MacOS X SoftwareUpdate Vulnerability

|
Update:
This problem has been addressed in Security Update 7-18-02. Security Update 7-18-02 delivers a more secure Software Update service, as well as an updated Software Update command line tool, to verify that future updates originate from Apple.

|

|
Summary:
Mac OS X includes a software updating mechanism "SoftwareUpdate". Software update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.

|

|
Impact:
Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X systems.
Solution/Patch/Workaround:
There is currently no patch available. Hopefully the release of this information will convince apple they need, at the very least, some basic authentication in SoftwareUpdate(as simple as HTTPS even).
Exploit:
An exploit for this vulnerability has been released to the public for testing purposes. It is distributed as a Mac OS X package which includes some DNS and ARP spoofing software. Also, it includes the cgi scripts, and apache configuration required to impersonate the Apple SoftwareUpdatesServer.

|

|
Credits:
Author:     Russell Harding - hardingr-AT-cunap.com
Testing:     Spectre Phlux, KrazyC, Devon, and The Wench

|