Hole-y Leopard!

A first-hand look at the problems with the firewall in the new version of Mac OS X

3:26 PM -- I did a fresh install of Mac OS X Leopard the other night. I was looking forward to all of the new features, most of which I didn't even know about. I like running the latest and greatest versions, so Leopard seemed like a good fit.

Apple had been advertising how much more secure Leopard was (cue Kanye West's song "Stronger" but with Leopard being "harder, better, faster, stronger"), but within days of its release, security researchers were already picking it apart. I've always been happy with the firewalling within Mac OS X, using ipfw. The firewall GUI has always been lackluster, but manual configuration is easy because of ipfw's simplified rule language (See Leopard With Chinks in Its Armour.)

But researchers say Leopard's firewall is full of holes. (If you were near my office yesterday, you would have heard me yelling about how their test must be flawed.) So, like other claims against something I like, I recreated the test myself. I set up an old laptop with Xubuntu and connected it to my MacBook Pro with a crossover cable. After setting up the IPs and confirming they could ping and SSH into each other, I set forth to prove the claims wrong.

But it turns out they were right. The "set access for specific services and applications" firewall setting might as well be the "allow all incoming connections" default. If you thought setting this parameter and allowing SSH would only permit TCP port 22 inbound, you're wrong (as was I). In his test, Jürgen Schmidt used netcat to listen on a local port, and the firewall opened up to allow access to that port. When the firewall setting was changed to "block all incoming connections," access to the netcat listener was blocked. But how many people want to enable SSH, Web sharing, Bonjour, or Remote Desktop on their Leopard machines?

The firewall settings do nothing for UDP. Even at "block all incoming connections," I was able to connect from my Xubuntu laptop to the NTP daemon (ntpd) on my Leopard laptop. I still haven't figured out why Leopard has an NTP daemon accepting connections, but the fact that it is accessible even when all incoming connections are supposed to be blocked is more disturbing.

The firewall logs used to be stored in "/var/log/ipfw.log" in Tiger (Mac OS X 10.4), but are now stored in "/var/log/appfirewall.log." I guess this change is because the Leopard firewall has been enhanced to be application-aware, which is why it opened up to the netcat listener. The other big change is the rules are no longer visible by running "sudo ipfw list." The only rule listed by ipfw when "block all incoming connections" is set is "65535 allow ip from any to any." That's essentially an anti-firewall rule: It does nothing. Or in other words, it allows everything.

There is hope, though. WaterRoof is a GUI frontend to ipfw for Mac OS X and it works well with Leopard. The only issue I've found is that it still expects the logs to be in "/var/log/ipfw.log," so clicking on the view logs button comes up empty. For those of you squeamish about configuring the firewall, the pre-configured rule sets are solid and will work for you out of the box. Just tune the Leopard firewall setting to "allow all incoming connections" and manage everything with WaterRoof. You will have to build your own UDP firewall rules, because there are none included by default. UDP rules tend to get sticky, so at a minimum, deny inbound UDP for ports 123, 5353, and 5454 to cover possible vulnerabilities in NTP and Bonjour.
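To make the advice above concrete, here is an added example (not code from the original post, and not WaterRoof's own rule sets) that builds an ipfw rule set for a Leopard host whose GUI firewall has been set to "allow all incoming connections". It permits only the TCP services the owner opted into, denies inbound UDP to ports 123, 5353 and 5454, and ends with an explicit deny instead of relying on the default "65535 allow ip from any to any". The service list, rule numbers and the sample packets in the `decide` helper are constructed values; the helper exists to show why ordering matters, since ipfw stops at the first matching rule.

```python
"""ipfw rule set for a Leopard host that manages its real policy in ipfw.

Added example, not code from the original post or from WaterRoof. Rule
numbers, the service list and the sample packets are constructed values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "check-state"
    proto: str = "ip"                 # "ip" matches tcp, udp and icmp alike
    dport: Optional[int] = None       # None matches any destination port
    direction: Optional[str] = None   # "in", "out", or None for both
    log: bool = False                 # ipfw "log" keyword, records hits in the ipfw log
    extra: str = ""                   # trailing ipfw keywords, emitted verbatim

    def text(self) -> str:
        """Render as a line ipfw accepts from a file: `add <number> <body>`."""
        if self.action == "check-state":
            return f"add {self.number} check-state"
        src, dst = {"in": ("any", "me"), "out": ("me", "any")}.get(self.direction, ("any", "any"))
        port = f" {self.dport}" if self.dport is not None else ""
        body = f"{self.action}{' log' if self.log else ''} {self.proto} from {src} to {dst}{port}"
        tail = " ".join(x for x in (self.direction or "", self.extra) if x)
        return f"add {self.number} {body}" + (f" {tail}" if tail else "")

    def matches(self, proto: str, dport: int, direction: str) -> bool:
        """Static first-match test; dynamic state (check-state) is not modelled."""
        if self.action == "check-state" or "via lo0" in self.extra:
            return False
        return (self.proto in ("ip", proto)
                and self.dport in (None, dport)
                and self.direction in (None, direction))


ALLOWED_TCP_SERVICES = {"ssh": 22, "web": 80}   # assumption: what the owner enabled
DENIED_UDP_INBOUND = (123, 5353, 5454)          # ports named in the article


def build_ruleset(allowed_tcp=ALLOWED_TCP_SERVICES, denied_udp=DENIED_UDP_INBOUND):
    """Rules in evaluation order; ipfw stops at the first match."""
    rules = [
        Rule(100, "allow", extra="via lo0"),    # leave loopback alone
        Rule(200, "check-state"),               # replies to flows we opened ourselves
    ]
    n = 300
    for _, port in sorted(allowed_tcp.items(), key=lambda kv: kv[1]):
        rules.append(Rule(n, "allow", "tcp", port, "in", extra="setup keep-state"))
        n += 10
    n = 400
    for port in denied_udp:
        rules.append(Rule(n, "deny", "udp", port, "in", log=True))   # logged for review
        n += 10
    rules += [
        Rule(500, "allow", "tcp", None, "out", extra="setup keep-state"),
        Rule(510, "allow", "udp", None, "out", extra="keep-state"),
        Rule(600, "allow", "icmp", extra="icmptypes 0,3,8,11"),
        Rule(65000, "deny", "ip", None, "in", log=True),   # explicit default deny inbound
    ]
    return rules


def render(rules) -> str:
    """Text for `sudo ipfw -q <file>`, or for pasting into WaterRoof's rule editor."""
    return "\n".join(r.text() for r in rules) + "\n"


def decide(rules, proto: str, dport: int, direction: str):
    """First-match verdict for a packet described by (proto, dport, direction)."""
    for r in rules:
        if r.matches(proto, dport, direction):
            return r.action, r.number
    return "allow", 65535      # ipfw's default rule on Leopard: allow everything


if __name__ == "__main__":
    print(render(build_ruleset()), end="")
```

Because `check-state` sits at rule 200, replies to the host's own outbound NTP queries (created by the `keep-state` on rule 510) are still accepted even though rule 400 denies unsolicited inbound UDP to port 123. Dropping the final rule 65000 is what turns any unmatched inbound packet into an "allow" at 65535, which is exactly the behaviour the article observed.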

Even though the firewall may have been flawed to begin with in Leopard, I'm confident that I'm well-protected from network-based threats, using my custom rules. If you're thinking about upgrading, heed the warnings about Leopard's firewall: It's not on by default, and even at its most restrictive setting, it still lets in UDP, and the daemons listening on UDP ports may be vulnerable.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
