SnitchCTL - Command line tool and security holes
Authored by: xSmurf on Oct 04, '05 08:57:39AM
This was originally posted as a hint a few days ago but never got published, so I'm putting it up here. I believe it is important that LittleSnitch users be warned about this.

I decided my original technique was not enough and came up with a PHP shell script to manage the LittleSnitch daemon via the terminal. This is how SnitchCTL was born. It allows you to start, stop and restart the daemon as well as use the UI script to allow or deny a connection. It also allows you to add basic allow/deny-all rules to the configuration. The script is available here. I have also set up a page for the script. The source is available from the site.

Disclaimer:
This script has been tested with Mac OS 10.4.2 and LittleSnitch builds 212 (1.2b3), 218 (1.2b5), 226 (1.2). Tests have shown that running this script under 10.3.9 is a bad idea! Running this script poses a potential security risk! This script is provided "as is"; I am not responsible for any damages that could occur from using it. If you use it, you assume responsibility for what you do with it and whatever happens to you!


SnitchCTL build 006: A CLI interface to LittleSnitch.
    This script must be run as root or using sudo!
    Usage: ./snitchctl [option1] [[option2] [option3]] {delay}
-------------------------------------------------------------
Options:
    start       Starts LittleSnitch daemon
    stop        Stops LittleSnitch daemon
    restart     Restarts LittleSnitch daemon
    status      Shows LittleSnitch's status
    addrule     Allows to add a rule to the LittleSnitch configuration
                    This only works to allow or deny all connections
                    usage: ./snitchctl addrule [deny/allow] [path to application]
    allow       Allow via the GUI until the application quits on same port
    allowa      Allow via the GUI until the application quits for any connection
    deny        Denies via the GUI until the application quits on any connection
    delay       Used only with the three options above, allows to set a delay, in seconds, 
                before the LittleSnitch alert window is dismissed (see below for usage)
                delay is optional
-------------------------------------------------------------
There are two methods for using the allow, allowa and deny options:
The first is to use a second terminal window or ssh session; the second is by doing something like
  $ curl apple.com & ./snitchctl allow 5

While creating this script I discovered that LittleSnitch was really not as secure as it should be or appears to be. Fracai has posted a great warning call on the LittleSnitch mailing list. Here's a snippet:

LittleSnitch is not currently secure. "killall LittleSnitchDaemon" will allow any app to "phone home" without being detected by LittleSnitch. Properly securing LittleSnitch would involve running the daemon and all LittleSnitch components as the root user or as an independent LittleSnitch user. [...] The main point to take away from this is that as it is currently implemented, LittleSnitch is not secure. A malicious app need not sneak new rules into the configuration when the communication block is not effective.

The mailing list post is available here.

Yes, you've read that properly. The LittleSnitch daemon runs in user space! This means any malicious application can stop the daemon, send the data and then start the daemon back up, with very little chance that the user ever knows about it! LittleSnitch doesn't output to the system/console log, so there are no logs of what's been going on.

I suggest you read the site I've put up and the mailing list post by Fracai if you want to know more about this issue. I have also created a thread in the forums if you have any questions or comments.

---
SnitchCTL : Flawed security makes it fun! http://snitchctl.smurfturf.net/

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf

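
One defensive response to the silent-kill problem the post describes, as an added example that is not part of SnitchCTL or the original post: a small POSIX sh watchdog that records whether the daemon is present and writes the result to syslog with logger(1), so a daemon that disappears leaves a trace even though LittleSnitch itself logs nothing. The daemon name LittleSnitchDaemon is taken from the `killall` line quoted above; the `ps -axo comm=` listing format and the availability of logger(1) are assumptions. Two constructed process listings are embedded so the check can be exercised on a machine without LittleSnitch installed.

```shell
#!/bin/sh
# littlesnitch-watch.sh (hypothetical name): added example, not part of SnitchCTL.
# Logs whether the LittleSnitch daemon is running so that a kill/restart cycle
# leaves a record in syslog. Process name assumed from the post's "killall" line.

DAEMON_NAME="LittleSnitchDaemon"

# daemon_present LISTING
# Exit 0 if LISTING (one command name or path per line, as from `ps -axo comm=`)
# contains the daemon, 1 otherwise. Matches a bare name or a full path ending
# in the name. Takes the listing as an argument so it can be tested offline.
daemon_present() {
    printf '%s\n' "$1" | grep -Eq "(^|/)${DAEMON_NAME}\$"
}

# check_state LISTING
# Prints one audit line for LISTING; exit status mirrors daemon presence.
check_state() {
    if daemon_present "$1"; then
        printf 'littlesnitch-watch: %s running\n' "$DAEMON_NAME"
        return 0
    else
        printf 'littlesnitch-watch: %s NOT running\n' "$DAEMON_NAME"
        return 1
    fi
}

# live_check
# Samples the real process table (assumed BSD/macOS ps syntax), prints the
# audit line, and forwards it to syslog via logger(1) if available.
live_check() {
    listing=$(ps -axo comm= 2>/dev/null)
    msg=$(check_state "$listing"); rc=$?
    echo "$msg"
    logger -t littlesnitch-watch "$msg" 2>/dev/null || true
    return $rc
}

# Constructed sample listings for an offline run (not real ps output).
SAMPLE_UP="launchd
WindowServer
/Library/StartupItems/LittleSnitch/LittleSnitchDaemon
Finder"
SAMPLE_DOWN="launchd
WindowServer
Finder"

# Only touch the real process table when explicitly asked:  sh littlesnitch-watch.sh live
if [ "${1:-}" = "live" ]; then
    live_check
fi
```

Run it with the `live` argument from cron or a launchd job at a short interval. A "NOT running" line between two "running" lines in the syslog is exactly the gap the post says LittleSnitch would otherwise never record; a malicious app that restarts the daemon quickly can still slip between two samples, so the interval bounds what this catches.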

Extra Extra: the threat is real! A virus takes advantage of this security hole!
Authored by: xSmurf on Oct 05, '05 10:59:38AM

*** The security hole in LittleSnitch is not pure speculation. A virus already has taken advantage of it! ***

I was looking to see what the web had to say about LittleSnitch's security (googling with the terms "LittleSnitch Security") and something very interesting came up from Symantec's virus description page (http://securityresponse.symantec.com/avcenter/venc/data/sh.renepo.b.html):

"SH.Renepo.B is a data-collecting script virus that only runs on Mac OS X systems.
[...] When the virus is executed, it does the following: [...]
15. Looks for LittleSnitch software (a shareware Firewall program with application control) and tries to terminate the process, when LittleSnitch attempts to perform network access."

So I decided to search around a bit more to see what I could find. These are my findings. They are not exactly structured, but a lot of information can be found on these sites.

This information is well documented on many sites such as:

*** Objective Development has been aware of this for over a year but seemed to have decided not to act! ***
http://www.mail-archive.com/littlesnitch-talk@obdev.at/msg00132.html
(Note that they never mention in the mailing list post that the opener kills the LittleSnitch daemon!)

The opener was featured on:
More information about the SH.Renepo.B virus:
Current aliases used for this virus:
  • SH.Renepo (CA)
  • SH.Renepo.B (Symantec)
  • SH/Renepo-A (Sophos)
  • SH/Renepo.A (Panda)
  • Worm.MacOS.Opener.a (Kaspersky)
  • MacOS.Renepo.A
  • MacOS.Renepo.B
  • MAC_RENEPO.B
  • Unix/Opener.worm
I have posted this information on LittleSnitch's mailing list. You can view this post here.

---
SnitchCTL : Flawed security makes it fun! http://snitchctl.smurfturf.net/

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf
