
Cutting into the Client Side

In the document The Mac (Page 90-95)

The attack surface when attacking Mac OS X clients is much larger than when restricting yourself to the server side. Any application that accesses the Internet is a potential target (as are many that don't). Mac OS X is founded on the principle that things should be easy for the user; they should just work. For an attacker, this means the operating system is designed to handle a large number of formats and protocols automatically. For example, Safari will view just about any file format you can imagine. The key to determining the client-side attack surface is to understand exactly what types of files and protocols each application is willing to consume. And understanding that relies on understanding the relationship between the applications and the files they process.

Each application has an Info.plist file that declares the known URL protocols, extensions, MIME types, and file types the application can handle. In Mac OS X, LaunchServices is responsible for determining what application is associated with a given file type or extension. An application will get registered with LaunchServices whenever it is first put on disk and its Info.plist file is processed.

Note that, typically, downloading an application from the Internet will present the user with a warning, which prevents an attacker from automatically registering application associations without the user's knowledge.

The prototypical client-side application is Safari, the default web browser in Mac OS X. Look at its Info.plist file, which you can find at /Applications/Safari.app/Contents/Info.plist. What follows is the beginning of this file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Application-Group</key>
<string>dot-mac</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleDocumentTypes</key>
<array>

Chapter 3 Attack Surface 73

The first important key is CFBundleDocumentTypes. This indicates the types of documents supported by the bundle. In this case it is an array of such types.

The first is a CSS style sheet. This type of document has a file extension of .css and a MIME type of text/css. Based on the CFBundleTypeRole, Safari is registered as a viewer of this type. The next entry in the array is a PDF document, for which Safari is also a viewer.

The following list reveals what each key means in the CFBundleDocumentTypes array.

CFBundleTypeExtensions: The file name extension for the file

CFBundleTypeIconFile: The icon in the bundle that Finder should associate with the file type

CFBundleTypeMIMETypes: The MIME type for the file

CFBundleTypeName: The text that will be shown in Finder to describe the file

95363c03.indd 73


CFBundleTypeRole: Specifies whether the program can open (Viewer), open and save (Editor), or is simply a shell to another program

LSIsAppleDefaultForType: Specifies whether the bundle should be the default application for this type

As we mentioned earlier, LaunchServices compiles all of this application information and stores it in a database. Querying this database, for example, determines what application is launched when a file is double-clicked in a Finder window. This database can be viewed by the lsregister program, as seen in the following output.

native-app scriptable services ppc i386
icon: Contents/Resources/compass.icns
rank: Default
roles: Viewer
flags: apple-internal relative-icon-path
icon: Contents/Resources/document.icns
bindings: .pdf, application/pdf
---…

The information from Info.plist is seen in the database. A graphical tool called RCDefaultApp (http://www.rubicode.com/Software/RCDefaultApp/) queries the LaunchServices database and presents the information in a more coherent form; see Figure 3-4.

Figure 3-4: RCDefaultApp reveals that files with an atr extension are associated with QuickTime Player.

In this figure, RCDefaultApp indicates that any file with the extension ".atr" will be opened by the QuickTime Player. This particular file format is not used very often and therefore the code may not be well tested. Such obscure file formats can be fertile grounds for fuzzing; see Chapter 5, "Finding Bugs."

RCDefaultApp can be used to find the application for each file format that the operating system recognizes.

Safari

Safari is the most feature-rich web browser in existence. Features, of course, require code, and additional code increases the attack surface. In this section you will see how to determine all the functionality accessible to an attacker when a Safari web browser visits the attacker’s website.

Safari handles a number of file formats and MIME types natively and has extensive support for file formats with built-in plug-ins. The LaunchServices database (derived from the Info.plist file and accessible via RCDefaultApp or from the Info.plist file directly) reveals the file types that are handled natively:

$ cd /Applications/Safari.app/Contents
$ grep -A3 CFBundleTypeExtensions Info.plist | grep string
<string>css</string>
<string>pdf</string>
<string>webarchive</string>
<string>syndarticle</string>
<string>webbookmark</string>
<string>webhistory</string>
<string>webloc</string>
<string>download</string>
<string>gif</string>
<string>html</string>
<string>htm</string>
<string>js</string>
<string>jpg</string>
<string>jpeg</string>
<string>jp2</string>
<string>txt</string>
<string>text</string>
<string>png</string>
<string>tiff</string>
<string>tif</string>
<string>url</string>
<string>ico</string>
<string>xhtml</string>
<string>xht</string>
<string>xml</string>
<string>xbl</string>
<string>svg</string>

This list includes all file types handled remotely or locally, so they should be checked individually if you are looking for particular file types to attack remotely. For example, browsing to a "webarchive" file over the Internet will only download the file, not display it in Safari. Safari will natively render PDF, JPG, PNG, TIF, ICO, and SVG image formats. It also parses JavaScript, HTML, and XML.
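The following is an added example, not code from the book, from Apple, or from the Safari project. It parses the CFBundleDocumentTypes keys explained earlier (extension, MIME type, role, LSIsAppleDefaultForType) with Python's standard-library plistlib, and then models the LaunchServices lookup in the way the text describes: several bundles register their claims and a query for an extension or MIME type returns the handler. It goes beyond the page in covering several applications at once and in replacing the grep -A3 pipeline above, which silently drops an extension whenever the array layout differs from what the three-line window expects. Everything in it is constructed: the two plists are hand-written stand-ins (ExampleBrowser, ExamplePlayer), and the resolution rule (an LSIsAppleDefaultForType claim wins, otherwise the first claim registered) is an assumption for illustration, not LaunchServices' documented ranking.

```python
"""Added example: enumerate CFBundleDocumentTypes claims from Info.plist files and
model a LaunchServices-style lookup table.  Inputs are constructed; the
resolution rule in resolve() is an assumption, not LaunchServices' real ranking."""
import plistlib
from collections import defaultdict

# Constructed Info.plist for a browser-like bundle: two Viewer claims, as in the text.
BROWSER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleBrowser</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeName</key><string>CSS style sheet</string>
      <key>CFBundleTypeExtensions</key><array><string>css</string></array>
      <key>CFBundleTypeMIMETypes</key><array><string>text/css</string></array>
      <key>CFBundleTypeRole</key><string>Viewer</string>
    </dict>
    <dict>
      <key>CFBundleTypeName</key><string>PDF document</string>
      <key>CFBundleTypeExtensions</key><array><string>pdf</string></array>
      <key>CFBundleTypeMIMETypes</key><array><string>application/pdf</string></array>
      <key>CFBundleTypeRole</key><string>Viewer</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed player-like bundle: claims an obscure extension as Apple default
# and also claims .pdf as an Editor, so the two bundles contest .pdf.
PLAYER_PLIST = b"""<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExamplePlayer</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeExtensions</key><array><string>atr</string></array>
      <key>CFBundleTypeRole</key><string>Viewer</string>
      <key>LSIsAppleDefaultForType</key><true/>
    </dict>
    <dict>
      <key>CFBundleTypeExtensions</key><array><string>pdf</string></array>
      <key>CFBundleTypeRole</key><string>Editor</string>
    </dict>
  </array>
</dict>
</plist>
"""


def document_claims(plist_bytes):
    """Yield (app, binding, role, is_default) per extension or MIME type claimed in
    CFBundleDocumentTypes.  Extensions are normalised to lower-case ".ext" form."""
    info = plistlib.loads(plist_bytes)
    app = info.get("CFBundleName", "<unnamed bundle>")
    for doc in info.get("CFBundleDocumentTypes", []):
        role = doc.get("CFBundleTypeRole", "None")
        is_default = bool(doc.get("LSIsAppleDefaultForType", False))
        for ext in doc.get("CFBundleTypeExtensions", []):
            yield app, "." + ext.lower().lstrip("."), role, is_default
        for mime in doc.get("CFBundleTypeMIMETypes", []):
            yield app, mime.lower(), role, is_default


def build_registry(plists):
    """Model the LaunchServices database: binding -> claims, in registration order."""
    registry = defaultdict(list)
    for plist_bytes in plists:
        for app, binding, role, is_default in document_claims(plist_bytes):
            registry[binding].append({"app": app, "role": role, "default": is_default})
    return dict(registry)


def resolve(registry, binding):
    """Return the app that would handle a binding, or None if nothing claims it.
    Assumed rule: a claim flagged LSIsAppleDefaultForType wins, else the first claim."""
    claims = registry.get(binding.lower(), [])
    for claim in claims:
        if claim["default"]:
            return claim["app"]
    return claims[0]["app"] if claims else None


def contested(registry):
    """Bindings claimed by more than one app: the cases where the default decides
    which parser a double-click or a download actually reaches."""
    return sorted(b for b, claims in registry.items()
                  if len({c["app"] for c in claims}) > 1)


def extensions_claimed(plist_bytes):
    """Layout-independent replacement for grep -A3: every extension a bundle claims."""
    return sorted({b for _, b, _, _ in document_claims(plist_bytes) if b.startswith(".")})


if __name__ == "__main__":
    reg = build_registry([BROWSER_PLIST, PLAYER_PLIST])
    for binding in sorted(reg):
        print(f"{binding:16} -> {resolve(reg, binding)}  ({len(reg[binding])} claim(s))")
    print("contested:", contested(reg))
```

Pointing the two constants at real bundles is a matter of replacing them with the bytes of each application's Contents/Info.plist; the registry then gives the same inventory RCDefaultApp presents graphically, and contested() lists the extensions where a change of default would quietly route a file to a different parser.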

Of course, with the help of plug-ins, there are many more file types supported.

The easiest way to view these file types is to go to Help ➢ Installed Plug-ins in Safari; see Figure 3-5.

Figure 3-5 indicates that Safari handles .swf files with the Adobe Flash plug-in, which is installed by default. The QuickTime plug-in reveals an additional 59 file formats supported by Safari. It is hard to imagine a web browser that has no bugs when parsing more than 60 file formats. The Java plug-in represents yet another vector of attack through Safari.


Figure 3-5: The list of installed Safari plug-ins and their associated file types
