Rixstep

MOAB Drop Zero Day on Stunned Fanboy World

Everyone expected the Month of Apple Bugs to turn up some pretty nasty things but few expected show stoppers like this.


When you build your operating system on the 'rock solid foundation of Unix' you have to make sure you don't move the rocks around too much. And that's not always easy, especially if you're trying desperately to return the system to its former glory when all computers were standalone, manufactured in beige coloured materials, and said 'hello'.

Security researchers Kevin Finisterre and LMH were sent a 'zero day exploit' by an anonymous contributor that shows just how dangerous this can be.

The exploit - currently being used in the wild to compromise unsuspecting OS X machines - takes advantage of an Apple 'add-on' to Unix which involves performing the old Apple fanboy cure for everything from the common cold to dyslexia: 'repairing permissions'.

A malicious user could create a BOM declaring new permissions for specific filesystem locations (eg binaries, cron and log directories). Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing an attacker to plant a backdoor, overwrite resources or simply gain root privileges.

The system code used to 'repair permissions' must have its SUID bit set so it runs as root, but it performs no security or sanity checks on what it finds in /Library/Receipts - it just assumes all is 'hunky-dory' in Beigeland.

Permissions declared in BOM files aren't validated, and no sanity testing is performed to prevent potentially harmful attributes from being set on the filesystem.

This zero day exploit, called 'meow' and sent to the MOAB team by an anonymous contributor, is being actively exploited in the wild.

Batten the Hatches

There are a few things users can do until Apple put sanity (checks) into their system code.

  • Take the fangs out of the disk management code.

    sudo chmod -s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool

  • Check everything in /Library/Receipts with a message digest tool. [ACP users of course use MD.] Compare your results with another system you know has not been compromised.

    The MOAB team recommend checking the following BOM files. It's a long list.

    /Library/Receipts/AdditionalAsianFonts.pkg/Contents/Archive.bom
    /Library/Receipts/AdditionalEssentials.pkg/Contents/Archive.bom
    /Library/Receipts/AdditionalFonts.pkg/Contents/Archive.bom
    /Library/Receipts/AddressBook.pkg/Contents/Archive.bom
    /Library/Receipts/ApplicationsServer.pkg/Contents/Archive.bom
    /Library/Receipts/Automator.pkg/Contents/Archive.bom
    /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom
    /Library/Receipts/BrotherPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/BSD.pkg/Contents/Archive.bom
    /Library/Receipts/BSDSDK.pkg/Contents/Archive.bom
    /Library/Receipts/CanonPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/CommonAccessCard.pkg/Contents/Archive.bom
    /Library/Receipts/CommonCriteriaTools.pkg/Contents/Archive.bom
    /Library/Receipts/DevDocumentation.pkg/Contents/Archive.bom
    /Library/Receipts/DeveloperTools.pkg/Contents/Archive.bom
    /Library/Receipts/DevExamples.pkg/Contents/Archive.bom
    /Library/Receipts/DevFatLibraries.pkg/Contents/Archive.bom
    /Library/Receipts/DevInternal.pkg/Contents/Archive.bom
    /Library/Receipts/DevSDK.pkg/Contents/Archive.bom
    /Library/Receipts/ElectronicsForImagingPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/EpsonPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/Essentials.pkg/Contents/Archive.bom
    /Library/Receipts/FatLibraries.pkg/Contents/Archive.bom
    /Library/Receipts/GimpPrintPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/HewlettPackardPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/iCal.pkg/Contents/Archive.bom
    /Library/Receipts/iChat.pkg/Contents/Archive.bom
    /Library/Receipts/Internal.pkg/Contents/Archive.bom
    /Library/Receipts/iTunes.pkg/Contents/Archive.bom
    /Library/Receipts/Java.pkg/Contents/Archive.bom
    /Library/Receipts/LexmarkPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/Mail.pkg/Contents/Archive.bom
    /Library/Receipts/MicrosoftIE.pkg/Contents/Archive.bom
    /Library/Receipts/MigrationAssistant.pkg/Contents/Archive.bom
    /Library/Receipts/OxfordDictionaries.pkg/Contents/Archive.bom
    /Library/Receipts/QuickTimeStreamingServer.pkg/Contents/Archive.bom
    /Library/Receipts/RicohPrinterDrivers.pkg/Contents/Archive.bom
    /Library/Receipts/Safari.pkg/Contents/Archive.bom
    /Library/Receipts/ServerAdminTools.pkg/Contents/Archive.bom
    /Library/Receipts/ServerEssentials.pkg/Contents/Archive.bom
    /Library/Receipts/ServerFatLibraries.pkg/Contents/Archive.bom
    /Library/Receipts/ServerInternal.pkg/Contents/Archive.bom
    /Library/Receipts/ServerSetup.pkg/Contents/Archive.bom
    /Library/Receipts/X11SDK.pkg/Contents/Archive.bom
    /Library/Receipts/X11User.pkg/Contents/Archive.bom
    /Library/Receipts/XeroxPrinterDrivers.pkg/Contents/Archive.bom

Alternatively, be bold: just delete everything in /Library/Receipts, lock it down, and remember to keep an eye on things.
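The two checks above (is the SUID bit still off the disk management tool, and do the BOM files still match a known-good system) can be scripted. The following is an added example, not code from the Rixstep article or the MOAB team: it snapshots every Archive.bom it finds under a receipts directory into a baseline file, then compares a later snapshot against that baseline and reports changed, new and missing BOMs. It goes slightly beyond the fixed list above by walking whatever receipts are present rather than only the named packages. The function names (bom_digests, bom_compare, suid_set), the baseline file format and the SHA-256 digest are assumptions made for the example; the baseline must be generated on a machine you trust and copied over, since paths are recorded relative to the receipts directory for exactly that purpose.

```shell
#!/bin/sh
# Added example (not from the Rixstep article or the MOAB team).
# Function names, baseline format and choice of digest are assumptions.

# Print "digest  ./relative/path/Archive.bom" for every Archive.bom under DIR,
# sorted by path. Paths are relative so a baseline from another machine compares.
bom_digests() {
    dir=$1
    ( cd "$dir" && find . -type f -name Archive.bom | LC_ALL=C sort |
        while IFS= read -r f; do
            # sha256sum (GNU) or shasum -a 256 (macOS): both print "digest  path".
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$f"
            else
                shasum -a 256 "$f"
            fi
        done )
}

# Compare BASELINE (saved output of bom_digests from a trusted system) with the
# live state of DIR. Prints one line per difference, sorted:
#   CHANGED <path>  digest differs from the baseline
#   NEW     <path>  BOM present now but absent from the baseline
#   MISSING <path>  BOM in the baseline but gone now
# Returns 0 when nothing differs, 1 when anything does.
bom_compare() {
    baseline=$1
    dir=$2
    current=$(bom_digests "$dir")
    diffs=$(printf '%s\n' "$current" | awk -v base="$baseline" '
        BEGIN {
            # Load the trusted digests keyed by relative path.
            while ((getline line < base) > 0) {
                if (line == "") continue
                split(line, f, " ")
                known[substr(line, length(f[1]) + 3)] = f[1]
            }
        }
        NF == 0 { next }
        {
            digest = $1
            path = substr($0, length($1) + 3)   # skip digest and two spaces
            if (!(path in known)) print "NEW     " path
            else if (known[path] != digest) print "CHANGED " path
            seen[path] = 1
        }
        END {
            for (p in known) if (!(p in seen)) print "MISSING " p
        }' | LC_ALL=C sort)
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# True (exit 0) if FILE still carries the set-user-ID bit, i.e. the chmod -s
# above has not been applied or has been undone by a reinstall or update.
suid_set() {
    [ -u "$1" ]
}

# Typical use on the live system (paths from the article):
#   bom_digests /Library/Receipts > ~/receipts-baseline.txt   # on a clean machine
#   bom_compare ~/receipts-baseline.txt /Library/Receipts     # later, on the suspect one
#   suid_set /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool \
#       && echo "DiskManagementTool is still SUID"
```

A non-zero exit from bom_compare is the signal worth alerting on; an unexpected NEW receipt is as interesting as a CHANGED one, since the attack described above only needs to drop one extra BOM into the directory. Re-run suid_set after any Apple software update, which can restore the bit.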

[Note: the framework 'DaringFireballBlows' as previously listed here was found to be of insignificant relevance and has been removed.]


Don't let its elegant and easy-to-use interface fool you. Beneath the surface of Mac OS X lies an industrial-strength UNIX foundation hard at work to ensure that your computing experience remains free of system crashes and compromised performance. Time-tested security protocols in Mac OS X keep your Mac out of harm's way.
 - Apple Computer

Copyright © Rixstep. All rights reserved.