Trusted Mac OS X firewall Little Snitch is vulnerable to a local privilege escalation attack that could give criminals the ability to plant rootkits and keyloggers on some El Capitan systems.

The Little Snitch firewall vulnerability was found by Synack Director of Research and well-known OS X hacker Patrick Wardle. Affected are 3.x versions of the Little Snitch firewall software released prior to build 3.6.2 running on El Capitan. Wardle did not test versions of Little Snitch released prior to 3.x.

In January, Wardle discovered that the firewall software contained a local escalation of privileges (EoP) vulnerability that any local user (or malware) could exploit. The following month, Little Snitch’s developer Objective Development released version 3.6.2 of the firewall, which fixed the problem.

“This is a serious flaw and an important software update that Little Snitch users could have easily missed,” Wardle told Threatpost.

Users can fix the problem simply by updating to the latest version. However, Wardle points out that because older versions of the Little Snitch software remain vulnerable, an attacker could install an older version of the firewall (or just load an older version of the Little Snitch kernel driver) on a target’s computer in order to exploit the vulnerability. Loading a kernel extension already requires root, but the payoff is arbitrary code execution in the kernel, which System Integrity Protection is meant to deny even to root.

Next month, at DEF CON, Wardle will publicly discuss the vulnerability for the first time and describe two additional Little Snitch vulnerabilities that have been previously disclosed.

“Exploiting this vulnerability would afford an unauthorized (local) user the ability to get arbitrary code executing in the context of the kernel (ring-0). Here, they could install a rootkit, keylogger, disable System Integrity Protection (SIP) and more,” Wardle said.

Wardle said the Little Snitch bug is in the software’s driver, which runs at the kernel level. He reverse engineered the way Little Snitch’s user-mode component “talked” to the driver when applying firewall configuration settings. He then wrote his own client that spoofs the legitimate one, authenticates to the driver and sends it messages (requests) of his choosing.

One of the driver’s request-handling interfaces, Wardle found, had a heap overflow vulnerability. “That means I can send a special request to the kernel that has the security vulnerability, and as it processes my request, I can get arbitrary code execution in the kernel,” he said.

This means that any local user, or any malware already running on the system, can send that same request whenever Little Snitch is installed, trigger the overflow and begin executing code in the kernel. From there an attacker can go from an ordinary user to root, bypass Apple’s System Integrity Protection and run unsigned code in the kernel.
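The page does not show the driver’s code, so the following is an added, constructed illustration of the bug class it describes, not Little Snitch’s code: a kernel-style request handler that trusts the length field of a user-supplied message when copying into a fixed-size heap buffer, beside a hardened handler that validates every caller-controlled size before the copy. The message layout, buffer sizes and function names are assumptions. The “heap” is one contiguous array whose upper half stands in for the adjacent heap object, so the overflow stays inside a single allocation and the program can be run safely in user space.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   64    /* size of the driver's fixed heap buffer          */
#define ARENA_SIZE 128   /* heap buffer + simulated adjacent heap object     */
#define SENTINEL   0xA5  /* fill pattern used to detect writes past BUF_SIZE */

/* Hypothetical user-mode-to-driver message; len is attacker-controlled. */
struct request {
    uint32_t len;        /* claimed number of bytes in data[] */
    uint8_t  data[];
};

/* Vulnerable handler: trusts req->len and copies into a BUF_SIZE buffer. */
int handle_request_vulnerable(uint8_t *heap_buf, const struct request *req)
{
    memcpy(heap_buf, req->data, req->len);   /* overflows if len > BUF_SIZE */
    return 0;
}

/* Hardened handler: every caller-supplied size is checked before the copy. */
int handle_request_hardened(uint8_t *heap_buf, const struct request *req,
                            size_t req_size)
{
    if (req_size < sizeof(struct request))
        return -EINVAL;                            /* truncated header */
    if (req->len > BUF_SIZE)
        return -EINVAL;                            /* would overflow heap_buf */
    if (req->len > req_size - sizeof(struct request))
        return -EINVAL;                            /* claims more data than sent */
    memcpy(heap_buf, req->data, req->len);
    return 0;
}

/*
 * Simulate one request against a fresh "heap" and report the outcome:
 *   0  handler accepted it and the adjacent object is intact
 *   1  handler accepted it and bytes past BUF_SIZE were overwritten
 *  -1  handler rejected the request
 *  -2  parameters exceed what this simulation can model safely
 * claimed_len is what the header says; supplied_len is how much payload
 * the caller actually sent (the two differ in a truncated request).
 */
int run_handler(int hardened, uint32_t claimed_len, size_t supplied_len)
{
    uint8_t arena[ARENA_SIZE];
    _Alignas(uint32_t) uint8_t msg[sizeof(struct request) + ARENA_SIZE];
    struct request *req = (struct request *)msg;

    if (claimed_len > ARENA_SIZE || supplied_len > ARENA_SIZE)
        return -2;                                 /* keep the copy inside msg/arena */

    memset(arena, SENTINEL, sizeof arena);
    memset(msg, 0x41, sizeof msg);                 /* constructed 'A' payload */
    req->len = claimed_len;
    size_t req_size = sizeof(struct request) + supplied_len;

    int rc = hardened ? handle_request_hardened(arena, req, req_size)
                      : handle_request_vulnerable(arena, req);
    if (rc != 0)
        return -1;
    for (size_t i = BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != SENTINEL)
            return 1;                              /* neighbour clobbered */
    return 0;
}

int main(void)
{
    printf("in-bounds (len 32):       vulnerable=%2d hardened=%2d\n",
           run_handler(0, 32, 32), run_handler(1, 32, 32));
    printf("oversize  (len 100):      vulnerable=%2d hardened=%2d\n",
           run_handler(0, 100, 100), run_handler(1, 100, 100));
    printf("truncated (claims 32/8):  vulnerable=%2d hardened=%2d\n",
           run_handler(0, 32, 8), run_handler(1, 32, 8));
    return 0;
}
```

The third check in the hardened handler matters independently of the buffer size: a request whose header claims more payload than the caller actually sent turns the copy into an out-of-bounds read of whatever follows the message. Both checks belong in the driver itself; as the rest of the article explains, relying on the kernel’s copy routine to catch a bad length is exactly what stopped working once Apple corrected that routine.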

“This would be pretty much game over for the victim,” he said.

Wardle said that when he reached out to Objective Development in January, the company was responsive and issued a patch just weeks later. However, Wardle is critical of how the company alerted its customers and the wider security community. Blink, Wardle argues, and you would have missed the critical patch.

Forgoing the usual CVE designation for a security flaw in its product, Objective Development disclosed the vulnerability in a release note listing five fixes. The last item on the list was the one that addressed the EoP vulnerability: “Fixed a rare issue that could cause a kernel panic.”

“Downplaying this bug means users aren’t going to be aware of it and patch as quickly,” Wardle said.

Little Snitch developer Objective Development said based on its server logs, it estimates 95 percent of its users are running a Little Snitch version that is not affected. It did not disclose its install base or the number of Little Snitch customers that remained vulnerable.

The origins of the Little Snitch vulnerability date back to 2013, when Wardle first identified the bug. At that time it was not a security issue, because a separate bug in earlier versions of Mac OS, in Apple’s implementation of a copy routine within the kernel, masked it.

“This wasn’t a security vulnerability, rather Apple had described how this copy routine should work, but the way it was implemented was incorrect on 64-bit systems,” Wardle said. So when Apple got around to fixing its own kernel implementation issue (two years after Wardle notified Apple of the bug’s existence), the Little Snitch bug became exploitable.

“Obviously, a paid ‘security product’ should not actually reduce the security of one’s system,” he said.