Nat! bio photo

Nat!

Senior Mull

Twitter Github Twitch

Mulle kybernetiK

mulle-objc

Mulle kybernetiK TV

Updating to 10.9.2 for security reasons, but the biggest backdoor is still there [updated]

So even if 10.9.2 removes "goto fail", one wonders which interesting new security problems will it bring me ? After all Obama really needs all the information he can get.

Another question I asked myself was: Is Software Update actually contacting Apple servers or am I being served a compromised update with even more security holes by the NSA ?

No https, no certificates

Hmm, so lets see, is the download going through https ? I doubt it, downloads from support.apple.com are all by http and https isn't even supported by the servers. So there is no certificate to check the validity of swcdn.apple.com or support.apple.com, meaning a poisoned DNS entry could send me to fake servers.

Who serves me the update ?

Little Snitch tells me I am actually downloading from 


swcdn.apple.com.c.footprint.net
Server:     192.168.2.1
Address:    192.168.2.1#53

Non-authoritative answer:
Name:   swcdn.apple.com.c.footprint.net
Address: 4.23.39.254
Name:   swcdn.apple.com.c.footprint.net
Address: 207.123.48.126
Name:   swcdn.apple.com.c.footprint.net
Address: 4.23.38.254

tcpdump says I am getting the packets from 8.27.133.254. And what does traceroute say ?


kempe:~ nat$ sudo /usr/sbin/traceroute 8.27.133.254
traceroute to 8.27.133.254 (8.27.133.254), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  0.806 ms  0.725 ms  0.615 ms
 2  fabian (192.168.1.1)  1.937 ms  1.878 ms  1.624 ms
 3  fritz.box (192.168.5.248)  2.214 ms  2.199 ms  2.248 ms
 4  xxxx-xxxx-de0x.nw.mediaways.net (x.x.x.x)  713.684 ms  829.704 ms  652.302 ms
 5  xxxx-xxxx-de0x-chan-xx.nw.mediaways.net (x.x.x.x)  26.494 ms  25.655 ms  27.233 ms
 6  xxxx-xxxx-de0x-xe-0-x-x.nw.mediaways.net (62.53.2.140)  66.522 ms  239.739 ms  497.485 ms
 7  rmwc-dsdf-de02-xe-1-0-3-0.nw.mediaways.net (62.53.1.222)  620.301 ms
    rmwc-dsdf-de02-xe-0-1-0-0.nw.mediaways.net (62.53.1.220)  737.256 ms  896.806 ms
 8  xmwc-dsdf-de02-chan-5.nw.mediaways.net (62.53.0.161)  31.221 ms  32.206 ms  31.614 ms
 9  dialup-212.162.17.145.frankfurt1.mik.net (212.162.17.145)  912.939 ms  909.899 ms  917.762 ms
10  vl-3105-ve-135.ebr1.dusseldorf1.level3.net (4.69.161.161)  971.423 ms  1012.815 ms  1002.612 ms
11  ae-1-3102.edge4.dusseldorf1.level3.net (4.69.161.138)  997.428 ms  62.026 ms  70.390 ms
12  * * *
13  * * *
14  * * *
15  * * *

dialup-212.162.17.145.frankfurt1.mik.net WTF ?

I just love to see a router with a name like dialup-212.162.17.145.frankfurt1.mik.net in traceroute. Predictably by that name, it's also upping the ping times to close to a second. Now obviously something is accidentally or purposefully going wrong there. Who is mik.net ? According to who.is it's just an american parked domain and always has been that way. Why would they have a reverse lookup IP and be situated in Frankfurt ? Why not it's a global world.. :)

Let's make another traceroute from a different machine:


