Free Republic

Mac OS X hacked under 30 minutes
ZDNet Australia | 6 March 2006 | Munir Kotadia

Posted on 03/06/2006 10:47:30 AM PST by ShadowAce

Update: Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server -- with various remote services running and local access to users… There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms. … If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

An Apple Australia spokeswoman said today it was unable to comment at this stage.


TOPICS: Technical
KEYWORDS: mac; osx; security
To: antiRepublicrat
The situation that shouldn't have been was this whole test, using a client, giving out shell accounts.

Why not? With its Unixy underpinnings, someone might think to use it in the role of a traditional multiuser timesharing system. Obviously, that's worth reconsidering at the very least, given that there appear to be holes in local account security that are known to blackhats. What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role? It's not like that's the target market for Apple anyway, so they're hardly going to be losing much business as a result.

101 posted on 03/07/2006 11:49:40 AM PST by Senator Bedfellow

To: Senator Bedfellow
Why not?

Wouldn't you agree that it's better to test a server role using the actual server version of an operating system?

What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role?

It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.

It's not like that's the target market for Apple anyway


102 posted on 03/07/2006 12:43:02 PM PST by antiRepublicrat

To: antiRepublicrat
Wouldn't you agree that it's better to test a server role using the actual server version of an operating system?

Sure. Lemme get out my copy of FreeBSD Server Edition (TM), rather than Desktop Edition (TM)...err, wait. There isn't any such thing.

I can sort of understand segmenting your clientele based on the number of concurrent connections, or the number of processors, or some such. I'm not so sure segmenting based on security is such a hot idea. Unless you're suggesting something other than that OS X server is more secure than the desktop version.

It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.

Which one do we know for a fact has unpublished, unpatched exploits TODAY?

103 posted on 03/07/2006 12:52:35 PM PST by Senator Bedfellow

To: Senator Bedfellow
Sure. Lemme get out my copy of FreeBSD Server Edition (TM), rather than Desktop Edition (TM)...err, wait. There isn't any such thing.

Not for FreeBSD, but there is for OS X. Since we don't know the exact exploit used, we don't know if it works on Server too. This isn't as big as the difference between NT4 (server) and Windows 98 (client), but it's bigger than the difference between NT 3.51 Server and Workstation (the only difference there being registry entries that restricted Workstation, Microsoft made it a bit harder for NT 4 but it's still doable).

Face it, all OSs are a race against hackers. At any one time, any OS will have known and unknown vulnerabilities, patched and unpatched. What matters is the reaction time to fix once notified and the number/severity of the vulnerabilities for the roles you're using. Anything else is just playing games.

104 posted on 03/07/2006 1:41:31 PM PST by antiRepublicrat

To: antiRepublicrat
Wait, wait. So far, you're telling me what the difference is not - it's not the same as the difference between 98 and NT, or the same as the difference between NT Server and NT Workstation - but you're not telling me what the difference is. What's the difference between Server and diet OS X, and why would we expect that difference to have an impact on security? And if it really is the case that Server is measurably more secure for local users than vanilla OS X, why isn't the desktop version incorporating those measures?

105 posted on 03/07/2006 1:47:21 PM PST by Senator Bedfellow

To: SengirV

I agree

I own a Mac and several PCs....SSH isn't normally left open....for GAWD sake...and I would never set any machine as a server....

The article is out to lunch....and not real world!


106 posted on 03/07/2006 1:55:16 PM PST by Halgr (Once a Marine, always a Marine - Semper Fi)

To: antiRepublicrat
Only the stupid ones.

Then that's most of them. ;-)

107 posted on 03/07/2006 1:57:03 PM PST by DemosCrash

To: Senator Bedfellow
And if it really is the case that Server is measurably more secure for local users than vanilla OS X, why isn't the desktop version incorporating those measures?

Learn to read. We don't know the exploit. An exploit could be as serious as a flaw in core OS components used by both client and server, or as simple as a difference in the default configuration between the two. From the article, it sounds like he used a buffer overflow exploit. Because he had shell access, he could have attacked any number of software packages on the system (made by Apple or third parties, although Apple is in the end responsible for the security of third-party apps it ships with OS X). Some that may or may not have been present in Server in various states of configuration (an iPhoto exploit wouldn't have done any good on Server), or part of a different security rollup that would have included the appropriate patch. We just don't know.

FYI, there are numerous code changes between client and server, but the biggest difference is the huge package of management and configuration software that ships with the server. That's software that helps you put a server on the Internet without screwing things up, things that can lead to compromised machines.

But none of that is meant to say that Apple shouldn't start really being on guard security-wise as its OS is starting to get on the radar.

OTOH, Apple had a much smaller marketshare during OS 8/9, and there were over a hundred exploits for those OSs.

108 posted on 03/07/2006 2:08:56 PM PST by antiRepublicrat

To: antiRepublicrat
Learn to read. We don't know the exploit.

Take your own advice - I didn't ask about the exploit, I asked about the difference between Server and desktop.

109 posted on 03/07/2006 2:09:58 PM PST by Senator Bedfellow

To: ShadowAce
It really amazes me that some people believe this report.

Let's look at what we do know about this.

1. The version of OS X used was a client version.
2. The server stuff was added.
3. The hackers were given ssh access.

Now let's look at what is not known.

1. What was the patch level?
2. Was the server stuff even set up right?
3. How much of a shell were these guys given?

There is a good possibility that the server stuff was downloaded from who knows where.

What were the permissions set to?
What was the real name of the hacker?
What unknown exploit was used?

There simply is not enough info to go on.

Until these questions are answered, I am going to throw this report in the trash.

110 posted on 03/07/2006 5:06:55 PM PST by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)

