Pwning Mac OS X with evilgrade + MacPorts

The idea of this post is to show the flaws in the packages distribution of the project MacPorts for Mac OS X

The MacPorts use:

a) To update your repository rsync server
b) The packages are distributed via http / ftp
c) Before installing a new package it is checked with the MD5/SHA1 in the local repository

To perform the attack we need to do the following tasks:
1) Prepare the rsync server on the attacker's machine ( with all the files of

mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base
#Get the files from
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync:// /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync:// /dev/evilgrade/release/base/

2) Configure the file /etc/rsyncd.conf:

max connections = 20
log file = /var/log/rsync.log
timeout = 300
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
hosts allow = #change for your subnet
3) Then start the rsync server /etc/init.d/rsync start
4) In this case we will attack the package serf in the category www. The idea is that when you install this package we create a listener shell port 5555
We have to edit the repository file /dev/evilgrade/release/ports/www/serf/Portfile and change checksums md5 with the hash of our payload/agent found in /evilgrade/agent/serf-0.7.2. tar.bz2

You could also prepare the repository for all "Porfiles" point to the same package with the same md5 so any installation which infect the victim port

This agent has a line (132) in to leave a shell at port 5555

4) On the victim machine ( for this test add in /etc/hosts the following lines or make any forwarding traffic attack :
5) Start evilgrade on the attacker machine
6) On the victim machine run a "sudo port selfupdate" and then "sudo port install serf"

7) We verify that our attacker is receiving the rsync request by reading the file /var/log/rsync.log
Check what happend in evilgrade:
8) Enjoy your shell!
Download the MacPort agent from and uncompress it in the evilgrade path.
Remember to keep your systems updated! ;)


Click here for comments
July 8, 2011 at 4:01 PM ×


you should be aware that this is not a new vulnerability and also other packagement systems exist which do not yet sign their packages.

MacPorts will address this with the next release, which is 2.0. With this release we will start signing our own ports tree. The rsync server will distribute a signed tarball which will be verified with our public key on sync/selfupdate.

This feature is currently in beta as is the rest of MacPorts 2.0. Testers providing comments, constructive criticism or bug reports are more than welcome. You can find notes about the latest beta at the time of this writing here:


November 29, 2014 at 7:44 AM ×

I found a post on a blog ( that contains DoubleDirect Attack, and it was one of them targeting the Mac OS X, the question becomes, how to address this vulnerability?

Post a Comment
Thanks for your comment