .dmg (virtual installer disk) file when mounted."
Sounds pretty theoretical at this point. I don't see the "reliable technique of Shared Library replacement" that the summary declares.
Re: (Score:2)
There's a difference between "reliable technique for script kiddies and Anonymous" and a "reliable technique used by foreign intelligence services who, if they want something bad enough are going to get it one way or another". For them, the "cyber attack" aspect is only one method and if it becomes untenable they'll revert to HUMINT means. Human infiltration or malicious insiders can be used to gain the access necessary to propagate the dylib injection attack and gain a more long-lasting digital foothold.
Re: Shouldn't that be sign? (Score:1)
If the U.S. government had reliable HUMINT programs they might actually be able to catch terrorists, rather than relying on mass surveillance and a crap load of rockets.
Re: (Score:2)
They leave things a little technical and obfuscated to slow down the script kiddies. You don't want to ship an exploit, just distribute the information.
Re:Shouldn't that be sign? (Score:5, Insightful)
So, there are several avenues for attack. One, you could replace a
He claims to have gotten around the need for signing. How did he do that? In his demo, will he merely disable the setting that requires signing? It's hard to know if he doesn't release his proof of concept.
I've looked through the mach-o
The fact that the guy is talking more like a PR representative than a researcher makes him suspicious.
Re: (Score:3)
It has undergone a LOT of changes in the name of security, so it may be a lot "tighter" than when you last looked at it, just a FYI.
It's not. They added signing etc, but the quality of the code is still like this [dwheeler.com]. If anything, it's gotten worse in the past few years IMO, as a lot of their good programmers have left.
Re: (Score:1)
Re: (Score:2)
He noted the attack should also work on downloaded .zip files that contain applications.
That sounds like he's talking about unsigned applications. Which of course, if you replace a DLL with a different DLL, the different one will get executed. That's not really a vulnera
Re: (Score:1)
The NSA is an intelligence gathering agency and not an entity that produces software for sale or use outside of their own organization. Therefore the concept of it ever adding 'features' to software is nonsensical. That meme really only is applicable to companies that produce and sell products to consumers and screw up their own products.
So you never heard about the NSA involvement in IPSEC or various other crypto standards, that in retrospect seem to be unnecessarily vunerable?
Re: (Score:1)
The NSA did SELinux and probably similar in OS X, which has strengthened the operating systems by a large margin... something running as root doesn't have full root access unless it has the right role.
IMHO, the NSA isn't all bad. I'd say they have done more in keeping the bad guys out overall.
Requires Almost Direct Access (Score:2)
...an attacker on the same network...
In most scenarios, unless you have an NSA mole in your home/business, Isn't that basically the same as requiring direct access to the machine? Or are we just talking about "on the same planet" type of access?
Re: (Score:2)
Given that they can have access to all the cellular networks....
Re: (Score:2)
Have you ever connected to a network that wasn't yours?
Re: (Score:2)
Have you ever connected to a network that wasn't yours?
Yes, but there is a limit to my mis-trust.
Re: (Score:2)
Have you ever connected to a network that wasn't yours?
Yes and whenever I do connect (to an untrusted network that isn't mine) from my laptop or from my Android-based Samsung Galaxy S5, I use the latest stable OpenVPN client to connect to a VPN server on my Rasberry Pi at home.
Re: (Score:2)
yayy you and 3 other guys that are protected maybe!! :)
chances are your other family members are probably not so secure and they may introduce devices to your network that are compromised.
the correct answer is give up
not give up security but just the internet... i hope this pigeon reaches /.
Re: (Score:2)
yayy looks like the redundant pigeon made it, lost one to MITM... poor Louis you will be missed.
Re: (Score:2)
Re: (Score:2)
I would need to question closed sourced software makers, are they intentionally leaving holes in their software for this very reason? I find it very odd how simple yet stupid, one could leave a wide open exploit like this unchecked.
Yeah, that's right. Now go put another layer on that tinfoil hat.
Re: (Score:2)
...an attacker on the same network...
In most scenarios, unless you have an NSA mole in your home/business, Isn't that basically the same as requiring direct access to the machine? Or are we just talking about "on the same planet" type of access?
No, it means someone has replaced your access point, impersonated it or you are connecting to a network that isn't yours.
And no an encrypted WiFI doesn't help, the AP still has access to the unencrypted data.
Re: (Score:2)
...an attacker on the same network...
I hate the language because its wildly in accurate. It should read an attacker on a network between yours and the servers, inclusive.
