oss-sec mailing list archives

Third Party Code Signing Vulnerability in Squirrel & Sparkle


From: Lets Secure <is3curi5 () gmail com>
Date: Wed, 13 Jun 2018 21:05:36 +0530

Based on the recent disclosure at
https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/

The Squirrel
<https://github.com/Squirrel/Squirrel.Mac/blob/e9e2188cda3efb4bc08b1719bdef71880f9dc9b1/Squirrel/SQRLCodeSignature.m#L127>
&
Sparkle
<https://github.com/sparkle-project/Sparkle/blob/d19c98a8771e6a38766199bb96654de5d8c3efb2/Sparkle/SUCodeSigningVerifier.m#L98>
frameworks also don't perform strict validation that checks nested
architectures and the revocation status and validity of the signer cert, which
can essentially result in bypassing the code-signing validations.

*Squirrel*
SQRLCodeSignature.m#L127
result = SecStaticCodeCheckValidityWithErrors(staticCode, kSecCSCheckAllArchitectures,
                                              (__bridge SecRequirementRef)self.requirement,
                                              &validityError);

SecStaticCodeCheckValidityWithErrors is called without the flags
kSecCSDefaultFlags | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks

Also, it lacks checks for the chain of trust across nested binaries in a fat
file, i.e. it is missing this code:
SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &requirementRef);

*Sparkle*
SUCodeSigningVerifier.m#L98
SecCSFlags flags = (SecCSFlags)(kSecCSDefaultFlags | kSecCSCheckAllArchitectures);
result = SecStaticCodeCheckValidityWithErrors(staticCode, flags, NULL, &cfError);

The flags should have been set with:
SecCSFlags flags = (SecCSFlags)(kSecCSDefaultFlags | kSecCSCheckNestedCode
                                | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks);

But, that's not the case with Sparkle.

Best Regards!
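The following is an added example, not code from Squirrel, Sparkle or the poster, showing what a hardened static code check looks like when the flag set and the "anchor apple" requirement described above are combined in one verification routine. The function name verifyBundleStrictly, the bundle path and the Team ID requirement string in the comment are this example's own assumptions; the Security.framework calls (SecStaticCodeCreateWithPath, SecRequirementCreateWithString, SecStaticCodeCheckValidityWithErrors) and the kSecCS* flags are real.

```objective-c
// Added example (not Squirrel's or Sparkle's code): verify an update bundle with
// every slice of a fat binary, all nested code and certificate revocation checked,
// and require the signer chain to anchor at Apple's root.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only if the bundle at bundleURL passes the strict check; on failure
// outError (if provided) receives the CFError from Security.framework or an
// NSOSStatusErrorDomain error carrying the OSStatus.
static BOOL verifyBundleStrictly(NSURL *bundleURL, NSError **outError)
{
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef requirement = NULL;
    CFErrorRef cfError = NULL;
    OSStatus status;

    status = SecStaticCodeCreateWithPath((__bridge CFURLRef)bundleURL,
                                         kSecCSDefaultFlags, &staticCode);

    if (status == errSecSuccess) {
        // The requirement the post says Squirrel omits: the chain must end at an
        // Apple root. A shipping updater would normally pin tighter, e.g.
        // "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""
        // (TEAMID is a placeholder for the vendor's own Team ID).
        status = SecRequirementCreateWithString(CFSTR("anchor apple"),
                                                kSecCSDefaultFlags, &requirement);
    }

    if (status == errSecSuccess) {
        // The full flag set recommended in the post. Without kSecCSCheckNestedCode
        // only the outer bundle is examined; without kSecCSCheckAllArchitectures
        // only the host's slice of a fat binary is; without
        // kSecCSEnforceRevocationChecks a revoked signer still passes.
        SecCSFlags flags = (SecCSFlags)(kSecCSDefaultFlags
                                        | kSecCSCheckNestedCode
                                        | kSecCSCheckAllArchitectures
                                        | kSecCSEnforceRevocationChecks);
        status = SecStaticCodeCheckValidityWithErrors(staticCode, flags,
                                                      requirement, &cfError);
    }

    if (status != errSecSuccess && outError) {
        // CFErrorRef is toll-free bridged to NSError; hand ownership to ARC.
        *outError = cfError
            ? (__bridge_transfer NSError *)cfError
            : [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        cfError = NULL;
    }

    if (cfError) CFRelease(cfError);
    if (requirement) CFRelease(requirement);
    if (staticCode) CFRelease(staticCode);
    return status == errSecSuccess;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        // Placeholder path (constructed for this example): the downloaded update.
        NSString *path = argc > 1 ? @(argv[1]) : @"/path/to/Downloaded.app";
        NSError *error = nil;
        if (verifyBundleStrictly([NSURL fileURLWithPath:path], &error)) {
            NSLog(@"update bundle passed strict code-signature check");
            return 0;
        }
        // Any failure, including an unreachable revocation service, is a reject:
        // never fall back to a weaker flag set.
        NSLog(@"rejecting update bundle: %@", error);
        return 1;
    }
}
```

Build on macOS with `clang -fobjc-arc -framework Foundation -framework Security verify.m -o verify` and run it against a bundle path. The point of keeping the requirement and the flags in one place is that a reviewer can see at a glance which of the three properties (all slices, nested code, revocation) the updater actually enforces, which is exactly what the two quoted call sites above make hard to audit.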
