Mac 3 6 0“MacKeeper”exposure arbitrary code execution vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201562257
Type myhack58
Reporter 佚名
Modified 2015-05-11T00:00:00


Believe Mac users must have seen Mackeeper ads--this is a Mac OS system optimization software, set anti-virus, encryption, data backup, system clean-up and software uninstall the All in one, can be considered to be Mac under 3 6 to 0. 5 December 7, Mackeeper is found that there is a serious security vulnerability in its handling of URL code in the presence of a remote code execution vulnerability when users visit a maliciously constructed web page to trigger a high-risk vulnerability. Vulnerability description Security researchers Braden Thomas discovered this vulnerability, when a user accesses a maliciously constructed web site, you hardly need to do anything interactive, you can at the highest system permission to Root to execute arbitrary code, he also published a POC(vulnerability validation program to demonstrate the user using Safari to access the maliciously constructed web site can execute arbitrary code, in the POC code that executes is the uninstall MacKeeper on. The vulnerability of the reason is MacKeeper use custom URL structure to execute the command when there is no input data to do the security check. If MacKeeper in normal operation when the user is prompted to enter a password, then as root user execute arbitrary code when the user is not prompted to enter a password. If the user is not previously authenticated, then MacKeeper will prompt the user to enter the account password, however, the exploit it is these character input by the user, so the user may feel the exploit in the process. Apple allows OSX and the iOS platform to the app on a custom URL structure, the URL can register system events, and to off from the system on the other APP processing the current URL, under normal circumstances, this function is used to customize some Protocol to perform the specified operation(for example, on iOS Tap on a phone number link, the system will ask the user whether to make a call, click on a mail address, the system will start the mail APP) Apple built-in APP in the code to explicitly tell the developer needs to input the custom URL to do a security check, to prevent the processing of the URL when an exception occurs. In addition, Apple is also in the official documents indicated in the input data do security checks of importance. The scope of the impact Due to this 0day in latest MacKeeper(MacKeeper 3.4, but also exists, so many users are affected, before the one reported in the display, there are 2 million users are affected. MacKeeper at the Mac community is a controversial application, users complain about its Frequent pop-UPS frequently push advertising. Today the vulnerabilities of the POC is already disclosed, so the MacKeeper users it is easy to attack. POC: the import sys,base64 from Foundation import * RUN_CMD = "rm-rf /Applications/MacKeeper. app;pkill -9-a MacKeeper" d = NSMutableData. data() a = NSArchiver. alloc(). initForWritingWithMutableData_(d) a. encodeValueOfObjCType_at_("@",NSString. stringWithString_("NSTask")) a. encodeValueOfObjCType_at_("@",NSDictionary. dictionaryWithObjectsAndKeys_(NSString. stringWithString_("/bin/sh"),"LAUNCH_PATH",NSArray. arrayWithObjects_(NSString. stringWithString_("-c"),NSString. stringWithString_(RUN_CMD),None),"ARGUMENTS",NSString. stringWithString_("Your computer has malware that needs to be removed.")," PROMPT",None)) print "com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/"+base64. b64encode(d) Safety recommendations MacKeeper users should immediately update to the latest version. By default, MacKeeper will automatically check for updates, when the MacKeeper pop-up upgrade prompt, click ok you can install the update. Of course, the user can through some way to avoid the attack. In OS X, click Safari in a custom link, the system calls the specified application program to process the corresponding URL in the other browser, such as chrome browser, it will prompt the user whether to agree to open the own Protocol of the link. For technical noob, try to use Mozilla other than the browser, so that, in the execution of arbitrary code, The system will pop up prompt. Technical pick can in MacKeeper Info. plist file to remove the action URL associated code.