July 18th, 2007

Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch

Posted by Ryan Naraine @ 3:11 pm

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Google, Metasploit, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Punditocracy, Rootkits, Spam and Phishing, Spyware and Adware, Vulnerability research, Wi-Fi security, Zero-day attacks

Tags: Apple Mac OS, Apple Macintosh, Vulnerability, Apple Mac OS X, Worm, Patch, Ryan Naraine

Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.

Led by Mac security guru Dino Dai Zovi (of CanSecWest MacBook hijack fame), the researchers have created a third-party patch that removes the uPNP code from within mDNSResponder, the Bonjour system service that implements Multicast DNS Service Discovery for discovery of services on the local network.

Davi Zovi worked with his former employers at Matasano Security on the patch after looking at the worm claim and the recent mDNSResponder patch (and Bonjour exploit) affecting that portion of the Mac OS X code.

[ SEE: Ten questions for MacBook hacker Dina Dai Zovi ]

“If I were to guess about the vulnerability linked to the worm claim, I’d say it’s in uPNP. I won’t be surprised if there are others looking hard at that piece of code to find holes,” Dai Zovi said in a telephone interview.

The patch, which is buyer-beware (and unsupported), does not fix a specific vulnerability. Instead, it removes the LegacyNATTraversal code from mDNSResponder. Hackers consider mDNSResponder the primary client -> server attack surface on Mac OS X.

Matasano president Dave Goldsmith, a former @Stake researcher who has found/reported numerous Mac OS X vulnerabilities over the years, said that portion of the code contains lots of unbounded memory copies and a history of overflows and memory smashing bugs.

“This patch will hopefully prevent a certain code path from getting executed. No one knows for sure if there’s a vulnerability there but we think this (patch) could potentially stop some bad code from getting called,” Goldsmith said by telephone.

“The LegacyNATTraversal code is 1994-style C code,” Goldsmith said. “[There are known bad programming practices lurking in that particular file.”

On Matasano’s blog, Goldsmith warns that the patch is buyer-beware.

Standard disclaimers about this patch apply (including: may do nothing, may protection you form current/future vulns, may cause mDNSresponder to not work, may break support contracts). Also, this patch is unsupported, which is why I didn’t give step by step instructions on how to apply it.

In any event, Dai Zovi said the patch isn’t for non-technical Mac users. “There’s an opportunity for someone to make it more user-friendly but, right now, it’s not something the average user can use,” he said.

His advice to Apple: Rewrite the entire uPNP code base.

“It’s a feature that’s there for a reason but that entire bit of code needs to be rewritten. There are too many (potential) dangers there,” he added.