Russell Harding MacOS X SoftwareUpdate Vulnerability Advisory Missing In Action in Bugtraq Archive

["Jason Coombs" <jasonc () science org>]

Dear Symantec,

As long as we're burning digital books to mitigate our civil liability, 
perhaps we could do a good job of it next time? Quietly disappearing 
Russell Harding's advisory from the BugTraq archive didn't resolve your 
potential liability for distributing links to material that violates the 
DMCA. Perhaps you have failed to notice the various other locations 
where you still publish this illicit material, including the exploit?

active page:
http://www.securityfocus.com/bid/5176

exploit hosted by Symantec:
http://www.securityfocus.com/data/vulnerabilities/exploits/PhantomUpdate-0.7.tgz.tar

disappeared:
http://www.securityfocus.com/archive/1/280964

archive.org:
http://web.archive.org/web/20030606200331/http://www.securityfocus.com/archive/1/280964

exploit home page:
http://www.cunap.com/~hardingr/projects/osx/exploit.html

apple disinformation:
http://docs.info.apple.com/article.html?artnum=75304
https://depot.info.apple.com/security7-18/


To: BugTraq
Subject: MacOS X SoftwareUpdate Vulnerability
Date: Jul 7 2002 4:21AM
Author: Russell Harding <hardingr () ucsub colorado edu>

----------------------------------------------------------------------------
                     MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------

Date:      July 6, 2002
Version:   MacOS 10.1.X and possibly 10.0.X
Problem:   MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
            HTTP with no authentication, leaving it vulnerable to attack.

----------------------------------------------------------------------------

          http://www.cunap.com/~hardingr/projects/osx/exploit.html

----------------------------------------------------------------------------

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software
update, when configured by default, checks weekly for new updates from
Apple.  HTTP is used with absolutely no authentication. Using well known
techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to
trick a user into installing a malicious program posing as an update from
Apple.


Impact:

Apple frequently releases updates, which are all installed as root.
Exploiting this vulnerability can lead to root compromise on affected
systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this
information will convince apple they need, at the very least, some basic
authentication in SoftwareUpdate.


Exploit:  http://www.cunap.com/~hardingr/projects/osx/exploit.html

An exploit for this vulnerability has been released to the public for
testing purposes.  It is distributed as a Mac OS X package which includes
DNS and ARP spoofing software. Also, it includes the cgi scripts, and
apache configuration files required to impersonate the Apple
SoftwareUpdatesServer.


Credits:

Author  -  Russell Harding - hardingr () cunap com
Testing -  Spectre Phlux, KrazyC, Devon, and The Wench


Want to link to this message? Use this URL: 
<http://www.securityfocus.com/archive/1/280964>


Sent from my Verizon Wireless BlackBerry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/