<article class="post-13402 category-technology">
<h1>Sparkle Updater Vulnerability</h1>
<p><time datetime="2016-02-02T14:11:24">2016-02-02</time> (last modified 2023-05-19) &middot; <a href="https://mjtsai.com/blog/2016/02/02/sparkle-updater-vulnerability/">https://mjtsai.com/blog/2016/02/02/sparkle-updater-vulnerability/</a></p>

<p><a href="https://vulnsec.com/2016/osx-apps-vulnerabilities/">Radek</a>:</p>
<blockquote cite="https://vulnsec.com/2016/osx-apps-vulnerabilities/">
<p>Let&rsquo;s sum up everything to that point:</p>
<ul>
<li>AppCast process is using HTTP that could be intercepted and modified on the fly</li>
<li>We can insert our HTML and JavaScript code into a WebView component to display it to the user</li>
<li>We control the transmission after doing the MITM attack</li>
</ul>
<p>[&#8230;]</p>
<p>The vulnerability is <strong>not</strong> in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).</p></blockquote>

<p>He uses JavaScript and the fact that the Finder is the default FTP handler to mount an attacker-controlled FTP share, so that a <tt>.terminal</tt> file ends up at a known local path. JavaScript then opens the <tt>.terminal</tt> file via a &ldquo;file://&rdquo; URL, executing arbitrary code. I was surprised that this second part is possible. This seems like more of a WebKit vulnerability.</p>

<p><a href="https://www.taoeffect.com/blog/2016/01/sky-not-falling-sparklegate-not-as-bad-as-it-could-be/#comment-194183">Radek</a>:</p>
<blockquote cite="https://www.taoeffect.com/blog/2016/01/sky-not-falling-sparklegate-not-as-bad-as-it-could-be/#comment-194183"><p>This attack works on stock Mac OS X install, and Gatekeeper enabled with both options &ldquo;Mac App Store and identified developers&rdquo; or &ldquo;Mac App Store&rdquo; (the strictest one).</p></blockquote>

<p><a href="https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/">Simone Margaritelli</a> (via <a href="https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/">Greg Slepak</a>):</p>
<blockquote cite="https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/">
<p>I&rsquo;m not going to explain the details of his attack, his post is quite self explanatory, but I&rsquo;ll show you how easy it is to mass pwn OSX machines on your network using the new <a href="https://github.com/evilsocket/bettercap-proxy-modules/blob/master/osxsparkle.rb">OSX Sparkle</a> bettercap proxy module.</p>
<p>Moreover, I improved the attack ... Radek showed how to get RCE using an OSX terminal profile file, <strong>I will show you how to make the target execute any Mach-O executable you want!</strong></p>
</blockquote>
<p>My apps use HTTPS for software update checks, using my own code rather than Sparkle, and JavaScript is disabled.</p>
<p>Update (2016-02-02): <a href="https://twitter.com/rosyna/status/694728522099625984">Rosyna Keller</a>:</p>
<blockquote cite="https://twitter.com/rosyna/status/694728522099625984"><p>That is, Sparkle was <em>explicitly</em> opening every file using LaunchServices by overriding the default WebView handler.</p></blockquote>

<p>Update (2016-02-10): <a href="http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/">Dan Goodin</a>:</p>
<blockquote cite="http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/"><p>Fellow researcher Simone Margaritelli has <a href="https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/">developed a technique that streamlines the attack</a> by allowing it to work with the Metasploit exploit framework. He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of the <a href="http://www.videolan.org/videolan/">VLC Media Player</a>. VLC developers released an update three days ago that patches the vulnerability so that the attack no longer works against the latest version.</p>
<p>[&#8230;]</p>
<p>The precise number of apps affected isn&rsquo;t known because it&rsquo;s not easy to detect all the conditions necessary for them to be vulnerable. Radek estimated the number to be "huge" and said he has confirmed that the list includes Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski told Ars that the <a href="http://hopperapp.com/">Hopper reverse engineering tool</a> and <a href="http://www.dxo.com/us/photography/photo-software/dxo-opticspro">DXO Optics Pro</a> are also susceptible. A longer list of apps that rely on Sparkle is <a href="https://github.com/sparkle-project/Sparkle/issues/717">here</a>, but readers are cautioned that not all of them communicate over insecure HTTP channels or use a vulnerable version of the update framework. Margaritelli said the most recent version of the Adium instant messenger uses HTTPS for updates and isn&rsquo;t vulnerable.</p></blockquote>

<p><a href="http://www.macrumors.com/2016/02/09/sparkle-hijacking-vulnerability/">Juli Clover</a>:</p>
<blockquote cite="http://www.macrumors.com/2016/02/09/sparkle-hijacking-vulnerability/"><p>Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework.</p></blockquote>

<p>Update (2016-02-16): <a href="http://tidbits.com/article/16261">Josh Centers</a>:</p>
<blockquote cite="http://tidbits.com/article/16261">
<p>If you are still worried, how do you figure out which apps are vulnerable? People have offered all sorts of Terminal commands to suss out vulnerable apps, but the best one I&rsquo;ve found comes from <a href="http://www.mackungfu.org/how-to-find-if-your-apps-are-affected-by-the-sparkle-hijack">RussW, a commenter on Mac Kung Fu</a>. His solution checks to see if the app uses both Sparkle and an insecure HTTP connection, and then it prints out a list of those apps in a fairly readable format.</p>
<p>Unfortunately, there are smart quotes in RussW&rsquo;s text that partially break the command (thanks to reader Joe for pointing that out), so I&rsquo;ve created a <a href="http://pastebin.com/4LfdZBMm">Pastebin link with the properly formatted command</a>. Follow that link, copy the command under RAW Paste Data, paste the command in the Terminal window, and press Return. Terminal will list the vulnerable apps in your Applications folder.</p>
</blockquote>

<p>Tags: bug, Gatekeeper, Mac, Mac OS X 10.10 Yosemite, Mac OS X 10.11, security, Sparkle, WebKit</p>
</article>
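<p>Radek&rsquo;s summary above comes down to one property of the feed: anything Sparkle fetches over plain HTTP, and above all anything it then renders in the release-notes WebView, can be rewritten by whoever sits on the network path. The script below is an added example (my code, not Radek&rsquo;s, Sparkle&rsquo;s, or this post&rsquo;s) that audits an appcast the way a developer shipping one would want to: it flags a feed URL that is not HTTPS, a <tt>sparkle:releaseNotesLink</tt> that is not HTTPS (an HTTPS feed does not help if the notes it points at load over HTTP), and enclosures that are not HTTPS or carry no Sparkle signature attribute. The appcast XML and hostnames embedded in it are constructed for the demonstration.</p>

```python
"""Audit a Sparkle appcast for content a network attacker could rewrite.

Added example; not code from the post, from Radek, or from the Sparkle project.
The sample appcast and hostnames below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Sparkle's RSS extension namespace, as declared in every appcast.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample: one item with plain-HTTP release notes, one whose
# enclosure carries no signature attribute.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App Updates</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.com/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/Example-2.0.zip"
                 sparkle:version="200" sparkle:shortVersionString="2.0"
                 sparkle:dsaSignature="MCwCFDummySignatureForDemoOnly==" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://updates.example.com/notes/2.1.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/Example-2.1.zip"
                 sparkle:version="210" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""


def _scheme(url: str) -> str:
    return urlsplit(url.strip()).scheme.lower()


def audit_appcast(xml_text, feed_url: str) -> list:
    """Return human-readable findings, in document order, for one appcast.

    feed_url is the URL the app fetches (its SUFeedURL). If it is not https,
    the whole document, including every link checked below, is writable by a
    man-in-the-middle, which is the condition the Sparkle attack relies on.
    """
    findings = []
    if _scheme(feed_url) != "https":
        findings.append(f"feed {feed_url}: fetched over {_scheme(feed_url) or 'unknown'}, "
                        "so the XML can be rewritten in transit")
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    ns = {"sparkle": SPARKLE_NS}
    for item in ET.fromstring(data).iter("item"):
        title = (item.findtext("title") or "(untitled)").strip()
        # Release notes are loaded into a WebView; over http an attacker can
        # replace them with arbitrary HTML and JavaScript.
        notes = item.find("sparkle:releaseNotesLink", ns)
        if notes is not None and notes.text and _scheme(notes.text) != "https":
            findings.append(f"{title}: release notes {notes.text.strip()} "
                            f"load into the WebView over {_scheme(notes.text)}")
        enc = item.find("enclosure")
        if enc is None:
            continue
        url = enc.get("url", "")
        if _scheme(url) != "https":
            findings.append(f"{title}: enclosure {url} downloaded over {_scheme(url)}")
        # Sparkle 1.x verifies the archive with sparkle:dsaSignature (later
        # versions add sparkle:edSignature); an item with neither relies on
        # transport security alone.
        if not (enc.get(f"{{{SPARKLE_NS}}}dsaSignature") or enc.get(f"{{{SPARKLE_NS}}}edSignature")):
            findings.append(f"{title}: enclosure carries no Sparkle signature attribute")
    return findings


if __name__ == "__main__":
    for line in audit_appcast(SAMPLE_APPCAST, "http://updates.example.com/appcast.xml"):
        print(line)
```

<p>Run against a real feed, pass the fetched XML and the app&rsquo;s actual <tt>SUFeedURL</tt>; the scheme check on the feed URL is deliberately first, because with an HTTP feed every later finding is moot: the attacker simply serves a different document. Note that an item with no <tt>sparkle:releaseNotesLink</tt> has its <tt>&lt;description&gt;</tt> rendered in the WebView instead, which is only as trustworthy as the feed transport.</p>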
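<p>The Terminal command Josh Centers points to checks each app for two conditions, an embedded Sparkle framework and an <tt>http://</tt> feed URL. The script below is an added example, not the post&rsquo;s or RussW&rsquo;s command: it does the same audit with Python&rsquo;s <tt>plistlib</tt>, which reads both XML and binary <tt>Info.plist</tt> files, walks a folder of apps, reports the embedded Sparkle.framework version, and flags any <tt>SUFeedURL</tt> that is plain <tt>http://</tt>. The three bundles it builds in demo mode are constructed stand-ins with made-up names, versions and URLs, not real apps. One caveat the code comments carry: Sparkle can also take the feed URL from user defaults or from the app&rsquo;s updater delegate, so an app with no <tt>SUFeedURL</tt> in its <tt>Info.plist</tt> is not proven safe, which is the same difficulty Goodin&rsquo;s piece notes about detecting all the conditions.</p>

```python
"""Audit a folder of Mac apps for Sparkle and plain-HTTP appcast feeds.

Added example, not from the post or from RussW's command. Reads Info.plist
files with plistlib (XML or binary) and reports the embedded Sparkle version
and the SUFeedURL scheme. Demo bundles are constructed, not real apps.
"""
import plistlib
import sys
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit


def _load_plist(path: Path) -> dict:
    with path.open("rb") as f:
        return plistlib.load(f)  # handles XML and binary plists alike


def sparkle_version(app: Path) -> Optional[str]:
    """Version of the Sparkle.framework embedded in `app`, or None if none is embedded."""
    fw = app / "Contents" / "Frameworks" / "Sparkle.framework"
    if not fw.is_dir():
        return None
    for plist in (fw / "Resources" / "Info.plist",
                  fw / "Versions" / "A" / "Resources" / "Info.plist"):
        if plist.is_file():
            info = _load_plist(plist)
            return str(info.get("CFBundleShortVersionString")
                       or info.get("CFBundleVersion") or "unknown")
    return "unknown"


def feed_url(app: Path) -> Optional[str]:
    """SUFeedURL from the app's Info.plist, or None if absent.

    Sparkle can also obtain the feed URL from user defaults or from the
    updater delegate, so None here does not prove there is no feed.
    """
    plist = app / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    url = _load_plist(plist).get("SUFeedURL")
    return str(url) if url else None


def audit_app(app: Path) -> Optional[dict]:
    version = sparkle_version(app)
    if version is None:
        return None
    url = feed_url(app)
    scheme = urlsplit(url).scheme.lower() if url else ""
    return {"app": app.name, "sparkle": version, "feed": url, "insecure": scheme == "http"}


def audit_directory(root: Path) -> list:
    """Audit every *.app in root and one level below it (e.g. /Applications/Utilities)."""
    apps = set(root.glob("*.app")) | set(root.glob("*/*.app"))
    return [r for r in (audit_app(a) for a in sorted(apps)) if r]


def make_app(root: Path, name: str, sparkle: Optional[str], feed: Optional[str]) -> Path:
    """Write a minimal constructed app bundle for the demo (not a real app)."""
    contents = root / f"{name}.app" / "Contents"
    contents.mkdir(parents=True)
    info = {"CFBundleIdentifier": f"example.{name.lower()}"}
    if feed:
        info["SUFeedURL"] = feed
    with (contents / "Info.plist").open("wb") as f:
        plistlib.dump(info, f)
    if sparkle:
        res = contents / "Frameworks" / "Sparkle.framework" / "Resources"
        res.mkdir(parents=True)
        with (res / "Info.plist").open("wb") as f:  # binary, as shipped frameworks often are
            plistlib.dump({"CFBundleShortVersionString": sparkle}, f, fmt=plistlib.FMT_BINARY)
    return contents.parent


def demo() -> list:
    """Build three constructed bundles in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_app(root, "OldMedia", "1.10.0", "http://updates.example.com/appcast.xml")
        make_app(root, "SafeChat", "1.14.0", "https://updates.example.com/appcast.xml")
        make_app(root, "NoSparkle", None, None)
        return audit_directory(root)


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Applications")
    if not root.is_dir():
        print(f"{root} not found; running the constructed demo instead", file=sys.stderr)
    for r in audit_directory(root) if root.is_dir() else demo():
        status = "INSECURE" if r["insecure"] else ("ok" if r["feed"] else "no SUFeedURL")
        print(f"{status:13} {r['app']:28} Sparkle {r['sparkle']:8} {r['feed'] or '-'}")
```

<p>On a Mac, <tt>python3 sparkle_audit.py /Applications</tt> lists every app embedding Sparkle with its framework version and feed; compare the version against the Sparkle project&rsquo;s release notes rather than trusting the scheme alone, since the fix Clover mentions lives in the framework, and an app can embed a patched Sparkle while still pointing at an <tt>http://</tt> feed, or vice versa.</p>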