Remote Root Exploit in Mac OS X
carrel.org | 11/26/03 | William Carrel
Posted on 11/26/2003 1:31:31 PM PST by general_re
Mac OS X Security Advisory
Vulnerability:
Malicious DHCP response can grant root access
Affected Software
Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X
Abstract
A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.
What does this mean to the average user?
Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.
Vendor Patch
Apple Computer has been notified of this issue and may be working on a fix at this time. At the time of this writing, a fix is not available from Apple.
(Excerpt) Read more at carrel.org ...
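The trust chain the advisory describes starts with the DHCP answer: the client takes whatever LDAP server the DHCP response names and then trusts that server for users, groups and mounts. The parser and audit below are an added example, not code from the advisory or from Apple. They decode a DHCP OFFER/ACK, check the server identifier (option 54) against an allowlist of the servers you actually run, and flag any answer that carries an LDAP URL (DHCP option 95, which is how Mac OS X received its "DHCP-supplied LDAP server"; the excerpt itself does not name the option number, so treat that as background the example relies on). The packets and the 192.168.1.x addresses are constructed in the block for demonstration.

```python
import struct
from ipaddress import IPv4Address

# DHCP wire constants (RFC 2131 / RFC 2132). Option 95 is the LDAP URL option
# Mac OS X's DHCP client handed to Directory Services (background fact this
# example relies on; the advisory excerpt does not name the option number).
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LDAP_URL, OPT_END = 0, 53, 54, 95, 255
BOOTREPLY = 2
OFFER, ACK = 2, 5


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the option TLVs of one DHCP message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    msg = {
        "op": op,
        "xid": xid,
        "yiaddr": IPv4Address(packet[16:20]),   # address offered to the client
        "siaddr": IPv4Address(packet[20:24]),   # next-server (boot) address
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        msg["options"][code] = data
        i += 2 + length
    return msg


def audit_dhcp_response(packet: bytes, trusted_servers: set) -> list:
    """Return findings for a server->client OFFER/ACK: who answered, and
    whether the answer tries to hand the client a directory (LDAP) server."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    mtype_raw = opts.get(OPT_MSG_TYPE, b"")
    mtype = mtype_raw[0] if mtype_raw else None
    if msg["op"] != BOOTREPLY or mtype not in (OFFER, ACK):
        return []   # client->server traffic is not what we are auditing
    findings = []
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        findings.append("no valid server identifier (option 54)")
    else:
        server = str(IPv4Address(sid))
        if server not in trusted_servers:
            findings.append(f"answer from unexpected DHCP server {server}")
    ldap = opts.get(OPT_LDAP_URL)
    if ldap is not None:
        findings.append("answer carries an LDAP server URL (option 95): "
                        + ldap.decode("ascii", "replace"))
    return findings


def build_dhcp_response(msg_type, server_ip, yiaddr, xid=0x1234ABCD, ldap_url=None):
    """Build a minimal DHCP OFFER/ACK for testing (constructed, not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4)                              # ciaddr
    hdr += IPv4Address(yiaddr).packed            # yiaddr
    hdr += IPv4Address(server_ip).packed         # siaddr
    hdr += bytes(4)                              # giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)    # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    if ldap_url is not None:
        url = ldap_url.encode("ascii")
        opts += bytes([OPT_LDAP_URL, len(url)]) + url
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    trusted = {"192.168.1.1"}                    # placeholder: your real DHCP server
    good = build_dhcp_response(OFFER, "192.168.1.1", "192.168.1.50")
    bad = build_dhcp_response(ACK, "192.168.1.66", "192.168.1.50",
                              ldap_url="ldap://192.168.1.66/dc=attacker,dc=local")
    for name, pkt in (("legitimate", good), ("rogue", bad)):
        print(name, audit_dhcp_response(pkt, trusted) or ["ok"])
```

To use this on a live segment, feed it the UDP payload of port 67/68 packets from a capture. An "unexpected DHCP server" finding on a segment you administer is a rogue server; an option 95 value from any server, trusted or not, should be compared with the directory server you actually deployed, because the advisory's point is that the client will believe whatever URL arrives.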
To: basil
I did turn off my airport thingee, though, as I seldom use it.
LOL! Spoken like a true Mac user!
41 posted on 11/26/2003 4:37:41 PM PST by Snowy (Annoy a lib -> Work hard, earn money, and be happy!)
To: Bush2000
Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!
Repeat after me, Microsoft is secure!! BWAHAHAHAHAHAHAHAHAHAHAHAHA!BWAHAHAHBWAHAHAHAHAHAHAHAHAHAHAHAHA!AHAHAHAHAHAHAHAHAHA!
I just found three gigs of hacker crap hidden in my "Secure" IIS server. Now, I religiously update every time there is a security release. But, holy crap, my three year old Linux server on the same network never has crashed. I guess we all know who the moron is now, huh Bushie.
To: general_re
I find it amusing to see all of the posters on here gloating over a minor security breach that may allow a hacker to get to the "root" level of a Mac OSX system and impact a few computers hooked up to a network with a bad guy on it.
Why is that amusing?
Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!
That is funny.
To: Bush2000
Wow...all we need now is for someone to post one of those annoying penguin pics.
44 posted on 11/26/2003 6:32:06 PM PST by BureaucratusMaximus (if we're not going to act like a constitutional republic...lets be the best empire we can be...)
To: Bush2000
According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.
Well, Microsoft has more experience.
45 posted on 11/26/2003 6:36:32 PM PST by gitmo (Stability cannot be purchased at the expense of liberty. -GWB)
To: Snowy
Think how good you would be if you never touched a computer until you were in your sixties. I spent all my "wonder years" raising our five kids. I may be late to the game and don't know the terminology, but I sure as hell can do what I need or want to do with it.
46 posted on 11/26/2003 6:46:50 PM PST by basil
To: SengirV
Nothing to see here folks, move along.
I wish, but this is a nasty hole. Because it's trusted by default, the LDAP server can specify mountpoints on your box, which means I can run any arbitrary code I like by mounting my filesystem overtop yours. I can set up a root crontab job that starts up my code automatically, like enabling SSH, even if you've disabled it, and at that point, I've got a root login available to me, even if you don't - and odds are, you'd never notice what I was up to. All I have to do is sit back and wait for you to reboot to take my configuration instead of yours.
47 posted on 11/26/2003 7:57:05 PM PST by general_re (Take away the elements in order of apparent non-importance.)
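The record types that post lists (user, group and mount entries) are exactly what a rogue directory server would serve to a client that trusts it. As an added example, not code from the advisory or from any of the posters, the LDIF audit below parses directory records and flags the ones that matter: a user that resolves to uid 0, a group that hands out gid 0 membership, and a mount record whose target is a local system path rather than the usual /Network or /Volumes automount locations. The LDIF sample is constructed; the user and group attributes follow RFC 2307 (posixAccount, posixGroup), and the "mount" object class attribute names (mountDirectory, mountType, mountOption) are assumed from RFC 2307-style schemas and should be checked against your own directory's mappings.

```python
import base64

# Attribute and class names follow RFC 2307 (posixAccount, posixGroup) and a
# 2307-style "mount" object class (mountDirectory, mountType, mountOption);
# the mount attribute names are an assumption of this example.
SAFE_MOUNT_ROOTS = ("/Network/", "/Volumes/")


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of records: {attribute (lowercase): [values]}."""
    records, current = [], {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def audit_directory_records(records: list) -> list:
    """Flag records a rogue directory server would use to take over a client."""
    findings = []
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "posixaccount" in classes and "0" in rec.get("uidnumber", []):
            findings.append((dn, "user record resolves to uid 0 (root)"))
        if ("posixgroup" in classes and "0" in rec.get("gidnumber", [])
                and rec.get("memberuid")):
            findings.append((dn, "group record grants gid 0 (wheel) membership"))
        if "mount" in classes:
            for path in rec.get("mountdirectory", []):
                if not path.startswith(SAFE_MOUNT_ROOTS):
                    findings.append((dn, f"mount record targets local path {path}"))
    return findings


# Constructed sample: what a rogue DHCP-supplied LDAP server might serve.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,dc=example,dc=net
objectClass: posixAccount
uid: jdoe
uidNumber: 501
gidNumber: 20
homeDirectory: /Users/jdoe

dn: uid=sysadm,cn=users,dc=example,dc=net
objectClass: posixAccount
uid: sysadm
uidNumber: 0
gidNumber: 0
homeDirectory: /var/root

dn: cn=wheel,cn=groups,dc=example,dc=net
objectClass: posixGroup
cn: wheel
gidNumber: 0
memberUid: jdoe

dn: cn=fileserver:/export/home,cn=mounts,dc=example,dc=net
objectClass: mount
cn: fileserver:/export/home
mountDirectory: /Network/Servers
mountType: nfs
mountOption: net

dn: cn=rogue:/export/etc,cn=mounts,dc=example,dc=net
objectClass: mount
cn: rogue:/export/etc
mountDirectory: /etc
mountType: nfs
mountOption: rw
"""


def audit_ldif(text: str) -> list:
    return audit_directory_records(parse_ldif(text))


if __name__ == "__main__":
    for dn, why in audit_ldif(SAMPLE_LDIF):
        print(f"{why}: {dn}")
```

In practice you would dump the records the DHCP-supplied server actually returns (ldapsearch writes LDIF) and pass that output to audit_ldif. The three findings on the sample are the sysadm user (uid 0), the wheel group with a member, and the mount over /etc; the jdoe user and the /Network/Servers automount are left alone.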
To: Swordmaker
Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!
The difference is, I need physical access to the Windows machine in most cases, even if you're running as an administrator, and if I have physical access, you're dead, no matter what OS you're running. This hole is much nastier than that, because it's a remote exploit. I don't have to pull a "Mission: Impossible" job and break into your house - I can just hang out at the Starbucks and look for folks with a Powerbook and a wireless card.
I know the tendency is to downplay this, but remote exploits of any sort are serious enough, and remote root access is a major, major problem. This is a potentially very serious problem for some users, and I strongly suggest you take the workarounds into consideration if you're potentially affected - this thing has been public for a little more than twelve hours now, and I practically guarantee that someone's scripted it and is taking it for a test drive by now.
48 posted on 11/26/2003 8:05:55 PM PST by general_re (Take away the elements in order of apparent non-importance.)
To: general_re
heh heh heh. That ought to wipe the smug grins off a few faces. Apple's OS-whatever has its roots in unix derivatives. Hackable? You betcha.
49 posted on 11/26/2003 8:12:52 PM PST by Noumenon (I don't have enough guns and ammo to start a war - but I do have enough to finish one.)
To: FastCoyote
I guess we all know who the moron is now, huh Bushie.
Don't be too hard on yourself, Forrest.
50 posted on 11/26/2003 8:32:59 PM PST by Bush2000
To: basil
...if someone broke into my computer they would be so bored with it at the end of 5 minutes, that they'd move on.
That's a rather naive assumption. They could also destroy your computer.
51 posted on 11/26/2003 8:35:19 PM PST by Bush2000
To: general_re
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server. Yes it is a problem, but far from the usual windows problems where opening up an email totally screws you over.
52 posted on 11/26/2003 9:04:33 PM PST by SengirV
To: Bush2000
They could also modify the kernel so that processes could be hidden even from unix commands like 'top'. Then your computer could be instructed to serve out whatever the malicious person wanted - say like child porn.
Once you've got root, you can make the box do whatever it _can_ do. That said, I'd bet that the fix for this comes out in about 2 days.
53 posted on 11/26/2003 9:20:26 PM PST by glorgau
To: SengirV
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server
Not true. All that I have to do is get your client machine to use my box as the LDAP server. That isn't difficult, particularly if I have access to the network segment on which the machine-to-be-attacked resides.
54 posted on 11/26/2003 10:31:11 PM PST by Bush2000
To: glorgau
But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)
Actually you just need to disable the "Use DHCP-supplied server" options for LDAP and NetInfo. You can still use DHCP to get an IP address. This is really just a problem with default settings; auto-configuration from remote LDAP or NetInfo servers can be quite useful in controlled environments, but it should *not* be the default behavior.
To: Bush2000
That isn't difficult, particularly if I have access to the network segment on which the machine-to-be-attacked resides.
You *must* have access to the same subnet as the target. You can't attack a random Mac on the Internet with this technique. The main threat seems to be for the Starbucks wireless user.
To: SengirV
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server.
No, I just have to find a wireless user and pretend to be an LDAP server...
57 posted on 11/27/2003 5:40:48 AM PST by general_re (Take away the elements in order of apparent non-importance.)
To: Bush2000
Settle down, Thomas. There are no reports that anyone in the real world has been attacked with this exploit. The patch will be available in a few days, after it has been tested.
58 posted on 11/27/2003 8:51:35 AM PST by HAL9000
To: HAL9000
From Apple's knowledge base:
Title: Mac OS X: Directory Access Configuration In the Presence of a Malicious DHCP Response
Article ID: 32478 | Created: 11/26/03 | Modified: 11/26/03
TOPIC
Learn how to configure the Directory Access feature to protect your Mac from a malicious DHCP server.
DISCUSSION
Please note that the exploit requires the malicious DHCP server to be located on your local subnet. For typical home network configurations with a broadband (DSL or cable service) modem and a NAT (Network Address Translation) device, such as Apple's Airport, this exploit is not possible.
If there is a chance that a malicious DHCP server has been injected into your subnet or you are operating on an untrusted network there are two solutions to the potential vulnerability depending on if you are using a directory service.
No directory service: For users that do not use a directory service you can go into the Directory Access utility and uncheck the "Use DHCP-supplied LDAP Server" option (Figure 1). You are no longer susceptible to this exploit.
Figure 1: Uncheck the "Use DHCP-supplied LDAP Server" option
Directory service: If your Mac is configured to use a directory service consult with your IT administrator before changing any settings. Your IT administrator will need to change the default setting from "automatic" to "custom" search policy in the Directory Access authentication tab and specify the correct LDAP server.