SecureState Releases New Attack for OS X Lion

Security Company reveals security issues with Apple’s OS X Lion Operating System

(Cleveland, Ohio) SecureState, an information security company, announces a new security issue with Apple's OS X Lion operating system and its captive portal functionality. Members of the SecureState Profiling Team were instrumental in researching and revealing the attack.

Background

Recently, Apple released the newest version of its flagship operating system OS X 10.7 Lion. According to wired.com's live blog of Apple’s press conference, OS X 10.7 has already been downloaded more than 6 million times. Along with numerous new features, the newest version now provides auto-recognition of “captive portals”.

A captive portal is a page that users are redirected to when they join a network. They usually host information about Terms of Service and occasionally a login. Many users typically encounter these when signing on to wireless networks at hotels, coffee shops, or airports. The new feature in OS X 10.7, that has been present in iOS for some time now, is designed to notify users of this portal, so they can accept the terms of service or log in as necessary to ensure that the device has an active network connection. This makes it possible for applications that run in the background, such as email client applications, to continue to function without the user having to check for connectivity when joining a new network.

This new feature also poses a large security risk. When an OS X laptop joins a network, which contains a captive portal, a window is automatically opened to prompt the user to interact with it. This presents a large security issue if an attacker can control this functionality. OS X detects the captive portal by requesting the URL: www.apple.com/library/test/success.html

However, when this request fails (such as when a captive portal is present) the page that is returned will be opened in a special browser window. An important characteristic to note about this feature is that it appears to only affect open wireless networks, not networks encrypted with WEP or WPA.

The Attack

Attackers can control the captive portal page by using already known techniques. Attackers can configure DHCP servers and host rogue DNS servers, poison DNS servers, or even Man in the Middle network segments to intercept the DNS request to www.apple.com.

Once the attacker can redirect traffic from the client to the attacker’s system instead of Apple, they can perform a variety of attacks via JavaScript. This attack can be used to steal the user’s cookies, allowing control of the user’s computer. Although these attacks are nothing new to the browser exploit world, one key factor makes this issue more concerning: this attack vector now requires no user interaction to be initiated.

More details can be found on SecureState’s OS X Lion Captive Portal Hijacking Attack blog post.

Find out more about the tools related to this attack here:
BeEF: www.beefproject.com
Metasploit: www.metasploit.com

About SecureState

SecureState provides information security assessments and information protection to help our clients obtain and maintain their desired state of security. SecureState information protection consultants work to provide the very best physical, logical and personnel security services through audit and compliance, attack and penetration tests, data forensics, and security program building. Our clients span a variety of industries giving SecureState the experience of working in unique environments. We take that experience, combined with our consultants' experience of working for Military Intelligence, Big X Consulting, government agencies and various other law enforcement entities, and apply it to your organization.