Apple OS hacked to the root level in 30 min

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
http://test.doit.wisc.edu/

thelinkedpage said:
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
and if you don't understand that distinction you should ease up on your copyin' 'n pastin'
 

LordOpie

MOTHER HEN
Oct 17, 2002
21,022
3
Denver
y'all don't think that N8 was trying to have a serious conversation, do you?

He's like the Ralph Mouth of the forum... just spewing crap to have fun.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,373
0
SF
Toshi said:
http://test.doit.wisc.edu/
and if you don't understand that distinction you should ease up on your copyin' 'n pastin'
I understand that distinction, and I'm not impressed.

On one hand, there are few Mac multi-user servers compared to their workstation market. On the other hand, ANY UNAUTHORIZED ROOT ACCESS METHOD means the machine is vulnerable, period.

On that note, how is password security on a Mac? Minimum 8 characters, one numeric and alphanumeric, 1 capitalized letter? Or could home users set their root password to "app|e"?
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,931
0
Montgomery county MD
sanjuro said:
On that note, how is password security on a Mac? Minimum 8 characters, one numeric and alphanumeric, 1 capitalized letter? Or could home users set their root password to "app|e"?
Interesting question, and I just found the answer. I was kinda surprised too!

I changed my root password to apple with no problems at all!
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,931
0
Montgomery county MD
N8 said:

I don't understand why that's funny...........?

in order for ANYTHING to be installed, you have to enter your password. period.

In Windoze, your registry can be edited by most any program without your permission, and usually knowledge. And, if you are smart, you install a little plugin called LittleSnitch which warns you before ANYTHING connects to the internet. Mine is set so that a few of the internet programs I run (Firefox, Wordbiz, Adium) are always allowed to connect, but everything else it asks me beforehand. I can accept it for that session, accept forever, or deny for session or forever.

I realize most people that use computers are pretty inept, and yes they can be a risk to themselves, but even more so on a PC. Anyone that will blindly type their password into something is just a downright fool.


Don't get me wrong, I'm not getting up on my Mac horse here, I use both platforms. All I'm saying is I have had hundreds of viruses and spyware on my PCs, and none on my Mac.
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,931
0
Montgomery county MD
BigMike said:
Interesting question, and I just found the answer. I was kinda surprised too!

I changed my root password to apple with no problems at all!

It does tell you how strong your password is though. and it will give you suggestions on what to make it depending on how strong you want to make it. I just asked it for a maximum security password and its suggestion was "bicentenary11801(necessitations"
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
43,059
15,147
Portland, OR
Mac is as secure as you want it to be. Use lax settings and easy passwords and you SHOULD be violated.

You can only ask a computer to protect yourself from yourself so much before you have to get a clue.

All the web servers at my job are Mac. Database servers are Sun OS. Both platforms are very secure when compared to Micro$haft based systems.

<edit> try something like "R1deM@nkey!" as a password. 2 Caps, 2 special characters, 1 number, 1 non dictionary based word. That is a solid P@ssWord!
 

Thrillkil

Monkey
May 25, 2005
595
0
Isla Vista, CA
Given modern decryption methods, a password of any length can be cracked in a short period of time, provided you have a large enough rainbow table (a large file consisting of sequences of random characters, to approximate sections of a password) to use to have the computer guess the password. Allegedly, 15-digit alphanumeric case-sensitive passwords can be cracked within a half hour, if it's good enough, regardless of platform.
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
A 15 digit, randomly generated (including caps) password, cracked via brute force (I realize rainbow tables aren't traditional brute force but the method is similar) in a half hour?

That'd be some serious computing power. I'm not sure that's something your average Joe needs to concern himself with, since the average person isn't facing a hacker with a Cray on his hands ;)

Seriously, though, got any links? I've been out of the hacking loop for a number of years now, but I'd be shocked if a 15 digit random password could be cracked in any kind of reasonable timeframe by anyone with a normal amount of computing power. Rainbow tables can be enormous.
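An added example in C, not posted by anyone in this thread: it applies jimmydean's rule from above (2 caps, 2 special characters, 1 digit, no dictionary word, with "app|e"-style symbol swaps undone before the dictionary check) and then computes the exhaustive-search space behind the 15-character debate. The mini-dictionary, the symbol-swap table and the 1e9 guesses/s rate in main are constructed assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed mini-dictionary; a real check would load a full word list. */
static const char *const kDictionary[] = {"apple", "password", "monkey", "ridemonkey"};
struct pw_stats { size_t length, upper, lower, digit, special; };

static struct pw_stats analyze(const char *pw) {
    struct pw_stats s = {0, 0, 0, 0, 0};
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        s.length++;
        if (isupper(c))      s.upper++;
        else if (islower(c)) s.lower++;
        else if (isdigit(c)) s.digit++;
        else if (isgraph(c)) s.special++;   /* printable punctuation: @ | ! ... */
    }
    return s;
}

/* Undo common symbol-for-letter swaps (app|e -> apple) and drop other symbols, so a
 * disguised dictionary word is still recognised. The swap table is an assumption. */
static void normalise(const char *pw, char *out, size_t outsz) {
    static const char from[] = "@4|1!$530", to[] = "aaliiseso";
    size_t n = 0;
    for (; *pw && n + 1 < outsz; pw++) {
        unsigned char c = (unsigned char)*pw;
        const char *hit = strchr(from, c);
        if (isalpha(c))  out[n++] = (char)tolower(c);
        else if (hit)    out[n++] = to[hit - from];
    }
    out[n] = '\0';
}

bool is_dictionary_word(const char *pw) {
    char norm[128];
    normalise(pw, norm, sizeof norm);
    for (size_t i = 0; i < sizeof kDictionary / sizeof kDictionary[0]; i++)
        if (strcmp(norm, kDictionary[i]) == 0) return true;
    return false;
}

bool meets_policy(const char *pw) {   /* 2 caps, 2 specials, 1 digit, no dictionary word */
    struct pw_stats s = analyze(pw);
    return s.upper >= 2 && s.special >= 2 && s.digit >= 1 && !is_dictionary_word(pw);
}

int charset_size(const char *pw) {    /* alphabet an attacker must assume, from classes seen */
    struct pw_stats s = analyze(pw);
    return (s.lower ? 26 : 0) + (s.upper ? 26 : 0) + (s.digit ? 10 : 0) + (s.special ? 32 : 0);
}

double search_space(const char *pw) { /* candidates in an exhaustive search, e.g. 26^5 for "apple" */
    double space = 1.0;
    int n = charset_size(pw);
    for (size_t i = 0; i < strlen(pw); i++) space *= n;
    return space;
}

int main(void) {   /* 1e9 guesses per second is a constructed, illustrative rate */
    const char *samples[] = {"apple", "app|e", "R1deM@nkey!", "Xq7Lp2Vn9Rk4Ts8"};
    for (size_t i = 0; i < 4; i++)
        printf("%-16s policy=%d space=%.3g worst case at 1e9/s: %.3g s\n", samples[i],
               meets_policy(samples[i]), search_space(samples[i]), search_space(samples[i]) / 1e9);
    return 0;
}
```

The last sample is a constructed 15-character case-sensitive alphanumeric string: its space is 62^15, which is what a brute-force guess rate has to be measured against.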
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
Ahh, yes, okay. I'm caught up now, just needed a refresher. It's been a while since I've done any password cracking - it's amazing what most of us will do as bored teenagers :p. Most versions of *nix use a hash with a salt (<homer>mmm... hash with salt :drool:</homer>), so rainbow cracking isn't effective. I don't know about Macs, though, not sure how they store their passwords.

The last time I was playing with password crackers, I was using a Pentium 60 with a 650mb hard drive. 30-60gb rainbow tables just weren't a practical thing to worry about or even try to use.

Anyhow, the rule of thumb is that physical access equals root access. Don't let strangers play with your computer, kids ;)
 

Ridemonkey

This is not an active account
Sep 18, 2002
4,108
1
Toronto, Canada
It's all moot if you have a half decent firewall on your router anyway. No house is completely safe, and no OS is completely safe. Regardless of your OS, store valuable stuff elsewhere, and use a firewall...duh.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,373
0
SF
jimmydean said:
Mac is as secure as you want it to be. Use lax settings and easy passwords and you SHOULD be violated.

You can only ask a computer to protect yourself from yourself so much before you have to get a clue.

All the web servers at my job are Mac. Database servers are Sun OS. Both platforms are very secure when compared to Micro$haft based systems.

<edit> try something like "R1deM@nkey!" as a password. 2 Caps, 2 special characters, 1 number, 1 non dictionary based word. That is a solid P@ssWord!
Unix systems are secure because sys admins and researchers make it secure. Windows is rife with security issues, but many PC owners are clueless as to how to secure their systems, hence the huge market for security programs.

Macs probably do not have the same base of security researchers as the other unix flavors do because of the short history of os10. On the other hand, Mac users are probably even more clueless than PC owners about security, because they never had to be.
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
sanjuro said:
Unix systems are secure because sys admins and researchers make it secure. Windows is rife with security issues, but many PC owners are clueless as to how to secure their systems, hence the huge market for security programs.

Macs probably do not have the same base of security researchers as the other unix flavors do because of the short history of os10. On the other hand, Mac users are probably even more clueless than PC owners about security, because they never had to be.
please at least do 10 seconds of research before you post false information. OS X is based on freebsd, with a different (micro)kernel.

http://developer.apple.com/opensource/index.html
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,373
0
SF
Toshi said:
please at least do 10 seconds of research before you post false information. OS X is based on freebsd, with a different (micro)kernel.

http://developer.apple.com/opensource/index.html
I am not an OS/10 expert, but I have 15 years of Unix experience to draw upon.

I am very familiar with the FreeBSD-OS10 connection. Hell I see Apple employees every freaking day on the train to Mountain View. I rode home with one.

What I am saying is security holes do not pop up from insecure "kernels". Applications running with root privilege are the weak spot of any unix system.

From the emacs move-mail hack to Apache exploits, there are probably plenty of Mac applications which have not been vetted for security. Keep in mind "the vulnerability he exploited has yet to be published and Apple has not released a patch for it"

For example, let's say you download a music player, and to speed up its playback, it reserves a block of register memory for cache. Let's say I figure out how to write past the reserved block into system register space, allowing me to overwrite the system commands. So by downloading a song, I could access your system. This is how Robert Morris exploited the "finger" hack, btw.

You think Macs are secure because they run a BSD kernel. I'm telling you that that means very little, and all I have to back it up is the 30 minute root hack.

Arrogance is the first weakness which hackers exploit.
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
thanks for explaining what a buffer overflow is. please note that with protected memory such a simple exploit shouldn't work to escalate privileges, especially since most os x apps do not require being run as an admin or root (unlike the case on windows). also, this does not address your original, incorrect implication that OS X has more security holes by being a unix with a "short history".
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
sanjuro said:
Unix systems are secure because sys admins and researchers make it secure. Windows is rife with security issues, but many PC owners are clueless as to how to secure their systems, hence the huge market for security programs.
unfortunately there are a good deal of *nix admins out there giving *nix a bad name because they are too lazy to stay up to date with security updates. Things like Ubuntu have made it easy for Joe Schmoe to get a linux server up and running.
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
Toshi said:
especially since most os x apps do not require being run as an admin or root (unlike the case on windows).
I thought they were actually running as the admin user, but they are using sudo to make sure you have the ability to run the programs as the admin user.
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
dfinn said:
I thought they were actually running as the admin user, but they are using sudo to make sure you have the ability to run the programs as the admin user.
what is "they"?
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
43,059
15,147
Portland, OR
dfinn said:
I'm having a really hard time making sense of that. Is there a point to it?
To set access level on an application basis is half the battle. With that, you can run in user mode without leaving your machine open unless you open it. Unlike Windows that wants you to run as all or nothing.

Unless you run a Linux box as root, then you're just a jackass.
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
43,059
15,147
Portland, OR
sudo (superuser do) is a program in Unix, Linux, and similar operating systems such as Mac OS X that allows users to run programs in the guise of another user (normally in the guise of the system's superuser).
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
I know what sudo is. It was your analogy that has me completely confused.

I think your understanding of sudo is a little off. Here's the quick description from the sudo man page:

execute a command as another user
sudo is basically an ACL to see if a certain user is allowed to run a command as another user, and if that user is allowed to do that it runs the command as the requested user.

Which brings me back to my original question. When OSX prompts you for your username/pass to install or perform a function as the "admin" user is it actually then running that as the "admin" user (aka sudo) or is it somehow being run as the lower level user?
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
43,059
15,147
Portland, OR
When prompted to install, it is the OS authentication to perform the install. If you give it rights and you don't know what it is you're doing, then again, you're a jackass. But the user is run as non-root, so the box by default is somewhat more secured.

The ability to run a command or process at any time through sudo makes all the difference. Most Windows users are running at some level much higher than that and it allows exploits without a check or even a cue to the user that something bad is about to happen. The OS assumes the rights and doesn't check.

Windows boxes are toys, I don't trust mine beyond that. My Linux/OS X machines are far more secure by nature alone, not to mention the additional security I build into them that prevents bad things from happening.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,373
0
SF
Toshi said:
thanks for explaining what a buffer overflow is. please note that with protected memory such a simple exploit shouldn't work to escalate privileges, especially since most os x apps do not require being run as an admin or root (unlike the case on windows). also, this does not address your original, incorrect implication that OS X has more security holes by being a unix with a "short history".
The applications written for OS/X are only a few years old, and have not been thoroughly poked and prodded like BIND or apache (which have had major security flaws which have been fixed over the years).

This is the list of patches from the most recent Apple Security Update http://docs.info.apple.com/article.html?artnum=303382:

Here are some of the highlights (and in case you were wondering, there is no instance of the word "malicious" in the most recent Solaris 10 security patch release. There are 11 in this one.):

Security Update 2006-001

automount
Impact: Malicious network servers may cause a denial of service or arbitrary code execution
Description: File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. This could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system.

Directory Services
Impact: Malicious local users may create and manipulate files as root
Description: The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely. Credit to Ilja van Sprundel of Suresec LTD, vade79, and iDefense (idefense.com) for reporting this issue.

LibSystem
Impact: Attackers may cause crashes or arbitrary code execution depending upon the application
Description: An attacker able to cause an application to make requests for large amounts of memory may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests. This issue does not affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of Suresec LTD for reporting this issue.

Mail
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.

perl
Impact: Perl programs may fail to drop privileges
Description: When a perl program running as root attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. This update addresses the issue by preventing such applications from continuing if the operation fails. This issue does not affect Mac OS X v10.4 or later systems. Credit to Jason Self for reporting this issue.

rsync
Impact: Authenticated users may cause an rsync server to crash or execute arbitrary code
Description: A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for reporting this issue.

Safari
Impact: Viewing a maliciously-crafted web page may result in arbitrary code execution
Description: A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue.

Safari
Impact: Viewing a malicious web page may cause arbitrary code execution
Description: By preparing a web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.

Safari
Impact: Remote web sites can redirect to local resources, allowing JavaScript to execute in the local domain
Description: Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.

Safari, LaunchServices
Impact: Viewing a malicious web site may result in arbitrary code execution
Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
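The perl entry in the update above describes a switch to another user that fails without the program noticing, so it keeps running as root. An added example in C, not from this thread or from Apple's update: a helper that drops privileges and refuses to continue unless the drop can be verified. The ordering (supplementary groups, then gid, then uid), the read-back of the ids and the seteuid(0) probe are the checks it assumes are wanted; the target in main is the caller's own ids so it also runs unprivileged.

```c
#define _GNU_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Results of drop_privileges(); anything but DROP_OK must stop the program. */
enum { DROP_OK = 0, DROP_BAD_TARGET = -1, DROP_CALL_FAILED = -2,
       DROP_NOT_EFFECTIVE = -3, DROP_REGAINABLE = -4 };

/* The pattern the perl entry describes: the switch is attempted, its outcome is
 * never examined, and the caller carries on as whoever it still is. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setgid(gid);
    (void)setuid(uid);
}

/* Switch to uid/gid and refuse to continue unless the switch demonstrably worked. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) return DROP_BAD_TARGET;           /* "dropping" to root is not a drop */

    /* Supplementary groups can only be cleared while still root, so do it first. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return DROP_CALL_FAILED;
    /* Group before user: once the uid is gone, setgid() is no longer permitted. */
    if (setgid(gid) != 0) return DROP_CALL_FAILED;
    if (setuid(uid) != 0) return DROP_CALL_FAILED;

    /* Do not trust the return values alone: read the ids back. */
    if (getuid() != uid || geteuid() != uid) return DROP_NOT_EFFECTIVE;
    if (getgid() != gid || getegid() != gid) return DROP_NOT_EFFECTIVE;

    /* A real drop is irreversible: an attempt to regain root must now fail. */
    if (seteuid(0) == 0) return DROP_REGAINABLE;
    return DROP_OK;
}

int main(void) {
    /* Demonstration target is the caller's own ids, so this also runs unprivileged. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d (uid=%u euid=%u)\n", rc, (unsigned)getuid(), (unsigned)geteuid());
    return rc == DROP_OK ? 0 : 1;
}
```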
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
dfinn said:
most apps do not require running as root. maybe they do to install updates to them, but not when you run them day to day:

a few examples of user space apps, note how they do not ask you to authenticate when you run them:

office
mail.app
safari
ichat
msn messenger
ical
itunes
stickies
photoshop
terminal*
textwrangler
X11

* only use sudo when you need to. with great power comes great responsibility, etc.
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,720
8,732
sanjuro said:
The applications written for OS/X are only a few years old, and have not been thoroughly poked and prodded like BIND or apache (which have had major security flaws which have been fixed over the years).
so how do you account for the presence of rsync, automount, and perl on that list?
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
most apps do not require running as root. maybe they do to install updates to them, but not when you run them day to day:
sorry for the confusion. I was talking about during the install specifically, but I re-read your post and realized you were talking about running these apps once they are installed.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,373
0
SF
Toshi said:
so how do you account for the presence of rsync, automount, and perl on that list?
They suck, and don't use them!!!

Rsync and perl are technically not part of standard distribution. More importantly, this is a flaw with the OS/X implementation only. Or me, Dfinn, and a lot of RM'ers would be very busy for a while....

Also, automount is not exactly a security flaw on solaris, aix, hpux, etc.
 

DirtyMike

Turbo Fluffer
Aug 8, 2005
14,437
1,017
My own world inside my head
BigMike said:
I don't understand why that's funny...........?

in order for ANYTHING to be installed, you have to enter your password. period.

In Windoze, your registry can be edited by most any program without your permission, and usually knowledge.

Actually on Win XP, if you follow the recommended way to set up your users, you will have to have the main user's PW to be able to install anything. That's how mine is set: turn on the machine, it boots up, it's dual OS so I have to select my OS <one for gaming, one for all other>, then I select what user I want to be in and enter their PW. If you're logged into any other user than the main, it won't even let you start the install program. From there you still have to retype the PW. So in reality Mac and PC are only as secure as the operator wants them to be.