Mon, 17 Dec 2007

Other weaknesses of the Mac OS X firewall

After looking over the Mac OS X firewall (which several people have already criticized), we have found several further weaknesses. They could be considered design flaws rather than bugs, but abusing them is technically feasible and uncomplicated:

[Image: Mac OS X firewall allowing connections through different script interpreters]

  1. There is no protection against process-level threats: injecting code into, and subverting, processes already trusted by the firewall is entirely possible.
    1. There has been research on other platforms about the implications of injecting code into the context of a trusted process to bypass the firewall (see Advanced Windows Firewall Subversion, also Phrack 62: Using Process Infection to Bypass Windows Software Firewalls).
      1. Mac OS X has several interfaces that allow low-level interaction with other processes.
      2. The ability to load code dynamically is available to every process in the system.
      3. Apparently, runtime code manipulation was not contemplated by Apple as a potential security issue.
        1. No integrity checks are done; signing a binary image is not enough if it can be tampered with in memory later.
  2. It works on a per-direction basis (inbound, outbound): there is no way to control what happens in a more fine-grained manner.
    1. The Ruby, Python or Perl interpreter binds a socket to listen for connections, and you allow it through the firewall. What's wrong with that? The rule is attached to the interpreter binary, so every script that interpreter runs inherits it.
      1. Metasploit includes PHP payloads: remote access with the privileges of the user running the interpreter.
      2. Any script will be able to perform network operations within the limits of the firewall configuration, which by default allows incoming connections.
        1. In other words, an attacker will be able to trivially bypass the firewall using a script interpreter like Ruby.
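To make item 2 concrete, here is an added Ruby example (our own illustration for this post, not code from the original entry or from Apple): a script that binds a listening TCP socket and tells each client what the firewall actually trusted (the interpreter binary, taken from RbConfig.ruby) versus what is really running (this script, its pid and uid). The function names, the loopback self-check and the "key=value" banner format are all constructed for the example.

```ruby
# Added example, not code from the original post. Once /usr/bin/ruby (the
# interpreter, not this file) has been allowed through the application
# firewall, any script run by it can bind a listening socket like this one.
require 'socket'
require 'rbconfig'

# Text sent to each client: the interpreter the firewall rule is bound to,
# the script that is really running, and the identity it runs as.
def identity_banner(script = $PROGRAM_NAME)
  [
    "interpreter=#{RbConfig.ruby}",
    "script=#{File.expand_path(script)}",
    "pid=#{Process.pid}",
    "uid=#{Process.uid}"
  ].join("\n") + "\n"
end

# Serve one client: send the banner and close the connection.
def serve_once(client)
  client.write(identity_banner)
ensure
  client.close
end

# Bind host:port (port 0 means "pick a free one") and accept clients in a
# background thread. Returns the server, the port actually bound and the
# accept thread so a caller can connect back and shut it down cleanly.
def start_listener(host = '0.0.0.0', port = 0)
  server = TCPServer.new(host, port)
  bound_port = server.addr[1]
  thread = Thread.new do
    loop { serve_once(server.accept) }
  end
  [server, bound_port, thread]
end

# Connect to a listener and return the banner it sends.
def fetch_banner(host, port)
  TCPSocket.open(host, port) { |s| s.read }
end

# Parse "key=value" banner lines into a hash (constructed format, see above).
def parse_banner(text)
  text.lines.map(&:chomp).reject(&:empty?).map { |l| l.split('=', 2) }.to_h
end

if $PROGRAM_NAME == __FILE__
  server, port, thread = start_listener('0.0.0.0', 0)
  puts "listening on port #{port}; the firewall attributes this socket to #{RbConfig.ruby}"
  puts fetch_banner('127.0.0.1', port)   # loopback self-check
  thread.kill
  server.close
end
```

Run it with the interpreter allowed through the firewall and connect from another host: the banner shows that the only thing the firewall can decide on is the interpreter path, while the script, and therefore the behaviour, can be anything the attacker wants.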

We are working towards developing a proof of concept demonstrating these issues (and other nice tricks) in technical detail; until that happens, stay tuned.

License

Creative Commons License
Subreption blog by Subreption LLC is Licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.