Posted on 03/06/2006 10:43:40 AM PST by Senator Bedfellow
The exploit was to achieve Root... which is not an Admin level but one higher level of access. The link I was trying to find was where he stated that users were given an account to the Mac just as though they had set it up and the challenge was to get root access without knowing the password.
This account setup was "automatic" for anyone who wanted in... the owner of the Mac Mini did not stay around to grant each requester an account. That means to me that he probably "scripted" it. If I were a hacker, I would probably start by looking at that script... 'cause it might just have the password in it.
From http://rm-my-mac.wideopenbsd.org/:
That's why I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it!
And the word 'add' is a link to THIS page: http://rm-my-mac.wideopenbsd.org/ssh where one shall see:
This is the place you add yourself an account on my Mac.
To log in, simply SSH to rm-my-Mac.WideOpenBSD.ORG using the name and password you've chosen. It might take a while to log in as SSH is started from inetd and needs to generate keys upon startup.
'Nuff said. Fare thee well.
"Add an account" = "give everyone access to everything"? Well, maybe in Appleworld, but on saner systems, it's not quite that easy.
LDAP
CVE-ID: CAN-2005-1338
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Passwords could initially be stored into LDAP in plain text when using an LDAP server not running on Mac OS X.
Description: When a system is bound to an LDAP server that has "ldap_extended_operation" disabled or not supported, and new accounts are created using the Workgroup Manager, then the initial password can be stored in the clear. If the password is modified using the Inspector, it will be correctly stored in a hashed form. This issue does not occur when using the Apple supplied Open Directory server. For servers not supporting "ldap_extended_operation," this update now stores new passwords in the hashed form.
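An audit for exactly the condition that advisory describes, as an added example that is not from this thread or from Apple: it reads an LDIF export of the directory (a constructed three-entry sample is embedded) and flags every userPassword value that carries no RFC 2307 {SCHEME} prefix, or carries a {CLEARTEXT}/{PLAIN} one, so an administrator can see which accounts still hold an initial password stored in the clear.

```python
import base64
import re

# RFC 2307 scheme prefix, e.g. {SSHA}, {CRYPT}, {MD5}. No prefix means cleartext.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
CLEAR_SCHEMES = {"CLEARTEXT", "PLAIN"}   # prefixes that still mean no hashing

# Constructed sample LDIF: alice hashed with SSHA, bob in the clear,
# carol in the clear but base64-wrapped by the exporter ("userPassword::").
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {SSHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword: hunter2

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword:: c2VjcmV0IHBhc3N3b3Jk
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry. Handles folded
    continuation lines (leading space) and base64 values ('attr:: ...').
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def cleartext_password_entries(text):
    """DNs whose userPassword is stored without a real hash scheme."""
    flagged = []
    for entry in parse_ldif(text):
        for pw in entry.get("userpassword", []):
            m = SCHEME_RE.match(pw)
            if m is None or m.group(1).upper() in CLEAR_SCHEMES:
                flagged.append(entry["dn"][0])
                break
    return flagged

if __name__ == "__main__":
    for dn in cleartext_password_entries(SAMPLE_LDIF):
        print("cleartext userPassword:", dn)
```

Run it against a real dump produced with `ldapsearch -LLL` or `slapcat`; any DN it prints is an account whose password should be reset so the server stores it hashed.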
Several commenters who claim to know the details of the box that was hacked claim the owner CHANGED many of the current components (including having a bootable LINUX partition) and dropped back to some that had not been patched to fix vulnerabilities. They have stated categorically that the Mac Mini was NOT a standard, default installation. I wonder if this app might have been one he dropped back on. The owner of the box, on his website, states:
"It (his Mac Mini) runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP."
From this, I infer that he has replaced Apple's own selected UNIX software with "decent" versions. "Fink" is an app that allows UNIX programs to run under OS X. Just as obviously, the target Mac Mini WAS NOT a default installation as claimed.
This guy claims to have set up an "LDAP server" and then linked it to the Mac's naming and authentication services... but did he run them through Inspector? Where did he get his LDAP (there are some non-Apple versions available for OS X)? Since he has installed (by his own words) a "decent version" of Apache... then it is reasonable to conclude that the LDAP server is the one built into THAT "decent version" of Apache and not the one Apple provided which uses Apple's Workgroup Manager and Apple's Inspector.
There were Kerberos vulnerabilities a couple of years ago that allowed user escalation... and OpenLDAP works with Kerberos... IS this one he dropped back on? Too many questions.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.