Mon, 17 Dec 2007
After taking a look at the Mac OS X firewall (which has already been criticized by several people), we have found several weaknesses. They could be classed as design flaws, but abusing them in practice is technically feasible and uncomplicated:

- There is no protection against process-level threats: injecting code into, or otherwise subverting, a process the firewall already trusts is entirely possible.
- There has been research on other platforms about the implications of injecting code into the context of a trusted process to bypass the firewall (see Advanced Windows Firewall Subversion, and Phrack 62: Using Process Infection to Bypass Windows Software Firewalls).
- Mac OS X has several interfaces that allow low-level interaction with other processes.
- The ability to load code dynamically is available to every process in the system.
- Apparently, runtime code manipulation was not considered by Apple as a potential security issue.
- No integrity checks are performed: signing a binary image is not enough if the image can be tampered with in memory later!
- The firewall works on a per-direction basis (inbound, outbound); there is no way to control traffic in a more fine-grained manner.
- The Ruby, Python or Perl interpreter binds a socket to listen for connections, and you allow it through the firewall. What is wrong with that?
- Metasploit includes PHP payloads: remote access with the privileges of the user running the interpreter.
- Any script will then be able to perform network operations within the limits of the firewall configuration: by default, allow incoming connections.
- In other words, an attacker will be able to trivially bypass the firewall using a script interpreter like Ruby.
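As an added example (not code from the original post, and not the proof of concept mentioned in it), the following Ruby script shows the two sides of the interpreter problem. `listener_identity` binds a listening socket the way any script can and reports what a per-application firewall has to base its decision on: the path of the interpreter binary, not the script that actually does the listening (the assumption here, matching the post, is that the firewall keys its rule on the executable image). `interpreter_listeners` is the check a practitioner would want on such a machine: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and flags listening sockets owned by interpreter binaries. The `SAMPLE_LSOF` text, including its process names, PIDs, device numbers and ports, is constructed for this example.

```ruby
require 'socket'
require 'rbconfig'

# Interpreter binaries that, once allowed through a per-application firewall,
# lend that permission to every script they run.
INTERPRETERS = %w[ruby python perl php].freeze

# Bind a listening TCP socket from a script and report the identity an
# application firewall keys its rule on (assumption: the executable image),
# which is the interpreter binary, not the script. Port 0 lets the kernel
# choose a free port; the socket is closed again before returning.
def listener_identity(host = '127.0.0.1')
  server = TCPServer.new(host, 0)
  {
    executable: RbConfig.ruby,        # what the firewall sees, e.g. /usr/bin/ruby
    script:     File.expand_path($0), # what actually decided to listen
    port:       server.addr[1]
  }
ensure
  server.close if server
end

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (names, PIDs,
# device numbers and ports are made up for this example).
SAMPLE_LSOF = <<~LSOF
  COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
  launchd     1  root   10u  IPv6 0xffffff8012345678      0t0  TCP *:22 (LISTEN)
  ruby     4123 alice    5u  IPv4 0xffffff8023456789      0t0  TCP *:4444 (LISTEN)
  python   4200 alice    3u  IPv4 0xffffff8034567890      0t0  TCP 127.0.0.1:8000 (LISTEN)
  Safari    612 alice   20u  IPv4 0xffffff8045678901      0t0  TCP 127.0.0.1:49152 (LISTEN)
LSOF

# Parse lsof LISTEN output and return the listeners owned by interpreter
# binaries. Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# where NAME is "address:port" followed by "(LISTEN)".
def interpreter_listeners(lsof_output)
  lsof_output.each_line.drop(1).map do |line|
    fields = line.split
    next if fields.size < 9
    command, pid, user, name = fields[0], fields[1].to_i, fields[2], fields[8]
    next unless INTERPRETERS.include?(command.downcase)
    address, _sep, port = name.rpartition(':')
    { command: command, pid: pid, user: user, address: address, port: port.to_i }
  end.compact
end

if __FILE__ == $0
  puts "Listening as #{listener_identity.inspect}"
  interpreter_listeners(SAMPLE_LSOF).each do |l|
    puts "interpreter listener: #{l[:command]}[#{l[:pid]}] (#{l[:user]}) on #{l[:address]}:#{l[:port]}"
  end
end
```

On a machine whose firewall prompts for incoming connections, running the script produces a dialog that names the interpreter rather than the script, which is exactly the weakness described above. To audit a real system, feed the output of `lsof -nP -iTCP -sTCP:LISTEN` to `interpreter_listeners` instead of the constructed sample.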
We are working on a proof of concept that demonstrates these issues (and other nice tricks) in technical detail; until then, stay tuned.