Quantcast

Apple OS hacked to the root level in 30 min

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
http://test.doit.wisc.edu/

thelinkedpage said:
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
and if you don't understand that distinction you should ease up on your copyin' 'n pastin'
 

LordOpie

MOTHER HEN
Oct 17, 2002
21,033
0
Denver
y'all don't think that N8 was trying to have a serious conversation, do you?

He's like the Ralph Mouth of the forum... just spewing crap to have fun.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,412
0
SF
Toshi said:
http://test.doit.wisc.edu/
and if you don't understand that distinction you should ease up on your copyin' 'n pastin'
I understand that distinction, and I'm not impressed.

On one hand, there are few Mac multi-user servers compared to their workstation market. On the other hand, ANY UNAUTHORIZED ROOT ACCESS METHOD means the machine is vulnerable, period.

On that note, how is password security on a Mac? Minimum 8 characters, one numeric and alphanumberic, 1 capitalized letter? Or could home users set their root password to "app|e"?
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,933
0
Montgomery county MD
sanjuro said:
On that note, how is password security on a Mac? Minimum 8 characters, one numeric and alphanumberic, 1 capitalized letter? Or could home users set their root password to "app|e"?
Interesting Question, and I just found the answer. I was kinda suprised too!

I changed my root password to apple with no problems at all!
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,933
0
Montgomery county MD
N8 said:

I don't understand why thats funny...........?

in order for ANYTHING to be installed, you have to enter your password. period.

In Windoze, your registry can be edited by most any program without your permission, and usually knowledge. And, if you are smart, you install a little plugin called LittleSnitch which warns you before ANYTHING connects to the internet. Mine is set so that a few of the internet programs I run (Firefox, Wordbiz, Adium) are always allowed to connect, but everything else it asks me beforehand. I can accept it for that session, accept forever, or deny for session or forever.

I realize most people that use computers are pretty inept, and yes they can be a risk to themselves, but even moreso on a PC. Anyone that will blindly type their password into somthing is just a downright fool.


Don't get me wrong, I'm not getting up on my Mac horse here, I use both platforms. All i'm saying is I have had hundreds of viruses and spyware on my PCs, and none on my Mac.
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,933
0
Montgomery county MD
BigMike said:
Interesting Question, and I just found the answer. I was kinda suprised too!

I changed my root password to apple with no problems at all!

It does tell you how strong your password is though. and it will give you suggestions on what to make it depending on how strong you want to make it. I just asked it for a maximum security password and its suggestion was "bicentenary11801(necessitations"
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
29,421
1,999
Portland, OR
Mac is as secure as you want it to be. Use lack settings and easy passwords and you SHOULD be violated.

You can only ask a computer to protect yourself from yourself so much before you have to get a clue.

All the web servers at my job ar Mac. Database servers are Sun OS. Both platforms are very secure when compaired to Micro$haft based systems.

<edit> try something like "R1deM@nkey!" as a password. 2 Caps, 2 special characters, 1 number, 1 non dictionary based word. That is a solid P@ssWord!
 

Thrillkil

Monkey
May 25, 2005
595
0
Isla Vista, CA
Given modern decryption methods, a password of any length can be cracked in a short period of time, provided you have a large enough rainbow table (a large file consisting of sequences of random characters, to approximate sections of a password) to use to have the computer guess the password. Allegedly, 15-digit alphanumeric case-sensitive passwords can be cracked within the a half hour, if its good enough, regardless of platform.
 

binary visions

The voice of reason
Jun 13, 2002
21,653
402
NC
A 15 digit, randomly generated (including caps) password, cracked via brute force (I realize rainbow tables aren't traditional brute force but the method is similar) in a half hour?

That'd be some serious computing power. I'm not sure that's something your average Joe needs to concern himself with, since the average person isn't facing a hacker with a Cray on his hands ;)

Seriously, though, got any links? I've been out of the hacking loop for a number of years now, but I'd be shocked if a 15 digit random password could be cracked in any kind of reasonable timeframe by anyone with a normal amount of computing power. Rainbow tables can be enormous.
 

binary visions

The voice of reason
Jun 13, 2002
21,653
402
NC
Ahh, yes, okay. I'm caught up now, just needed a refresher. It's been a while since I've done any password cracking - it's amazing what most of us will do as bored teenagers :p. Most versions of *nix use a hash with a salt (<homer>mmm... hash with salt :drool:</homer>), so rainbow cracking isn't effective. I don't know about Macs, though, not sure how they store their passwords.

The last time I was playing with password crackers, I was using a Pentium 60 with a 650mb hard drive. 30-60gb rainbow tables just weren't a practical thing to worry about or even try to use.

