|Home » Industry Watch
A Leopard Mail Vulnerability
Old tricks come back to haunt.
Apple Mail is again vulnerable to a cheap exploitation in Leopard. This according to Edward Henning of Heise Security. This 'security hole' was given a perfunctory (cheap) band-aid fix for Tiger; now the band-aid's come loose.
Right Hand & Left
The exploit takes advantage of Apple's fundamental indecision re file associations and endemic features of their most popular file system HFS+. Although more advanced utilities such as Rixstep's Xfile and Tracker will pick this up on the spot Apple's default tools - including their notorious Finder - will not.
Apple files can have multiple forks. Some of these are recognised by Apple's Finder. But this very same program won't necessarily show correct information. Files appearing to be image files can in fact hide malicious code and be set not to display images but run malicious code.
The Proof of Concept
Heise have a proof of concept you can obtain from their site for testing. [See link below.] The file 'Heise.jpg' is sent by mail to you; it is 1413 bytes in size with only 75 bytes in the data fork. The rest is in the extended attribute 'com.apple.ResourceFork' - the resource fork.
The data fork is a simple shell script. It does no harm; it just proves the concept.
echo "heise Security: You are vulnerable."
When you open your 'image file' Terminal runs instead, lists a bunch of files on your hard drive, and then prints the message 'you are vulnerable'.
Flashback: Oompa Loompa
Both Kevin Finisterre's 'proof of concept' input managers exploit InqTana and the feared Oompa Loompa which wreaked havoc at MacRumors were released in February 2006. Kevin's intentions were honourable - he wanted to focus attention on the input managers design flaw and InqTana was never released in the wild; Oompa Loompa's intentions were not honourable.
And Oompa Loompa was released in the wild - first at the 'Mac Underground' and then at MacRumors, disguised as - image files.
Unwitting hackers - and clueless MacRumors forum members - double clicked the exploit file thinking they'd see pictures of Britney's new baby and screenshots of Leopard respectively - and most of them never knew what hit them.
Oompa Loompa was not benign; but written in haste it had a number of minor flaws preventing it from becoming more widespread. The author - who communicated anonymously through Tor with this site at the time - admitted knowing of the flaws but expressed no further interest in 'proving his point' which was payback for 'Mac user smugness' and 'fanboy antics'.
Oompa Loompa was a fortunate wake-up call for Apple and OS X users and luckily was not followed by further evolved exploits. Apple proceeded to plug the 'hole' not with a proper security system audit but by what the media in general found less than adequate: they put protective code in their own web applications but left the system itself - and everyone else's web applications such as Firefox, Thunderbird, Camino, Eudora - wide open.
The vulnerability in Leopard Mail discovered by Edward Henning of Heise Security is the same as used by Oompa Loompa almost two years ago.
The Same Story Again in Pictures
The Heise mail bomb - or a malicious mail bomb - comes to your inbox and looks very much the innocuous image file. The icon itself is believable enough. It's a familiar Preview icon. And it says 'JPEG'. However it's the wrong icon - and Apple Mail doesn't catch the trick.
Trying 'open with' here - or anywhere else in the system for that matter - won't warn you off. Terminal's the 'default' to open this file but it's not even listed.
Running a 'slideshow' from inside Mail yields nothing - no image but no clue either.
Trying to 'save' the file likewise yields nothing - things only happen when you try to open it. If you however click on that link in your inbox you'll see the following in Tiger Mail. This is what Edward Henning reports as missing (or unreliable) with Leopard Mail.
But trying to open this file with Xfile immediately gives the game away.
Tracker catches it right away too and even displays the right icon.
Xfile's ACP file info sheet shows something's up too - and again displays the right icon.
Xattr shows what's up in the second data stream.
HexFiend shows it too.
But Leopard Mail - and truth be told OS X in general - won't tell you what's up. Even when it's too late.
I believe that something big is going to happen.
It isn't anything. I opened it in Terminal and it did nothing. I checked the logs and the running processes and there was nothing foul going on.
This is a very very sad day for the Mac platform. I always hoped that this would not happen in my lifetime. I am almost in shock now. I can't believe this is reality. All because of this bastard with his pics. I am extremely pissed, sad, and scared. This guy needs to pay - this is war IMO.
The reason security research on OS X is so interesting is that Apple take the injudicious move of branching off from tried and true Unix code to create something they're rather reluctant to call Unix anymore. Unix has had a good thirty years to mature and more researchers inspecting it by an order of magnitude. Apple use a closed source model and they're venturing out into new territory where the risk for exploits grows geometrically. And they're carrying with them legacy ideas from the birth of NeXT which predates the birth of the web. And they don't listen.
- The Technological
I didn't write it for the press - although I knew that was coming. It was more just because I was annoyed with all the fanboys.
- author of Oompa Loompa to Rixstep
Tracker: No Escape
Rixstep: Xfile Test Drive
Learning Curve: Fanboy Quotes II
Industry Watch: The Chocolate Tunnel
Industry Watch: Oompa Loompa Quotes
Industry Watch: The Legend of Oompa Loompa
Learning Curve: Peeking Inside the Chocolate Tunnel
Heise: Apple Mail in Leopard with the same old error
Heise: Security hole in Mac OS X also affects Apple Mail (Feb 2006)