MAAS History
Archives

Entries by Sean OConnell Public (50)

Tuesday
Oct112011

Apple Releases iTunes 10.5 with iCloud

Apple will be rolling out iCloud over the next couple of days. Apple has released iTunes 10.5 as a first step today. 

What's new in iTunes 10.5 (From Software Update.)

 

  • iTunes in the Cloud. iTunes now stores your music and TV purchases in iCloud and makes them available on your devices anywhere, any time, at no additional cost.

    • Automatic Downloads. Purchase music from any device or computer and automatically download a copy to your Mac and iOS devices.

    • Download Previous Purchases. Download your past music, TV, app, and book purchases again, at no additional cost. Previous purchases may be unavailable if they are no longer on the iTunes Store.

  • Sync with your iPhone, iPad, or iPod touch with iOS 5.

  • Wi-Fi Syncing. Automatically sync your iPhone, iPad, or iPod touch with iTunes any time they're both on the same Wi-Fi network.

 

Wednesday
Sep282011

Strengthening JAVA in MAC OSX

Reuse of code in crimeware kits and tools targeting Windows infrastructure via Java has been building momentum. Java is a cross platform environment which can allow criminals to take advantage of systems regardless of operating system. For example, much of the crime ware kit call BlackHole RAT is still written in Java and Real Basic. We still consider this kit Low Risk.

It is our thinking that in the case of JAVA, due to the cross OS nature and Apple's custom update cycle, it continues to be the attack vector platform of choice.

Ways to Eliminate any Threat from malicious JAVA Applets

If you do not need or use Java than disable it in Safari.

  1. In Safari goto Safari>Preferences>Security and disable Java.
  2. In Chrome visit Chrome://plugins and disable Java.
  3. In Firefox Tools>Add-ons and disable Firefox.

Suggested Setting in the Java Preferences.app to Protect Your Mac

  • In /Applications/Utilities/Java Preferences.app disable "Allow User to grant permissions to content from an untrusted authority."
  • In /Applications/Utilities/Java Preferences.app disable "Use certificates and keys in browser keystore"
  • In /Applications/Utilities/Java Preferences.app disable "Use personal certificate automatically if only one matches server request."
  • In /Applications/Utilities/Java Preferences.app enable "Enable blacklist revocation check."
  • In /Applications/Utilities/Java Preferences.app enable "Check certificates for revocation using CRL"
  • In /Applications/Utilities/Java Preferences.app enable "Enable online certificate validation"
  • In /Applications/Utilities/Java Preferences.app enable Verify mix security code. "Enable-don't run untrusted code, no warning." **This should be reviewed based on business needs.
  • Review Trusted Publishers in Security pane.
Java Preferences.app also allows the user control over the cache and storage space used. 

Consider each option based on your specific business needs. For example, if you are developing jar/applets internally consider reviewing of the signing process to insure that all internal app/jar used for production systems and properly signed by your organization. You may also want to disable Java or create a custom seat-belt file. 

Sunday
Sep252011

Reported PDF Decoy Malicious Installer LOW RISK

Recently F-Secure has reported they may have come across a Mac Trojan. The operative word being "may" from their original post which was not picked up by additional press accounts. (F-Secure is a five start organization, not that they cannot make errors but they are a gold standard when it comes to accurate disclosure.)

This PDF Decoy Malicious Installer is actually an attempt to use tactics found on the Windows platform by sending rouge documents that an unsuspecting user will open up. The taxidermy of the Windows attack attempts to execute a malicious application, open a malicious site or exploit a vulnerability in the Adobe Product line or Microsoft's Product line. In this particular case targeting Mac OSX there are very important key differences.

This is not a TROJAN running from a PDF taking advantage of an exploit or vulnerability. It is NOT EXPLOITING ANY KNOW FLAW at all, it is however using a host of deceptive tactics. It is a rouge Package Installer that installs and opens a PDF DECOY to cover up the installation of an additional services (Apache) without getting the user suspicious. In it's current form it is the technical equivalent of putting a square peg into a round hole. 

How it Works

The PDF Decoy Rouge Installer PACKAGE runs additional scripts after the decoy is installed and opened up on screen. Using combinations of Preinstall scripts, Post Install scripts and/or Actions within the Package the scripts will attempt to install and/or download additional services. (We have encountered a version which installs apache.) The developer of this malicious package has attempted to use an application which cleans itself up, similar to the one used in latter version of MacDefender, AVRunner. (Class Diagram)  The good news is that a properly configured Mac will mitigate this PDF Decoy Installer. This represent a LOW RISK threat in its current form.

Reports of Changing Extensions to Execute PKG Files are WRONG!

If you change the extension of a file in Mac OSX to one that it is not compatible with it will not execute or open. For example, a DMG, MPKG or PKG file that has had its  extension changed to .PDF it WILL NOT open or execute. What will happen is that an error will be generated.

Fig. 1.1 Firefox DMG file extension changed to .PDF

Primary Mitigation

Currently XProtect has been updated and will recognize this installer. In Apple Menu>System Preferences>Security & Privacy Make sure to have "Automatically update safe downloads list" Enabled for automatic updates of XProtect. (If you toggle this option it will update but make sure to do a "Show All" to save your settings. Advanced users can update XProtect manually** by doing the following:

  • Open /Applications/Utilities/Terminal.app
  • Type sudo /usr/libexec/XProtectUpdater
  • Enter the Adminstrator Password
  • Quit out of Terminal.app

It is important to realize that a developer can bypass the need for the user to enter the Administrator Password when creating an installer Package. The best defense is not to perform general computing as an administrator. This will limit what and where files can be installed. The administrator account type in Mac OSX is the equivalent of root and has full rights to install and write to a host of directories. You must use a standard user account for all your computing. 

Fig. 2.1 Installer Failing Standard User Account

In larger deployments of Mac OSX systems protect the administrator account as you would root using layered administrative permissions and sudo to execute system altering commands. (Administrator's should never have full access to root privileges and all activities should be audited.)

Mac OSX System

  • In Apple Menu>System Preferences>Security & Privacy Make sure to have "Automatically update safe downloads list" Enabled thus setting up automatic updates of XProtect.

Safari

  • Do not install any program from an installer opened directly from the Web.
  • Make sure "Open Safe Files" is de-selected in Safari Preferences.
  • Download files only to the Download folder that is in each users home directory.
  • Set Remove Downloads to "When Safari Quits." Manually clear this folder for other Browsers.
  • Make sure that "Block Pop-Up Windows" is on.
  • Never do Web Surfing as the Administrator, carry out daily task as a user that does not have administrator privileges.

For Chrome

  • Select "Clear Auto-Opening" settings in chrome://settings/advanced.
  • Never do Web Surfing as the Administrator, carry out daily task as a user that does not have administrator privileges.

Secondary Mitigation

 

  • We also recommend that you only install Applications that come from trusted sources or from the Mac App Store. These are digitally signed so their is trace back to the developer. 
  • Consider installing an Anti-Virus product. We love F-Secure and Intego. 

 

RISK

The RISK related to this PDF Decoy Malicious Installer is LOW. 

We continue to monitor how this evolves since the tactics are similar to larger scale Phishing attacks designed to create a beach front into an sensitive internal systems of high profile organizations. Due to recent system updgrades at previously targeted companies of users in certain departments and groups to Mac OSX systems, these actors are attempting to discover how to use their old tactics to create new jump off points to internal compromises.

 

**Apple does not recommend doing this from the command line and users should consider the risk. For the general user setting the system preferences should suffice. This solution is ideal in larger managed environments. 

Tuesday
Sep202011

dscl allows the authenticated user to change their password without confirmation

Directory Services Command Line (dscl) allows authenticated users to change various settings including their password. We wanted to provide some clarity to the RISK and avoid headlines, little detail or poor analysis. Below we provide all the facts along with mitigation technics to limit the effectiveness of a this type of physical access attack. It is our desire to clear up misconceptions so that users and administrators have a clear understanding of the Risk and mitigation methods to take.

Background

This issue reported by the blog Defence in Depth and than picked up by various news outlets states exactly what dscl does. (See man dscl) We think that this issue was reported without proper quantification of risk. dscl allows users to alter their setting in directory nodes they are authenticated to. (See man dscl) If you are a root user or administrator you can alter every user. 

Facts

-A user authenticated in Mac OSX Lion can from the terminal use the Directory Service Command Line Utility to set various options to the directory node the user is authenticated to.

-Using the dsl command with the -passwd option a user that is already authenticated can change their password without having to provide the old password. 

Last login: Tue Sep 20 07:18:30 on console
Box23Lion:~ joeuser$ dscl localhost -passwd /Search/Users/joeuser
New Password: 

-This is clearly stated in the man page for dscl -passwd option: 

 passwd 

Usage: passwd user_path [new_pasword | old_password new_pasword]

Changes a password for a user. The user must be specified by full path, not just a username.  If you are authenticated to the node (either by specifying the -u and -P flags or by using the auth command when in interactive node) then you can simply specify a new password.  If you are not authenticated then the user's old password must be specified.  If passwords are not specified while in interactive mode, you will be prompted for them.  Passing these passwords on the command line is inher-ently insecure and can cause password exposure.  For better security do not provide the password as part of the command and you will be securely prompted.