Anyhow, the rule of thumb is that physical access equals root access. Don't let strangers play with your computer, kids ;)
 

Ridemonkey

This is not an active account
Sep 18, 2002
4,109
0
Toronto, Canada
It's all moot if you have a half decent firewall on your router anyway. No house is completely safe, and no OS is completely safe. Regardless of your OS, store valuable stuff elsewhere, and use a firewall...duh.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,412
0
SF
jimmydean said:
Mac is as secure as you want it to be. Use lack settings and easy passwords and you SHOULD be violated.

You can only ask a computer to protect yourself from yourself so much before you have to get a clue.

All the web servers at my job ar Mac. Database servers are Sun OS. Both platforms are very secure when compaired to Micro$haft based systems.

<edit> try something like "R1deM@nkey!" as a password. 2 Caps, 2 special characters, 1 number, 1 non dictionary based word. That is a solid P@ssWord!
Unix systems are secure because sys admins and researchers make it secure. Windows are rife with security issues, but many PC owners are clueless to how to secure their systems, hence the huge market for security programs.

Macs probably do not have the same base of security researchers as the other unix flavors do because of the short history of os10. On the other hand, Mac users are probably even more clueless than PC owners about security, because they never had to be.
 

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
sanjuro said:
Unix systems are secure because sys admins and researchers make it secure. Windows are rife with security issues, but many PC owners are clueless to how to secure their systems, hence the huge market for security programs.

Macs probably do not have the same base of security researchers as the other unix flavors do because of the short history of os10. On the other hand, Mac users are probably even more clueless than PC owners about security, because they never had to be.
please do at least do 10 seconds of research before you post false information. OS X is based on freebsd, with a different (micro)kernel.

http://developer.apple.com/opensource/index.html
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,412
0
SF
Toshi said:
please do at least do 10 seconds of research before you post false information. OS X is based on freebsd, with a different (micro)kernel.

http://developer.apple.com/opensource/index.html
I am not an OS/10 expert, but I have 15 years of Unix experience to draw upon.

I am very familiar with the FreeBSD-OS10 connection. Hell I see Apple employees every freaking day on the train to Mountain View. I rode home with one.

What I am saying is security holes do not pop up from insecure "kernels". Applications running with root privilege are the weak spot of any unix system.

From the emacs move-mail hack to Apache exploits, there are probably plenty of Mac applications which have not vetted for security. Keep in mind "the vulnerability he exploited has yet to be published and Apple has not released a patch for it"

For example, lets say you download a music player, and to speed up its playback, it reserves a block of register memory for cache. Lets say I figure how to write past the reserved block into system register space, allowing me to overwrite the system commands. So by downloading a song, I could access your system. This is how Robert Morris exploited the "finger" hack, btw.

You think Macs are secure because they run a BSD kernel. I'm telling you that that means very little, and all I have to back it up is the 30 minute root hack.

Arrogance is the first weakness which hackers exploit.
 

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
thanks for explaining what a buffer overflow is. please note that with protected memory such a simple exploit shouldn't work to escalate privileges, especially since most os x apps do not require being run as an admin or root (unlike the case on windows). also, this does not address your original, incorrect implication that OS X has more security holes by being a unix with a "short history".
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
sanjuro said:
Unix systems are secure because sys admins and researchers make it secure. Windows are rife with security issues, but many PC owners are clueless to how to secure their systems, hence the huge market for security programs.
unfortunately there is is a good deal of *nix admins out there giving *nix a bad name because they are too lazy to stay up to date with security updates. Things like Ubuntu have made it easy for joe shmoe to get a linux server up and running.
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
Toshi said:
especially since most os x apps do not require being run as an admin or root (unlike the case on windows).
I thought they were actually running as the admin user, but they are using sudo to make sure you have the ability to run the programs as the admin user.
 

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
dfinn said:
I thought they were actually running as the admin user, but they are using sudo to make sure you have the ability to run the programs as the admin user.
what is "they"?
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
29,421
1,999
Portland, OR
dfinn said:
I'm having a really hard time making sense of that. Is there a point to it?
To set access level on an application basis is half the battle. With that, you can run in user mode without leaving you machine open unless you open it. Unlike Windows that wants you to run as all or nothing.

Unless you run a Linux box as root, then your just a jackass.
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
29,421
1,999
Portland, OR
sudo (superuser do) is a program in Unix, Linux, and similar operating systems such as Mac OS X that allows users to run programs in the guise of another user (normally in the guise of the system's superuser).
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
I know what sudo is. It was your analogy that has me completely confused.

I think your understanding of sudo is a little off. Here's the quick description from the sudo man page:

execute a command as another user
sudo is basically an ACL to see if a certain user is allowed to run a command as another user, and if that user is allowed to do that it runs the command as the requested user.

Which brings me back to my original question. When OSX prompts you for your username/pass to install or perform a function as the "admin" user is it actually then running that as the "admin" user (aka sudo) or is it somehow being run as the lower level user?
 

jimmydean

The Official Meat of Ridemonkey
Sep 10, 2001
29,421
1,999
Portland, OR
When prompted to install, it is the OS authentication to perform the install. If you give it rights and you don't know what it is your doing, then again, your a jackass. But the user is run as non-root, so the box by default is somewhat more secured.

