Update:

This problem has been addressed in Security Update 7-18-02. Security Update 7-18-02 delivers a more secure Software Update service, as well as an updated Software Update command line tool, to verify that future updates originate from Apple.

The Exploit: PhantomUpdate

Here is a description of how the attack works, along with some sample software to carry it out. The software is packaged for Mac OS X, but the attack can be carried out from any type of computer with the proper tools. For the impatient: Read the QuickStart Guide and Download Now.

Normal Operation:

When SoftwareUpdate runs (weekly by default), it connects via HTTP to swscan.apple.com and sends a simple "GET" request for /scanningpoints/scanningpointX.xml. This returns a list of software and current versions for OS X to check. After the check, OS X sends a list of its currently installed software to /WebObjects/SoftwareUpdatesServer at swquery.apple.com via an HTTP POST. If new software is available, the SoftwareUpdatesServer responds with the location of the software, its size, and a brief description. If not, the server sends a blank page with the comment "No Updates".

Impersonating the Server:

As you can see, with no authentication, it is trivial to impersonate the Apple servers. The software provides two programs useful for impersonating the server: arpspoof and dnsspoof. Dnsspoof, written by Dug Song, has been customized for carrying out this attack. To run it, simply open up the Terminal and type "sudo dnsspoof &". It will begin listening for DNS queries for swscan/swquery.apple.com. When it receives them, it will reply with spoofed packets re-routing them to your computer. Arpspoof is needed for carrying out this attack on a switched network. For usage and information on ARP spoofing, read Sean Whalen's Introduction to ARP Spoofing.
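The missing piece that makes the impersonation above work is server authentication, which is exactly what Security Update 7-18-02 adds by verifying that responses originate from Apple. As an added example that is not part of the original page or the PhantomUpdate software, this Go program shows that client-side check in miniature: a SoftwareUpdatesServer-style response is accepted only if its signature verifies under a vendor public key and the download location stays on the expected host. The Ed25519 key pair, the "key: value" response encoding and the trusted-host rule are assumptions made for this example, not Apple's actual mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/url"
	"strings"
)

// VerifyUpdate is the client-side check the 2002 client lacked. It takes a
// SoftwareUpdatesServer-style response body and its signature, accepts the body
// only if it verifies under the vendor public key (assumed to ship with the OS),
// parses the "key: value" lines (an encoding constructed for this example) and
// returns the package location, which must still name the expected host.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte, trustedHost string) (string, error) {
	// A spoofed server can forge DNS answers and a body, but not this signature.
	if !ed25519.Verify(pub, body, sig) {
		return "", fmt.Errorf("response signature invalid: refusing update")
	}
	fields := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(body)), "\n") {
		key, val, ok := strings.Cut(line, ": ")
		if !ok {
			return "", fmt.Errorf("malformed response line %q", line)
		}
		fields[key] = val
	}
	location, ok := fields["location"]
	if !ok {
		return "", fmt.Errorf("response has no location field")
	}
	// Even a validly signed body must not redirect the download off the vendor host.
	if loc, err := url.Parse(location); err != nil || loc.Hostname() != trustedHost {
		return "", fmt.Errorf("location %q is not on trusted host %s", location, trustedHost)
	}
	return location, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	body := []byte("location: http://swquery.apple.com/SecurityUpdate.pkg\nsize: 4096\ndescription: Security Update\n")
	loc, err := VerifyUpdate(pub, body, ed25519.Sign(priv, body), "swquery.apple.com")
	fmt.Println("accepted:", loc, err)
}
```

With this check in place, a redirected DNS answer alone no longer lets an impersonating server hand the client a package of its choosing, since it cannot produce a vendor signature over its own response.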

The Software:

Client -> The software package for Mac OS X includes the following: arpspoof, dnsspoof (described above), the scanningpoint XML, the SoftwareUpdatesServer CGI program, web server configuration files, and, most importantly, the malicious software to be downloaded by the victim.

Victim -> The victim downloads a software package masquerading as a security update. In truth, it contains a backdoored copy of the Secure Shell server daemon, sshd. This version of sshd includes all the functions of the stock sshd, with the following addition: you can log in to any account on the system with the secret password "URhacked!". After logging in through this method, no logging of the connection is employed. In fact, you do not show up in the list of current users!

Download:

MacOS X Package: PhantomUpdate.pkg.tar (SoftwareUpdate exploit software)
MacOS X Victim Package: SecurityUpdate04-07-02.pkg.tar (fake Security Update)
The Source Code and Project Files: PhantomUpdate-0.7.tgz (everything)

Credits:

Author:     Russell Harding - hardingr-AT-cunap.com
Testing:     Spectre Phlux, KrazyC, Devon, and The Wench