Anyone who can MITM the traffic in anyway can use most vulnerabilities that are written up that way. I don't care if its thru some source routing, arp poisoning, packet capture off router or switch interface you traffic will traverse, maybe manipulating related traffic like DNS replies so you address them and they proxy; whatever. There are literally tons of ways.
I think t
Re: (Score:2)
Re: (Score:2)
This is the bit that makes me wonder about the "Update Cache" functionality on Apple devices where you can have a server on your local network that ALL devices behind that IP get their updates redirected to as soon as it's turned on.
Basically, Apple Macs and iPads will do "WSUS-like" updates automatically from any local Mac server that appears to come from the same IP as the Mac/iPad in question. Without asking. Without the clients knowing. And with its own local cache of updates.
Re: (Score:2)
This is the bit that makes me wonder about the "Update Cache" functionality on Apple devices where you can have a server on your local network that ALL devices behind that IP get their updates redirected to as soon as it's turned on.
Basically, Apple Macs and iPads will do "WSUS-like" updates automatically from any local Mac server that appears to come from the same IP as the Mac/iPad in question. Without asking. Without the clients knowing. And with its own local cache of updates.
Then I guess most of us are safe; because there are virtually no "Apple Mac Servers" in use, anyway.
And are you talking about "Net Boot" stuff? Because that is even more rare.
And what do you mean by "comes from the same IP?" By definition, that is essentially impossible.
Re: (Score:2)
Er... never heard of NAT? Or IP spoofing?
And, no, it's not related to the Net Boot things.
Update Cache basically is a way to deploy a Mac server on your network and stop all the iPads/iMacs on site trying to update from Apple directly.
The server advertises itself to Apple, who then redirect ANY machine that seems to have the same IP to update from the specified update server. For OS X updates, iOS updates, even apps. Basically, one "Apple Server" (or something that advertises itself as such) on your loca
Re: (Score:2)
Sure, there's probably encryption and hashing and verifying and all that supposedly going on,
So, IOW, you have no idea as to what the security measures are that Apple has put into place, and you are simply speculating that it would be insecure is ridiculous.
Re: (Score:2)
Re: (Score:2)
if we're now at the point that content caching is anathema, then we'd better all just unplug from our ISPs and start sneaker netting everything. Or something.
Exactly.
Re: (Score:2)
Except that if you are using the Software Update Service that is part of OS X Server, you either have to MITM DNS and re-point swscan.apple.com to your box, or you have to enroll all the Macs you want to redirect to the Profile Manager service on the same server (or another MDM profile you've created with something) that tells it to get it's software updates from that location. Or, if you want to go old school, you'd need to edit the /Library/Preferences/com.apple.SoftwareUpdate.plist file and add a Catalo
Re: (Score:2)
Isn't Update Cache similar to WSUS? This makes sense since LAN bandwidth is almost always a lot more plentiful than having every box pull their updates via the Internet.
AFIAK, Apple's updates are signed, so if someone does tamper with the update cache server, it will be detected.
HTTPS? (Score:3, Insightful)
I tend to agree with Apple on this one; there shouldn't be any need for HTTPS as the contents of the packages aren't meant to be secret. If this researcher was successful in his attempts to replace the shared libraries in a dmg package the problem is that the installer isn't checking for the signature on the dmg, or individual signatures of files within.
tldr; so long as proper signatures are in place and handling is observed traffic interception is not a problem as it will be caught and the hijacked package discarded.
Note that proper signatures are more secure than HTTPS, as the trusted Root CA list is necessary for HTTPS to work, and who really thinks that Verisign or the like would turn down a request from the US Government?
Re: (Score:1)
Re: (Score:1)
Good point, but afaik https "get" request isn't going to be encrypted, only the result of the request.
Re: (Score:3)
Not even that. You can't do generalised virtual hosting with SSL.
The host header is just a header like any other so the server can't figure out which certificate to use to set up the encryption layer. It is possible to do it in a restricted set of circumstances with a wild card certificate that matches all of the virtual hosts [apache.org].
Re: (Score:2)
Newer SSL standards include a host hint in the client-hello. So, yes, virtual hosts do work with https. (and have for MANY years now.)
Re: (Score:2)
How do you obtain the expected signatures to match against the package if not by HTTPS or similar?
As you point out, if Verisign is happy to oblige, then the signatures can be altered in-transit as easily as the packages here, and there'd be no warning.
It only takes one Apple-signed developer package in the hands of someone with this kind of access to fake the origin and authenticity of the package signature AND package if the connection itself isn't secure.
Re: (Score:2)
The packages are signed by Apple using a key provid
Re: (Score:2)
Re: (Score:2)
Depends on filesystem and device. One SAN vendor (forgot name, but sells all SSD units) purports to be able to dedupe code even if it doesn't align at the same boundaries. It does a block level dedup on a write, then has a background process which does the file level deduplication after the data is on the disks.
If this could be done in software (and hopefully not sacrificing performance or reliability), having every executable on the system static would simplify things on that level.
The advantage of movin
Re: (Score:1)
Re: (Score:1)
If they don't want to sign the dll's, then at least they should be able to provide the MD5 checksums for them so folks can check if their machine has been compromised.
MD5's? Do you work for the NSA or something?
http://www.hotforsecurity.com/blog/md5-hash-broken-via-collision-attack-of-less-than-1-10775.html [hotforsecurity.com]
Re: (Score:2)
I think he probably meant SHA512 hash, but didn't know he meant it.
Re: (Score:2)
Two hashes are better because if one algorithm fails, you have a backup. However, with CPU and I/O time so precious in most cases, two hashes are not really feasible.
Were I going with an algo, I'd be using SHA3 or Skein, something that is as secure as one can get presently.
what about Linux (Score:2)
arent those the equivalent of dll files? or close to it?
Re: (Score:2)
Yes, .so are exact equivalents of .dll, but as all major distributions sign packages as whole, this attack can't be used.
Re: (Score:2)
I'm not sure what you mean by "sign packages as a whole" since that wording is somewhat ambiguous, but apt, at least, doesn't sign individual packages [debian.org]. The only signature in place for secure apt is the one placed on the package file listing in the repository. That signed file contains the list of checksums (MD5, SHA1, and SHA256) for each package archive in the repository.
Re: (Score:2)
Yes, .so are exact equivalents of .dll, but as all major distributions sign packages as whole, this attack can't be used.
The problem still remains that after the package has been installed, a file in it can just be replaced with a malicious version either on disk or in memory.
Re: (Score:2)
Re: (Score:2)
The problem still remains that after the package has been installed, a file in it can just be replaced with a malicious version either on disk or in memory.
To do that, you need to be root. If you're root, you can do anything you want.
Laugh (Score:1, Insightful)
renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been
Another arrow for my quiver, and I get to say I told you so.
Shit has always been insecure, remember? It relied on the fact almost no one used Apple "security through obscurity".
https://pbs.twimg.com/profile_... [twimg.com]
Paranoia intensifies (Score:4, Interesting)
Re: (Score:2)
However, both Apple and Google are compromised by the NSA, so even if they were signed, it wouldn't matter.
Re: (Score:2)
Re: (Score:1)
I would suggest switching to a Yubikey NEO for OpenSSH. https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
That way your key isn't recoverable by anybody, including yourself. Assuming the Yubikey hardware isn't flawed. The downside is that because you literally cannot back up the key, you really should purchase two of them, cross-sign them for revocation, add both keys to all your authorized_keys files, and keep one in storage in case you lose your primary/
While it's plugged in it could still be u
Re: (Score:2)
Yubikey looks interesting, but I've used eTokens in the past (generated a key on a computer with FDE, imported the key into three tokens, then physically destroyed the HDD that had the key on it since it was giving SMART errors anyway), as a way to have physical security of keys (if I have the three tokens, I know the key isn't going anywhere.)
eTokens served me well, although it is impossible to find PKCS drivers for them for newer Windows and OS X versions these days.
They also serve as great ways to counte
Re: (Score:2)
Yes write any messages on paper, covert to a one time pad and then enter that into the compromised hardware, software, OS, crypto and network.
Consider future hardware and software buying re tame brands and their help with the world wide wiretap.
Too Much Spying (Score:2)
Re: (Score:2)
The purpose of the September 11th attacks was not to kill or destroy, but to cause the US to betray what few of its principles it still had and to pursue military misadventures that would create more enemies that they would eliminate. It was one of the most successful operations in all of human history.
The purpose of the response to the September 11th attacks was to expand the surveillance powers of the US government, further the careers of second-rate politicians, and funnel public money to defence contra
Re: (Score:2)
It would be nice to see some improvements in OS X security though just to keep ahead of the bad guys:
1: A TPM chip that can be used with FileVault 2 for additional protection (so a Mac can be set to ask for a boot password which can be a log longer than the user password.) The TPM chip would also combat brute force attacks. Since all Windows 8.1 certified machines have to have a TPM 2.0 chip, and Apple uses x86 hardware, might as well use this functionality, as it is pretty much built into all new PCs.
2: