Goodbye Windows security problems – Hello to Mac vulnerabilities

Introduction

Cartoon hacker with laptopAfter years of Microsoft Windows operating system vulnerabilities, we find that the new place which has moved to discovering sloppy programming in Java, Abode Flash, and Adobe Reader, and now Linux – with a common denominator typically focused around the C++ programming language. The issues around the Linux environment, causes Apple users problems, as Mac OS X has built its environment based on an underlying Linux environment.

In the days when Apple struggled to compete against Microsoft and Intel, and where the company nearly crashed, they made two major choices which completely changed their fortunes:

  • Move their architecture from Motorola/IBM (which was build on 68xxx processors) to the x86 architecture used by Intel. This was a smart move as it allowed them to keep up-to-date on hardware against the other PC manufacturers. From a software point-of-view, their programs changed from running Motorola codes to Intel ones, and they changed radically from “Big Endian” programs (where data is stored with the most significant byte first in memory location), to “Little Endian”, where the least significant byte is stored first.
  • Move their operating system to Linux. This allow them to reduce their development of their core operating system and focus on the user experience, but still use the reliability of the Linux operating system.

Thus the “special one” is basically just a customized Linux workstation (/server) using standard PC hardware, with a nice user interface on top.  Unfortunately the move to Linux might be coming back with anger on Apple, as serious flaws are now being found in the core infrastructure. Many bugs, which have gone unnoticed for many users, are being found, and these are often due to a lack of code review and testing. With OpenSSL, for example, and which caused Heartbleed, we still see C++ code developed Eric Young (“eay” lib) in 1998.

The other major rise at the current time is in pirated apps for the Mac, such as for Microsoft Office and Adobe Photoshop. When installed these apps provide admin access to the system, and can thus add a whole load of extra things and even reconfigure the computer to be part of a botnet.

iWorm

Last week, Dr. Web (a Russian security company) outlined a new worm for OS X: “Mac.BackDoor.iWorm“, and which allows hackers to take control of the computer, and using it as part of a Botnet, such as for sending spam emails or performing Denial of Service attacks against web sites. Apple, on detecting over 17,000 users with the worm then was quick to respond, and added the signature of iWorm to its malware detector (Xprotect – and which is installed on every Mac computer). A key factor for users is that there Mac needs to be up-to-date with system updates, otherwise they can be open to the spread of the worm. The Xprotect signature defined is:

This worm has been used to search Reddit for a fake discussion forum related to Minecraft and also integrated links to hacker controlled command servers. Reddit then closed the hacker accounts that were used in order to share links to the commands servers, and banned the fake Minecraft subreddit – which stopped the worm from receiving orders from the hackers.

Pirate Apps + Admin Privilege = Problems

It is though that the worm itself was spread though pirated software, such as for Microsoft Office, Adobe Photoshop and Parallels (the virtualisation package used to run other operating systems on the Mac) and downloaded from The Pirate Bay. The problem with installing pirated apps on the Mac, is that they run with Admin privilege, which, just like using an administrator account on a Linux system, they can install a range of other software packages, and also have rights to modify the configuation of the system. It is thus not too difficult from the pirated software to setup backdoors on the machine, just by enabling a network port to be open for connection.

While it is named “iWorm” it is technically a trojan, as it infects the system by users being tricked into downloading malicious software from software which looks valid. To find out if you are protected, on your Mac, open up a command line console, and navigate to:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources

and there is a file there named XProtect.plist. Use ls -l to look at the date. The update is likely to have a timestamp of 5 October 2014 and the contents should show the signatures, such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>Description</key>
        <string>OSX.iWorm.A</string>
        <key>LaunchServices</key>
        <dict>
            <key>LSItemContentType</key>
            <string>com.apple.application-bundle</string>
        </dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>Identity</key>
                <data>
                wIAM1QlbKNpLbKAUaKJ5+1vmkho=
                </data>
                <key>MatchFile</key>
                <dict>
                    <key>NSURLNameKey</key>
                    <string>Install</string>
                </dict>
                <key>MatchType</key>
                <string>Match</string>
            </dict>
        </array>
    </dict>

Shell Shock

With Shell Shock the target was again Linux servers using Bash (GNU Bourne Again Shell), which is the command line interpreter used in many Linux based systems, including Apple OS X. Bash interprets the commands that users enter or are run from scripts, and then makes calls to the operating system, such as for running programs, listing the contents of a directory, or in deleting files. The discovered flaw allows intruders to remotely run arbitrary code on systems such as Linux servers including for web servers, routers, and many embedded systems. It was discovered by Stephane Chazelas of Akamai, who found that code at the end of a function of an exported variable is run whenever an environment variable is used within the Bash environment. Many Linux programs use environmental variables to pass parameters between programs, and the flaw thus allows for code to be inserted into a program whenever these environmental variables are called.

Shellshock focuses on CGI scripts, which are old-fashioned scripts that allow commands to be processed using a scripted language. While popular in the past, it has been largely replaced by PHP and other high-level scripting programs. In most cases CGI scripts reside in the /cgi-bin folder. For GNU Bash through 4.3, trailing strings after a function are processed in the definitions of environment variables. This allows intruders to execute arbitrary cod. For example, we have a function named mybugtest:

billbuchanan@Bills-MacBook-Pro:/tmp$ export mybugtest='() { :;}; echo I AM BUGGY'
billbuchanan@Bills-MacBook-Pro:/tmp$ bash -c "echo Hello"
 I AM BUGGY
 Hello

Shell Shock can comprise a system by injecting a payload of code into the environment variables of a running process. When the process is started, the code is injected into the running program, in the same way as a user typing in some user input.

The code which can appear at the end of the Bash function can be fairly complex, and allow an intruder to inject code into the shell (and thus into running programs). In this example we copy some text into a text file (named newfile) and then copy the file to a new file (newfile2):

$ export mybugtest='() { :;}; echo "This is my new file..." > newfile; cp newfile newfile2'
$ bash -c ""
Segmentation fault: 11
$ ls myf*
myfile   myfile2
$ cat myfile2
This is a test

In this case we could move files around, but we couldn’t move a file to a privileged folder, as that would need administrator rights. In a well secured environment, the damage that Shellshock can cause should be minimal, as most of the important operations require a higher-level privilege. It is this attribute of Shellshock that highlights that this is not another Heartbleed, as Heartbleed allowed anyone to access the privilege area of memory on the server, without any restrictions. While Web servers may be safe, with a limited usage of cgi-bin scripts (which allow privileged access to the system), there may be risks with poorly secured embedded systems, which can often use scripts to setup their services.

Buffer overflows and underruns

The flaw within Bash, shows how sloppy software developers have been in the past, and it is a flaw which has existed for over 25 years without being discovered. Many of the problems being under covered have been caused by poor software coding in the C++ programming language, which often allows programs to act incorrectly when the input data is not formatted as expected. Once common method of exploiting a C++ program is a buffer overflow, where a certain amount of memory is allocated to variables, and where the user enters data which is more than the allocated memory, and which causes other parts of the memory to be overwritten, and cause the program to act incorrectly.

In the case of Heartbleed it was a buffer underrun which caused the problem, where an area of memory was read and which did not actually contain the required amount of data to fill it. If you are interested in Heartbleed, and its cause (OpenSSL):

Conclusions

So after years of Microsoft Windows being the target, hackers are turning the skills onto the Linux operating system, and Mac OS is a target of choice for the end user. The flaws found in iWorm and Shell Shock show that Linux is perhaps not as rock-solid from a security point of view as many thought. With its C++ code infastructure, and lots of code which are now over a decade old, we are likely to see increasing threats on Linux, and thus to Apple devices.

To their credit, Apple have been fast to detect, and patch, but there is a danger in users not paching their systems on a regular basis. This often happened on Microsoft Windows, were users often disabled the auto-updates, typically when it caused problems on their computer. So, Apple must make sure that their users keep their systems up-to-date, otherwise Apple users may be more of a risk than Windows ones.

Apple have been stung a little with the recent security threats, but have come out fighting, and show some guts to take security seriously. One key area will be for them to find their own vulnerabilities, and not leave it solely to the community, and where there is a race to between then exploiters and the patchers. The lack of a lock-out on the “Find My iPhone” service shows that they need to take penetration testing seriously for all the products.

Apple has also been fairly immune from pirated apps, but these will increasingly become a target, as they can used as a trojan to download a whole lot of threats to the computer, including reconfiguring the system to pose threats to users. It must be remembered that much of the core of a Mac is a powerful Linux server that can be configured in the same way as any other server.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s