Remote Root Exploit in Mac OS X

carrel.org ^ | 11/26/03 | William Carrel

[general_re]

Mac OS X Security Advisory

Vulnerability:

Malicious DHCP response can grant root access

Affected Software

Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)

Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

Abstract

A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

What does this mean to the average user

Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.

Vendor Patch

Apple Computer has been notified of this issue and may be working a fix at this time. At the time of this writing, a fix is not available from Apple.

[general_re]

Commence finger-pointing, hand-waving, gloating - whatever your cup of tea happens to be...

[RedBloodedAmerican]

Darn the luck! Happy Thanksgiving, Steve!

[litany_of_lies]

Don't point the finger at this Mac user, who realizes our safety is only in our (small) numbers.

Do you know if Norton Personal Firewall protects against this problem? My guess would be yes (tentative sigh of relief).

[Vermonter]

ping!

[Bush2000]

Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!

[CyberCowboy777]

:~)

[Bush2000]

Do you know if Norton Personal Firewall protects against this problem? My guess would be yes (tentative sigh of relief).

No, it doesn't. If you need to run a DHCP server under OSX, you're screwed unless you patch or run the workarounds.

[Bush2000]

I have a feeling that this thread will be remarkably quiet. The Mac bigots tend to ignore bad news.

[proust]

chirp chirp.

[general_re]

From a quick scan, it looks like the problem is on the client end - the DHCP client is set up to implicitly trust LDAP information it gets from the DHCP server, so you can hijack the OS by pointing it to a malicious LDAP server via DHCP. If LDAP is disabled on the client end, you should okay, but if not, you could be in major trouble - the malicious LDAP server can replace the normally disabled root account with its own functioning root account. Major trouble.

[adam_az]

Hi,

I didn't ask to be on your ping list, so please remove me.

Thanks,
adam.

[Bush2000]

2003-10-09 Initial version of this advisory
2003-10-09 Apple Computer notified
2003-10-09 Apple Computer confirmed receipt and forwarded to eng. team
2003-10-11 Minor edits, also added "Philosophical Issues" and "Path to Root"
2003-10-14 Apple Computer assigns specific point of contact
2003-10-14 Requested confirmation of issue with Apple Computer
2003-10-15 Apple Computer confirms issue
(2003-10-24 Original deadline given to Apple for acknowledging issue)
(2003-10-24 Mac OS X 10.3 is released with this known issue)
(2003-10-28 Mac OS X 10.3 Security Update released, does not address issue)
2003-10-28 Requested update of fix status from Apple Computer
2003-10-28 Apple Computer proposes Nov. 3 fix date
2003-10-29 Apple Computer reneges on Nov. 3 date
2003-10-29 Requested fix in "2 or 3 weeks" from Apple Computer
(2003-11-04 Mac OS X 10.3 Security Update released, does not address issue)
(2003-11-15 Mac OS X 10.3.1 is released with this known issue)
2003-11-17 Requested update of fix status from Apple Computer
2003-11-18 Requested update of fix status from Apple Computer
(2003-11-19 Mac OS X 10.3.1 Security Update released, does not address issue)
2003-11-19 Apple Computer replies "scheduled to go out in December's update"
2003-11-19 Deadline of Nov. 26 given to Apple Computer
2003-11-25 Minor edits, made "Path to Root" a little more work for the script kiddies
2003-11-26 Advisory issued (48 days after initial vendor notification)

According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.

[Bush2000]

I didn't ask to be on your ping list, so please remove me.

I'll bet you don't want to be pinged. Ignorance is bliss.

[general_re]

I'm not wild about people releasing vulnerabilities before a patch is available, but this does seem to be rather slow in coming....

[Sabretooth]

Ya, but their computers are sooo pretty.

HAHAHAHAHAHAHA!

[litany_of_lies]

Just talked to tech support for Road Runner and lucked into someone who has a Mac. FWIW, he understands the nature of the problem but doesn't see it as a significant issue for RR Mac customers. Went and made the suggested settings changes anyway.

[RedBloodedAmerican]

BWAHAHAHAA

[Bush2000]

I'm not wild about people releasing vulnerabilities before a patch is available, but this does seem to be rather slow in coming....

I agree. There really ought to be a standard for the length of time that's acceptable for security researchers to hold back reporting a problem. Eight weeks does seem like a long time but, if it's a complicated fix, that needs to be taken into account.

[First_Salute]

Bump.