Date: Mon, 5 Nov 2007 20:36:51 +0100 (CET)
From: Juergen Schmidt <ju@ct.heise.de>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: Leopard's firewall damages Skype and WoW
In-Reply-To: <Pine.LNX.4.64.0710292225340.5763@localhost>

Hi,

some further research on the firewall of Mac OS X Leopard proved, that the
firewall is altering binaries on the disc -- in some cases they refuse to
work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the
packet level but rather it works with applications, to which it permits
or denies specific network activities.
In order to unambiguously identify applications, Apple uses code
signatures. Certain applications signed by Apple are automatically permitted
to communicate with the network past the firewall without showing that in
the user interface -- even if the firewall is set to "Block all incoming
connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens
a network port, the firewall swings into action.
In restricted mode, simply trying to start a service brings up a window
asking the user for permission. The system records this choice and enters
it into the firewall's exceptions list. Hitherto Apple furnishes unsigned
programs with a digital signature in the process.
If changes are made to the program subsequently, the permission is withdrawn.

Code signing becomes a problem when an application performs its own
self-integrity check and determines that the file on the hard disk has
been changed. The firewall's code signature changes the checksum of
Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it
displays the following message:

Main starting
Check 1 failed. Can't run Skype

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492