
Bypassing Little Snitch

“Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection, or define a rule how to handle similar, future connection attempts. This reliably prevents private data from being sent out without your knowledge. Little Snitch runs inconspicuously in the background and it can also detect network related activity of viruses, trojans and other malware.” — Little Snitch website

Foreword

Programs like Little Snitch instill users with a false sense of security. Mac owners often use Little Snitch to prevent pirated applications from dialing home and to ensure that cracked versions of software don’t contain spyware. Nothing could be more naive: If an attacker can run code in the right context, it’s game over. Apps like Little Snitch can’t possibly prevent that.

Keep in mind that this specific attack could have been prevented, but there are more insidious ways to bypass Little Snitch. The security model is broken by design.

How to bypass Little Snitch

Once a binary is allowed access to the internet, Little Snitch will continue to allow access even if the binary changes. On OS X, applications are usually installed by dragging them to the Applications folder. This means they are owned by the user who installed them. Firefox and Chrome take advantage of this to auto-update without the root password. We can use this to overwrite binaries.

We bypass Little Snitch by replacing a trusted binary with our own executable; since the rule is bound to the path of the original binary, our replacement runs with the network permissions of the original app.
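A defender-side audit for the precondition described above, added here as an example (it is not part of the original post or of Little Snitch): it lists the main executables of .app bundles under a directory that the invoking user could overwrite in place, and, on macOS, checks a bundle's code signature, which no longer verifies once the executable has been swapped. It assumes the standard `*.app/Contents/MacOS/<exe>` bundle layout and only POSIX sh plus find; `codesign` is macOS-only and is skipped elsewhere.

```shell
#!/bin/sh
# Added audit script (not from the original post). Lists app executables that
# the current user could replace in place, which is exactly what the
# Little Snitch bypass in the post relies on.

# Print every regular file under DIR/*.app/Contents/MacOS/ that is either
# owned by the invoking user with the owner-write bit set, or is group- or
# world-writable. Uses permission bits, not effective access, so the result
# does not change when run as root. Numeric uid avoids needing a passwd entry.
list_user_replaceable_binaries() {
    dir=$1
    find "$dir" -path '*/Contents/MacOS/*' -type f \
        \( \( -user "$(id -u)" -perm -u+w \) -o -perm -g+w -o -perm -o+w \) \
        -print 2>/dev/null | sort
}

# Number of replaceable executables under DIR, for a quick health check.
count_user_replaceable_binaries() {
    list_user_replaceable_binaries "$1" | wc -l | tr -d ' '
}

# Verify a bundle's code signature (macOS only). A replaced executable no
# longer matches the bundle's seal, and an unsigned bundle also fails, so
# either case is reported as suspect.
verify_bundle_signature() {
    app=$1
    if command -v codesign >/dev/null 2>&1; then
        if codesign --verify "$app" 2>/dev/null; then
            echo "OK: $app"
        else
            echo "SUSPECT (modified or unsigned): $app"
        fi
    else
        echo "codesign not available; skipping $app"
    fi
}

# Usage on a real system: ./audit.sh /Applications
if [ -n "$1" ]; then
    list_user_replaceable_binaries "$1"
    echo "replaceable executables: $(count_user_replaceable_binaries "$1")"
fi
```

Pairing this list with the allow rules in rules.usr.xpl shows which of the allowed binaries could be swapped without any prompt.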

Example

We need a binary that connects to the internet itself, and we can’t use an interpreted language: a script would hand the connection off to its interpreter, which is a different binary with its own rule. For your convenience, here is one such program.

Download it. Then compile as follows:

brew install curl && brew link curl
make

You can ensure that Little Snitch is working by running ./payload.

Let’s back up Firefox and replace it.

mv /Applications/Firefox.app/Contents/MacOS/firefox{,.orig}
mv payload /Applications/Firefox.app/Contents/MacOS/firefox

That’s it. If you were writing a program that needed network access without permission, you would do this programmatically and then launch Firefox. That’s not the case here, so launch Firefox manually and examine /little_snitch_example.txt

Lastly, you probably want to use Firefox again:

mv /Applications/Firefox.app/Contents/MacOS/firefox{.orig,}

Closing Notes

In real usage, you would examine ~/Library/Application Support/Little Snitch/rules.usr.xpl to pick a binary that already has an allow rule.

Lastly, all testing was done on Snow Leopard. You may need to tweak this for Lion or the App Store.

  1. Arup Wardi says:

    Dear sir !
    I’ve a problem in accessing filezilla, it couldn’t connect to my website. So I couldn’t check it and couldn’t
    upload any files to it. It’s said that something has blocked it, probably it’s malware or firewall.
    my questions
    1.How to overcome my filezilla,so that I can monitor and check my web/my host ?
    2.How to overcome firewall and malware,so that I can use my filezilla ?

    Thanks,
    Arupwardi

  2. SNitched says:

    now that little snitch is broken…what is your suggestion to keep safe? i really do hope you have one…
    pointing out a problem(thanks!) but lacking a solution is depressing and frightening … ; )
    btw, one step forward is to send this post to the little snitch company and see what they say/do about it…keep us posted…

    • Natan Yellin says:

      Don’t run untrusted software. There is no other solution.

      • Joe says:

        Yes, I agree. Firefox is an abysmal piece of software that should be deleted and never used.

        As for your “logic” on this situation, it’s very weak.

        > Programs like Little Snitch instill users with a false sense of security

        Don’t programs like Firefox do the same thing? “We know it’s safe because it’s open source.” what bullshit.

        How about Firewalls? virus scanners? root kit scanners? “open source” software? a degree in CS?

        Based upon YOUR logic, they are all UNNECESSARY and should be avoided. Just trust the “man in the hat.”

        Wow, it just hit me. This is completely opposite of the right philosophy: “Trust but verify.” Ironic that “Open Sores” backers claim this ideology, but NEVER follow it. It’s always trust your betters.

        > Nothing could be more naive

        oh I beg to differ. CS students who think they have a clue; tend to be far more naive than most people. Then again I could say that about most college students, CS’rs are more arrogant about their tiny bit of knowledge.

        Naiveté is wearing a Che or Castro shirt, voting for “Hope and Change,” believing in Open Source or “communal” anything, “open sores” aka organic, “fairness,” and my favorite: Wants are Rights. the list is endless.

        And then there is the little issue of you skipping over several steps, and assuming that something could happen “in the right context.” Well “in the right context” we don’t need computers. Would you choose that context?

  3. Bobby Droptable says:

    This is bullshit. The security concept is not ‘broken by design’. It’s your fault if you use your computer with an administrator account. If I try any of the commands above my terminal simply tells me to f*ck off because I do not have the proper rights. Things will break if you use your (any) computer’s admin account for everyday work. Again, this is entirely your own fault, not little snitch’s. It does everything right here.