root@muller:/home/nat # traceroute 8.27.133.254
traceroute to 8.27.133.254 (8.27.133.254), 64 hops max, 52 byte packets
 1  static.1.30.9.5.clients.your-server.de (5.9.30.1)  1.214 ms  1.407 ms  0.742 ms
 2  hos-tr4.juniper2.rz16.hetzner.de (213.239.223.225)  0.503 ms
    hos-tr2.juniper1.rz16.hetzner.de (213.239.222.97)  10.624 ms
    hos-tr3.juniper2.rz16.hetzner.de (213.239.223.193)  53.773 ms
 3  core21.hetzner.de (213.239.245.93)  0.385 ms
    core22.hetzner.de (213.239.245.133)  0.444 ms
    core21.hetzner.de (213.239.245.93)  0.604 ms
 4  core11.hetzner.de (213.239.245.225)  3.108 ms
    core12.hetzner.de (213.239.245.29)  4.215 ms
    core12.hetzner.de (213.239.245.214)  3.172 ms
 5  juniper4.rz2.hetzner.de (213.239.245.26)  3.125 ms  3.200 ms
    juniper4.rz2.hetzner.de (213.239.203.138)  3.051 ms
 6  ae55.edge7.Frankfurt1.Level3.net (195.16.162.253)  7.484 ms
    ae51.bar2.Munich1.Level3.net (62.140.25.101)  9.544 ms  9.626 ms
 7  vlan80.csw3.Frankfurt1.Level3.net (4.69.154.190)  11.282 ms
    ae-18-18.ebr2.Berlin1.Level3.net (4.69.153.250)  25.528 ms
    vlan90.csw4.Frankfurt1.Level3.net (4.69.154.254)  11.273 ms
 8  ae-63-63.ebr3.Frankfurt1.Level3.net (4.69.163.1)  11.493 ms
    ae-28-28.ebr2.Dusseldorf1.Level3.net (4.69.200.173)  19.093 ms
    ae-63-63.ebr3.Frankfurt1.Level3.net (4.69.163.1)  11.464 ms
 9  ae-2-3202.edge4.Dusseldorf1.Level3.net (4.69.161.142)  18.994 ms
    ae-45-45.ebr1.Dusseldorf1.Level3.net (4.69.143.165)  11.486 ms
    ae-2-3202.edge4.Dusseldorf1.Level3.net (4.69.161.142)  18.954 ms
10  ae-1-3102.edge4.Dusseldorf1.Level3.net (4.69.161.138)  11.355 ms * *
11  * * *
12  * * *

No mik.net there. So everything converges at ae-1-3102.edge4.Dusseldorf1.Level3.net (4.69.161.138).

Transparent Level3 proxy for opacity

swcdn.apple.com.c.footprint.net is like a subdomain running on c.footprint.net footprint.net itself is some domain used by Level3. The server at c.footprint.net is apparently some kind of Apache server running the Foot Print Managed Cache Protocol FPMCP 4.8

This presumably acts as a transparent proxy, redirecting and/or caching traffic for swcdn.apple.com.

No proxy and no mik.net with support.apple.com


kempe:~ nat$ sudo /usr/sbin/traceroute supportdownload.apple.com
Password:
traceroute: Warning: supportdownload.apple.com has multiple addresses; using 2.16.218.146
traceroute to a781.gi3.akamai.net (2.16.218.146), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  0.863 ms  0.830 ms  0.728 ms
 2  fabian (192.168.1.1)  1.993 ms  1.859 ms  2.047 ms
 3  fritz.box (192.168.5.248)  2.049 ms  2.192 ms  1.981 ms
 4  xxxx-xxxx-de0x.nw.mediaways.net (x.x.x.x)  713.684 ms  829.704 ms  652.302 ms
 5  xxxx-xxxx-de0x-chan-xx.nw.mediaways.net (x.x.x.x)  26.494 ms  25.655 ms  27.233 ms
 6  xxxx-xxxx-de0x-xe-0-x-x.nw.mediaways.net (62.53.2.140)  66.522 ms  239.739 ms  497.485 ms
 7  rmwc-dsdf-de02-xe-0-1-0-0.nw.mediaways.net (62.53.1.220)  106.696 ms  106.996 ms  102.321 ms
 8  rmwc-dsdf-de01-chan-6-0.nw.mediaways.net (62.53.1.92)  85.159 ms  107.993 ms  102.052 ms
 9  213.140.50.148 (213.140.50.148)  102.359 ms
    xe4-0-3-0-grtdusix1.253.52.176.in-addr.arpa (176.52.253.169)  103.872 ms
    213.140.50.148 (213.140.50.148)  103.209 ms
10  xe-5-1-3-0-grtfraix4.red.telefonica-wholesale.net (94.142.120.250)  106.925 ms  99.661 ms
    so3-1-2-0-grtfraix4.red.telefonica-wholesale.net (94.142.121.6)  106.702 ms
11  172.52.252.174 (172.52.252.174)  98.832 ms  101.219 ms  97.487 ms
12  a2.18-218-146.deploy.akamaitechnologies.com (2.16.218.146)  107.367 ms  95.680 ms  106.963 ms

But in the end, I have no idea what I am being served. "Software Update" is a giant backdoor, noone talks about.

Using Software Update to destroy a machine

Coincidentally, just a day after I posted this, someone presented an attack on Macs by fake firmware, which I assume was delivered via Software Update: RSA security attack demo deep-fries Apple Mac components .

Nice.