The ability to run a command or process at any time through sudo makes all the difference. Most Windows users are running at some level much higher than that and it allows exploits without a check or even a cue to the user that something bad is about to happen. The OS assumes the rights and doesn't check.

Windows boxes are toys, I don't trust mine beyond that. My Linux/OS X machines are far more secure by nature alone, not to mention the additional security I build into them that prevents bad things from happening.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,412
0
SF
Toshi said:
thanks for explaining what a buffer overflow is. please note that with protected memory such a simple exploit shouldn't work to escalate privileges, especially since most os x apps do not require being run as an admin or root (unlike the case on windows). also, this does not address your original, incorrect implication that OS X has more security holes by being a unix with a "short history".
The applications written for OS/X are only a few years old, and have not been throughly poked and prodded like BIND or apache (which have had major security flaws which have been fixed over the years).

This is the list of patches from the most recent Apple Security Update http://docs.info.apple.com/article.html?artnum=303382:

Here are some of the highlights (and if case you were wondering, there is no instance of the word "malicious" in the most recent Solaris 10 security patch release. There are 11 in this one.):

Security Update 2006-001

automount
Impact: Malicious network servers may cause a denial of service or arbitrary code execution
Description: File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. This could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system.

Directory Services
Impact: Malicious local users may create and manipulate files as root
Description: The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely. Credit to Ilja van Sprundel of Suresec LTD, vade79, and iDefense (idefense.com) for reporting this issue.

LibSystem
Impact: Attackers may cause crashes or arbitrary code execution depending upon the application
Description: An attacker able to cause an application to make requests for large amounts of memory may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests. This issue does not affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of Suresec LTD for reporting this issue.

Mail
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.

perl
Impact: Perl programs may fail to drop privileges
Description: When a perl program running as root attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. This update addresses the issue by preventing such applications from continuing if the operation fails. This issue does not affect Mac OS X v10.4 or later systems. Credit to Jason Self for reporting this issue.

rsync
Impact: Authenticated users may cause an rsync server to crash or execute arbitrary code
Description: A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for reporting this issue.

Safari
Impact: Viewing a maliciously-crafted web page may result in arbitrary code execution
Description: A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue.

Safari
Impact: Viewing a malicious web page may cause arbitrary code execution
Description: By preparing a web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.

Safari
Impact: Remote web sites can redirect to local resources, allowing JavaScript to execute in the local domain
Description: Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.

Safari, LaunchServices
Impact: Viewing a malicious web site may result in arbitrary code execution
Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
 

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
dfinn said:
most apps do not require running as root. maybe they do to install updates to them, but not when you run them day to day:

a few examples of user space apps, note how they do not ask you to authenticate when you run them:

office
mail.app
safari
ichat
msn messenger
ical
itunes
stickies
photoshop
terminal*
textwrangler
X11

* only use sudo when you need to. with great power comes great responsibility, etc.
 

Toshi

Harbinger of Doom
Oct 23, 2001
26,588
1,920
sanjuro said:
The applications written for OS/X are only a few years old, and have not been throughly poked and prodded like BIND or apache (which have had major security flaws which have been fixed over the years).
so how do you account for the presence of rsync, automount, and perl on that list?
 

dfinn

Turbo Monkey
Jul 24, 2003
2,129
0
SL, UT
most apps do not require running as root. maybe they do to install updates to them, but not when you run them day to day:
sorry for the confusion. I was talking about during the install specifically, but I re-read your post and realized you were talking about running these apps once they are installed.
 

sanjuro

Tube Smuggler
Sep 13, 2004
17,412
0
SF
Toshi said:
so how do you account for the presence of rsync, automount, and perl on that list?
They suck, and don't use them!!!

Rsync and perl are technically not part of standard distribution. More importantly, this is a flaw with the OS/X implementation only. Or me, Dfinn, and alot of RM'ers would very busy for a while....

Also, automount is not exactly a security flaw on solaris, aix, hpux, etc.
 

DirtyMike

Turbo Fluffer
Aug 8, 2005
14,241
832
My own world inside my head
BigMike said:
I don't understand why thats funny...........?

in order for ANYTHING to be installed, you have to enter your password. period.

In Windoze, your registry can be edited by most any program without your permission, and usually knowledge. QUOTE]

Actually on win XP. if you follow the recomended way to setup your users, you will have to have the Main users PW to be able to install anything. Thats how mine is set, Turn on the machine, it boots up, Its duel OS so i have to select my OS,<One for gaming one for all other> Then i select what user i want to be in and enter ther PW. If your logged into any other user than teh Main, it wont even let you start the Install program. From there you still have to retype the PW. So in reality Mac and PC are only as secure as teh operator wants them to be.