Dan on Security
OS X Apps Using Sparkle Updater are Vulnerable to MITM and RCE

OS X applications that use an older version of the Sparkle Updater framework to fetch their updates may be vulnerable to MITM (man-in-the-middle) attacks and RCE (remote code execution). This includes well-known and widely used apps such as VLC, Tunnelblick and SequelPro.

The vulnerability affects applications that do not use HTTPS to retrieve updates. When the update feed is fetched over plain HTTP, an attacker on the same network can perform a MITM attack and replace the server's response. With control of that response the attacker can serve a malicious binary, or inject JavaScript into the release notes Sparkle renders in a WebView, which can open the user's browser and redirect them to a malicious site, or even achieve RCE by exploiting WebKit.

The first vulnerability is the default configuration (http), which is unsafe and leads to RCE via a MITM attack on an untrusted network.

The second is that the WebView component parses file://, ftp:// and other protocols. As a result, an attacker who can replace the appcast XML file on the update server (for example through a security flaw on that server) can target every user of the affected application. This works without knowing the private DSA key, without modifying the application binary on the server, and even over https; once the XML is replaced, no MITM attack is needed.
See the post for further details and a PoC. The workaround for now is to block updates from apps that connect to their update server over HTTP (e.g. with Little Snitch) and to update manually when needed.
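As an added example (not code from the vulnsec.com post or from the Sparkle project), the two checks a practitioner would want after reading the above: whether an installed app's Sparkle feed URL (the SUFeedURL key in Info.plist) is fetched over HTTPS, and whether an appcast hands Sparkle or its release-notes WebView anything fetched over http://, file:// or ftp://, an enclosure without a sparkle:dsaSignature, or inline script in a description. The Sparkle XML namespace, element and key names are Sparkle's own; the example.com URLs, the sample Info.plist and appcast, and the /Applications scan helper are constructed assumptions for the demonstration.

```python
"""Audit helpers for Sparkle-based OS X apps. Added example, not code from
vulnsec.com or the Sparkle project; the sample inputs below are constructed."""
import os
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
NS = {"sparkle": SPARKLE_NS}


def feed_url_finding(info_plist_bytes):
    """Return a finding for a non-HTTPS SUFeedURL in an app's Info.plist, else None."""
    info = plistlib.loads(info_plist_bytes)
    url = info.get("SUFeedURL")
    if not url:
        # Sparkle can also take the feed URL from code, so a missing key is "unknown", not "safe".
        return "SUFeedURL missing from Info.plist; feed URL may be set in code"
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return f"SUFeedURL fetched over {scheme or 'no'} scheme, appcast can be replaced by a MITM: {url}"
    return None


def scan_app_bundle(app_path):
    """Check one installed .app bundle; None if it does not ship Sparkle.framework (assumed layout)."""
    if not os.path.isdir(os.path.join(app_path, "Contents", "Frameworks", "Sparkle.framework")):
        return None
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return feed_url_finding(fh.read()) or "SUFeedURL is HTTPS"


def _scheme_finding(what, url, title):
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return f"{title}: {what} uses {scheme or 'no'} scheme ({url})"
    return None


def audit_appcast(xml_text):
    """Return a list of findings for every <item> in a Sparkle appcast."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        # Release notes are loaded into a WebView, which is where file:// and ftp:// matter.
        for link in item.findall("sparkle:releaseNotesLink", NS):
            f = _scheme_finding("release notes link", (link.text or "").strip(), title)
            if f:
                findings.append(f)
        for enc in item.findall("enclosure"):
            f = _scheme_finding("enclosure", enc.get("url", ""), title)
            if f:
                findings.append(f)
            # The DSA signature covers the update archive only, never the release notes.
            if enc.get(f"{{{SPARKLE_NS}}}dsaSignature") is None:
                findings.append(f"{title}: enclosure has no sparkle:dsaSignature")
        # Inline <description> HTML is rendered in the same WebView.
        desc = (item.findtext("description") or "").lower()
        for marker in ("<script", "file://", "ftp://"):
            if marker in desc:
                findings.append(f"{title}: description contains {marker!r}")
    return findings


# Constructed sample inputs (not real apps or feeds).
SAMPLE_INFO_PLIST_HTTP = plistlib.dumps({"SUFeedURL": "http://updates.example.com/appcast.xml"})
SAMPLE_INFO_PLIST_HTTPS = plistlib.dumps({"SUFeedURL": "https://updates.example.com/appcast.xml"})
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel>
  <item>
    <title>Version 2.0</title>
    <sparkle:releaseNotesLink>https://updates.example.com/notes-2.0.html</sparkle:releaseNotesLink>
    <enclosure url="https://updates.example.com/ExampleApp-2.0.zip" sparkle:version="2.0" sparkle:dsaSignature="constructed-placeholder" type="application/octet-stream"/>
  </item>
  <item>
    <title>Version 1.9 (tampered)</title>
    <sparkle:releaseNotesLink>file:///Applications/ExampleApp.app/Contents/Resources/notes.html</sparkle:releaseNotesLink>
    <description><![CDATA[<h2>What's new</h2><script>window.open("http://attacker.example/")</script>]]></description>
    <enclosure url="http://updates.example.com/ExampleApp-1.9.zip" sparkle:version="1.9" type="application/octet-stream"/>
  </item>
</channel>
</rss>"""

if __name__ == "__main__":
    print(feed_url_finding(SAMPLE_INFO_PLIST_HTTP))
    for f in audit_appcast(SAMPLE_APPCAST):
        print(f)
    apps = "/Applications"  # real scan of installed bundles; only meaningful on OS X
    for name in (sorted(os.listdir(apps)) if os.path.isdir(apps) else []):
        result = scan_app_bundle(os.path.join(apps, name))
        if result:
            print(name, "->", result)
```

Run on a Mac, the main block prints one line per installed app that bundles Sparkle.framework, flagging any whose feed is not HTTPS; the appcast audit is the same check applied to a feed you have fetched yourself, and on the constructed sample it reports the tampered item four times (file:// release notes, http:// enclosure, missing DSA signature, inline script) and the clean item not at all.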

Tags: osx sparkle vulnerability
More from: vulnsec.com
