OSX update service MITM attack
aaron posted in osx, vulns on December 17th, 2007
It looks like there is a fairly serious security vulnerability/exploit/patch released for OSX. Among other things, arbitrary commands can be trivially run on any OSX client with a man in the middle attack to the update service. There is a patch, but exploit code is already publicly available for Metasploit, so I’d suggest not patching over any insecure connections.
The security update also contains fixes for about a dozen other things within OSX as well. I’m pretty surprised that the OSX update service doesn’t (didn’t?) use any type of certificate or other methods for server authentication. Several other projects (Firefox, Debian, etc.) have had issues with this in the past, but these have subsequently been fixed. It does appear that Apple responded very quickly to the notice (initial notice was on 12/6), but this seems like one of those “by design” vulnerabilities, so I’d have to guess they’ve known about it for a while.
If I wasn’t stuck writing reports tonight instead of hacking, I’d try to put together a quick script for AirPwn. It looks like you just need to intercept/inject a couple of HTTP connections to swscan.apple.com. It makes a request to get a catalog file (“.sucatalog”), which is just an XML file that references a distribution XML that contains the packages (payload).
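To make the missing server authentication concrete from the defender's side, the following added example (not part of the original post and not Apple's code) audits a catalog and flags every URL in the fetch chain that is retrieved over plain HTTP or from a host outside an allowlist. It assumes the catalog parses as a property list; the sample catalog, its key names and all paths are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample, not a real Apple catalog; key names and paths are illustrative.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Products</key>
  <dict>
    <key>example-001</key>
    <dict>
      <key>Distributions</key>
      <dict>
        <key>English</key>
        <string>http://swscan.apple.com/example-001/English.dist</string>
      </dict>
      <key>Packages</key>
      <array>
        <dict><key>URL</key><string>https://mirror.example.net/example-001.pkg</string></dict>
      </array>
    </dict>
  </dict>
</dict></plist>
"""


def iter_urls(node):
    """Yield every string value in the parsed catalog that looks like a URL."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from iter_urls(child)
    elif isinstance(node, str) and "://" in node:
        yield node


def audit_catalog(raw, catalog_url, allowed_hosts):
    """Return (url, reason) for each URL fetched without server authentication
    or from a host that is not on the allowlist."""
    findings = []
    for url in [catalog_url, *iter_urls(plistlib.loads(raw))]:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((url, "no server authentication (plain HTTP)"))
        elif parts.hostname not in allowed_hosts:
            findings.append((url, "host not on allowlist"))
    return findings
```

A clean transport audit does not replace verifying a signature on the downloaded packages themselves; it only shows where the chain from catalog to payload can be altered in transit.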


