November 23rd, 2014

OSX update service MITM attack

It looks like there is a fairly serious security vulnerability/exploit/patch released for OSX. Among other things, arbitrary commands can be trivially run on any OSX client with a man in the middle attack to the update service. There is a patch, but exploit code is already publicly available for metasploit, so I’d suggest not patching over any insecure connections, ;)

The security update also contains fixes for about a dozen other things within OSX as well. I’m pretty surprised that the OSX update service doesn’t (didn’t?) use any type of certificate or other methods for server authentication. Several other projects (firefox, debian, etc) have had issues with this in the past, but have been subsequently fixed. It does appear that Apple responded very quickly to the the notice (initial notice was on 12/6), but this seems like one of those “by design” vulnerabilities, so I’d have to guess they’ve known about it for a while.

If I wasn’t stuck writing reports tonight instead of hacking, I’d try to put together a quick script for AirPwn. It looks like you just need to intercept/inject a couple of http connections to It makes a request to get a catalog file (“.sucatalog”), which is just an xml file that references a distribution xml that contains the packages (payload).

Leave a Response

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS