Posted on 03/06/2006 10:47:30 AM PST by ShadowAce
updateGaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.
On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".
The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.
"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia .
According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.
"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users… There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.
"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.
Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.
"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.
Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.
In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.
"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.… If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.
An Apple Australia spokeswoman said today it was unable to comment at this stage.
I'd like to know a lot more about the conditions of the test. If the guy was dumb enough to allow random users shell access, (I'm assuming through SSH, though there is no way to know it - it could have been telnet!), it would be nice to know if he did anything at all to secure the box. If he was running an http server, did he allow user mods of cgi directories?
Frankly there is is not nearly enough information in the article to tell if this was anywhere close to a valid test.
Are you arguing that it isn't possible/practical to lock down a 'NIX box where a user has shell privilges?
Well, it's easy if you've previously found an exploit, never notified the vendor, and use it when you get the chance.
Why is it so hard to think that maybe local security from the command-line isn't quite what it should be? That's not exactly how Apple intends for anyone to interact with the system, and it certainly seems likely that maybe it hasn't gotten quite as much of their attention as other parts of the system?
Everybody has this problem. It is the nature of the beast. It's not a good thing, but that's the way life is in a multi-user OS. The best you can do is keep the exploits local, and hopefully not in the core OS (as opposed to exploits in services and applications that not everybody uses).
Experience? Tens of thousands of users logging in to shell accounts daily for decades? Besides, the common heritage is not much to speak of - AIX is a SysV derivative, not BSD.
Solaris really is immune to privilege elevation exploits. Oops, found one.
And don't forget AIX.
Solaris has not been around Decades, solaris has been around for 15 years.. SunOS which existed before that was BSD.
"SunOS was the version of the UNIX operating system developed by Sun Microsystems for their workstations and server systems until the early 1990s. This was based on BSD UNIX with some additions from UNIX System V in later versions."
So in your experience did you hand known hackers shell access and tell them 'go at it'?
I like that - "known hackers". LOL.
We gave shell accounts to programmers and other specialists who very much had the skills to exploit weaknesses in the system - at the time, they were called "employees", and they used those shell accounts to do the work required of them. So, whatcha gonna do with OS X? Want to try the same thing?
With many hacks known during that time.
Besides, the common heritage is not much to speak of - AIX is a SysV derivative, not BSD.
They're just different flavors, and the separation was much earlier, as BSD was based on Ken Thompson's teaching at Berkeley at the same time UNIX System Version 6 was being developed. As of Version 7 (three versions before SYSV) they were separate. Of course, a bunch of BSD was dumped back into SYSV UNIX later (especially TCP/IP), so the lines are blurred. A lot of what SCO claims is their copyright in UNIX (SYSV) is actually BSD licensed code.
But in general, AIX and HP/UX are SYSV, Mac and SunOS are BSD, and Solaris is a hybrid SYSx/BSD. Linux is kind of out in left field, being inspired by a from-scratch OS (Minix).
Your post suggested that AIX and Solaris have been running without such exploits. OS X is fairly new in a sense, but it does have a quite old base.
Apple has a damn good OS, but somethings have been leading me to think they they need to get a bit more proactive on security if they want to keep their edge.
And could have went to jail on top of losing their jobs if they did hack the system.
So, whatcha gonna do with OS X? Want to try the same thing?
Give shell accounts to people who I can fire / imprison if they hack a system... Sure I already do that on my Linux systems.. Would I give shell access to someone who is a hacker and tell him he is free to do it? no..
Only the stupid ones. I've always said an OS X virus will eventually be found in the wild. But people switching from Windows at 10.2 (first good stable version) would have enjoyed almost four years of virus-free operation by now. There are probably a few more years before the Mac virus problem becomes severe enough (if it ever does) to be a significant cost to any business as it is with Windows boxes now. Not bad, huh?
And this thing about complaining how things might have gone on Windows or some such doesn't make things better - "Windows is just as crappy!" is probably not the tagline Jobs is looking for in his next "Switch" campaign. So let's just deal with the fact that the thing got owned, in a situation where it shouldn't have been, and go from there.
Ah, I see - it's setting the critical "can this person be fired?" bit that makes the system secure. LOL. Look, at the end of the day, you can either have a system that's secure WRT local accounts, or you can trust everybody. Or, in your case, trust everyone to be afraid of you. My suggestion is that sooner or later you're gonna get burned by trusting someone you shouldn't, unless you take steps to trust but verify the security of your system.
I'd bet with you on AIX, but I'm not so sure about Solaris. Remember sadmind?
but at the end of the day the question is what happens when the rubber meets the road - well, you got that here, and it didn't go so well.
No viruses/worms in the wild. Going good so far. The sadmind vulnerability (sadmind installed by default, authenticated in clear text by default, buffer overflow exploit) was discovered seven years after the release of Solaris, not counting its pre-Solaris heritage (SVR4 and BSD/SunOS).
And this thing about complaining how things might have gone on Windows or some such doesn't make things better ... So let's just deal with the fact that the thing got owned, in a situation where it shouldn't have been, and go from there.
The situation that shouldn't have been was this whole test, using a client, giving out shell accounts. I called BS on this test, and my Windows comment was that I would also call BS on a test with these parameters using XP instead of 2003 Server.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.