Core Security Technologies identifies Mac OS X sandbox hole

Although Apple plans to require sandboxing in all third-party Mac App Store apps as of March 2012, it sounds as though Apple needs to get its own sandbox in order first. Researchers at Core Security Technologies have found a way to circumvent the sandboxing restrictions built into Mac OS X.
According to the researchers, "sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox."
The researchers point out that Charlie Miller addressed a similar issue in a talk at Black Hat Japan 2008, so this is not strictly a new issue. Apple did make some modifications to its sandboxing after Miller's talk, but it seems some exploitable holes still remain.
Apple has apparently been aware of this issue for some time. The researchers point out that Apple's "App Sandbox Design Guide" states that "applications that require sending Apple events to other arbitrary applications are not suitable for sandboxing," and they speculate this is because "some developer tools restrict Apple events by default while defining the sandbox. The reason for this is that, as we show here, by dispatching Apple events a process can escape the sandbox."
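As an added illustration (not taken from the article, from Apple, or from Core Security), the two profiles below contrast a "no network only" policy with one that also denies Apple event dispatch, which is the mitigation the design guide's wording implies; the text of the first profile is a constructed approximation of what kSBXProfileNoNetwork expresses, not Apple's actual profile.

```scheme
;; weak.sb -- constructed approximation of the no-network policy.
;; Assumption: this mirrors the intent of kSBXProfileNoNetwork, not its exact text.
;; The process cannot open sockets itself, but it can still send Apple events,
;; so it can ask an unsandboxed application to fetch or transmit data on its behalf.
(version 1)
(allow default)
(deny network*)

;; hardened.sb -- the same policy with outbound Apple events denied as well.
;; A process confined this way cannot script other applications, which closes
;; the "ask another app to use the network for me" route described above.
;; Run with: sandbox-exec -f hardened.sb /path/to/app   (path is a placeholder)
(version 1)
(allow default)
(deny network*)
(deny appleevent-send)
(debug deny)   ; log every denied operation so attempts show up in the system log
```

An application that legitimately scripts other apps will break under the second profile; that is exactly the case the design guide says is not suitable for sandboxing.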
Core Security Technologies' researchers provided Threat Post with one possible scenario that could result from this flawed sandboxing implementation: If you're running a third-party address book app as a sandboxed process, an attacker could provide you with a file containing both his contact information and code that allows him to take control of the app. While Apple's sandboxing would prevent him from spreading that code beyond the address book app itself, it would not stop him from sending the app's contents back to himself, including any contact information you'd put into it.
It seems likely this is something Apple will address relatively soon now that it's been publicized, either via a standalone security update or in a dot-update to OS X itself.
These kinds of holes will continue to crop up as long as sandboxing is an add-on. Apple needs to step back and rethink this add-on approach replacing it with low level core OS functionality that is fully congruent with all other core functions, especially inter-application communication. The challenge is to develop ways and means to disallow bad behavior without also disallowing the things that make the OS useful.
November 15 2011 at 9:06 AM

I think there's a bit of hand waving at the "allow him to send the app's contents back to himself" that is very significant and not so easily overcome.
November 14 2011 at 6:54 PM

No, this is the part that is significant and non-trivial:
> an attacker could provide you with a file containing both his contact information and code that allows him to take control of the app.
The first step is actually finding a buffer overflow bug or whatever in the address book's contact importer to begin with that allows you to run arbitrary code. If that part is possible, the attacker is already even in a perfect sandbox able to at least nuke all your addresses. Also, since I suppose the profile we're talking about is a "No network" sandbox, most of this is moot because very few apps these days require no network access. So, sending things inside the app to the Internet can occur already if you are using an app with that bad of a buffer overflow bug combined with a (more common) network-enabled sandbox.
Sounds like exactly the kind of security hole Growl is dependent on to work. Can anyone confirm or debunk?
November 14 2011 at 6:34 PM