The Culprit
Authored by: googoo on Feb 22, '06 09:21:12AM
I think the real vulnerability is in BOMArchiveHelper.app. Read my detailed explanation in today's MacIntouch (2006-02-22).

-Mark

The Culprit
Authored by: hamarkus on Feb 22, '06 10:08:26AM

I agree with you, BOMArchiveHelper.app automatically opening files is the problem (there might be some useful cases but BOM should never be allowed to open a file which wants to be opened by Terminal.app).

If you have Stuffit installed you can also use RCD (both via extension and MIME type) to open .zip and any other compressed formats with it; that way you can still uncompress them in the Finder.
However, the next 'virus' might simply override this setting (as the sample Secunia.mov file does) and ask the OS to open it with BOM, although Safari and Mail might prevent this.

I still do not understand by which mechanism the 'Open with' app in the 'Get Info' window is set. It is not the filename extension nor the Creator/Type nor the MIME type.

The Culprit
Authored by: bomolub on Feb 22, '06 01:58:29PM

It's done with a resource of type 'usro' in the resource fork.

http://mjtsai.com/blog/2004/01/27/bruce_horn_interview

The Culprit
Authored by: hamarkus on Feb 22, '06 05:09:26PM

Thanks for the info. So Apple 'simply' has to stop considering files which have 'icns' and 'usro' resources pointing to Terminal.app as 'safe' files.

Interestingly, the resource fork of secunia.mov contained the complete path to Terminal.app. Do the 'icns' and 'usro' resources always contain the complete path?

& Mail.app !?
Authored by: mayaahh on Feb 22, '06 10:26:46AM

I think there is a risk with Mail too: if you receive a mail with a movie icon and the file's name is something.mov and the fake is credible (imagine a Mac-related mailing list sending a video about security on the Mac!), you can't know it's a shell script unless you download it and hit Command+I instead of just double-clicking it.

I think the solution has to be a bash one: I'm looking for someone competent enough in bash to crack it in order to add a confirmation step before executing a script file. The prompt should say "Do you really want to execute the file filename.mov?" No! The only restriction is that crontab should not be affected.

Resource Forks!!
Authored by: googoo on Feb 22, '06 01:58:23PM

It seems to me that there are several problems that all go back to one central issue: resource forks! Mac OS X uses the file extension to determine which app to use if a file does not have a resource fork. If a file has a resource fork, the application associated with the file can be different from the application associated with the extension. You set this in the Finder Get Info menu by changing the Open with option. Usually this is not an issue because files that arrive by download, E-mail, or other means come without resource forks. There are some exceptions, though. Resource forks can be included in ZIP archives, and BOMArchiveHelper.app reconstructs them for the extracted files. Mail.app can handle resource forks as well. I am sure there are others, too. This is a huge problem.

A compounding factor is that Terminal.app will run shell commands in a UNIX executable file. All you have to do is set Terminal.app as the application and double-click the file. Then Terminal.app opens a new shell, and executes the commands in the file.

Combine these two issues, and you get a mess. You can give a file a harmless sounding (and incorrect) extension and set its default application to Terminal.app. The result: double-clicking a seemingly harmless photo or movie opens Terminal.app and runs a shell script that deletes all your files (no administrative permission needed)! Then, Safari was set to open certain "safe" files for us. The problem is that "safe" files are determined by extension (or actually MIME type) instead of associated application.

And this is the "safe" OS!?

-Mark

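
As an added example (not part of this thread, and not Apple's or any poster's code): a small Python scanner that applies the point of the post above to a zip archive before anything is extracted or double-clicked. It walks the archive for resource-fork sidecars, parses each fork, and reports any member whose 'usro' resource names Terminal.app as the application to open it with. Three things are assumptions rather than facts taken from the thread: that the archiver stores forks as AppleDouble sidecars under __MACOSX/._<name> (as ditto and Archive Utility do), that the 'usro' payload is a 4-byte big-endian length followed by the application's POSIX path (the code falls back to treating the payload as a raw path if that does not fit), and the sample archive itself, which is constructed inline (a shell script named Secunia.mov plus a sidecar pointing at Terminal.app) so the script runs offline. The resource-fork and AppleDouble layouts follow the classic Resource Manager and AppleDouble version 2 formats.

```python
import io
import struct
import zipfile

def build_resource_fork(resources):
    """Classic resource fork from [(type: 4 bytes, id: int, data: bytes)], no names."""
    data_section, data_offsets = b"", []
    for _, _, data in resources:
        data_offsets.append(len(data_section))
        data_section += struct.pack(">I", len(data)) + data
    by_type = {}
    for i, (rtype, _, _) in enumerate(resources):
        by_type.setdefault(rtype, []).append(i)
    type_entries, ref_lists = b"", b""
    for rtype, idxs in by_type.items():
        # reference-list offset is relative to the start of the type list
        type_entries += struct.pack(">4sHH", rtype, len(idxs) - 1,
                                    2 + 8 * len(by_type) + len(ref_lists))
        for i in idxs:  # id, name offset (none), attrs, 3-byte data offset, handle
            ref_lists += (struct.pack(">hHB", resources[i][1], 0xFFFF, 0)
                          + data_offsets[i].to_bytes(3, "big") + b"\0" * 4)
    type_list = struct.pack(">H", len(by_type) - 1) + type_entries
    # map: 24 reserved bytes, then offsets (from map start) to type and name lists
    resmap = (b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
              + type_list + ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data_section), len(data_section), len(resmap))
    return header + b"\0" * 240 + data_section + resmap  # resource data starts at 256

def parse_resource_fork(fork):
    """Yield (type, id, data) for every resource in a resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    ntypes = struct.unpack_from(">H", fork, type_list)[0] + 1
    for t in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
        for r in range(last + 1):
            p = type_list + ref_off + 12 * r
            rid = struct.unpack_from(">h", fork, p)[0]
            doff = data_off + int.from_bytes(fork[p + 5:p + 8], "big")
            dlen = struct.unpack_from(">I", fork, doff)[0]
            yield rtype, rid, fork[doff + 4:doff + 4 + dlen]

def usro_path(payload):
    """Assumed 'usro' layout: 4-byte length then a POSIX path; else treat as raw path."""
    if len(payload) >= 4:
        n = struct.unpack_from(">I", payload, 0)[0]
        if n <= len(payload) - 4:
            payload = payload[4:4 + n]
    return payload.decode("utf-8", "replace").rstrip("\0")

def build_appledouble(rsrc):
    """AppleDouble v2 sidecar holding a single resource-fork entry (entry ID 2)."""
    return (struct.pack(">II16xH", 0x00051607, 0x00020000, 1)
            + struct.pack(">III", 2, 26 + 12, len(rsrc)) + rsrc)

def appledouble_rsrc(blob):
    """Return the resource-fork entry of an AppleDouble file, or None."""
    magic, _, nentries = struct.unpack_from(">II16xH", blob, 0)
    if magic != 0x00051607:
        return None
    for i in range(nentries):
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if eid == 2:
            return blob[off:off + length]
    return None

def suspicious_openers(zip_bytes):
    """Map member name -> opener path for members whose __MACOSX/._ sidecar
    carries a 'usro' resource naming Terminal.app (assumed sidecar layout)."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("__MACOSX/"):
                continue
            folder, _, base = name[len("__MACOSX/"):].rpartition("/")
            if not base.startswith("._"):
                continue
            rsrc = appledouble_rsrc(zf.read(name))
            if rsrc is None:
                continue
            for rtype, _, data in parse_resource_fork(rsrc):
                if rtype == b"usro":
                    path = usro_path(data)
                    if path.rstrip("/").endswith("Terminal.app"):
                        hits[(folder + "/" if folder else "") + base[2:]] = path
    return hits

def make_sample_zip():
    """Constructed sample: a shell script disguised as a movie, plus a sidecar
    whose 'usro' resource steers the Finder's 'Open with' to Terminal.app."""
    script = b"#!/bin/sh\necho 'this would have run in Terminal.app'\n"
    opener = b"/Applications/Utilities/Terminal.app"
    fork = build_resource_fork([
        (b"usro", 0, struct.pack(">I", len(opener)) + opener),
        (b"icns", -16455, b"\0" * 8),  # -16455 is the custom-icon resource ID
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secunia.mov", script)
        zf.writestr("__MACOSX/._Secunia.mov", build_appledouble(fork))
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()
```

Running suspicious_openers(make_sample_zip()) reports Secunia.mov as opening with /Applications/Utilities/Terminal.app, which is exactly what the Finder would do on double-click while Safari's "safe file" check, going by extension and MIME type, sees a movie. On an HFS+ volume the fork of a file that has already been extracted can be read from path/..namedfork/rsrc and passed straight to parse_resource_fork, so the same check works on downloaded files and mail attachments as well as on archives.
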
Resource Forks!!
Authored by: john108 on Feb 22, '06 02:55:49PM

Exactly. Anything other than changing from HFS to a proper POSIX-compliant Unix file system (without resource forks) will be a short-term fix until the next exploit comes along. This was only a POC; once it is realised how easy it is to exploit Macs, the fun will begin. It's time to say goodbye to Classic, take the OS that NeXT developed and match it to a proper secure Unix file system where this type of nonsense just wouldn't happen.

& Mail.app !?
Authored by: mibo on Feb 23, '06 04:05:11AM

Yeah, Mail.app is a much bigger security hole than Safari:
http://www.heise.de/english/newsticker/news/69919
They tested Mail on both 10.3.9 and 10.4. While Panther Mail asked what to do with the file, Tiger Mail just starts the script without asking. So mail attachments are a bigger risk to your system. Maybe somebody who uses Mail on Tiger could test the "defaults write" solution for Safari with Mail, because Mail doesn't seem to have a switch in its GUI to bring up the dialog before executing scripts.