-As an account with Mac OSX Administrator or as root privileges you will be able to change any user's password. This is why you should never do general computing as the root user. 

-The original Key Chain cannot be accessed without the old password, thus your saved passwords are protected.

-The File Vault Recovery Key and Password will continue to work.

Myths

Myth-You can change any users password and lock them out of the system. 

If the malicious actor has physical access to a logged in account with Administrative privileges they can make it difficult for a user to gain access. Any password change will not affect the users keychain which stores saved passwords and developer certificates, the old password is required to access that key chain. They will not have access to chainging FileVault Settings.

Using an Administrator account for computing is extremely bad idea, MacOSX is Unix thus privileges come with responsibilities. Create a general account that for doing your daily computing task. If the Administrator password is changed resetting it is an easy task.

Myth-A general user can change any password they want.

One hundred percent false, as a non-administrative user cannot change the password of any user other than themselves. Read the man page above. 

Box23Lion:~ joeuser$ dscl localhost -passwd /Search/Users/aliceuser
New Password: 
Permission denied. Please enter user's old password:
passwd: DS error: eDSAuthFailed
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)

Myth-I can be locked out of my system.

If a malicious actor gains physical access to a command prompt with root or Administrative privileges and changes the user or root account all is not lost. You can use your Lion Emergency Disk or Lion Recovery Disk Assistant. 

Primary Mitigation

Never do computing as the Administrator, set up an Administrator account and a user account. Do all your computing as the user. Mac OSX has various layers of protection, use them. Shame on any organization or user who continues to operate in this manner or falsely confuse users instead of educate.

Secondary Mitigation

In System Prefences>Security & Privacy ensure that "Require Password immediately after sleep.." is selected. 

In System Prefences>Security & Privacy ensure that "Log out after 2 minutes of inactivity" is selected. 

For organizations with multiple administrators, never give your administrators the keys to the castle. Have specific administrative accounts that are logged and audited. 

Make sure to setup File Vault and to store your recovery key in a safe place.

RISK

The risk of this type of attack is LOW due to the need for the attacker to have physical access and administrative privileges.

We believe that already poorly configure MacOSX machines will be vulnerable to this and a host of physical attacks. 

Disappointment

We are disappointed that there continues to be an issue with dscl, which has been reported to Apple in the past. The user should be prompted again to enter their password even if they are already authenticate to the node. At that same time there is no weakness or true flaw, just bad implementation. We also think that the combined layers of protections in Mac OSX mitigate this risk, similar to all physical threats. So the real Risk we rate as LOW.

There is nothing to discover or new here except that someone read the man page for dscl who may have not done before. Due to the limited understanding about how best to secure  MacOSX a LOW RISK flaw has become poorly reported on and explained. 

We expect better and have done so here. 

 

Thursday
May262011

MacGuard Has New Twist on Install

There have been inaccurate reports that the MacGuard installer bypasses the administrator account. This is false, what it does is take advantage of users who are doing general computing task such as Web Surfing, Email and Word Processing as the Administrator account. On MacOSX, this account has access to write to the application folder. MacGuard is taking advantage of poor deployment, not a complex circumvention of the Administrator Privileges.

The Facts

Fact- YOU MUST BE THE ADMINISTRATOR ACCOUNT ON THE MAC TO INSTALL MACGUARD.
Fact- If you are not the administrator account or an account that is in the administrative group the installer WILL NOT INSTALL MacGUARD.

Trying to install MacGuard not as the Administrator

Fact-When you visit a page hosting MacGuard, the new variant of MacDefender, after the common fake scan in the browser window the user is promoted to download MacProtector.mpkg.zip
Fact-The Zip file contains avSetup.pkg which installs /Applications/avRunner.app.
Fact- avSetup.pkg has two postinstall scripts called postinstall and avSetup.post_install which run /Applications/avRunner.app
Fact-acRunner.app connects to a nginx server as the User Agent: avRunner/1 CFNetwork/454.11.12 Darwin/10.7.0 (0000) DDDDDDDDDDDDDD
Fact-acRunner.app downloads MacGuard.app.zip
Fact-acRunner.app unzips the file, removes the zip and places MacGuard.app into Applications.
Fact-This can only happen if you are the Administrator or an account with Administrative Privileges.
Fact-MacGuard can be removed using the manual method and our script.