
Hole-y Leopard!

A first-hand look at the problems with the firewall in the new Mac OS X release

3:26 PM -- I did a fresh install of Mac OS X Leopard the other night. I was looking forward to all of the new features, most of which I didn't even know about. I like running the latest and greatest versions, so Leopard seemed like a good fit.

Apple had been advertising how much more secure Leopard was (cue Kanye West's song "Stronger," with Leopard being "harder, better, faster, stronger"), but within days of its release, security researchers were already picking it apart. I've always been happy with the firewalling within Mac OS X, which uses ipfw. The firewall GUI has always been lackluster, but manual configuration is easy because of ipfw's simple rule language. (See "Leopard With Chinks in Its Armour.")

But researchers say Leopard's firewall is full of holes. (If you were near my office yesterday, you would have heard me yelling about how their test must be flawed.) So, as with other claims against something I like, I recreated the test myself. I set up an old laptop with Xubuntu and connected it to my MacBook Pro with a crossover cable. After setting up the IPs and confirming that they could ping and SSH into each other, I set forth to prove the claims wrong.

But it turns out they were right. The "set access for specific services and applications" firewall setting might as well be the "allow all incoming connections" default. If you thought setting this parameter and allowing SSH would only permit TCP port 22 inbound, you're wrong (as was I). In his test, Jürgen Schmidt used netcat to listen on a local port, and the firewall opened up to allow access to that port. When the firewall setting was changed to "block all incoming connections," access to the netcat listener was blocked. But how many people want to enable SSH, Web sharing, Bonjour, or Remote Desktop on their Leopard machines?

The firewall settings do nothing for UDP. Even at "block all incoming connections," I was able to connect from my Xubuntu laptop to the NTP daemon (ntpd) on my Leopard laptop. I still haven't figured out why Leopard has an NTP daemon accepting connections, but the fact that it is accessible even when all incoming connections are supposed to be blocked is more disturbing.

The firewall logs used to be stored in "/var/log/ipfw.log" in Tiger (Mac OS X 10.4), but are now stored in "/var/log/appfirewall.log." I guess this change is because the Leopard firewall has been enhanced to be application-aware, which is why it opened up to the netcat listener. The other big change is that the rules are no longer visible by running "sudo ipfw list." The only rule listed by ipfw when "block all incoming connections" is set is "65535 allow ip from any to any." That's essentially an anti-firewall rule: it does nothing, or in other words, it allows everything.

There is hope, though. WaterRoof is a GUI frontend to ipfw for Mac OS X and it works well with Leopard. The only issue I've found is that it still expects the logs to be in "/var/log/ipfw.log," so clicking on the view logs button comes up empty. For those of you squeamish about configuring the firewall, the pre-configured rule sets are solid and will work for you out of the box. Just tune the Leopard firewall setting to "allow all incoming connections" and manage everything with WaterRoof. You will have to build your own UDP firewall rules, because there are none included by default. UDP rules tend to get sticky, so at a minimum, deny inbound UDP for ports 123, 5353, and 5454 to cover possible vulnerabilities in NTP and Bonjour.
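As an added example (not code from the post or from WaterRoof), here is a small POSIX shell script that prints the three inbound UDP deny rules suggested above in ipfw syntax and flags the Leopard state described earlier, where `sudo ipfw list` shows only rule 65535. The rule numbers, the interface name, and the sample `ipfw list` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ipfw UDP deny rules the
# post recommends and checks an `ipfw list` dump for the "anti-firewall" state.
# Assumptions: Mac OS X 10.4/10.5 ipfw syntax; rule numbers and the interface
# name are placeholders chosen here.

UDP_PORTS="123 5353 5454"   # NTP, Bonjour/mDNS, and the third port named in the post
BASE_RULE=1000              # constructed starting rule number

# Print the ipfw commands (one per port) that deny and log inbound UDP on "$1".
# Rules are printed rather than executed so they can be reviewed before running.
ipfw_udp_deny_rules() {
    iface="$1"
    n=$BASE_RULE
    for p in $UDP_PORTS; do
        printf 'ipfw add %d deny log udp from any to me %s in via %s\n' "$n" "$p" "$iface"
        n=$((n + 10))
    done
}

# Given the text of `sudo ipfw list`, answer "yes" when the only rule present is
# the implicit 65535 allow-all (what the post saw under "block all incoming
# connections"), otherwise "no".
ipfw_is_effectively_open() {
    list="$1"
    rules=$(printf '%s\n' "$list" | grep -c '^[0-9]' || true)
    if [ "$rules" -eq 1 ] && printf '%s\n' "$list" | grep -q '^65535 allow ip from any to any'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample of what `sudo ipfw list` printed on Leopard, per the post.
LEOPARD_DEFAULT_LIST='65535 allow ip from any to any'

# Constructed sample after one of the deny rules above has been added.
LEOPARD_WITH_RULES='01000 deny log udp from any to me dst-port 123 in via en0
65535 allow ip from any to any'

# Usage: print the rules for en0, then classify both samples.
ipfw_udp_deny_rules en0
ipfw_is_effectively_open "$LEOPARD_DEFAULT_LIST"   # yes
ipfw_is_effectively_open "$LEOPARD_WITH_RULES"     # no
```

Pipe the printed rules into `sudo sh` only after checking them against the interface names on your own machine.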

Even though the firewall may have been flawed to begin with in Leopard, I'm confident that I'm well-protected from network-based threats, using my custom rules. If you're thinking about upgrading, heed the warnings about Leopard's firewall: It's not on by default, and even at its most restrictive setting, it still lets in UDP, and the daemons listening on UDP ports may be vulnerable.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
