ssh Protocol Vulnerability

June 8, 2004: v.1.5: Link to page on Apple's 6/7 Security Update added.

May 25, 2004: v.1.4: Related Information links added.

May 25, 2004: v.1.3: The paragraph on how ssh must be set up has been made more precise, thanks to comments by John Gruber.

May 24, 2004: v.1.0: Page created.

There is an informative discussion of a critical Mac OS X security flaw here. The flaw exploits the Mac's ability to run various applications or perform other tasks in specified in URLs that invoke various protocols. For example, the disk:// protocol can mount a disk image. This convenient mechanism was implemented with little regard for security; it is trivial to construct URLs that execute arbitrary code on a web surfer's machine.

Apple is providing patches, but so far they are not sufficient. To protect yourself, install the free RCDefaultApp, which allows you to remap the protocol helpers (MoreInternet is not good enough). Disable the disk, (and disks?), ftp, help, aft, telnet, and ssh protocols. Applescript looks dangerous, but word is that it's not. All of these are discussed here, except ssh (well, it will be too when I add my comment).

You must also disable the ssh protocol. Ssh is an encrypted form of telnet. It can optionally execute an arbitrary command on the host machine as part of its invocation. If the malicious url uses the ssh:// protocol and tells your machine to connect to itself, and if you have remote logins enabled, and if you have connected to your own machine with ssh in the past (so that the localhost will be accepted as a known host) and if you have created credential files so that no password will be requested, then the Terminal program will open a new window with an ssh connection to your own machine and immediately execute the command specified in the malicious url.

Here is a demonstration. This URL only executes the command "hostname", which simply tells you the name of your computer. Then it sleeps for a while so you can see the output in case you have set windows to go away upon process completion. However, any malicious code could be substituted for the command executed by this URL:

 

Click here for a demonstration of the ssh protocol vulnerability.

Related Information

Another ssh vulnerability, involving disk image mounting as well.

Limited but typically clear-headed discussion by Matt Neuburg.

Apple Security Update 2004-06-07.