Mac OS X LaunchServices Vulnerability
www.unsanity.com | 5/22/2003 | Jason Harris
Posted on 05/23/2004 1:48:21 AM PDT by Swordmaker
Mac OS X LaunchServices Vulnerability And The Need For Paranoid Android
A whitepaper by Jason Harris
Executive Summary
This is a nasty security vulnerability and you'd better install Paranoid Android until Apple fixes it.
Background Information
Apple's OS X has seen its first major security vulnerability. Apple hasn't yet released a fix (although they are purportedly working on one), and there's been lots of rumor, speculation, and flat-out incorrect fixes coming from the user community in the meantime. This paper is an attempt to explain the issue, explain why other fixes are incomplete, and present the rationale for Paranoid Android, my solution to the issue.
My current understanding of this vulnerability is that there are two "infection vectors" and two "exploitation vectors".
Infection Vectors
- The malware executable is automatically mounted on the target's computer via an URL over which the target has no control. An example is a very small html frame in an otherwise innocuous webpage that redirects to an URL with a scheme of 'disk', 'ftp', or 'afp'. No intervention from the user is required; all they have to do is surf to the malicious webpage and the malware executable will be mounted. Apple should prevent against this, but I'm not sure how. Restricting schemes that can be used in meta refresh tags would be one way, but there'd be lots of ways around it, and doing so would also restrict lots of legitimate uses.
- The malware executable is not automatically mounted without user intervention; instead, the target user must be fooled into clicking a link that mounts the executable. An example is a link titled "Click this to receive your free radio!", which, instead of giving the user a free radio, mounts malware onto his computer. I don't believe that Apple should try to protect against this type of infection because this is a social and educational issue, not a technical one. "You can't protect users against their own stupidity."
Now that the malware executable is present on the target's machine, let's look at ways that the attacker can launch the malware executable and deliver its payload. The payload can be anything that the target user has permissions to do, which includes wiping the target user's home directory, asking the target user to authorize the malware to gain super-user privs, and emailing innocuous infection vectors to everyone in the target user's address book.
Exploitation Vectors
- The attacker can use an existing, legitimate service provided by the operating system to execute the malware. Examples are using the 'runscript' scheme and the 'help' scheme. These schemes have high legitimate utility and should not be disabled, but they should also not be co-optable. Apple needs to fix this, no clue how.
- The attacker can register its own URL scheme handler, which will be automatically registered with LaunchServices when the malware is mounted in the Infection Phase above. The attacker then simply directs the web browser to any URL using that scheme, and the malware will be executed by Launch Services. The ability to register URL schemes with Launch Services is invaluable (two of my own products use it!), but it doesn’t need to be done until the handler executable has been launched. If Apple changed this behavior, that alone would close this vector.
The point of all of the above is that this is a rather large problem without an easy solution. There's lots of overlap between useful applications of this functionality and malicious ones, meaning that Apple can't easily fix this without removing useful features from its operating system and from existing apps.
Sample Exploit
I've written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android, there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android :)
If you click the sample exploit link below, here's what will happen:
- A disk image named "MalwareDiskImage" will be mounted on your desktop.
- Alternatively, the FTP path will be mounted in the Finder if the Finder is set up as the FTP handler. This is the default behaviour and the only way to change it is via a third party application. If the Finder is not the FTP handler, it will just launch the application that is the FTP handler.
- LaunchServices will read the "Info.plist" file of the application in this disk image automatically, and register the application as the default handler for URLs with a 'malware' scheme.
- The webpage will wait 10 seconds, and then redirect to "malware:unused", causing LaunchServices to launch the payload application within the disk image.
- The application within the disk image will write a text file to the user's home directory called "owned.txt" explaining that the machine has been exploited, will present an alert to the user, and will eject the disk image.
Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android provides protection from it.
benign sample exploit: innocousPage.html
benign sample exploit 2 (FTP): innocousPage.html
Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws
Conclusions
Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely.
Copyright Jason Harris, 2004, All Rights Reserved
This actually DOES install a disk image on OSX desktop and EXECUTES a program. IT also demonstrates that it can write a file to your Home Directory!
VERY DANGEROUS VULNERABILITY!
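The whitepaper's second exploitation vector turns on LaunchServices reading an application's Info.plist as soon as a disk image is mounted and registering whatever URL schemes it declares. The following Python script is an added example (not Jason Harris's Paranoid Android code, nor anything from the original post) showing the defender-side check a practitioner would want: parse the CFBundleURLTypes / CFBundleURLSchemes keys of an Info.plist and flag bundles that would silently become URL handlers from a mounted volume, or that claim one of the built-in schemes the paper names. The bundle path and the Info.plist contents are constructed sample data; the "/Volumes/" test is a heuristic assumption for "lives on a mounted image".

```python
import plistlib
from typing import Dict, List

# Constructed Info.plist, modelled on the CFBundleURLTypes key an app bundle
# uses to tell LaunchServices which URL schemes it handles. Sample data only,
# not the whitepaper's MalwareDiskImage payload.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.payload</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Example handler</string>
      <key>CFBundleURLSchemes</key>
      <array><string>malware</string><string>help</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Schemes the whitepaper names as provided by the OS (help, runscript) or used
# to auto-mount images (disk, ftp, afp). An app on removable media claiming one
# of these is trying to co-opt a built-in handler.
SYSTEM_SCHEMES = {"help", "runscript", "disk", "ftp", "afp"}


def registered_schemes(plist_bytes: bytes) -> List[str]:
    """Return every URL scheme this Info.plist would register with LaunchServices."""
    info = plistlib.loads(plist_bytes)
    schemes: List[str] = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return schemes


def assess_bundle(app_path: str, plist_bytes: bytes) -> Dict[str, object]:
    """Flag an app bundle that would become a URL handler merely by being mounted."""
    schemes = registered_schemes(plist_bytes)
    # Heuristic assumption: mounted disk images and network volumes live under /Volumes.
    on_mounted_volume = app_path.startswith("/Volumes/")
    findings: List[str] = []
    if schemes and on_mounted_volume:
        findings.append("registers URL schemes from a mounted volume (auto-registered on mount)")
    hijacked = sorted(set(schemes) & SYSTEM_SCHEMES)
    if hijacked:
        findings.append("claims built-in scheme(s): " + ", ".join(hijacked))
    return {"path": app_path, "schemes": schemes, "findings": findings}


if __name__ == "__main__":
    print(assess_bundle("/Volumes/SampleImage/Payload.app", SAMPLE_INFO_PLIST))
```

Run against real bundles by reading each `Contents/Info.plist` under `/Volumes` and feeding the bytes to `assess_bundle`; an empty `findings` list means the bundle declares no schemes that this check considers suspicious.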
To: Bush2000; antiRepublicrat; LasVegasMac; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ...
VERY IMPORTANT MAC OSX.2 and higher SECURITY PING!!! This is an extension of the vulnerability announced and patched by Apple two days ago... but it turns out that the vulnerability can be extended to other protocols. Those have NOT been patched by Apple's security update.
This seems to be quite dangerous but the person who has discovered it has created a freeware alert program that will prevent the installation of the malware. Now that the vulnerability is known, you can be sure it will be exploited.
I have confirmed the vulnerability. I have also installed Jason's Paranoid Android freeware program that intercepts the URL redirections that can create the problem and allows you to decide whether or not to allow the URL redirection. It works as described as a temporary safeguard until Apple provides a security patch.
As always if you want to be included or excluded from the Macintosh Ping list, freepmail me.
2 | posted on 05/23/2004 1:59:50 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
To: Swordmaker
I thought launch services are what aerospace companies provide to government at space launch sites and that there was a terrorist threat looming at. Poor me, I am webtv limited.
3 | posted on 05/23/2004 3:35:05 AM PDT by larryjohnson (USAF(Ret))
To: Swordmaker
Mac's???
Vulnerable???
Linux users used to snicker at Windows/Microsoft just like the Mac user used to.
Welcome to the real world, Mac and Linux. Your immunity seems to have come to an end.
4 | posted on 05/23/2004 4:16:55 AM PDT by TomGuy (Clintonites have such good hind-sight because they had their heads up their hind-ends 8 years.)
To: Nailbiter
... you should do this ...
5 | posted on 05/23/2004 5:50:37 AM PDT by IncPen (Proud member of the Half Vast Right Wing Conspiracy)
To: TomGuy
Linux doesn't have this vulnerability, only OSX.
6 | posted on 05/23/2004 5:55:00 AM PDT by ikka
To: ikka
Near as I can tell, it isn't an underlying problem with the Unix core but rather with the implementation of the "helper" applications that can be launched by a browser. Apple should have a fix out for it fairly quickly.
7 | posted on 05/23/2004 9:48:25 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
To: TomGuy; All
Welcome to the real world, Mac and Linux. Your immunity seems to have come to an end.
Lessseee...
Microshaft's two new products for 2004 include a richly featured Mac Office...more features than even Windows users get, for $399 +tax.
And the other one is a two CD package containing Security Updates for Windows 98, Windows 98SE, Windows Millennium Edition, Windows 2000 Home Edition, Windows 2000 Professional Edition, Windows XP Home Edition, Windows XP Professional Edition, which, unlike the FREE Service Pack #1 which fixed the Y2K Bug and required the User to pay Shipping and Handling, THIS Security Pack is FREE, and Micro$$$$$haft EATS the Shipping and Handling.
Their next "product", Longhorn, isn't supposed to be "DOS in a DRESS", i.e. a total rewrite of the OS, has just been stripped of most "new" features, and has slipped from 2003 to, MAYBE, 2006.
"I know you Programmers, and if the CODIL Compiler has slipped this far, it's gonna slip ALL THE WAY!!"
8 | posted on 05/23/2004 10:12:30 AM PDT by Lael (Patent Law...not a single Supreme Court Justice is qualified to take the PTO Bar Exam!)
To: Lael
Their next "product", Longhorn, isn't supposed to be "DOS in a DRESS", i.e. a total rewrite of the OS, has just been stripped of most "new" features, and has slipped from 2003 to, MAYBE, 2006.
What difference does it make. Even if it slips to 2010, HP, IBM, Dell, Gateway, and the other IHVs are going to ship it -- and its market share within the first month will be greater than the Mac has ever had. That's gotta hurt...
9 | posted on 05/23/2004 12:52:59 PM PDT by Bush2000
To: Swordmaker
Malware, androids, vectors -- yikes!
Can this be put in plain English for people like me who just implement applications and have no clue as to the inner workings of the computer?
10 | posted on 05/23/2004 4:14:36 PM PDT by randita
To: randita
Can this be put in plain English for people like me who just implement applications and have no clue as to the inner workings of the computer?
Soitenly!
This simply says that if you go to a website run by an evil SOB with an itch to REALLY give you a very bad day, he can force your Mac to mount a disk image AND run any programs he has on the disk image... including one to ERASE ALL YOUR DATA!
To prevent this, download and install this temporary precautionary fix: Paranoid Android :
The Program you need!
Get it, install it.
It will warn you anytime a website attempts to do something that will give you the VERY BAD DAY, and let you say "No, I don't have time for a bad day, today!" and stop it.
11 | posted on 05/23/2004 4:30:24 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
To: Swordmaker
Is this vulnerability Safari-only? I just tried the sample exploit in Camino and it was stopped cold because "malware is not a registered protocol."
It worked in Safari though.
To: Dont Mention the War
It apparently works on Safari, Internet Explorer, Netscape, and several others. Does Camino use a separate protocol list from the System list?
13 | posted on 05/23/2004 5:37:50 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
To: Swordmaker
Re: Post 11. Thanks for the explanation. That really helped. I got the download and installed it--very quick.
14 | posted on 05/24/2004 4:50:11 PM PDT by randita
To: TomGuy
Welcome to the real world, Mac and Linux. Your immunity seems to have come to an end.
I know of nobody credible, who ever claimed that either Mac or Linux were immune to attacks. Here is a truism that applies:
"Because of the constantly growing nature of knowledge, any security measures that can be conceived by the mind of man, can be circumvented by the mind of man."
What constitutes adequate security is generally considered to be, security measures that are difficult enough to circumvent, that it will make it not worth the attacker's time or risk, to attack a given target. In other words, the Museum of Fine Art should have a much better security system than the public library, a short distance away. Even so, most of the world's most secure museums have lost valuable art objects, over the years. Even those multimillion dollar security systems can be circumvented by a determined and skilled thief. But, the reason that such thefts are so rare, is that they have made security a priority, with the result being that most thieves look elsewhere.
Now, let's switch back to operating systems. Even the casual observer can see that the publishers of both Mac and Linux OS's have made security a priority, as evidenced by the extremely rare security flaws exposed in them and the even more rare "serious" security flaws. On the other hand, it has become painfully obvious that Microsoft either cares little about security or more likely, doesn't understand what it takes to make a system even somewhat secure, as evidenced by the continuing routine exposure of "serious" and often obvious security flaws in their systems, not to mention the fact that their security patches are as likely to open new security holes, as to seal the holes that they are intended to fix.
Mac and Linux OS's are not immune to attacks. They just put a lot more thought into securing their systems, than does Microsoft, with the result being that Microsoft is forced to release patches for "serious" security holes in their systems, several times a year, while Apple and Linux vendors average a "serious" security hole to be patched, about once every three or four years. The difference in "minor" security holes is even worse.
Mac and Linux OS's are not immune to attacks. But, like a car with a Clifford or Viper decal on the window, they have raised the level of security high enough to make most potential attackers look elsewhere - as in the vastly more numerous and much more easily subverted, WinTel boxes.
Personally, I hope that people keep right on using PC's in large numbers. After all, I make a very good living fixing problems with PC's that would never occur on a Mac or Linux box. If too many people were to switch to Macs, my income would decline, as the need for such services would dwindle, significantly. The beauty of Microsoft, is that their FUD (Fear, Uncertainty and Doubt) campaign is extremely successful. Even when my clients ask me what kind of PC I use and I am forced to tell them that I keep all of my mission critical work on a Mac, most are still so afraid and uncertain about the Mac, that they wouldn't consider it an alternative. So, I don't have to worry about losing clients, who might otherwise switch to a more stable platform. They've been FUDded by Microsoft and my job remains secure.
15 | posted on 05/25/2004 9:31:55 AM PDT by Action-America (Best President: Reagan * Worst President: Klinton * Worst GOP President: Dubya)